As a follow-on to the previous three blog posts addressing the mIoT (that is, the medical Internet of Things), an Office of Inspector General (“OIG”) audit of the Food and Drug Administration (“FDA”) policies and procedures for guarding against medical device cybersecurity risk in the postmarket phase, that is, after devices are already in use, noted an important deficiency.
As you likely know, the FDA, which is an agency of the U.S. Department of Health and Human Services, is responsible for making certain that foods and drugs are safe. It is, however, also responsible for ensuring that medical devices coming to market are safe, which includes requiring that they incorporate cybersecurity protections against attacks that could alter the functionality of the devices and thereby harm patients. To do so, it has developed policies and procedures to review these protections in the premarket phase, before vendors bring the devices to market. The OIG audit looked at the other side of that process: what the FDA does about devices that turn out to be vulnerable once they are already in use.
The deficiency found in the audit was that several FDA district offices did not have written standard operating procedures (“SOPs”) for recalling suspect devices that might be vulnerable to cyberattack, that is, devices that hackers could gain access to in order to alter their functionality, steal patient data, or use as a foothold for attacks on health care networks.
To address this deficiency, the OIG recommended that the FDA take the following actions:
- Continually assess cybersecurity risks to medical devices and update its plans and strategies accordingly.
- Establish written procedures for securely sharing sensitive information about cybersecurity events with appropriate stakeholders.
- Enter into a formal agreement with the Department of Homeland Security (“DHS”) Industrial Control Systems Cyber Emergency Response Team to establish roles and responsibilities.
- Ensure that policies and procedures are established and maintained covering the recall of medical devices vulnerable to cybersecurity threats.
Although this report addresses the FDA’s own obligations rather than covered entities’ and business associates’ needs to protect devices within the mIoT, several of the recommendations parallel HIPAA’s requirements. For example, the continual assessment of cybersecurity risks is required by the HIPAA Security Rule’s Risk Analysis implementation specification and its Evaluation Standard, which calls for periodic technical and nontechnical evaluation in response to environmental and operational changes. Also, the sharing of information about cybersecurity events falls under the HIPAA Security Rule’s Risk Management Process and its Security Incident Procedures Standard. Further, the formal agreement with the DHS Industrial Control Systems Cyber Emergency Response Team calls to mind the need for similar agreements with other entities under the disaster recovery and emergency mode operation plans that the HIPAA Contingency Plan Standard requires.
Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar earlier this month on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on our Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. It will include the mIoT.
If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation.
Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.
Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist.
If you have had a security incident and were unsure exactly what to do about it, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.
As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts.
Check this blog for more on this area, that is, the risks inherent in the mIoT and possible security measures. We plan to keep you up to date as issues develop.