While the pursuit of true interoperability in healthcare continues to accelerate, data security concerns still loom large. Data standards, security and privacy requirements, and advanced health IT systems are critical to achieving full healthcare interoperability, according to a report from the Hospital Agenda for Interoperability.
In truth, full and unfettered interoperability is not always the goal if it comes at the expense of data security or patient safety. That’s one reason why a custom medical device can be both the nexus point for interoperability and a model showing how limited interoperability may be the answer to some safety and security concerns.
Understanding Interoperability and Data Security
To understand why full interoperability for data in transit and device control access across a complex healthcare system network may not always be the right approach, we need to agree on a definition for full interoperability. From a data perspective, the Healthcare Information and Management Systems Society (HIMSS) describes the foundational level of interoperability as:
Data exchange from one information technology system to be received by another and does not require the ability for the receiving information technology system to interpret the data.
The definition stops short of requiring that all data in transit be shared across all systems, since securing all data across the network can be a daunting task. Three regulatory areas that reveal the potential vulnerability of systems that share all data without a high level of safeguards include:
- The strict Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Information Technology for Economic and Clinical Health (HITECH) Act
- Compliance rules for Electronic Protected Health Information (EPHI)
Not all data needs to go to all systems and all users all the time, so some forms of limited interoperability will be part of the eventual interoperability mix. Custom-made medical devices that perform specific diagnostic tasks and connect to specialty peripheral devices used for treatment are a perfect example of when limited interoperability is a security safeguard.
This does not necessarily make the device incapable of sharing data. Such medical devices add safeguards that would require an additional protocol safety step to share an electronic health record (EHR) on a network or with clinical information systems (CIS).
Secure Interoperability Models with a Custom Medical Device
Commercial tablets have many PHI security limitations, which show why a custom medical device is needed as an important diagnostic tool, peripheral medical device, and medical data access tool. Custom medical device manufacturers are therefore in the best position to accommodate the specific needs for patient treatment and equipment maintenance, including:
- Access control for medical treatment personnel authorized to provide certain treatments, and potentially for treatment of specific patients
- Limitation of the time periods that the device connects to a network
- Encryption and authentication of remotely provided device commands for monitoring and potential treatment of the patient
- Administrative security for device EPHI data access based on the patient being treated
- Physical security for access control, hardware removal, and theft
- Smart security that uses encryption, authentication, tamper detection, secure execution, and more
- Automatic and remote management of deployed devices, including geographic-based operation and health monitoring
- Limitation of device remote control and access for the protection of patient safety and privacy
But device manufacturers and the healthcare continuum must keep in mind that interoperability is not an all-or-nothing proposition. There are several instances where some form of limited interoperability may not only be desirable, but necessary.
The Merits of Limited Interoperability Through Custom Made Medical Devices
These custom medical devices can provide very targeted interoperability based on very specific communications protocols that may be proprietary to a specific device or set of devices. Regardless of this level of specificity, they will still provide communication with patient databases for information retrieval or storage.
Manufacturers include wired and wireless networking encryption protocols within the device, which are usually limited to those necessary for specific device functions. They additionally provide purpose-built security features that require specific conditions to enable remote access. The result ensures optimal data security for any interaction with the broader WWAN, LAN and the cloud for data transfers where interoperability is needed, while limiting access in a way that inherently protects information and patient safety.
Successful design, regulatory certification, and production of custom medical devices or medical-grade tablets require a careful balance across several important parameters. The first is the need for raw technical capability across several engineering disciplines (electronics, software, mechanical, systems, and more). This works in combination with the following:
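One way a device could enforce "specific conditions" before acting on a remote command, as an added example that is not from the original article or from any manufacturer: the command must be authenticated, arrive inside the device's connection window, be fresh and unreplayed, and come from an operator authorized for that patient. The key, window, operator and patient names, command names, and the 30-second freshness limit are all hypothetical; transport encryption is assumed to be handled separately.

```python
import hashlib, hmac, json
from datetime import datetime, time, timezone

# All values below are constructed for illustration (hypothetical policy).
DEVICE_KEY = b"constructed-demo-key"          # per-device shared secret
CONNECT_WINDOW = (time(8, 0), time(18, 0))    # UTC hours the device accepts commands
AUTHORIZED = {"dr_lee": {"patient-001"}}      # operator -> patients they may treat
ALLOWED_COMMANDS = {"read_vitals", "set_infusion_rate"}
MAX_AGE_S = 30                                # freshness limit for a command

def sign(command, key=DEVICE_KEY):
    """HMAC-SHA256 over a canonical JSON encoding of the command."""
    body = json.dumps(command, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def evaluate(command, tag, now, seen_nonces):
    """Return (allowed, reason). Every condition must hold; first failure denies."""
    if not hmac.compare_digest(sign(command), tag):      # constant-time compare
        return False, "bad_signature"
    t = now.astimezone(timezone.utc).time()
    if not CONNECT_WINDOW[0] <= t < CONNECT_WINDOW[1]:
        return False, "outside_connection_window"
    if abs(now.timestamp() - command["issued_at"]) > MAX_AGE_S:
        return False, "stale_command"
    if command["nonce"] in seen_nonces:
        return False, "replayed"
    if command["patient"] not in AUTHORIZED.get(command["operator"], set()):
        return False, "operator_not_authorized_for_patient"
    if command["name"] not in ALLOWED_COMMANDS:
        return False, "command_not_permitted"
    seen_nonces.add(command["nonce"])                    # record only accepted commands
    return True, "ok"

if __name__ == "__main__":
    now = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)  # constructed timestamp
    cmd = {"name": "read_vitals", "operator": "dr_lee", "patient": "patient-001",
           "nonce": "n1", "issued_at": now.timestamp()}
    seen = set()
    print(evaluate(cmd, sign(cmd), now, seen))   # first delivery
    print(evaluate(cmd, sign(cmd), now, seen))   # same command delivered again
```

Each denial reason is distinct so the device can log why a remote command was refused, which supports the health monitoring and audit needs listed earlier.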
- Full use case and requirements development
- Rigorous design processes
- Planning for device and information security
- Compliance control
- Supply chain management
- Sustained engineering processes
This shows why it often makes sense to seek the help of a custom medical device manufacturer with a track record and proven processes for developing customized, purpose-built medical devices.
As the healthcare continuum pursues a workable form of interoperability, management of patient-focused requirements with information security will continue to rise in importance. The goal is to deliver a connected medical device design that meets the needs of healthcare personnel and patients in the digital age while never compromising patient and data safety.