As the healthcare industry continues to push for EHR interoperability, the Food and Drug Administration (FDA) believes that healthcare data security, patient safety, and risk management should be a top priority for IT developers and users.
In its Design Considerations and Pre-market Submission Recommendations for Interoperable Devices draft, the FDA explains some of the safety precautions IT developers should take when creating interoperable health devices. Many of these precautions are aimed at improving healthcare data security.
“Including an electronic data interface on a medical device may have an impact on the security and other risk management considerations for the medical device, the network, and other interfaced devices,” the FDA explained. “Analysis of risks due to both the intended and unintended access of the medical device through the interface should be considered.”
Although interoperable health IT devices open doors to many benefits, such as care coordination and ubiquitous access to patient health information, they also create an increased risk of healthcare data breaches. If a device is able to access patient health information from another device or even a healthcare facility, that information could potentially be accessed by the wrong person.
To protect against those risks, the FDA suggests healthcare organizations use some foresight when adopting new interoperable health devices.
“FDA recommends that manufacturers include in their risk management approach a particular focus on the potential hazards, safety concerns, and security issues introduced when including an electronic data interface,” the document’s authors explain.
Specifically, health IT manufacturers and adopters should consider the following:
- Whether implementation and use of the interface degrades the basic safety or risk controls of the device;
- Whether implementation and use of the interface/interfaces degrades the essential performance of the device;
- Whether the appropriate security features are included in the design;
- Whether the device has the ability to handle data that is corrupted or outside the appropriate parameters.
Health IT interfaces should also be developed with standardized risk mitigation abilities that can come into play in the event of a healthcare data breach incident. Looking ahead, health IT developers should establish a standard for potential data security incidents and build in mitigation capabilities.
“Medical devices that receive data from other sources should complete a risk assessment of their connection that considers reasonably foreseeable uses and misuses,” the FDA maintains. “The manufacturer should ensure that the risks are mitigated through the design of the device.”
In all, developers should anticipate the following situations:
- Failures or malfunctions caused by direct or indirect connection of intended devices;
- Failures or malfunctions caused by invalid commands;
- Failures or malfunctions caused by receiving and processing erroneous data or commands;
- Failures or malfunctions caused by not adhering to the non-functional requirements of the communication specification.
Earlier this month, the FDA also released a draft guide regarding cybersecurity. This draft guidance stated that health IT stakeholders should be cognizant of different system vulnerabilities and should anticipate the mitigation of those vulnerabilities.
Additionally, the FDA suggests cybersecurity stakeholders create a system that essentially assesses the damage of a health data security incident.
“Manufacturers should also have a process for assessing the severity impact to health, if the cybersecurity vulnerability were to be exploited,” the FDA explains in the draft guidance.
In all, the FDA intends the cybersecurity draft guide to set a standard for the health IT stakeholders it regulates for better cybersecurity risk management.
Cybersecurity risk management is a shared responsibility among stakeholders, including the medical device manufacturer, the user, the Information Technology (IT) system integrator, Health IT developers, and an array of IT vendors that provide products that are not regulated by the FDA. FDA seeks to encourage collaboration among stakeholders by clarifying, for those stakeholders it regulates, recommendations associated with mitigating cybersecurity threats to device functionality and device users.