Dive Brief:

• The Department of Veterans Affairs Office of Inspector General found that workarounds used to solve software interface issues at a VA medical facility in Long Beach, California put patients’ personal information at risk for disclosure to outside sources.
• The OIG’s findings, detailed in a report issued last week, followed an inspection at the Tibor Rubin VA Medical Center into what the watchdog identified as inappropriate staff workarounds put into place because the facility’s high-resolution esophageal manometry medical device lacked the ability to interface with the Veterans Health Administration’s electronic health records system.
• The OIG made several recommendations in its report addressing communication and education, disclosure of protected patient information, VA policy review and compliance with the use of logbooks.

Dive Insight:

Healthcare led all industries in cybersecurity breaches in 2018, accounting for one-third of potential compromised records, according to one assessment. In the first half of 2019, nearly 32 million patient records were compromised, more than double the records breached in all of 2018, according to a new report from IT security firm Protenus.

For FDA, the security of medical devices is a top priority, not only to protect patient information but because hackers could exploit vulnerabilities to interfere with the operation of the technology, causing potential harm to patients.

The VA’s management of cybersecurity continues to have weaknesses that increase vulnerability to cyber threats, a report published in April by the U.S. Government Accountability Office said.

In the case of Tibor Rubin VA Medical Center, the VA OIG determined that 133 patients had sensitive personal information stored in unencrypted emails or text messages. The issues stemmed from a facility provider implementing two workarounds to keep the HRM device in use that didn't follow VHA and VA privacy and security policies.

The facility’s HRM device lost the ability to interface with VHA’s EHR system in 2013 when the VA upgraded from the Windows XP operating system to Windows 7, the OIG said. The workarounds involved use of personal emails, a laptop, a non-encrypted flash drive and electronic storage that weren't approved by the VA. Facility staff also used prohibited logbooks to track patient information and testing equipment.

In addition to the HRM, eight of 11 other medical devices also weren't able to interface with the EHR. However, the providers and staff using the technology in the GI laboratory, neurology, and pulmonary/sleep laboratory developed workarounds that maintained the secure transfer of data, results and images from the devices to the EHR system, OIG said.

Among its recommendations, OIG suggested the Tibor Rubin VA Medical Center director review and improve the communication processes between employees and biomedical engineering and information technology departments when interface issues exist. The director also should make sure that staff can identify which patient information is considered protected from disclosure, OIG said.

OIG suggested the VA assistant secretary for information and technology review and adjust the VA handbook on management of breaches involving sensitive personal information to include a process to address incidents such as using personal emails to transfer and store patient data and texting with personal cell phones.

FDA plans to hold a meeting of the Patient Engagement Advisory Committee on Sept. 10 for a public discussion of medical device cybersecurity.