The Office of Inspector General’s (OIG) 2016 Work Plan, released Nov. 3, 2015, calls for increased scrutiny of protections of electronic protected health information (ePHI) with respect to “networked medical
devices.” Furthermore, the OIG indicated its plan to determine the “extent to which hospitals comply with contingency planning requirements of the Health
Insurance Portability and Accountability Act (HIPAA)” regarding their use of electronic health records (EHR) systems. Thus, the OIG has indicated that
there will be heightened focus on the HIPAA Security Rule, which addresses the administrative, physical and technical safeguards of ePHI (45 CFR Part 160 and Subparts A and C of Part 164).
The OIG specifically indicated that it will examine whether the U.S. Food and Drug Administration (FDA) is providing sufficient oversight of “networked
medical devices” in hospitals. With this statement of priorities for 2016, the OIG has affirmed that the proliferation of devices, with their ability to
store health information, creates real risks to the privacy and security of ePHI. Although the list of devices that store and transmit ePHI is vast and
growing rapidly, the OIG specifically mentioned “dialysis machines, radiology systems, and medication dispensing systems that are integrated with
electronic medical records (EMRs) and the larger health network.” The OIG also recognized that these devices may create risks, whether they are wired or
The OIG also stated, “Medical device manufacturers provide Manufacturer Disclosure Statement for Medical Device Security (MDS2) forms to assist health care
providers in assessing the vulnerability and risks associated with ePHI that is transmitted or maintained by a medical device.” In highlighting the MDS2
forms, the OIG has effectively signaled that HIPAA-covered entities that use networked medical devices should document the ways in which they have
considered the disclosure statements for such devices as part of their HIPAA security risk assessments and overall HIPAA compliance plans.
Although it was not mentioned in the 2016 Work Plan, anyone using networked medical devices should bear in mind that improper disposal of such devices
carries significant HIPAA risks. Specifically, for any of these devices that store ePHI locally, there is a risk of a HIPAA violation if the device is not
stripped of all ePHI or otherwise destroyed prior to disposal. Indeed, in 2013, Affinity Health Plan Inc. entered a $1.2 million settlement agreement with
the U.S. Department of Health and Human Services for returning multiple photocopiers to a leasing agent without first erasing the data contained on the
hard drives of the copiers. See:
The FDA, too, has indicated that it is concerned about cybersecurity of medical devices. In 2014, the FDA issued “Guidance for the Content of Premarket Submissions for Software Contained in Medical Devices” and “Guidance to Industry: Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software.” In these guidance documents, the FDA indicated that medical device manufacturers should consider cybersecurity in the design and development of medical
devices and that they should consider cybersecurity with respect to the functionality of medical devices that use off-the-shelf software. Of course, the
data at issue with medical devices is very likely to be ePHI.
As for EHRs, the OIG Work Plan reiterated that “the HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and
procedures for responding to an emergency or other occurrence that damages systems that contain protected health information.” As a result, the OIG plans
to “compare hospitals' contingency plans with government- and industry-recommended practices.”
The issues of cybersecurity with respect to medical devices will continue to grow as the proliferation of devices and EHR systems continues. Covered
entities will need to be vigilant in addressing the HIPAA considerations as they use and dispose of these devices and as they continue the shift to
electronic health records systems. Similarly, manufacturers of medical devices and developers of EHR systems will need to ensure that security is a
fundamental part of design and production.
This alert also appeared on the McGuireWoods blog Password Protected.