Faced with ambiguity, biomeds take the lead to ensure the integrity of data transmitted via telemedicine

One day, a short while ago, a nameless pathologist was viewing family photographs on her computer. Her family photos looked a little funny, so she adjusted their colors to improve the appearance of her loved ones. Unbeknownst to the pathologist, the color adjustment also affected the images of the slides she viewed remotely through a telemedicine service, altering the appearance of certain indicators as well. As a result, some patients were misdiagnosed.

The pathologist is nameless because the story has not been traced to an actual source but has been passed down from colleague to colleague. Is it an urban legend, or did it happen? Does it matter?

Like most urban legends, the story serves as a cautionary tale for the dangers inherent in care delivered remotely. And just as we should not be afraid to eat Pop Rocks and drink soda, this story should not turn the medical community away from telemedicine. The benefits of telemedicine far outweigh the risks. Monitored and maintained properly, information is transmitted accurately and securely.

Regulations exist to guide institutions in achieving this level of quality. But there are two ends, and regulations at each end may differ. Navigating these rules can be a challenge for those responsible for compliance, but even that can be ambiguous at times. Because of the nature of telemedicine, there is often crossover between biomedical engineering and information technology (IT) departments. Biomeds should take the lead, says Paul Ostrowski, PhD, CCE, chief of biomedical engineering, John D. Dingell VA Medical Center in Detroit.

“Biomeds need to be aware if telemedicine is becoming part of the landscape in their hospital and get involved. Otherwise, instead of being on the front end, helping to make sound equipment decisions, they’ll be on the back end, reacting to a negative situation placed in front of them,” Ostrowski says. Proactive biomed involvement can help remove some of the ambiguity in telemedicine, creating smart solutions that best serve the patients.

Big Potential
Telemedicine covers a broad array of services and disciplines, and an institution can employ it as little or as often as its needs demand.

It is used in cardiology, dermatology, HIV/AIDS, home care, mental health, pharmacy, radiology, rehabilitation, prison-based and school-based services, and trauma and emergency care. Existing and experimental applications include patient consultations, disease management, education, electronic medical records for rural health systems, remote surgery, and specialist referral services.

The FDA Defines “Medical Device”
Just how does the US Food and Drug Administration (FDA) define a medical device? According to section 201(h) of the Federal Food Drug & Cosmetic Act (www.fda.gov/cdrh/devadvice/312.html#link_2.), a medical device is:

“An instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory which is:

• Recognized in the official National Formulary, or the United States Pharmacopoeia, or any supplement to them;

• Intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals; or

• Intended to affect the structure or any function of the body of man or other animals, and which does not achieve any of its primary intended purposes through chemical action within or on the body of man or other animals, and which is not dependent upon being metabolized for the achievement of any of its primary intended purposes.”

Tim Gee, principal at Medical Connectivity Consulting (Beaverton, Ore), summarizes: “The short answer is that anything, other than a drug, that is used in the diagnosis and/or treatment of a person or animal is a medical device.” —RD

At the Baystate Health Systems in Springfield, Mass, telemedicine is used to provide after-hours imaging coverage at the institution’s smaller facilities and at a referral site to determine whether patients there should be sent to the main hospital, according to Jeff Bronke, MSBME, the facility’s supervisor of clinical engineering. “We also have telemedicine grants allowing some information to be sent from patient homes, but that service is limited at this point,” Bronke says.

Telemedicine has been found to increase cost efficiency, reduce transportation expenses, improve patient access to specialists and mental health providers, improve quality of care, and create better communication among providers. But to do all this, the systems on which the information is captured, transmitted, and viewed must have their security and integrity maintained at all times, and on both ends.

Keeping It Real
Since it is impossible for any biomed to be in two places at once, each party is responsible for the integrity of the data at his end. Ostrowski uses the transmission of a retinal scan as an example.

“The person sending the image or the person who does the scan and sees the picture on a monitor is expecting that image to be a correct representation of the retina of the patient. If they send that down the wire to a physician for diagnosis, or an ophthalmologic surgeon for possible surgery, the doctor on the far end has to have confidence that the image displayed on his screen is indeed a correct representation of the patient’s eye. Essentially, you cannot bypass the integrity of the image at either end of the chain,” Ostrowski says.

In some cases, one institution assumes more responsibility. “In these types of services, there is usually a ‘mother ship’ and a satellite facility. The mother ship assumes more of the responsibility, especially for directing the satellite in the proper use of the system. The degree of responsibility varies by the relationship between the two parties, for instance, whether both are owned by the same system or separate entities, and whether or not the satellite got its part of the system through—or specified by—the mother ship,” says Tim Gee, principal of Medical Connectivity Consulting in Beaverton, Ore.

If there is no mother ship, however, some are concerned that physicians will not have the knowledge or resources needed to perform the maintenance and quality control that ensures the integrity of their systems. “You are concerned with the brightness of the screen, the grayscale, and other requirements, but who is checking the screen in Australia or the doctor’s office?” Ostrowski asks.

“We put the onus on the receiving group or individual to render whether or not the information received is acceptable. We assume responsibility for making sure the information reaches its destination. I’m not sure whether or not that’s right, but in some cases, transmitting to Australia for example, it’s almost physically impossible to check,” Bronke says.

In any event, both parties play a role in the proper operation of the system. Specifications and directions for use from a regulated device should be followed and should include procedures for ensuring that the entire system is able to operate properly, according to Gee.

Equipment can drift; monitors do go off calibration. An off-label use, or a system put together by the health care provider, should have the process defined to ensure proper configuration, performance, and operation of the system based on a risk analysis done by the health care provider. Industry standards, such as DICOM, help to ensure integrity at the other end. “The industry is hoping there is consistency,” Bronke says.

Keeping It Legal
Consistent, however, is not an adjective many would use to describe the regulations that govern telemedicine. By its nature, a service that crosses geographical boundaries is likely to encounter some challenges. Whose rules apply?

“That’s a real sticky wicket. Medical-device regulatory issues are consistent within the United States. Between the US and Canada, Europe, and Latin America, regulatory harmonization should cover any contingencies. Be sure to get the manufacturer’s advice, and talk with other customers who may be providing the same cross-border services,” Gee advises.

“Physicians have to meet the requirements of both, and conflicts have to be worked out in the contracting process. So a certain procedure may be allowable in Australia, but when they are dealing with information from the United States, they have to conform to the rules and regulations of the US Food and Drug Administration (FDA) and the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), if the hospital is JCAHO-accredited, over and above what they may have to do in Australia,” Ostrowski says.

Baystate Health Systems turns to its legal department. “They will develop a contract with the respective vendor in regard to whose jurisdiction the information needs to adhere to,” Bronke says.

Keeping It Safe
Knowing whose rules apply does not necessarily mitigate ambiguity, however. Despite the FDA’s official definition of what constitutes a medical device (see sidebar, page 20), there are still gray areas, particularly since organizations, such as the JCAHO, may have a more expansive definition. Much of the gray area concerns telecommunications.

Ostrowski has seen the issue in the Joint Commission Environment of Care News Sourcenewsletter. One example is the July 2005 issue, in which someone asked whether a fax machine used to transmit lab results is considered a telemedicine device.

JCAHO’s expert answer was that the commission does not inspect public utilities so phone lines or data lines would not be part of a review, but that if communications were problematic, the medical facility should develop alternative or backup methods.1 “Similarly a fax machine, which normally would not be considered clinical equipment, could in a telemedicine application merit heightened attention from those maintaining other clinical equipment.”1

“It can get murky as to where the definition of a medical device ends and IT equipment for the transfer of information begins. The general guidelines suggest if it’s not at the end where you are diagnosing patients, it’s not a medical device,” Ostrowski says.

Of course, the FDA has the final say on what constitutes a medical device, so biomeds should make a determination based on the intent of the FDA law, experts advise. The regulations of accreditors, such as the JCAHO, must also be incorporated.

Gee recommends that when using a regulated device in accordance with its intended use, biomeds follow the manufacturer’s directions and ensure that operational specifications are met. “With systems like telemedicine or remote monitoring, a biomed team might want to do a formal risk analysis of factors required for safe system operation. Policies and procedures should be developed and implemented to ensure that the system is configured properly and everything meets specifications. If the operation of the system entails departments other than biomed—such as IT, nursing, or a medical service—a cross-functional team should be used to review the risk analysis and recommendations for mitigating risk,” Gee says.

Keeping It Secure
Cross-functional teams may also be used to maintain telemedicine systems since IT departments may be asked to play a role, but biomeds should have control. “Biomeds typically take the lead in ensuring patient safety when devices of any kind are involved. A natural extension of this role would be to take a leadership position in ensuring the safety and effectiveness of a remote monitoring or telemedicine system,” Gee says.

Bronke agrees. “If the biomed doesn’t own the cabling, it is his responsibility to work with the appropriate groups to ensure that the information needed to treat the patient is where it needs to be when it needs to be,” Bronke says.

IT may specifically be asked to play a role in the security and privacy of the system. “We would work with the vendors and the clinical folks to define the security and privacy requirements, and then with the IT department, who would be responsible for setting up secure communication lines. So again, biomeds facilitate. We treat the entire system, overseeing how it’s going to work. And when it comes to the IT piece, the IS [information systems] group handles the security piece,” Bronke says.

In general, biomeds do not assume much responsibility for privacy and security. Oftentimes, compliance falls under the purview of the institution’s security officer. But biomeds may be responsible for some portion. Ostrowski’s team ensures that the hospital’s telemedicine network is free from outside taps and has the appropriate antivirus and firewall software. But even this portion can be challenging.

“The FDA has stated that anything on a medical device, including the software, has to be approved by the manufacturer of the equipment. So if I am putting in a new radiation oncology treatment system that has to go on to the network to get images from a computed tomography (CT) machine, and I have no control over the network between the treatment planner and the CT, I can’t just put the software on the treatment-planning computer unless the manufacturer says it’s OK. Otherwise, I have adulterated a medical device,” Ostrowski says.

“We are oftentimes at the vendors’ mercy with the type of security and privacy that can be put in place,” Bronke concurs. As a result, his team works closely with vendors, as well as across departments.

Gee also notes the role manufacturers play. He advises that biomeds ask each vendor to complete a Healthcare Information and Management Systems Society (HIMSS) Manufacturer Disclosure Statement (MDS2) for medical-device security. The information is collected as part of a thorough analysis of the telemedicine system. How is patient-identifiable data transmitted, stored, and purged from the system? “A risk analysis should be done to identify all privacy and security risks and to develop mitigation strategies for overcoming those risks,” Gee says.

This may require enhanced IT skills. Bronke’s team is developing members whose IT knowledge is stronger than has traditionally been the case. Ostrowski also recommends that biomeds take the lead in acquiring the new skills needed to maintain telemedicine systems. Doing so will help to ensure the integrity of the data, as well as the application.

Renee DiIulio is a contributing writer for 24×7.

Reference
1. Joint Commission on Accreditation of Healthcare Organizations. Association for the Advancement of Medical Instrumentation Q&A. The Official Joint Commission Environment of Care News Source. Oakbrook Terrace, Ill: Joint Commission on Accreditation of Healthcare Organizations. 2005 July;8(7):5.