Increasing awareness and concern over information technology (IT) security and information privacy has shaped the current regulatory climate in the U.S., which is encouraging and enforcing related best practices. Accordingly, the medical device manufacturer community has experienced a significant increase in questions related to these aspects of healthcare.
This article seeks to provide guidance to healthcare entities seeking security-related information for medical devices and systems. By facilitating clear, comprehensive communication and providing insight on the response process, the hope is that device manufacturers can achieve expedited delivery of the information requested by customers. Due to the complexity of medical devices and systems, manufacturers have gone to great lengths to provide current and comprehensive information. The manufacturer community recognizes the importance of this information to customers' compliance efforts and its potential relevance to purchasing decisions.
Form over function: Getting the questions right
Many organizations have attempted to modify internal compliance documents or questionnaires -- those developed in the wake of the HIPAA regulations -- to serve the dual function of "security-specific" questions in a request for proposal (RFP). Often the wording of a question may be confusing to a manufacturer attempting to provide the most appropriate answer. For example, attempting to answer questions that are formatted in a manner distinct to the healthcare organization can add significant time and complexity to the response process.
Many providers develop an RFP for a medical device or system by seeking input from various departments, passing the document around, and requesting a list of questions from within the organization. These groups of questions are then forwarded as one large set without appropriate consideration of the interaction between the various sets of inquiries.
For example, an IT professional may not have a broad understanding of the clinical implications of the security questions posed, such as how the workflow may be impacted if an operating system patch installation is required. On the other hand, a clinician may not be aware that operating system patches must be validated prior to installation. Such nuances not only change the perspective of the questions, they are likely to be reflected in the responses.
To expedite the RFP and request for information (RFI) response process, seeking available vendor and manufacturer information (such as that contained in the Healthcare Information Management Systems Society [HIMSS] manufacturer disclosure statement for medical device security (MDS²) forms, which is endorsed by provider organizations) can provide information in a manner that is easily understood by the healthcare organization, and, with its understanding of specific needs and details, may be more quickly entered into internal compliance documentation. Alternatively, providing a list of questions that may be answered in a generic format, such as in a Microsoft Word document or Excel spreadsheet, will likely reduce the time it takes for the responding party to provide the information requested.
Form over function: Getting the right answers
Just as healthcare provider organizations employ personnel with a broad range of specialties, medical device manufacturers employ many levels of specialists with varied expertise. Some are clinical experts or product specialists, while others are connectivity and interoperability experts. Because the goal in responding to an RFP is to provide the most accurate and timely information possible, many individuals are involved in the response process. At times, several individuals may be working on one RFP response, taking advantage of the various technical resources available. Accordingly, security experts, and those involved in product engineering from a security perspective, will have an easier time responding to questions about the security functionality of the products in question -- especially if the questions are as specific as possible.
Understanding what you're asking for in your purchased product
Questions are often posed that a manufacturer cannot answer, as the inquiry is referencing a policy or procedure internal to the healthcare provider organization. Framing questions to address security needs of your organization is understandable; however, care should be taken to develop questions to seek appropriate and specific responses. For example, a question regarding disaster recovery could be posed in the following manner: What are your disaster recovery procedures/policies?
If this is posed as a general question, the responding manufacturer may not know how to address it in an appropriate manner. It could likewise be seen as a question pertaining to a departmental procedure, rather than a device-specific procedure. A vendor is then left to interpret the question and might respond about removable media rather than what the RFP author intended. A better way to phrase this is: How does your product support our need for recovering data following a disaster?
A general inquiry such as, "Explain the security of this system," can lead to a response that is either overinclusive or does not truly provide the information an organization may need to document various security aspects of the equipment or system. Questions that are broken down into precise topics, with specific requests for technical security functionality or feature information, are easier to answer and easier to document for compliance purposes.
Ask if the question can actually be answered
Additionally, and quite significantly, asking questions that are impossible to answer, due to the form of the question, can lead to miscommunication and can preclude an organization from obtaining the information sought.
For example: Is this system/device HIPAA-compliant? Is medical device manufacturer XYZ HIPAA-compliant?
These questions can only be answered one way -- No. However, this answer is misleading, as there may be many technical features or functions that provide HIPAA-responsive solutions, and medical device manufacturers want customers to be aware of those benefits. Medical devices and systems cannot be HIPAA-compliant. The only entities that can be HIPAA complaint are healthcare providers, healthcare provider organizations, or any other "covered entity" as defined by the HIPAA regulations.
Medical device manufacturers are not considered covered entities by the HIPAA regulations, and are therefore incapable of being HIPAA-compliant. This is also true for services -- such as remote service capabilities -- provided by noncovered entities.
Forming a question intended to elicit a response regarding the HIPAA-related functionality can be challenging; however, questions that are too general can result in either incorrect information, or information that is not useful.
Beware of limiting answers to yes/no
Not all questions can be answered with a simple "yes," "no," or "not applicable (N/A)." This is especially true when a field may not be available for including comments -- where the response requested is either "yes" or "no." This may be inappropriate or may limit the capability to provide substantive, useful information to a customer. One question about login or user IDs may be asked in various ways such as: Does the device or system limit the number of user ID/accounts?
This could be a tricky question to answer if the response is "yes" for administrative or service accounts, but "no" for user accounts -- especially when there is no option other than a drop-down menu containing "yes," "no," or "N/A."
Not all medical devices and systems are created equal
Many healthcare providers use one form or questionnaire to cover all product and system RFPs. While this approach may be time-saving in theory, in practice important information can be missed, or not even considered, if the specific system or device for which the RFP is created is not taken into account. Device manufacturers often receive a "standard HIPAA security questionnaire," or something similar. Depending on the product, these forms may have inapplicable questions.
Having someone with clinical and IT knowledge review the questions regarding a particular system is an efficient, effective way to ensure that the necessary questions are being asked, and that superfluous questions are deleted, to avoid confusion. Devices that will be placed on a hospital's network may have additional questions for network-related security and Web-based access information. However, those that are not, such as various mobile units or more simple systems, may have security functionality addressing physical security, electronic protected health information (ePHI)-related features, audit capabilities, and so on. Recognizing the applicable questions, and posing product-specific questions, can reduce the response time and assist in acquiring only relevant information.
RFPs come in many forms. The variety in RFPs parallels the diversity of the healthcare provider organizations. Security- and privacy-related questions are often posed as an individual section or part of the general RFP, instead of a separate form or questionnaire. In these cases, it is very helpful if the information being requested is true to the format of the RFP -- meaning that the security-labeled section contains only security-related questions.
Often, manufacturers receive RFPs that include network, connectivity, DICOM, and interoperability questions that may be unrelated to security, in the HIPAA or security section. If the questions are not worded carefully to elicit the desired response, they may be misunderstood.
Keeping it simple, making sense
The subject of security is not known for being simple. However, when seeking information regarding the security of a medical device or system, the principle of simplicity can be quite useful. Multipart or multilayered questions can be difficult to answer, especially when the vendor may not be aware of aspects of the requesting organization's infrastructure or enterprise-wide security strategy. Simple, one-part questions are the best way to ensure that correct and succinct information is provided.
The following are some guidelines to improve the effectiveness of your security RFP:
Clinical review as well as review by IT-knowledgeable personnel will ensure clear, concise questions that produce clear, relevant answers.
Ask for the vendor/manufacturer's security policy for an overall understanding of its comprehensive approach to security.
Seek device-specific information, understanding that medical devices vary widely due to engineering specifications and device functionality, and that what may be true for one device, may not be true for another.
Avoid restrictive "yes," "no," or "N/A" questions. When these questions are necessary, allow for additional comments to clarify answers.
Simple, single-layered questions elicit the most succinct and accurate responses. Multilayered questions can be difficult to respond to -- especially without the opportunity for discussion.
Certain responses may have dependencies, such a hospital's infrastructure or enterprise-wide security strategy. Unless a manufacturer has in-depth knowledge of such dependencies, these questions cannot be answered accurately.
By Kristen Knight
AuntMinnie.com contributing writer
November 6, 2006
Kristen Knight is an attorney and senior marketing manager for Bothell, WA-based Phillips Medical Systems' product security division.
Related Reading
GAO: CMS needs to improve IT security, October 4, 2006
Private parts: Breast cancer screening and HIPAA compliance, October 2, 2006
Practices that embrace EHR security regulations inspire patient confidence, July 14, 2006
HIPAA compliance remains inconsistent, April 12, 2006
Dealing with HIPAA changes in 2006, April 6, 2006
Copyright © 2006 Philips Medical Systems - Product Security