Monitoring Interoperability, Device Interface, and Security



R. Renee Johnson-Smith / Jillanna C. Firth


In today’s healthcare climate of increasing patient acuity, decreasing resources, and increasing financial constraints, the use of medical devices that interface with each other, as well as with the electronic health record (EHR), is imperative to improve the safety, quality, accessibility, and affordability of healthcare. So much of physiological monitoring has become digital, extending beyond the intensive care unit, telehealth ICU, and hospital units into the home, that the barriers to monitoring patient quality are no longer technical; they stem from a failure to capture data collected in silos that are not interoperable. A group recently convened by the National Academy of Medicine (NAM) described the new platform of interoperability and the need to develop uniform standards, procurement practices, and requirements for functional interoperability in care processes (National Academy of Medicine, 2018). The document begins with a challenge to physicians and nurses to evaluate the use of current devices and keep the interoperability person-centered.

With the interoperability and wireless nature of the devices comes an increased risk to security, and now cybersecurity. These needs are highlighted in this updated chapter.

This chapter will also describe the new projects at the National Institute of Standards and Technology (NIST) and at the Food and Drug Administration (FDA), which has regulatory authority over medical devices.

The scenario is real and possible today, as the situation describes, due to teams of experts working on standards that have been approved by the FDA. The actual procedure is due to advancements in surgery, technology, and regulations.


As we digitize more information and request it for analytics for quality assurance, research, and clinical care, standards are needed to drive interoperability. One solution has been to have all devices interoperable and common standards within the hospital environment. Another is for the persons procuring these devices to insist on interoperability of devices. A third is a blockchain solution for system design. The common theme of all these potential solutions is interoperability and standards based upon regulations. Each of these solutions is discussed in this chapter.

In a recent report by the National Academy of Medicine (NAM), a group of health industry experts from academics, government agencies, organizations, and professional societies developed a roadmap to facilitate Electronic Health Data exchange, integrate standards, and seamlessly exchange health data (National Academy of Medicine, 2018). A diagram for interoperability is shown in Fig. 31.1. The figure demonstrates that interoperability can be viewed in three tiers. A person who is entering the hospital and requiring physiological monitoring comes from a community. That person might have been involved in a critical fall while taking a selfie on a cliff. The ambulance dispatched to the scene begins to transport the patient to an emergency room or trauma center in the macro-tier. The transport team begins assessments, treatments, and imaging data collection. The hospital in the meso-tier can see the patient’s vital signs. Once in the emergency room or trauma center, monitoring begins integrated into the hospital EHR, pharmacy, laboratory, radiology, and so on in the meso-tier. The admission system becomes operational with administrative information. The evaluation of critical condition after surgery enters the patient into the micro-tier or patient point of care (POC) where numbers of sensors, programmable infusion pumps, and monitoring devices are connected in the micro-tier. This is where the break in the interoperability can occur since the patient’s medical history, comorbidities, and underlying disease severity are in an EHR that may not be available unless the patient had previous hospitalizations at the same hospital or networks of hospitals like Catholic Healthcare, HCA, Tenet, Kaiser, Department of Veterans Affairs, or Department of Defense. Upon discharge to the post-acute unit, the patient’s entire plan of care to achieve quality outcomes can be transferred.
Upon discharge to home or a rehabilitation facility, the patient’s hospitalization records, progress plan of care, and discharge summary can be embedded in the patient’s wearable devices making these records accessible as they begin a new plan of care in their home or via community resources.


• FIGURE 31.1. Example of Full Interoperable Health and Healthcare System (Reproduced, with permission, from Pronovost, P., Johns, M.M.E., Palmer, S., Bono, R.C., Fridsma, D.B., Gettinger, A., …Wang, Y.C. (2018). Procuring interoperability: Achieving high-quality, connected, and person-centered care. Washington, DC: National Academy of Medicine. Copyright © 2018 by the National Academy of Sciences. All rights reserved.)

The essence of interoperability in the NAM report is that integrating interoperable platforms and standards into the overall architecture should confirm improvements in patient quality outcomes and costs, and that these improvements can be demonstrated and disseminated. When users have shown successes from interoperability, and they insist on interoperability and standards in procurements, then the culture will shift toward interoperability frameworks.

One model of global medical record interoperability described was that of the DoD and VA. The two agencies are moving toward interoperability through a common platform to align strategies, plans, and structure with the Cerner platform.

A proposed rulemaking from the Office of the National Coordinator (ONC, 2019) recommends standards using Health Level 7 (HL7) and Fast Healthcare Interoperability Resources (FHIR) standards for healthcare application programming interfaces (APIs). These standard recommendations would also be a positive trend in making systems interoperable (ONC, 2019).


When the sixth edition of this book was written, the concepts of security were not stressed in the physiological monitoring chapter. But when the WannaCry malware outbreak occurred in May 2017, it was questioned how much medical devices contributed to this security breach. Since the patch that was needed was in Microsoft Windows, which was fixed within a month, it raised the issue of how thousands of medical devices hooked up to patients in a hospital and intensive care unit could be patched. Since the FDA has regulatory oversight on medical devices, the FDA issued draft guidance based on the NIST description of Tier 1 (highest security standards needed, based on the level of potential harm to patients) and Tier 2 (a standard security risk for the device).

The FDA or Agency is announcing the availability of a new draft guidance entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” As more medical devices are becoming interconnected, cybersecurity threats have become more numerous, more frequent, more severe, and more clinically impactful. There is a need to provide manufacturers with specific technical recommendations (e.g., appropriate threat modeling and other premarket testing) to help ensure device cybersecurity. The updates to the existing “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance are anticipated to better protect against risks, such as ransomware campaigns, that could disrupt clinical operations and delay patient care, and risks such as exploiting a vulnerability that enables attacks on multiple patients. This draft guidance is not final, nor is it in effect currently (FDA, 2018).

According to Wirth, medical device connectivity is expected to increase efficiency and productivity, improve clinical workflow, and lower costs while improving patient quality and safety. In a recent book on Healthcare Information Technology (2017), Axel Wirth describes the unique needs of securing devices. The application of innovative technologies in healthcare has added to improvements in quality of care but has proved challenging because of the complexity of proprietary software and the lack of standards. The nurse needs easy access to all the connected devices to care for the patient, but the possible security measures require software updates, sometimes for up to 2000 devices in a hospital. Taking all the devices down to repair them poses a huge health threat, but leaving them untouched leaves them without the up-to-date security measures needed to adapt to the ever-increasing number of cyberattacks in hospitals (Wirth, 2017).

As more device technologies are vulnerable to cyberattack, and more manufacturers adopt the Internet of Things (IoT) in manufacturing, NIST has added to the cybersecurity recommendations. Through the recommendations, manufacturers are encouraged to describe how their devices meet the cybersecurity needs of customers in different environments (NIST, 2020a).


Medical devices are regulated by the FDA in the United States. This process includes prioritizing engineering processes, formal testing, and well-documented release documents that attest to the benefits of the safety of the device. According to a recent FDA report from a summit of national leadership in the field, and of vendors and users of these devices, the movement under the threat of cybersecurity has been toward safety over flexibility (FDA, 2018).

One of the standards for healthcare is the NIST Cybersecurity Framework (CSF) for healthcare. As a government agency, NIST has the mission to conduct research and to develop and publish guidance for the protection of information technology and data (McMillan, 2017).


Because the volume of digital data has now exceeded the capacity of networks of systems and local servers, there has been a sharp rise in the use of clouds. The use of clouds has improved the storage, management, and access to data, and has expanded the flexibility to process cloud-hosted data for artificial intelligence and machine learning. The previous networks of servers can now use remote servers hosted on the Internet. The cloud allows healthcare systems to move the data center infrastructure outside of the organization.

The Healthcare Information and Management Systems Society (HIMSS) attributes the growth of clouds to two drivers: faster deployment and scalability, and access to advanced technology such as machine learning. Patient data alone has grown to include genomics, electronic health data including imaging, videos of patient gait, and mobile device data from patients in their home and environment (HIMSS, 2018).

Networked physiological monitoring devices bring unique security issues for the data, which depend in part on whether the data are in a public, private, or shared cloud. Some of the unique security issues include the access to data, identity of users and patients, ownership of data, multiple organizations on the same cloud and sharing data, and regulatory compliance (HIMSS, 2017).

Standardized Communications

The ability of medical devices to talk to each other requires a standard model, language, and communication structure, the most common in healthcare being HL7. According to Interfaceware, HL7 is by definition “an ANSI (American National Standards Institute) standard for healthcare-specific data exchange between computer applications. The name comes from ‘Health Level 7’, which refers to the top layer (Level 7) of the Open Systems Interconnection (OSI) layer protocol for the health environment. The HL7 standard is the most widely used messaging standard in the healthcare industry around the world” (Interfaceware, 2013).

The ONC-proposed rule supports the use of the HL7 FHIR standards for healthcare APIs, which is a positive trend in making systems interoperable (Federal Register, 2019). A part of the proposed rulemaking describes certification criteria for electronic health records to use HL7 FHIR standards along with implementation specifications. It will ultimately facilitate healthcare interoperability which would enable data sharing for both inpatient and population health. Since these are proposed rules, the reader should follow the ONC site for continuous updates (ONC, 2019). A center that is working to promote the HL7 and FHIR interoperability standards is the Center for Medical Interoperability (Center for Medical Interoperability, 2019). This center is taking the standards one step further to promote secure Plug and Play interoperability of physiological devices in a lab to solve technical challenges, and to develop research on the architectures and interfaces that allow improvements in patient quality and outcomes. The lack of Plug and Play contributes to clinician fatigue. The Center for Medical Interoperability hopes to test and certify the devices and technologies to meet the new interoperability standards. This type of interoperability could put devices in the future on an App Store for healthcare like your apps on your mobile devices.

IEEE has recently released standards, IEEE P1709—Standards for Wearable Cuffless Blood Pressure Monitoring, and IEEE P1752—Standard for Mobile Health Data, to ensure interoperability and communication between healthcare devices and computer systems (IEEE, 2014). These standards were developed to enable medical devices to share physiological data and to communicate with other computer information systems. These new standards were released to ensure safe and secure transmission of healthcare data from devices in advance of value-based healthcare and point-of-care services. The devices are broken down into the domain model, which defines the methods, attributes, and functions of the medical devices, and the nomenclature, which defines the terminology or codes across the devices. The standard will define specifications for APIs and assist in capturing and analyzing data from any type of connected device.

Other standards in the public domain are XML, JSON, and YAML language formats that enable detailed specifications of the devices (NIST, 2020b). These schemas are a part of the collaboration with industry to develop Open Security Controls Assessment Language (OSCAL) which allows the representation of common data types and defines objects to further device interoperability.


Device connectivity and operability require middleware. Middleware is a term with broad implications. For purposes of this chapter, middleware enables the integration of data between two or more programs, devices, or information systems. Middleware facilitates communication and data sharing. While the following is not all-inclusive, several types of middleware will be discussed such as integration engines, gateways, medical device data systems, and Class II medical devices for active monitoring.

Integration Engine

Often integration engine and interface engine are terms used interchangeably. In the healthcare industry, integration engines use HL7 to characterize their ability to manage all interfaces. The engines aggregate and share data regardless of the transmission protocol. They are responsible for message routing and translation.
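The translation and routing role described above, combined with the HL7 and FHIR standards discussed earlier, can be shown as a single validation-and-translation step. This is an added example, not code from the chapter or from any vendor's engine; the sender name `BEDSIDE_MON`, the allow-list, and the sample message are constructed, and only numeric, LOINC-coded results are handled.

```python
import re

# Constructed values: the sender name, patient and readings are illustrative.
ALLOWED_SENDERS = {"BEDSIDE_MON"}  # hypothetical allow-list of MSH-3 values
STATUS_MAP = {"F": "final", "P": "preliminary", "C": "corrected"}  # OBX-11
NUMERIC = re.compile(r"-?[0-9]+(\.[0-9]+)?")

class RejectedMessage(ValueError):
    """Inbound message failed validation and must not be routed onward."""

def hl7_to_fhir(raw: str) -> list:
    """Validate one HL7 v2 ORU^R01 message; return FHIR Observation dicts."""
    segments = [s.split("|") for s in raw.strip().split("\r") if s]
    if not segments or segments[0][0] != "MSH" or len(segments[0]) < 12:
        raise RejectedMessage("missing or truncated MSH header")
    msh = segments[0]  # split on "|" puts MSH-3 at msh[2] and MSH-9 at msh[8]
    if msh[2] not in ALLOWED_SENDERS:
        raise RejectedMessage(f"sender {msh[2]!r} is not allow-listed")
    if msh[8].split("^")[:2] != ["ORU", "R01"]:
        raise RejectedMessage("only ORU^R01 results are accepted")
    pid = next((s for s in segments if s[0] == "PID" and len(s) > 3), None)
    patient_id = pid[3].split("^")[0] if pid else ""
    if not patient_id:
        raise RejectedMessage("no patient identifier in PID-3")
    observations = []
    for obx in (s for s in segments if s[0] == "OBX"):
        if len(obx) < 12 or obx[2] != "NM" or obx[11] not in STATUS_MAP:
            raise RejectedMessage("OBX truncated, not numeric, or bad status")
        code, display, system = (obx[3].split("^") + ["", ""])[:3]
        if system != "LN" or not code:
            raise RejectedMessage("observation is not LOINC-coded")
        if not NUMERIC.fullmatch(obx[5]):  # rejects "", "nan", "72;x"
            raise RejectedMessage(f"non-numeric value {obx[5]!r}")
        unit = obx[6].split("^")[0]
        observations.append({
            "resourceType": "Observation", "status": STATUS_MAP[obx[11]],
            "code": {"coding": [{"system": "http://loinc.org",
                                 "code": code, "display": display}]},
            "subject": {"identifier": {"value": patient_id}},
            "valueQuantity": {"value": float(obx[5]), "unit": unit, "code": unit,
                              "system": "http://unitsofmeasure.org"}})
    return observations

SAMPLE = "\r".join([  # constructed message from a hypothetical bedside monitor
    "MSH|^~\\&|BEDSIDE_MON|ICU|ENGINE|HOSP|20210729120000||ORU^R01|MSG0001|P|2.5",
    "PID|1||12345^^^HOSP^MR||DOE^JANE",
    "OBX|1|NM|8867-4^Heart rate^LN||72|/min|||||F",
    "OBX|2|NM|59408-5^SpO2^LN||97|%|||||F"])
```

Rejecting the whole message on the first bad segment keeps a malformed or unexpected sender's data out of the EHR instead of forwarding a partial result.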


Data are transferred through a device gateway. This transfer is usually through a central server that consolidates and collates data and then forwards the information to the aggregator or EHR (Day, 2011).

Medical Device Data Systems

Unfortunately, not all medical devices use or know how to speak native HL7, so a medical device connectivity solution (MDCS) or a medical device data system (MDDS) is required (Table 31.1 provides the FDA description of MDDS). Medical device connectivity solutions are available via the EHR vendor, medical device vendors, and third-party vendors. Typically, EHR vendor and medical device vendor solutions work only with the vendor's own products, whereas third-party solutions are designed to be agnostic to the medical devices and can interface with a multitude of devices, sometimes referred to as enterprise-wide connectivity. The advantage of third-party vendors for a medical device connectivity solution is that it allows a single vendor to manage the interface between the enterprise-wide medical device data and the EHR rather than the facility managing a multitude of interfaces for each type of device (FDA, 2014). It also enables hospitals to choose any vendor for patient care–related devices regardless of the integration issues.

TABLE 31.1. Medical Device Data Systems


Jul 29, 2021 | Posted by in NURSING | Comments Off on Monitoring Interoperability, Device Interface, and Security
