Testimony on Impact of HIPAA Security Rule on Medical Devices

Presented By C. David McDaniel
Deputy Director, Bus. Dev. for HIPAA & Education Svcs.
Veterans Health Administration
Chief Business Office

National Committee on Vital and Health Statistics
Subcommittee on Privacy and Confidentiality

November 19, 2004

Mr. Chairman, Committee members, thank you for the opportunity to speak to you today on the subject of the impacts that the Security Rule of the Health Insurance Portability and Accountability Act will have on how we, as a health care provider and a covered entity under HIPAA, use medical devices in our VA medical centers.  We also appreciate the opportunity to share our concerns and issues related to complying with the HIPAA Security Rule with regard to these devices.

In order to provide exceptional care to our nation’s veterans, the Department of Veterans Affairs, Veterans Health Administration must pursue the same advanced technologies used by other health care industry providers.  To do this, we purchase scores of medical devices that allow us to provide care to the over 7 million veterans enrolled with VA.  These devices are critical to our operations and we depend on their use on a seven days a week, 365 days a year basis.  Medical devices have historically been designed with an emphasis on clinical efficacy and safety first, with inherent limitations related to more recently identified security capabilities.  More often than not, these limitations are not optional choices that a consumer can choose to purchase or not purchase, implement or not implement, turn on or off.  There are even cases where adding security to a device renders it ineffective to operate properly.

The cycle for new medical devices to be delivered to market takes approximately 3 to 5 years. While medical device manufacturers are currently addressing security capabilities for products in development, it is clear that the vast majority of products now available and the legacy inventory of medical devices in hospitals today still have limitations for security capabilities. With product teams dedicated to designing new medical devices, it is unrealistic to expect medical device manufacturers to expend time and resources to redesigning products that have been successfully operating for years.

VA believes in the rights of our veterans to have their protected health information used and disclosed only as appropriate.  We have taken great pains to ensure that VHA complies with all of the requirements of the Privacy Rule of HIPAA as well as the Privacy Act and other privacy statutes and continue to work toward a culture where protected information of all types is maintained, stored, used and disclosed with the utmost care to the protection of the information.

With the enforcement of the Security Rule of HIPAA, additional requirements will have to be considered for protected health information contained in medical devices as well as in other systems used by health care providers.  As a result of these Security Rule requirements that electronic protected health information be maintained in a secure manner and that systems that house this information be able to limit access to the appropriate personnel, medical device capabilities become a major stumbling block to VHA, as well as every other health care provider in the industry, as to how to handle the lack of security capabilities in today’s devices.  While we look to the medical device manufacturers to correct this issue in the future, it is very unlikely that these changes will be developed, and certainly not in place in hospitals around the country, by the April 2005 deadline of the HIPAA Security Rule.

VHA is taking precautions to secure medical devices where possible and will continue to look for ways to ensure that electronic protected health information maintained in medical devices in VA medical centers is as safe as possible without the added protections of access controls built into the devices.  We have already isolated our medical devices from other systems containing protected health information in order to minimize the possibility of access through one of these devices to our other systems containing protected health information.  We are also looking at ways to make the devices inaccessible to persons who do not have a need for the information contained in the memory of the device.  This is a cumbersome short-term solution that will likely impact our ability to provide quality, efficient and effective care over time.

While VHA holds firm that protecting the information we are trusted with by our veterans is not negotiable and should be protected to the best of the ability of the entire VHA workforce, we realize that there are limitations to many of the devices currently used in VA medical centers that are not able to meet the stringent requirements of the Security Rule.

So as a health care provider who is an active purchaser of medical devices as they come into the marketplace and as a covered entity under the HIPAA Security Rule, what are VHA’s options for complying with the HIPAA Security Rule by April 2005?  As we understand the situation, we have several choices.  The first is that we make the issue of deficits in medical device security known so that the Department of Health and Human Services is aware of the problem for us as a consumer of these devices and as a covered entity under HIPAA.  That is one of the primary reasons we are here today.  As one of the defined organizations identified to assist HHS with the HIPAA Administrative Simplification Rules, we are looking to you, the National Committee on Vital and Health Statistics, for assistance in conveying this issue to the Centers for Medicare and Medicaid Services.  I would like to make it clear that we are not here to assign blame to device manufacturers or to proclaim that this is an insurmountable situation.  Certainly we see this as a new requirement that health care must rise to and, given the right amount of time to respond, this issue will be resolved.  The second option for us as a purchaser and user of these devices is to assess the risk of each of our medical devices and to mitigate any risk each device may pose to protecting the electronic information contained within it as much as is possible in today’s environment.  This includes using any existing access controls on devices that have these capabilities already and minimizing access to the devices themselves, where possible, to personnel with the minimum necessary need for the device and its protected health information.  The optimum solution for this option would be to partner with other health care providers who also need to assess devices and develop a strategy to divide and conquer this process of assessing the risk of the many medical devices we all have in our hospitals.

The third option is the one that concerns us the most, and that is that we must wait.  While partnering with medical device manufacturers is possible, and while many of these manufacturers are willing and anxious to resolve the needs health care providers have for security capabilities on these devices, the development of patches, fixes, software changes and new technologies to provide this added security takes time.

Thank you for the opportunity to share this concern with you.  We hope, by stepping forward as the largest health care provider in the industry who has a great need for the devices we have within our facilities today and a great desire to protect the information contained in those systems, that maybe a solution can be found that not only satisfies the needs of health care providers for each of the devices addressed here today, but the requirements of the HIPAA Security Rule that control the access to the protected information contained in these devices.