Report Highlights Risk of Medical Device 'Workarounds'Experts: Problems at VA Medical Center Are Common at Many Healthcare Entities
A watchdog agency review of a Department of Veterans Affairs medical center in California spotlights security issues involving medical device "workarounds" that some experts say are common but often overlooked or underestimated risks.
In a report issued Wednesday, the VA Office of Inspector General highlights a variety of episodes of "non-adherence" to Veterans Health Administration and VA policies on patient information privacy and security that were first identified during an unrelated investigation at the Tibor Rubin VA Medical Center in Long Beach.
Among the VA OIG's security and privacy findings were issues related to the facility's medical devices and "inappropriate staff workarounds" for transferring and integrating patient device information into the medical center's electronic health records system.
The VA OIG says the security issues involved:
- The lack of a software interface between VHA medical devices and the EHR as well as inappropriate staff workarounds;
- A lack of biomedical engineering and IT assistance in resolving software interface issues between VHA medical devices and the EHR;
- Unapproved communication modes used by facility staff that risk disclosure of sensitive personal information.
The watchdog report notes that investigators identified the medical device issues "involving the potential violation" of the VHA information security policies.
"Specifically, a gastroenterology provider and other staff used unauthorized methods to communicate, transfer and store patients' sensitive personal information," the report says.
The facility uses a medical device called a high-resolution esophageal manometry - or HRM - to measure a patient's swallowing function.
Prior to 2013, the facility's HRM used the Windows XP operating system and was able to interface with the EHR. In 2013, the VA upgraded the HRM to Windows 7.38, the report notes. "With this upgrade, the network could no longer support the interface between the HRM and the EHR," the report says.
"The GI provider notified the direct supervisor, IT, and biomed [department] about the HRM's inability to interface with the EHR." Options discussed to address the problem included purchasing a new HRM, or continuing to use the HRM but without the ability to interface with the EHR, the report says.
The GI provider, along with biomed and IT departments, made a decision to continue to use the HRM, but without the ability to interface with the EHR, the report notes.
The provider developed and implemented two workarounds to enter the HRM information into the EHR and continued to use the facility HRM until it became non-operational around June 2018, the report says.
"The GI provider, acting alone and without guidance from the facility's privacy officer or information systems security officer, used a non-VA unencrypted flash drive, personal computer and personal email account to transfer reports from the facility HRM to the VA computer," the report notes. This created security and privacy risks to the data.
"The OIG determined that the facility HRM lacked the ability to interface with the EHR beginning in 2013. In addition, the GI provider did not follow VA security requirements, under the VA Rules of Behavior, to secure and protect VA information, when developing and implementing the workarounds used when the facility HRM could no longer interface with the EHR," the report says.
When the security risk was identified by the VA OIG, the facility information systems security officer took mitigating measures to decrease the risk of exposing sensitive patient information, the report adds.
The OIG also found that additional medical devices used in other departments of the medical center also lacked the ability to interface with the EHR.
"However, the providers and staff using these medical devices developed workarounds that ensured the secure transfer of data, results and images from the medical devices to the EHR," according to the OIG report.
The OIG report highlights important - and common - issues involving the security of data related to medical devices, some security experts note.
"Risk is not just restricted to the technical aspects of an infrastructure," says former healthcare CISO Mark Johnson, a consultant with LBMC Information Security. "This OIG report highlights that operational considerations can present risk equal to or more impactful than technical. In other words, how the IT infrastructure is used is just as important as how it is configured."
In many cases, organizations conducting risk assessments look at the technical or regulatory implications, but fail to look at the operational context in which the infrastructure is used, Johnson says.
"This is a lesson I learned years ago when I was a CISO," he notes. "I had to help design security controls and 'workarounds' that people will use. I had to think about the workflow and processes before I created the new control or migrated a system. We tell our clients the same thing: Operations, not regulations, drives security."
The risk involved with unsecure "workarounds' is pervasive in healthcare settings, notes Ben Ransford, president of healthcare cybersecurity firm Virta Labs.
"Every health system is in a similar boat - so many layers of workarounds that it becomes difficult to see the original plan," Ransford says. "This situation presents security risks, since complexity is the enemy of security, but it also presents operational risks. What if the brilliant nurse who developed a site-specific workaround leaves? The people best prepared to improve security are the people who devote some resources to paying down this technical debt in addition to new tools or workflows."
Former healthcare CIO David Finn, executive vice president at the consulting firm CynergisTek, offers a similar assessment.
"There is nothing in the VA OIG report that is surprising and not happening at every hospital in the country," he says. But the potential risks created by workarounds involving medical device data are serious, he adds.
"A miscalculation or a data entry error are not uncommon at all on some of these complex devices," Finn says. "Now you throw in hackers or unknown consequences of cyber events - even as collateral damage on something like a syringe pump - and they can become weapons," he says. "The results of minor changes can be devastating."
That's because "complex systems fail in complex ways," he adds. "Medical devices are a system of systems and that includes a series of overlapping processes and interactions between people and technology, caregiver, patient, other clinical systems and departments."
In clinical settings, workarounds involving the inappropriate use of patient data are widespread, Finn adds. "Only the people doing them are aware they are taking place. These workarounds are both common and underestimated," he says.
"In my experience, there is no group more resourceful, unrelenting and clever about finding 'workarounds' than a clinician tasked with the care of a patient. If they can't get it through the systems provided, they will use their own systems; they will do it on paper, text, personal email; they'll get a cloud-based system or buy something themselves."
Healthcare workers need to understand the risks involved with workarounds, and they need to work with security and privacy professionals to find ways for getting their work done without violating policies, procedures, regulations or laws, Finn says.
VA OIG Recommendations
The VA OIG makes a number of recommendations for how the California hospital can correct the security issues identified during the agency's review.
For example, it recommends that the medical center's director review the communication processes between employees and the biomedical engineering and IT departments regarding disclosure of patient sensitive information when interface issues exist and take necessary actions to improve this communication.
The watchdog agency also recommends that the hospital take steps to ensure that staff members protect sensitive patient information across all communication modes, including email, according to VA and VHA policy.
In a statement provided to Information Security Media Group, a VA OIG spokesman says the medical center's director concurred with the findings and recommendations in the report. "The medical center has taken steps to address the issues identified in the report and is working to implement the OIG's recommendations," he says.
"The OIG believes this report will help VA to address these kinds of security risks and to account for the need for medical information to move seamlessly and securely between medical equipment, providers, patients and the medical/electronic healthcare record," the spokesman says.