Slashdot Mirror


Hospital Wireless Networks May Be Regulated Medical Devices

Lucas123 writes "As hospitals continue to connect patient monitoring equipment, physician PDAs and laptops to wireless networks, and then collapse those data paths onto traditional IT networks, the closer the US Food and Drug Administration comes to regulating them, according to Computerworld. The focus of the FDA's regulation comes in its recently finalized 80001-1 standard that established risk management practices for those networks, the adherence to which may be voluntary, but would determine Medicaid and Medicare reimbursements. 'If you don't comply, then you have two choices. You can have the federal government come in and inspect your hospital, or you can decide not to accept money from Medicare or Medicaid. Voluntary sometimes isn't exactly voluntary,' said Rick Hampton, wireless communications manager for Partners HealthCare System in Boston."


  1. Good? by Kenja · · Score: 2

    Current level of security and quality for medical IT is rather poor.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:Good? by Anonymous Coward · · Score: 4, Interesting

      I'd have to concur. I've been in hospitals where the IT staff offered free wireless internet for the waiting areas, and the only open access point was to the "airgapped" network for the financials, etc. I'm sure that Medicare would LOVE to find out about THAT particular HIPAA violation. >:-D

    2. Re:Good? by NevarMore · · Score: 3, Insightful

      I'm sure that Medicare would LOVE to find out about THAT particular HIPAA violation. >:-D

      Then go tell them. If you've physically been in the hospital that could be your data, your loved ones data, or just plain due diligence if you were there for work and not for a medical reason.

    3. Re:Good? by Anonymous Coward · · Score: 2, Informative

      I think the quality of classic IT in a hospital isn't that bad. The status of our Windows network isn't that bad. There are issues, but I don't think we're any worse than any other industry. What is bad is the Biomed side of the house. The medical equipment stores patient data with no authentication or auditing capabilities. The systems that are based on off the shelf hardware and software (e.g. Windows PC hooked up to a medical device) can't be patched because the vendors won't certify the systems with those patch levels and turn around and blame the requirement on FDA approval.

    4. Re:Good? by emarkp · · Score: 2

      Sadly, that's not the only part of the equation. Will regulation make it better and/or safer?

      Because in my experience (10+ years of software medical device work) FDA regulation of medical devices has reached a point where the cure is now worse than the disease. Innovation is swamped under paperwork that prevents many solutions from coming out that would make medical devices safer or better, but which would cost too much for a company to implement because of FDA rules.

      Too often, medical device errors (radiation burns, etc.) are because of human error which could be corrected with a strict checklist, rather than more FDA regulation.

      The most likely result of regulating wireless networking in a hospital will be the removal of the wireless network. People will likely schlep data around on USB drives, which are unmarked and untracked, etc. (I've seen that happen before when devices don't have networking capability). In such a scenario are patients protected or endangered?

  2. Good. by RightSaidFred99 · · Score: 5, Insightful

    I'm one of those much hated libertarian leaning people who thinks regulation should only be applied when absolutely needed. In this case, we're talking life and death data and I would expect medical systems to be heavily regulated both for security and availability/reliability.

    So what's the controversy?

    1. Re:Good. by Kenja · · Score: 4, Funny

      You fool! You're supposed to let the free market decide! If too many people die at hospital A, just go to hospital B!

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    2. Re:Good. by Talderas · · Score: 4, Interesting

      Well. Since you need to comply with FDA regulations or not get your medicare/medicaid funding, it's a pretty big deal.

      The problem exists in the transition. These improvements cost money and there's a good chance that networks in transition wouldn't meet the FDA requirements. That would cause the hospital to lose the medicare/caid funding and consequently have to turn away or eject patients who would otherwise get treatment, which would be a huge cost to them.

      Since there's that potential while in transition to a more modern network, hospitals may be quite unwilling to fund the improvements in the first place and preserve their funding.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    3. Re:Good. by Korin43 · · Score: 2, Insightful

      The problem is that a heavily regulated system like this raises prices, so your only choices become the best healthcare or no healthcare. It's perfectly fine if you have the money for the first option, but not everyone does.

      Not to mention that some people would be willing to take the risk to save money. Everything you do in life has a risk, why regulate just that one? There are many cases where I'd be willing to go to a hospital with a crappy wireless network to save some money. I'd think twice about getting heart surgery there, but not everything a hospital does is that big of a deal.

    4. Re:Good. by dkleinsc · · Score: 2

      Yeah, someone needs to send RightSaidFred99 to a Cato Institute reeducation center before he starts thinking that health insurance is a life-and-death kind of thing too and needs to be regulated!

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    5. Re:Good. by blueg3 · · Score: 2

      The problem is that a heavily regulated system like this raises prices

      It also tries to make arguments on blind assertions.

    6. Re:Good. by Mordok-DestroyerOfWo · · Score: 2

      Oh my. I really hope you have karma to burn.

      Is it wrong that I heard George Takei when I read this?

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    7. Re:Good. by Americano · · Score: 3, Interesting

      Or, as with just about any government regulation, the policy would be enacted and give hospitals X number of months or years to comply with the standards set forth in that policy, or face a loss of Medicare/Medicaid funding.

      Here's what will not happen:
      12:01 a.m., January 1, 2012: Regulation goes into effect.
      12:02 am, January 1, 2012: All non-compliant hospitals cease to receive funding from Medicare and Medicaid, and the feds move in to shut down these illegal dens of medical "care" for their noncompliance.

      They'll probably have several years to bring themselves into compliance, with a requirement that they document their risk mitigation policies until they are compliant, and if at the end of that time they can't show compliance, then they will risk losing their Medic[are|aid] funding.

    8. Re:Good. by Americano · · Score: 4, Interesting

      Were wireless networks actually killing anyone...?

      If you read TFA, yes, actually, they were:

      According to Shuren, the FDA last year received reports that six patients died and 44 people were injured as a result of health IT-related malfunctions. The FDA also received 260 reports of malfunctions that had the potential to harm patients.

      Reporting of these numbers is strictly voluntary, so you do the math - if institutions volunteered these numbers, how many other patients and patient devices are being affected by some intern streaming House re-runs over the network? And do you really think it's inappropriate to mandate that certain controls must be in place on a general network that is relied upon by medical devices which require the network to operate, and which are sending sensitive medical data over the network?

      I work for a financial services company; it's standard practice for us to firewall off our sensitive database systems and authentication systems, and restrict access to a very tightly controlled set of uses. If your retirement account or brokerage account was held here, would you want us to take down all the firewalls, network filtering, and access controls on the networks? I'm betting the answer is no. If you want that much protection on your financial information (which might embarrass you, but certainly won't kill you), why wouldn't you want controls at least as strict on networks & systems that could - quite literally - kill you if they malfunction for some reason?

    9. Re:Good. by mangu · · Score: 3, Interesting

      Plenty of karma, don't worry. However no mod points, have been posting too actively of late. If I had I would give the GP (-1, offtopic).

      Why is it that leftists always mock libertarianism with this monotonous "free market" chant? Economic freedom is *one* of the infinite liberties a person can have. The free market works admirably for what it's meant to do, but it's not a tool for everything.

      The free market is *not* intended to maximize the preservation of human life. We do need some regulations for that. Of course, there are private corporations, like this one to verify that regulations are being followed, but they do not make the regulations, that's not what the "free market" is intended to do.

      So, in the end, there must exist some form of governmental or non-market regulations in effect. No libertarian denies that.

    10. Re:Good. by Peeteriz · · Score: 3, Insightful

      According to the TFA, this has killed at least 6 people in the last year, so in this case the communication between two machines was 'life and death'. Or wasn't it?

    11. Re:Good. by eth1 · · Score: 2, Interesting

      Or, as with just about any government regulation, the policy would be enacted and give hospitals X number of months or years to comply with the standards set forth in that policy, or face a loss of Medicare/Medicaid funding.

      Here's what will not happen:
      12:01 a.m., January 1, 2012: Regulation goes into effect.
      12:02 am, January 1, 2012: All non-compliant hospitals cease to receive funding from Medicare and Medicaid, and the feds move in to shut down these illegal dens of medical "care" for their noncompliance.

      They'll probably have several years to bring themselves into compliance, with a requirement that they document their risk mitigation policies until they are compliant, and if at the end of that time they can't show compliance, then they will risk losing their Medic[are|aid] funding.

      Exactly. What will really happen is this:
      12:01 a.m., January 1, 2012: Regulation goes into effect, with deadline of 2015-01-01.
      2012-01-01, IT: "We need to get started on this"
      2012-01-01, Exec: "We don't have the money yet"
      2013-01-01, IT: "We need to get started on this"
      2013-01-01, Exec: "We don't have the money yet"
      2014-01-01, IT: "We need to get started on this!"
      2014-01-01, Exec: "We don't have the money yet"
      2014-11-01, Exec: "We need this in two months or we're fscked!! We'll need you to work 168 hour weeks!"

    12. Re:Good. by Zironic · · Score: 3, Insightful

      Because it's true. You constantly see people that claim they're libertarians while preaching that the free market will fix 'everything'. On another forum I saw a person claim that "All" regulation is "Evil", no exceptions, obviously they're either ignorant or crazy but those are the people that give libertarians such a bad rep.

    13. Re:Good. by Libertarian001 · · Score: 2

      Maybe that's how it works at *your* hospital, but not at *mine* (I work in diagnostic imaging, which is under IT at my hospital). At my hospital we've known this was coming for quite some time and have been working towards it. And the Feds have also known it's been coming and have been working with us. Early adopters get big $$$ to help the process. That amount goes down the closer they come to the due date. They start to get penalized once the due date passes, losing more and more $$$ as time goes on, until it actually becomes an issue about 5 years after the deadline.

    14. Re:Good. by Libertarian001 · · Score: 2

      I work in a hospital, in the department controlling this. I really don't think you understand what's happening. Do you honestly believe that telemetry is on the same network as everything else? Or that we don't have multiple networks?

  3. not really a surprise... by ducomputergeek · · Score: 4, Interesting

    I consulted with a small medical equipment business 5 years ago when they were replacing a DOS based system they bought in 1993 with new software that met all the HIPAA compliance plus their state requirements. It was a pretty big deal back then since 80% of their business was either Medicare or Medicaid. It took about six months to write out all the contingency plans and make sure they were doing proper backups, could restore backups, had secure off-site storage of tapes, etc..

    I do remember the big hang up was the fact their database server and terminals had to have an airgap between them and the Internet, or at least that was the easiest and cheapest way to meet the standards they had to, and in fact the only line out was a dial up modem to submit billing to the state. It only took about a month to back up all their records to hard copy (just in case), get the new systems and transfer all the old data to the new system.

    It took another five months to write all the damn documentation the government required for their certification/accreditation/inspection or whatever it was they had to pass.

    --
    "The problem with socialism is eventually you run out of other people's money" - Thatcher.
    1. Re:not really a surprise... by Rich0 · · Score: 4, Interesting

      Believe it or not, there is... I work in a regulated industry and we pay tons of money for software that basically helps us manage the paperwork that says we're doing everything right...

    2. Re:not really a surprise... by alphax45 · · Score: 2

      Please, for all of us, wear pants.

      --
      K Man
    3. Re:not really a surprise... by Kenja · · Score: 2

      You sound just like the delivery guy from the chinese restaurant.

      --

      "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  4. Appropriate in Hospitals by Rich0 · · Score: 4, Insightful

    I think that this kind of regulation is appropriate - in certain cases. I think you need to do an FMEA (failure mode and effects analysis - basically ask what could go wrong?) and then control your network accordingly.

    Modern networking gear is very reliable in terms of transmission accuracy - if you send a packet from A to B and it gets there, it is extremely unlikely that it was modified (unless deliberately). It is not so reliable in terms of guaranteed transmission.

    So, if we're talking about a network being used to display a lab test in a doctor's office, I'd argue that there is a pretty low risk of anything going wrong and strong control over the network should be unnecessary (beyond general good security practices that would apply in any business setting).

    On the other hand, if we're talking about monitoring equipment, I'd say that control of the network is critical, unless there is some kind of backup for communicating alarms. If an alarm in a patient room is likely to be heard and responded to without the aid of the network, then it is probably important but not critical. If a patient alarm could be ignored if not broadcast over a network, then that network needs to be treated as a life-critical piece of equipment. That means that changes are carefully controlled, and the design has to be fit for purpose. Lives are at stake, and if some cheap router hangs up without a backup of some kind, or if a cable is left detached during maintenance and isn't caught by routine procedure, somebody could die.

    The sad thing is that regulations like this are likely to get abused in two different ways (I've seen this happen in other regulated industries):

    1. It will be over-applied in areas that are not really at risk, driving up all kinds of costs that consumers end up paying for, and often delaying the introduction of technology that could actually improve care.

    2. Because of the huge cost associated with knee-jerk reactions and consultants/etc in #1, administrators will try to skirt the regulation as much as possible, which puts patients at risk in situations where the controls really are appropriate.

    In other regulated industries I've actually seen "turn the clock back" responses to regulation - where ancient practices that are grandfathered in get preferred to modern practices that are actually better, but which become more expensive to implement due to the presence of the regulation. In this way regulation can actually harm those it purports to benefit. Unfortunately, it usually is still better than the alternative.
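
    The distinction drawn above (packets that arrive are almost never corrupted, but delivery itself is not guaranteed) is the whole design problem for a network-dependent alarm. The example below is added here and is not code from the thread or from any hospital's monitoring product: a central-station watchdog that treats silence from a bedside monitor as a fault rather than as "no alarm", and that escalates any alarm nobody acknowledged in time to whatever backup channel exists. The device names, heartbeat interval, acknowledgement deadline and event feed are all constructed for the example.

```python
"""Added example (not from the thread): fail-safe handling of
network-delivered patient alarms at a central station.

Two failure modes from the FMEA above are covered:
  * the link to a monitor goes quiet (cheap router hangs, cable left
    unplugged during maintenance) -> raise a link-lost fault;
  * an alarm was delivered but never acknowledged -> escalate it.
All names, intervals and the event feed are constructed for this example.
"""
from dataclasses import dataclass

HEARTBEAT_INTERVAL_S = 5.0       # assumed: monitors heartbeat every 5 s
MISSED_BEATS_BEFORE_FAULT = 3    # assumed: 3 missed beats = link-lost fault
ACK_DEADLINE_S = 30.0            # assumed: alarms must be acked within 30 s


@dataclass(frozen=True)
class Event:
    t: float          # seconds since station start
    device: str       # bedside monitor id
    kind: str         # "heartbeat", "alarm" or "ack"
    alarm_id: str = ""


def link_faults(events, expected_devices, now,
                interval=HEARTBEAT_INTERVAL_S,
                missed=MISSED_BEATS_BEFORE_FAULT):
    """Devices in the inventory whose last message is older than `missed`
    heartbeat intervals, or that have never been heard from at all.
    Returns {device: seconds_silent}; float('inf') means never seen.
    Checking against an inventory (rather than against devices that have
    spoken) is what catches the monitor that was never plugged back in."""
    last_seen = {}
    for e in events:
        if e.t <= now:
            last_seen[e.device] = max(last_seen.get(e.device, -1.0), e.t)
    limit = interval * missed
    faults = {}
    for d in expected_devices:
        if d not in last_seen:
            faults[d] = float("inf")
        elif now - last_seen[d] > limit:
            faults[d] = now - last_seen[d]
    return faults


def unacknowledged_alarms(events, now, deadline=ACK_DEADLINE_S):
    """Alarms raised at least `deadline` seconds ago with no matching ack.
    These are the ones to push over the backup channel (pager, overhead
    page, whatever the unit has that does not depend on this network)."""
    raised = {}
    acked = set()
    for e in events:
        if e.t > now:
            continue
        if e.kind == "alarm":
            raised[(e.device, e.alarm_id)] = e.t
        elif e.kind == "ack":
            acked.add((e.device, e.alarm_id))
    return sorted(k for k, t in raised.items()
                  if k not in acked and now - t >= deadline)


def station_status(events, expected_devices, now):
    """What the central station should be displaying at time `now`."""
    return {
        "link_lost": link_faults(events, expected_devices, now),
        "escalate": unacknowledged_alarms(events, now),
    }


# Constructed feed: bed-1 and bed-2 heartbeat normally, bed-3 goes silent
# after t=40, bed-2 raises an alarm at t=20 that nobody acknowledges,
# bed-1 raises one at t=25 that is acknowledged, bed-4 is in the inventory
# but never joins the network.
SAMPLE_EVENTS = (
    [Event(t, "bed-1", "heartbeat") for t in range(0, 61, 5)]
    + [Event(t, "bed-2", "heartbeat") for t in range(0, 61, 5)]
    + [Event(t, "bed-3", "heartbeat") for t in range(0, 41, 5)]
    + [Event(20, "bed-2", "alarm", "a1"),
       Event(25, "bed-1", "alarm", "a2"),
       Event(31, "bed-1", "ack", "a2")]
)
SAMPLE_EVENTS.sort(key=lambda e: e.t)
EXPECTED = {"bed-1", "bed-2", "bed-3", "bed-4"}

if __name__ == "__main__":
    print(station_status(SAMPLE_EVENTS, EXPECTED, now=60.0))
```

    Run stand-alone it reports bed-3 silent for 20 s and bed-4 never seen under "link_lost", and bed-2's alarm "a1" under "escalate". The inventory argument is deliberate: a watchdog that only tracks devices it has heard from can never notice the one that was left disconnected.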

  5. But that makes sense anyway. by rdunnell · · Score: 3, Insightful

    And that's part of the point. Why would you want your radiology machines on any sort of main network, regardless of whether they can or can't be updated? There's no reason for them to be widely available and the technology to firewall it off is not expensive when compared to the cost of, say, a collection of medical imaging systems that will sit behind it.

    1. Re:But that makes sense anyway. by eth1 · · Score: 3, Informative

      And that's part of the point. Why would you want your radiology machines on any sort of main network, regardless of whether they can or can't be updated? There's no reason for them to be widely available and the technology to firewall it off is not expensive when compared to the cost of, say, a collection of medical imaging systems that will sit behind it.

      Well, since you ask...

      I manage firewalls for several hospital chains. One of the main reasons that their radiology stuff is connected to their main network is that those images are all stored digitally, and need to be available all over the place (doctors' offices, etc., that may or may not be at the physical location of the hospital). Also, most hospitals these days don't have a radiologist sitting around in the ER all night/weekend, any more. They contract with a remote one, so they also have to be able to send those images elsewhere (over a VPN to the imaging service, for example). Often those systems are at least firewalled in a DMZ, but I have yet to see them on a completely separate network (although some clients are making noises in that direction).
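
      The architecture eth1 describes (modalities feeding an archive in a DMZ, viewer access from ward workstations and from a remote radiologist's VPN) is only as good as the policy actually enforced between those zones, and the quickest way to find out is to audit real flow records against the intended policy. The following is an added example, not eth1's or any hospital's configuration: zone ranges, the allowed-flow matrix, the ports (104 for DICOM is its registered port; the rest are assumptions for the example) and the flow records are all constructed. It assumes each record is the client-to-server direction of a connection, as a collector would export it.

```python
"""Added example (not from the thread): audit exported flow records against
an intended hospital segmentation policy and list what crosses a boundary
it should not. Zone ranges, ports, policy and the sample flows are all
constructed for this example.
"""
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed zone layout (constructed for the example).
ZONES = {
    "guest_wifi":  ip_network("10.50.0.0/16"),   # waiting-room wireless
    "corporate":   ip_network("10.10.0.0/16"),   # billing, admin
    "clinical":    ip_network("10.20.0.0/16"),   # ward / clinic workstations
    "pacs_dmz":    ip_network("10.30.0.0/24"),   # image archive + viewer front end
    "modality":    ip_network("10.40.0.0/24"),   # CT/MR/X-ray consoles (biomed VLAN)
    "telerad_vpn": ip_network("172.16.5.0/24"),  # remote radiologist VPN pool
}

# Allowed flows touching the protected zones: (src zone, dst zone, dst port).
# 104 is DICOM's registered port; 443 for the viewer is an assumption.
POLICY = {
    ("modality", "pacs_dmz", 104),     # console sends studies to archive
    ("pacs_dmz", "modality", 104),     # worklist / retrieve back to console
    ("clinical", "pacs_dmz", 443),     # ward PCs use the web viewer
    ("telerad_vpn", "pacs_dmz", 443),  # remote radiologist over the VPN
    ("corporate", "pacs_dmz", 443),    # assumed: billing looks up studies
}
PROTECTED = {"pacs_dmz", "modality"}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' (includes the Internet)."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text):
    """Parse a CSV export with columns ts,src,dst,proto,dport,bytes."""
    rows = csv.DictReader(io.StringIO(text))
    return [dict(r, dport=int(r["dport"])) for r in rows]


def audit_flows(flows, policy=POLICY):
    """Return every flow that enters or leaves a protected zone and is not
    in the allowed-flow matrix. Flows that touch neither protected zone are
    out of scope for this check."""
    violations = []
    for f in flows:
        s, d = zone_of(f["src"]), zone_of(f["dst"])
        if s not in PROTECTED and d not in PROTECTED:
            continue
        if (s, d, f["dport"]) not in policy:
            violations.append({**f, "src_zone": s, "dst_zone": d})
    return violations


def summarize(violations):
    """Count violations per (src zone, dst zone) pair for a quick report."""
    counts = {}
    for v in violations:
        key = (v["src_zone"], v["dst_zone"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed flow export. The first three are the legitimate paths eth1
# describes; the last four are a guest laptop reaching the archive and a
# CT console, an admin RDP session to a console, and the archive talking
# to an Internet address.
SAMPLE_FLOWS = """ts,src,dst,proto,dport,bytes
2011-03-01T02:10:01,10.40.0.12,10.30.0.5,tcp,104,883400
2011-03-01T02:10:07,10.20.3.44,10.30.0.5,tcp,443,18200
2011-03-01T02:11:15,172.16.5.9,10.30.0.5,tcp,443,2450000
2011-03-01T02:12:40,10.50.7.201,10.30.0.5,tcp,443,9120
2011-03-01T02:13:02,10.50.7.201,10.40.0.12,tcp,445,3310
2011-03-01T02:14:30,10.10.2.17,10.40.0.12,tcp,3389,77000
2011-03-01T02:15:00,10.30.0.5,198.51.100.20,tcp,443,5600
"""

if __name__ == "__main__":
    found = audit_flows(parse_flows(SAMPLE_FLOWS))
    for v in found:
        print(v["ts"], v["src_zone"], "->", v["dst_zone"], v["dst"], v["dport"])
    print(summarize(found))
```

      Because the policy is a whitelist on the protected zones, an outbound flow from the archive to an Internet address is flagged just as a guest laptop reaching it is; a DMZ that can initiate connections outward is the usual gap when "firewalled in a DMZ" turns out to mean inbound rules only.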

    2. Re:But that makes sense anyway. by Gonoff · · Score: 2

      If the scanners are on the network you can...

      • see it from PC beside scanner
      • see it from consultants office
      • see it from any PC in hospital - if the user has permission
      • on call consultant can VPN in from home to look at it
      • show patient in ward
      • compare it against earlier pictures
      • compare it against reference scans
      • teleconference and discuss it
      • check whether your scanners actually work properly

      Hospitals here have some pretty serious rules & policies on Information Governance. If it is properly looked after, we should use this equipment in ways that get maximum benefit for the patients.

      --
      I'll see your Constitution and raise you a Queen.
  6. Re:Sounds familiar by Attila+Dimedici · · Score: 2

    While as other people have said, that equipment should not be on the main network, the reason you have this problem is that the person who wrote your validation documentation wrote it wrong. I work in a GxP laboratory environment and the key to this sort of thing is writing the validation correctly so as to allow patching of the systems and updating/changing the antivirus client without requiring a change control. Unfortunately, it has only been in the last 2-4 years that it has become accepted that it is ok to do so.
    Even with the way that your validation documentation is written (at least as it appears to be from your comment), you could patch your systems and install an antivirus client on them, it is just that you would need to do a change control in order to do so. Actually, unless the original documentation was unusually anal, you could probably patch the systems without a change control. Of course that would require someone who both knows and understands computers and knows and understands the specific regulations as they apply to your specific application to have sufficient pull within the organization to do this.

    --
    The truth is that all men having power ought to be mistrusted. James Madison
  7. "Yay, I got the best healthcare!..." by apparently · · Score: 2

    The problem is that a heavily regulated system like this raises prices, so your only choices become the best healthcare or no healthcare. It's perfectly fine if you have the money for the first option, but not everyone does.

    "...Boo, my social security number, credit card number, and license number were stolen due to a poorly-secured network!" And all because a few doctors couldn't take a small paycut to afford the cost of securing their systems.

    Not to mention that some people would be willing to take the risk to save money. Everything you do in life has a risk, why regulate just that one? There are many cases where I'd be willing to go to a hospital with a crappy wireless network to save some money.

    And why should the contents of my personal health records and financial records be put up for grabs, because you're willing to accept the risk? You act is if it's like the choice to wear or not wear a seatbelt, in which it's your life at stake if your coin comes up tails.

  8. Re:Dance by darthdavid · · Score: 2

    And if the tea baggers won your state you won't even be eating government cheese. That adds to the deficit don'cha'know?