Medical Data Security in Next Generation Medical Devices

This article was first published in PrimaryCare Today in May 2011

Introduction

Medical devices are adopting many of the same attributes as advancing mobile phone technology, particularly in the storage, retrieval, sharing and transmission of medical data for many different purposes.

Many medical devices attach to practice PCs and networks and this trend is accelerating.

Primary care practices must keep up to date in this fast moving field, to ensure that they do not incur breaches of the Data Protection Act (DPA).

Some medical devices use security settings administered by the network administrator, but data protection issues can also arise with stand alone devices, with intermittent or no connection to the IT systems in the practice.

Background

Fast-paced IT advances have made it increasingly possible and useful for primary care practices to collect medical and patient data on an unprecedented scale, to improve both the diagnosis of medical conditions and the administration of health records. However, collecting so much data is not risk-free. As well as fines being imposed for malicious or reckless breaches of the Data Protection Act (DPA), the Information Commissioner's Office (ICO) can act against facilities that have:

  • Kept data for longer than is necessary
  • Obtained personal data unlawfully
  • Accidentally deleted that data

For example, last year there was a report of significant data loss which emerged from sources at the ICO, with over 8000 people believed to have been affected after a lost USB stick incident at a medical practice in Wales. Large-scale losses like this are not unusual, both in and outside the health sector. In this case the manager of the practice signed an ICO undertaking requiring her to set out mandatory plans to roll out encryption across all portable storage devices that the practice owns and uses, and to ensure that staff receive additional training so that they understand the ways in which portable storage can be used responsibly and safely.

The latest ICO figures show that 711 businesses, government bodies and charities have suffered data security breaches over the past two years. Of these organisations more than 200 were NHS health trusts and practices, almost double the reported data security incidents from the previous two years. Reckless practices with personal data could incur a £500,000 fine from the Information Commissioner's Office. The high level of losses among NHS trusts prompted the ICO to write to the Department of Health warning it needed to improve data security at health trusts.

Medical Data Encryption

Encryption is a way to encode computer files so that only someone with access to decryption software and a secret 'key' can read them. Encryption minimises the risk of data being used maliciously if the data fall into the wrong hands. Encryption alone does not provide a 'cure all' solution, but it is a good start.

Medical Devices

[Figure: Examples of spirometer devices capable of transmitting anonymised and encrypted data]

There are several classes of medical devices which are capable of storing patient data and thus have the potential to breach the data protection legislation.

  • Medical device software integrated into the workstation PC / network, incorporating software that is using the processing power of the PC to provide the required functionality.
  • Stand alone desktop or office based medical devices capable of receiving and transmitting patient data in the practice.
  • Professional use portable medical devices used outside the practice which feed data back to the EMR
  • Ambulatory monitors which feed data back to other systems.
  • Home monitoring devices which remotely send data.
  • Electronic Medical Record (EMR) systems which are also medical devices

The reader may be surprised by this last item. To clarify this, the Medical Devices Directive (MDD) definition of a "medical device" includes software intended for use in the diagnosis, prevention, monitoring, treatment or alleviation of disease.

  • Medical data transmitted to and filed in an EMR 'document storage and retrieval' system will not make the EMR a medical device.
  • But if the software function is to examine the data and give feedback such as an alarm to the healthcare practitioner, the software becomes a medical device. This means that it must conform to ISO13485 and many other standards which would not be a concern in a simple (or complex) 'filing system'.

But this is changing; in the USA on February 14, 2011 the FDA signalled a shift from regulatory discretion to enforcement discretion regarding Medical Device Data Systems (MDDS) with the publishing of the final rule. Europe will almost certainly follow suit and all UK EMR software suppliers will need to be extremely careful.

Confidential patient data is generally data which will allow a particular individual person to be identified. Obviously names and addresses fall into this category, but also some less obvious information such as NHS number, or even date of birth if contextualised with other data.

  • Stand alone medical devices which do not have the ability to share data and which only have unidentifiable data such as age, height and gender would not normally give rise to any concerns on data protection.
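The distinction above between identifying fields (name, address, NHS number, date of birth in context) and non-identifying ones (age, height, gender) can be applied to a device export before it leaves the practice. The following Python sketch is an added example, not part of the original article or of any vendor's software; the field names, the sample record, the reference date and the choice to replace date of birth with age are assumptions.

```python
import re
from datetime import date

# Hypothetical field names; a real device export will use its own schema.
DIRECT_IDENTIFIERS = {"name", "address", "nhs_number"}
CANDIDATE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b")

def nhs_number_valid(value):
    """Modulus 11 check digit test for a 10-digit NHS number."""
    digits = re.sub(r"[ -]", "", value)
    if not re.fullmatch(r"\d{10}", digits):
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    # A computed check value of 10 can never equal a digit, so it is rejected.
    return (11 - total % 11) % 11 == int(digits[9])

def redact_free_text(text):
    """Blank out anything in free text that passes the NHS number check."""
    return CANDIDATE.sub(
        lambda m: "[REDACTED]" if nhs_number_valid(m.group()) else m.group(), text)

def deidentify(record, today):
    """Return a copy of the record with identifying fields removed."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "date_of_birth":
            # Assumption: age is kept in place of the date of birth.
            born = date.fromisoformat(value)
            before_birthday = (today.month, today.day) < (born.month, born.day)
            out["age"] = today.year - born.year - before_birthday
        elif isinstance(value, str):
            out[field] = redact_free_text(value)
        else:
            out[field] = value
    return out

# Constructed sample record and reference date, for illustration only.
AS_OF = date(2011, 5, 1)
SAMPLE = {
    "name": "Constructed Patient", "address": "1 Example Street",
    "nhs_number": "943 476 5919", "date_of_birth": "1950-06-15",
    "height_cm": 172, "gender": "F", "fev1_litres": 2.41,
    "notes": "Old report quotes 943 476 5919; device ref 943 476 5918.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, AS_OF))
```

The free-text pass matters because identifiers often survive in notes fields after the named columns have been dropped; anything that still identifies a person after this step should be encrypted before storage or transmission.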

Secure Access to Medical Data

Another layer of security is secure access. You will have to enter your password to start using any application in the medical practice. This may be a nuisance, but is necessary for data security.

There are other ways of logging on securely. Biometrics are sometimes used, such as the fingerprint scanner in Spirotrac. There is no need to be frightened of such devices: they do not scan your entire fingerprint and send it to Scotland Yard for a possible match! The sole purpose of these scanners is to confirm identity, just like a password. The scanner does this by measuring a few points of your fingerprint which are unique to you, but which are nothing like a complete fingerprint. Gel fingerprint scanners are a lot better than the 'swipe' fingerprint scanners like those found on laptops, can save a lot of time and do not require password changing.

Specialist Medical Data Storage

Electronic Medical Record (EMR) systems provide all kinds of practice management functionality but are in essence medical data storage and retrieval systems. Your practice may also use a different type of software: clinical support and decision making software. As mentioned earlier, such software is part of a medical device, or a medical device in its own right, and is by nature specialised for specific disease categories.

An example of this is respiratory disease. Many forms of lung disease are insidious, the sufferer being unaware that they have lung disease until late in life when most of their lung function has been permanently lost, resulting in increasing morbidity and early mortality.

By measuring and analysing longitudinal data an abnormal decline in lung function can be observed in the early stages and early intervention is strongly associated with improved quality of life for the sufferer and reduced healthcare cost for the NHS.

The specialised clinical support software will often connect with the practice EMR to show that data is available, but the data is not usually transferred, except in the form of a report document.

Expert Over-Read of Medical Data

Expert over-read is increasingly being used in the primary care practice. This has several advantages for the practice. It is used:

  • where the specialist expertise is not available
  • where a second opinion is required
  • for interpretation of complex patterns
  • for quality control purposes
  • for data collection purposes

An increasing number of types of diagnostic test data are being transmitted for over-read, which is becoming very low cost and highly automated. Tests such as:

  • Resting ECG
  • Ambulatory ECG
  • Ambulatory BP
  • Spirometry
  • e-Diary data
  • Scans of various types

The Importance of Maintenance in Medical Data Security

Proper maintenance of your medical devices does not just earn QoF points for your practice, it is also essential in medical data security.

Most software has an annual technical support licence which will ensure that you can get help when you need it and, most importantly, get the software updates in a timely manner. Many people are aware from their home PCs how often Microsoft delivers 'security updates'. These updates can affect other software on your PC, making it inoperable or vulnerable to security breaches. That other software, which includes medical software, must therefore also be routinely updated. These updates are nearly always free if you have a support licence. Keep it up to date!

This applies primarily to PC software medical devices, but can also apply to firmware driven medical devices, i.e. electronic medical devices which do not have a user accessible operating system. Updates in this type of medical device will often be a part of the annual Planned Preventive Maintenance (PPM) for the device, delivered by the manufacturer.

Conclusion

It is important for all staff in a primary care practice to recognise which data is 'personal data' under the current legislation. To ensure this they must be trained using real examples of data that they are responsible for each day.

Any data that makes it possible to identify an individual person which is not held in a secure environment, even temporarily, must be encrypted and treated with special care.

The practice manager must ensure that the medical devices and software have proper security and are routinely maintained, with up-to-date certification and support licences.