Role of Equipment Manager in HIPAA & HIPAA and Medical Device Standards Organizations (e.g., DICOM, IHE)
Charles Parisot, GE Medical Systems IT
Role of Equipment Manager in HIPAA
Policy versus Technology
Diagram: risk mitigation shown as a scale from minimum to maximum, obtained by combining policy & procedure with technology.
Example: Employee Termination Process
Diagram: risk mitigation from minimum to maximum, pairing a policy with the technology that supports it:
• Policy: Singular Account Removal / Technology: Biometric Finger Print Access Control to CT Scanner
• Policy: Singular Account Removal and Audit Usage / Technology: Centralized User Login
• Policy: Removal of Account at Each CT / Technology: Local User Login into CT & Video Surveillance
• Policy: Retrieve Physical Key and Manual Records of Key Ownership / Technology: Lock CT Room
Looking for HIPAA Compliant Equipment?
• No vendor can make HIPAA-compliant products,
• But products can be made that make it easier for CEs (covered entities) to comply with HIPAA.
• If you are offered a "HIPAA Compliant" product, be careful.

NEMA Security and Privacy: Introduction to HIPAA
Key Security and Privacy Features on Medical Devices
• Locally managed logins for all operators
• Password control (size, content, pattern, age)
• User account maintenance (disable, one-time, reports)
• Auto logoff
• Device-to-device authentication (device ID and list)
• Log all security events and changes to configuration
• Access to audit logs restricted
• Configuration lockdown, secured operating system
• Integrity control on data
• Emergency access to device
What lies ahead....
• An increasing number of systems become networked
• The boundary between medical devices and medical information systems is blurring
• Security/privacy and connectivity become significantly dependent on each other
• Security/privacy and connectivity both require an overall healthcare enterprise perspective
Articulating the various pieces
Diagram of the layers involved:
• Healthcare Institution Policies
• Product Solutions
• Medical Industry Enterprise-wide Frameworks, e.g. NEMA
• Integration, e.g. IHE
• Security and Communication Standards: HL7, DICOM, W3C, etc.
Security/Privacy Architectures
Devices (single use, single concurrent user, minimum number of records):
• Standalone
• Minimal UI
• Special purpose
• Limited network
• Embedded processor
e.g., monitoring; ECG, stress; CT, MR, US
Information Management Systems (multiple access points, large number of records):
• Permanent network storage
• Multiple access points
• Workflow spread around systems
• Integrated information systems
e.g., CT + MR + PACS; Hemodynamics + Cathlab IS; EKG carts + Stress + Cardio IS
Service (remote interface):
• Maintenance center access to systems
• Service back-office
• Reactive service
• Preemptive service
e.g., remote CT scanner maintenance (Remote Center to Hospital)
Scope of NEMA Privacy and Security
• All systems, devices, components, and accessories:
  • used in medical imaging informatics
  • as described for the NEMA Medical Imaging Informatics Section (http://www.nema.org/nema/medical/annual/9ps.asp)
  • with respect to health information
• International data security and data privacy legislation, currently focusing on the European Community, Japan, and the United States of America
Mission
Ensure a level of data security and data privacy in the health care sector
• that meets legally mandated requirements
• in ways that are reasonable and appropriate
• to reduce the costs of compliance to our customers
Strategy - Action
• Publish common interpretations of data security and data privacy requirements for health care imaging systems in the EC, Japan, and US as industry positions to
  • target consistent approaches in the global market
  • avoid incompatibilities between institutions exchanging data
  • guide implementation of privacy and security measures
• Advocate common industry positions on privacy and security issues that require interpretation
• Develop solution recommendations based upon industry standards
Accomplishments
• The first white papers are published
  • Security and Privacy - An Introduction to HIPAA (Feb. 2001)
    • an educational paper on HIPAA
    • to be used for management and customer education
    • an interpretation of data security and data privacy regulations as provided by HIPAA
    • contains no technological specifications
  • Security and Privacy Requirements for Remote Servicing (Apr. 2001)
• Continuing with white papers on:
  • Audit Controls
  • Suggested allocation of security rules
  • Modality Requirements
The Remote Servicing Problem
Remote servicing and support of medical systems is critical:
1. For medical devices such as imaging modalities
2. For information systems such as PACS and RIS
3. The downtime reduction of such systems is critical
4. Local servicing and remote servicing are both needed
Healthcare enterprises use many such systems:
1. Provided and maintained by different vendors
2. An increasing number of these systems are networked
3. These systems create and manage patient data
4. Regulations in many countries require that care institutions take proper measures
Goal: facilitating remote servicing while ensuring the security and privacy of care institutions' operations.
Remote Servicing Infrastructure
Diagram: Remote Servicing Center A (Vendor A) and Remote Servicing Center B (Vendor B) reach Care Institution 1 and Care Institution 2 over an Access WAN; each care institution has an Access Point in front of its Internal Network, which hosts Vendor A Equipment, Vendor B Equipment and Other Equipment.
Remote Servicing Logical Access
Diagram: logical access paths over the same topology (Remote Servicing Centers A and B, Access WAN, Access Points, and the Internal Networks of Care Institutions 1 and 2 with Vendor A, Vendor B and Other Equipment).
Requirements
Remote Servicing Center and vendor equipment in the care institution communicate with mutual security and privacy:
1. Reduce overall costs by sharing remote servicing infrastructure (Access WAN, Access Point, Internal Network, procedures) for servicing equipment from multiple vendors across multiple care institutions.
2. Define a limited number of supported WAN access and Internal Network technologies.
3. Each Remote Servicing Center shall only be provided access sessions to the equipment it services, with proper access control.
4. Each remote servicing session shall be logged by the Remote Servicing Center (why, who, what, when).
5. Policy and procedures shall be defined for when vendor personnel perform a remote servicing session where identifiable patient data is handled.
6. Security measures and policies at the vendor Remote Servicing Center shall ensure isolation between care institution internal networks.
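As an added illustration of requirements 3, 4 and 6 above (not code from the slides or from NEMA), the following constructed model shows a vendor-side Remote Servicing Center gate that only opens sessions to equipment it services, logs why/who/what/when for every attempt, and keeps one engineer from holding concurrent sessions into two care institutions' internal networks. The equipment registry, the institution names and the "one institution at a time" isolation control are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Equipment:
    institution: str  # care institution whose internal network hosts the device
    vendor: str       # only this vendor's Remote Servicing Center may service it
    device_id: str


@dataclass
class AccessPoint:
    """Care-institution access point in front of one internal network (assumed model)."""
    institution: str
    inventory: dict = field(default_factory=dict)  # device_id -> Equipment

    def register(self, eq: Equipment) -> None:
        assert eq.institution == self.institution, "device belongs to another institution"
        self.inventory[eq.device_id] = eq


class RemoteServicingCenter:
    """Vendor-side gate enforcing requirements 3, 4 and 6 of the slide."""
    def __init__(self, vendor: str) -> None:
        self.vendor = vendor
        self.log: list[dict] = []          # why, who, what, when (requirement 4)
        self.active: dict[str, str] = {}   # engineer -> institution currently connected

    def _record(self, who: str, what: str, why: str, result: str) -> bool:
        self.log.append({"who": who, "what": what, "why": why, "result": result,
                         "when": datetime.now(timezone.utc).isoformat()})
        return result == "granted"

    def open_session(self, ap: AccessPoint, device_id: str, engineer: str, why: str) -> bool:
        what = f"{ap.institution}/{device_id}"
        eq = ap.inventory.get(device_id)
        # Requirement 3: sessions only to equipment this center services.
        if eq is None or eq.vendor != self.vendor:
            return self._record(engineer, what, why, "denied: not serviced by this center")
        # Requirement 6 (assumed control): an engineer may not bridge two
        # institutions' internal networks by holding sessions into both at once.
        other = self.active.get(engineer)
        if other is not None and other != ap.institution:
            return self._record(engineer, what, why, f"denied: session open to {other}")
        self.active[engineer] = ap.institution
        return self._record(engineer, what, why, "granted")

    def close_session(self, engineer: str) -> None:
        self.active.pop(engineer, None)
```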
Feedback to NEMA is welcome:
MII Section Industry Manager: Stephen Vastagh, ste_vastagh@nema.org
Role of Standards in HIPAA
Communication Standards
• HIPAA includes the definition of Claim Attachment EDI transactions
  • Limited number of transactions
  • Focused on hospital insurance
• Many other network exchanges of patient information are needed within the hospital
  • HIPAA will not standardize those transactions
  • HIPAA's impact needs to be managed
• In fact there is a significant deficit of integration in most healthcare enterprises today......
Why Does Healthcare Need Integration?
• In the enterprise, computer systems don't talk to one another
• Islands of data isolated in departments and systems
• Integrating disparate systems is costly and difficult
• Mandatory compliance with regulations like HIPAA requires coordination
What are the Technical Challenges to Integration?
• Different standards: DICOM, HL7, etc.
• Different interpretations/implementations
• Redundancies and gaps between standards
Technical Challenges to Integration
• Different information models
• No common vocabulary for integration
• No agreed system boundaries
• Limited guarantee of interoperability of compliant applications
What are the Resulting Problems?
• Disconnected information flows
• Inconsistent identifiers
• Reliance on human links for information exchange