Feds to Conduct Audit of Hospital Networked Medical Devices

The Office of the Inspector General for HHS will conduct an audit to determine whether networked medical devices at U.S. hospitals are secure enough to effectively safeguard protected health information and ensure patient safety.
The Department of Health and Human Services Office of the Inspector General will conduct an audit looking at whether the security of networked medical devices at U.S. hospitals is sufficient to effectively safeguard electronic protected health information (ePHI) and ensure patient safety.

Medical devices such as dialysis machines, radiology systems and medication dispensing systems that are “integrated with electronic health records and the larger health network, pose a growing threat to the security and privacy of personal health information,” states OIG’s fiscal 2016 work plan, which summarizes new and ongoing reviews that the agency plans to pursue with respect to HHS programs and operations.

“Such medical devices use hardware, software, and networks to monitor a patient’s medical status and transmit and receive related data using wired or wireless communications” that have vulnerabilities and risks “associated with ePHI that is transmitted or maintained by a medical device,” according to OIG.

“We’ve done a number of studies looking at EHRs and some of their vulnerabilities. In addition to that, we’re now looking at these networked medical devices,” said Donald White, senior public affairs specialist at OIG.

The expected audit comes on the heels of a Federal Bureau of Investigation alert issued in September warning companies and the public about the cybersecurity risks that networked medical devices and wearable sensors pose to consumers.

In addition, OIG in FY16 will seek to determine the extent to which hospitals comply with HIPAA contingency planning requirements and compare hospitals’ contingency plans with government- and industry-recommended practices. “The HIPAA Security Rule requires covered entities to have a contingency plan that establishes policies and procedures for responding to an emergency or other occurrence that damages systems that contain protected health information,” states the OIG plan.

In a separate activity, the agency will determine the adequacy of the Office for Civil Rights’ oversight over the security of ePHI. A September OIG report found that OCR “has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities” and described OCR’s oversight as being “primarily reactive.” Subsequently, OCR said it would be stepping up its audits, according to White. “We will also be continuing to do work on electronic health records,” he said.

For instance, OIG plans to review the extent to which providers participating in accountable care organizations in the Medicare Shared Savings Program use EHRs to exchange health information to achieve their care coordination goals. “We will also assess providers’ use of EHRs to identify best practices and possible challenges to the exchange and use of health data, such as the degree of interoperability, financial barriers, or information blocking,” states the agency.
