Stephen L. Grimes, FACCE, FHIMSS

Today, we frequently hear the word "security" used in a variety of contexts, often associated with topics where security (or the lack thereof ) has ominous implications for safety, health, or protection. As in other contexts, security has become both a rapidly growing and critical concern for us in the medical device industry. In our case, it is typically the security of medical information that poses the greatest concern. By medical information, I mean all medical data—such as diagnostic and therapeutic—being transmitted or maintained by medical devices.

To better understand the nature of the medical information security issue, it is helpful first to recognize that today's typical medical devices are often specialized computers with built-in microprocessors capable of collecting, analyzing, and transmitting an increasingly wide array of data. Many of these devices also have the capability to network with other medical devices and information systems, thereby significantly extending the range over which their data is sent and used. A consequence of this growing computerization and networking is that health care providers are becoming increasingly dependent on this data. Since they are more dependent on this information, any disturbance or interruption in the flow of data has the potential to severely compromise a health care provider's clinical or business operations.

In the information technology (IT) industry, security is defined in terms of three elements: data integrity, data availability, and data confidentiality. It is in these same areas that clinical engineering also must focus to effectively address the security of medical devices. It is only by putting an appropriate level of administrative, physical, and technical safeguards in place that we can ensure the security of medical information that providers have come to rely on for providing patient care and maintaining their business operations.

The security of all medical data—such as diagnostic or therapeutic—being transmitted or maintained by medical devices poses the most concern.

Summing up the forces driving the need for an effective medical information security program, we have a situation where:

• There is a proliferating number of medical devices that collect, process, store, and transmit critical medical information;
• Clinicians are becoming increasingly dependent on the information these proliferating systems provide;
• The increasing number and complexity of these proliferating systems has resulted in a corresponding increase in the number of system vulnerabilities (possible sources of failure, for example).

A Growing Concern

For the reasons outlined above, medical information security issues will continue to be a growing concern and will in fact be the primary focus of this coming generation of clinical engineers. To adequately address the challenge of medical information security, I believe we need to consider adding a new role for clinical engineers: clinical systems engineers. In their institutions, these clinical systems engineers would be responsible for coordinating an organizationwide program to ensure the effective deployment, integration, and support of interconnected medical systems.

Specifically, the clinical systems engineer's responsibilities would include:

• Maintaining a current inventory of networked and integrated medical systems, including a catalog of services, features, and interconnections;
• Coordinating a security management process including risk (criticality and probability, for example) and vulnerability analysis, and related documentation associated with interconnected/integrated medical systems;
• Coordinating with stakeholders a process to prioritize, develop, and implement a plan to manage/mitigate identified risks associated with interconnected/integrated medical systems by applying appropriate administrative, physical, and technical safeguards;
• Maintaining the integrity of FDA approval for interconnected/ integrated medical systems;
• Working with stakeholders to ensure effective deployment, integration, and support of new medical systems into legacy systems and nonmedical elements of the organization's information infrastructure. This would include working to assure systems are deployed into an optimum—secure and supportive—environment, continually reviewing system components to determine which are obsolete or otherwise no longer adequately supportable, and planning for and implementing component upgrades/replacement in a timely manner.

The above works with:

• Identifying and managing appropriate software upgrades, security patches, and antivirus installations for interconnected/ integrated medical systems according to industry best practices;
• Conducting root cause analysis and failure mode effects analysis on incidents involving integrated medical systems, and reporting findings to appropriate stakeholders for follow-up action;
• Monitoring and adopting industry best practices to insure integrity, availability, and confidentiality of data maintained and transmitted across interconnected and integrated medical systems;
• Educating stakeholders on security and other implication associated with the proliferation of interconnected and integrated medical technologies;
• Supervising clinical engineering and other staff in clinical systems integration and infrastructure support (hybrid reporting structure, project supervision) as necessary.

In addition to the typical education and experience qualifications for a clinical engineer, the clinical systems engineer might also possess:

• Experience in information systems;
• Project management and planning skills/experience;
• Strong communication and team building skills across functional areas;
• IT-related professional certifications such as certified information systems security professional, administered by (ISC)²; Cisco certified network associate, or Cisco certified network professional; and Microsoft certified systems administrator or Microsoft certified systems engineer.

The clinical systems engineer would need to work with stakeholders in other areas including:

• Informatics (including network support and disaster recovery);
• Clinicians (system users including physicians, nurses, technologists, etc);
• Medical system manufacturers/vendors;
• Risk management and quality assurance;
• Information security;
• Medical procurement;
• Clinical engineering.

The medical information security challenges I have described exist today and will continue to grow rapidly as new integrated health care technologies emerge and are deployed. The best possibility we have of addressing these challenges now and in the future is to begin preparing candidates to fill the role of clinical systems engineers. This will require significant changes in the curricula at our educational institutions, creating new best-practice guidelines, new or revised certification programs, and new organizational roles. Developing this new role will also require the collaboration of clinical engineering and IT professionals.

It will take some time to prepare the necessary quantity of qualified clinical systems engineers. While preparing the next generation of engineers, and to address the immediate needs, we need to work with our colleagues in IT and use existing IT and clinical engineering resources at least to begin identifying our institution's security issues related to medical technology, address the major issues now, and plan for the acquisition of the clinical systems engineering resources necessary for the future.

Read previous Networking articles from past issues of 24x7 by searching for Tech Talk in our online archives.

It is a major challenge because these security issues exist now, and the industry has not yet adequately prepared itself. Just over 35 years ago, clinical engineering's major growth came as the result of a consumer advocate claiming in the press that 5,000 patients a year were dying as a result of receiving lethal microshocks from substandard medical equipment. Today, there are plenty of anecdotal reports that address security compromises to medical equipment—compromises that do adversely affect patient care or business operations. Hopefully, our industry can be sufficiently proactive and apply appropriate resources to address these very real security issues before security failures start making "good" headlines.

Stephen L. Grimes, FACCE, FHIMSS, is vice president, enterprise resource planning, Technology in Medicine Inc, Holliston Mass; and president, American College of Clinical Engineering. For more information, contact