HIPAA Security Compliance for Biomedical Technology

The HIPAA Security Rule requires that healthcare providers have certain administrative, physical and technical safeguards in place by April 20, 2005 to ensure the security of electronic Protected Health Information (ePHI).

Are you aware that an increasing number of medical devices and systems contain ePHI and are therefore subject to HIPAA’s Security Rule? In fact, hospitals typically have 300 to 400% more medical devices and systems than information technology (IT) devices and systems. Yet many hospitals have focused on IT and largely ignored medical device security issues … presumably because most compliance officers and consultants come from an IT background and understandably have little knowledge of medical devices and systems or the security risks associated with them.

For many years, industry experts and organizations such as ECRI, the Health Information and Management Systems Society (HIMSS) and the American College of Clinical Engineering (ACCE) have been advocating for HIPAA Security compliance programs that incorporate medical devices. In June 2004, ACCE and ECRI co-published the industry standard on this subject, Information Security for Biomedical Technology: A HIPAA Compliance Guide. In late 2003, HIMSS established a Medical Device Security Workgroup which subsequently developed the Manufacturer’s Disclosure Statement for Medical Device Security (MDS2) form and other HIPAA-related medical device security resources.

If you suspect your organization’s medical devices and systems may not have been adequately addressed with respect to the HIPAA Security Rule’s requirements and April 2005 deadline, allow Strategic Health Care Technology Associates (SHCTA) to provide you with a proposal.

e-mail inquiries  

As the author of the ACCE ECRI Security Guide, chair of the HIMSS and ACCE committees addressing medical device security, and a frequent writer and lecturer on this topic, SHCTA Principal Associate Stephen Grimes is a nationally recognized authority on the HIPAA Security Rule’s implications for medical technology. He brings this experience to SHCTA’s HIPAA Security Compliance for Biomedical Technology consulting service. With our thorough knowledge of the best practices and tools available to address medical device security and HIPAA compliance issues, we have designed SHCTA services to “jump start” the medical device security process at your organization and ensure it fits into your overall compliance program.

Examples of Medical Device Security Services include:

Evaluation

Planning
Given the organization's size, services and resources, develop a practical plan for

Risk Assessment

Risk Mitigation & Remediation Plans including recommendations regarding

Education, Training & Support for

Five Key Risk Management Steps in any Healthcare Organization's Information Security Management Program

Illustration of HIPAA Security Compliance Process for Biomedical Technology

© SHCTA