March 4, 2005

The Honorable Michael O. Leavitt
Secretary
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201

Dear Secretary Leavitt:

As part of its responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the National Committee on Vital and Health Statistics (NCVHS) monitors the implementation of the Administrative Simplification Provisions of HIPAA, including the Security Standard for Electronic Protected Health Information (Security Rule).  The Subcommittee on Privacy and Confidentiality of the NCVHS held hearings in Washington, D.C., on November 19, 2004.  Because much medical equipment in use today either stores protected health information (PHI), or connects to a network with other systems that store PHI, such medical equipment needs to comply with the Security Rule.  In addition, computer errors, resulting either from a computer virus or a provider inappropriately performing a software update, may cause medical equipment or devices to malfunction, potentially resulting in patient harm.  Therefore, NCVHS held hearings to gather information about the effect of the Security Rule on medical devices.

At the hearings, we heard testimony from the Veterans Health Administration (VHA), the Food and Drug Administration (FDA), as well as various manufacturers of FDA regulated software and medical devices.  We also received written comments from an individual representing various medical device industry groups.

The witnesses indicated that there are a wide variety of challenges associated with bringing medical devices into compliance with the Security Rule, as well as providing effective security.  The witnesses’ testimony centered around two main themes:

  1. Although most new and currently produced medical devices are capable of complying with the Security Rule, much of the medical equipment in use is no longer manufactured and may not be upgradeable by the manufacturer.  As a result, it may not be possible to bring these “legacy devices” into compliance with the Security Rule.
  2. Many of the medical devices manufactured today contain commercial-off-the-shelf (COTS) software and operating systems.  Because of the critical nature of the medical equipment, any software updates (including those released by COTS software manufacturers in response to specific security threats) must be tested to ensure that the updates do not adversely affect the operation of the medical device.  This testing often delays implementing critical security related software updates.  Further, some customers update medical equipment with the latest software updates from third party software and operating system suppliers without first verifying whether the update affects the safe operation of the medical device for its intended purpose.

One witness representing the VHA testified that the Security Rule has been perceived as a barrier to the continued use of certain medical equipment.  Where medical equipment needs to be modified to comply with the Security Rule, the providers must often wait for the manufacturer to provide the appropriate updates.

Another witness representing the FDA stated that the FDA’s primary focus has historically been the safe and effective use of medical devices, and therefore the FDA has not evaluated security in approving the use of a medical device.   The witness further indicated that it is the responsibility of the medical device manufacturers to design their devices to enable covered entities to comply with the Security Rule.  Subsequent to the hearings, the FDA issued a guidance document titled “Guidance for Industry – Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software” (see http://www.fda.gov/cdrh/comp/guidance/1553.html).

A number of witnesses recommended that a process be developed to allow manufacturers to post Security Rule information for their medical devices.  The witnesses cited an initiative by the Healthcare Information Management and Systems Society (HIMSS) Medical Device Security Work Group.  The work group proposed that the industry adopt the use of a “Manufacturers Disclosure for Medical Device Security” (MDS2) form.  The MDS2 form is a vehicle for medical device manufacturers to report the capabilities of their medical devices consistent with the Security Rule.  While there was no consensus whether the HIMSS MDS2 form was suitable for use, in concept it appears that this approach would be of great value to providers.

Based on the oral and written testimony, NCVHS recommends the following:

  • HHS should provide guidance to covered entities to assist them in bringing medical equipment into compliance with the Security Rule and in otherwise taking appropriate steps to make medical equipment secure (e.g., protection from viruses that may impact the proper functioning of the medical equipment).
  • HHS should provide clarification regarding the compliance obligations of covered entities with non-compliant and non-upgradeable legacy medical devices. A range of options should be considered based on the nature of the equipment, its replacement cost and life expectancy, patient safety implications, security problems, and the possibility of protecting the security of PHI through other means.
  • HHS should develop guidance to assist medical device manufacturers to provide medical device functionality consistent with the Security Rule, as well as address reasonable security risks.
  • HHS should support industry efforts to have medical device manufacturers self report the capability of their medical devices consistent with the Security Rule.

We appreciate the opportunity to offer these comments and recommendations.

Sincerely,

/s/

Simon P. Cohn, M.D., M.P.H.
Chairman, National Committee on Vital and Health Statistics

Cc: HHS Data Council Co-Chairs