Greg Herr, BSEE, MBA, CCE	Mark Prell, BS, AS, CBET

Recently, our clinical IT services were called upon by a hospital for which we do not normally provide these services. When our engineers responded, they found the hard drive was starting to fail. As part of the normal process of assessing the system, it was discovered the system was connected to the hospital network, which in itself is not an issue. However, passwords, antivirus, and security updates were not enabled. In reality, there were multiple problems, the most pressing of which was a pending hard drive failure, with the application software not available and no backup/ghost of the drive, plus all of the patient data, which could have been lost. Second, but still critical, there was no antivirus software, OS patching process, security, or ongoing monitoring enabled on the system.

The point of this incident is not what was done to correct the problems, but how many hospitals are in this same situation: A medical IT device or system is connected to the network with inadequate protection; with little or no system administration; and lack of processes to monitor, alert, and correct issues on a real-time basis. Just as it is unacceptable to have a new system introduced into the clinical environment without inventory, inspection, and in-service, it is equally unacceptable to enable these systems without properly securing and protecting them from an IT standpoint.

Issues

The issues are security, protection, cost, and quality, and related to these, customer satisfaction.

• Security: Is the patient information secured and protected? Is it backed up? What level of OS patching has been performed? How is the system protected from a virus or other malicious software?
• Cost: Without a valid backup or ghost of the system, reinstalling the software (that is, obtaining a loaded drive from the OEM) would have had taken several thou- sand dollars and a week of downtime, resulting in cancelled cases on top of the loss of relevant patient data.
• Quality: Loss of patient data, delayed diagnosis/ treatment, and possible duplication of exams affect the care and quality of services provided.
• Customer satisfaction: The week of downtime would have resulted in cases cancelled, delaying patient diagnosis/treatment, and aggravating the patients, referring physicians, and the department. This could result in the exam performed in a competing entity. Even though this system is in the biomedical inventory and had routine scheduled inspections, the "computer safety processes" were outside the scope of the program. The internal IT department was unaware of the existence of this device. Consequently, it was not included in its program, including antivirus, patch management, and backup schedules. In addition, in this situation, IT did not want the responsibility.

New Requirements

As clinical engineering assumes more of a role in clinical IT devices/systems—as we must—clinical engineering is going to be asked by various entities, such as the IT security officer, safety/security committees, clinical departments, and the administration, for risk-assessment reports. We, as biomedical equipment technicians and clinical engineers, must have the tools and processes to answer these questions, just as we have for electrical and device safety, scheduled maintenance, repairs, and clinical user issues.

The IT Toolbox

What are the tools needed to comply with these requirements? Just as we had to develop or acquire tools for electrical safety, calibration, and repairs, we now need to provide the same capabilities for clinical IT systems. The new inventory will need to include network addresses, antivirus protection schemes, patch histories, passwords/accounts, and monitoring for system errors or alerts, not inclusive. Remote access is a must, as well as network tools that can determine the current network protocols, speed, and if errors are reported on the switch. Some of the tools needed are shown below, but this list is not all-inclusive and it assumes needed laptops/workstations with software.

• Backup/ghost software;
• Remote access software;
• Patch management software;
• Antivirus software;
• Network analyzers;
• Hard drive recovery software;
• Account management software;
• HL7 and DICOM interface tools;
• System diagrams;
• HIPAA compliance/assessment tools;
• Real-time monitoring and notification of system errors/failures/log reports;
• Reporting capabilities for risk assessment, QA, and ongoing issues; and
• Biomedical equipment asset systems redesigned to include the IT data.

Medical systems continue to evolve. In the past 25 years there has been a steady progression toward computerization. The standardization of networks, the World Wide Web, accelerating computational capacities, new software capabilities, and wireless features—to name a few technologies—have not only changed familiar devices, but they enable the development of new devices/systems. These new IT-based clinical systems have risks and potentially serious issues if not properly monitored and secured, similar to the early days when new electrical medical devices were introduced with little or no thought about how to make them safe and protect the patient, staff, and hospital from their risks.

This now needs to done for medical device IT-based systems. The dangers include loss or theft of patient data (electronic protected health information, or EPHI), software errors, system crashes, hardware failures, hackers, and poorly administrated systems. Patient outcomes can be negatively impacted due to all of these threats. Without these tools, it is impossible to properly manage and support these systems to the level needed, or these systems will fall to other departments willing to take them on. We have to consider that this is as electrical safety was in the 1970s—a problem that needs specialized attention.

New capabilities within clinical engineering maintenance software, the incorporation of IT-based software tools, and a full understanding of HIPAA, along with training and engineering expertise, are needed. Many of these systems cannot be maintained by standard IT processes due to the real-time monitoring of physiological parameters, alarm conditions, etc. It is up to the medical device experts—the clinical engineers and BMETs—to provide this service in cooperation with IT and clinical departments. In most cases, our experience has been positive; they want our help, and in return they assist in providing more resources or expertise, as needed.

The new tools will be software based, using databases and applications with features that are familiar to many of us already, but with new capabilities targeted to the dimension of IT. These new parameters include network information, real-time monitoring of device status, administrative management, network diagrams, patch scheduling, monitoring of patches released from medical device companies, and virus protection, along with risk-assessment tools able to generate concise and informative reports.

By the way, what success did the team have on that medical device discussed earlier? Downtime was minimized to about 2.5 hours (from an estimate of a week), the hospital avoided about $4,000 in hardware/software expenses, and prevented a week's worth of patient cancellations with resulting revenue impact. In addition, the patient data was not lost and the hospital is now on a computer safety support process, where its other systems are being assessed. How is your clinical IT management plan?

Greg Herr, BSEE, MBA, CCE, is director, imaging support/technical assessment, for Masterplan Inc at the Health Alliance and The Christ Hospital in Cincinnati; and Mark Prell, BS, AS, CBET, is the manager of clinical information systems for six hospitals for Masterplan's Cincinnati accounts. For more information, contact .