Medical Equipment Safety
Patient safety is our primary concern when it comes to medical equipment. But modern, connected equipment has introduced threats that put not only patient safety at risk but also patient information, and a breach of that information can bring monetary penalties from the HHS Office for Civil Rights (OCR).
Medical equipment can be hacked in ways that leak medical information onto the Internet or make a tumor appear in a scan that isn't really there. Luckily, very few devices have been the target of these types of attacks. But there is more to medical equipment security than protecting it from nefarious hackers.
For instance, think about the navigation computer found in many CT rooms today. It uses cutting-edge graphics hardware to render internal structures. That same hardware can just as easily render Call of Duty in a sixteen-year-old's LAN-party gaming room for his buddies. To most people walking past, it is just a computer. But we can imagine what runs through our example miscreant gamer's head: I could have more friends over at my house. There's no way I could afford a $4,000 computer on my own. This is a hospital with deep pockets; they probably have insurance on it. If they cared, there would be cameras all over the place, and they would have locked it down. They're practically begging for this to be stolen. They won't even miss it. Yoink!
And just like that, the device is gone. He has probably reformatted the machine and is playing games on it, but you do not know for certain that he is not selling patient information. And when you are asked about it, the machine may have held hundreds, even thousands, of records. Unless the drive was encrypted in line with HHS guidance (in which case the data counts as secured and the theft is not a reportable breach), you are forced to report it to OCR. And then they ask what you did to protect the device from theft. And you do not have an answer.
OCR's penalty tier depends on how much you tried to protect your patients' information: whether you did not know about the risk, had a reasonable cause, or showed willful neglect that you did or did not correct. In this situation you did nothing, so the penalty lands in the willful-neglect tier and they dole out the maximum.
A similar situation happened at Lahey Hospital and Medical Center, which in 2015 agreed to pay $850,000 to settle with OCR, more than $1,400 per stolen record. Their case was supposed to be a lesson to everyone in healthcare: I need to protect the PHI on my medical equipment and document my efforts to protect it. But across the nation, most have still not heard this three-year-old message. And so OCR continues to hand out its largest penalties when hospitals fail to conduct a risk analysis and respond to the risks it finds.
How is your facility dealing with medical equipment security? If you’re behind the curve, CE-Tech can help you catch up, and fast.
Written by: Ben Archambault, CE/IT Operations Manager