Tech Optimization: Medical device and IoT operating secrets
Connected medical devices and the Internet of Things have become major areas of both promise and concern for hospitals in recent years. They generate key clinical data – and can enable timely and life-saving interventions – but they also pose serious safety and security implications when improperly configured.
Chief information officers, chief medical information officers, chief medical officers, chief information security officers and other IT leaders all have a vested interest in the safe operation of medical devices and IoT tools, and in ensuring the integrity of their data output. But making IoT run optimally is a challenge.
In this special report, three medical device experts – from Capsule Technologies, First Databank and Pivot Point Consulting – offer their decades of experience in the field to give best practices for healthcare-provider organizations seeking to optimize medical device and IoT technologies to run best for individual provider institutions.
Medical device-optimization overview
Slowly but inevitably, the medical device landscape is changing – and in a positive direction. Historically, the ordering, recording and adjudicating of medical devices at health systems have all been hampered by the absence of comprehensive databases and standard identifiers for devices, said Patrick Lupinetti, senior vice president for legal affairs and medical device at First Databank, a vendor of, among many things, medical device databases.
“While such databases have been available for drugs for many decades, medical devices have not had the benefit of the same protocols and procedures,” he said. “This deficiency has not only limited materials management and documentation, but it has also denied clinicians ready access to relevant medical data – device verification, defining attributes, MRI compatibility and recall notifications – both at the point of care and for retrospective analysis.”
"With devices, there has historically been no channel through which doctors can get that information – a status they absolutely wouldn’t tolerate in their administration of drugs."
Patrick Lupinetti, First Databank
However, there is a major transition underway, sparked in large part by the FDA’s Unique Device Identifier (UDI) initiative, which requires the assignment of a distinctive identification number to medical devices sold in the United States from manufacturing through distribution to patient use.
As the FDA describes it, full implementation of the UDI “will ultimately improve patient safety, modernize device postmarket surveillance and facilitate medical device innovation.”
“Significantly, the existence of the UDI will enable a definitive identifier to be included on electronic claim forms, which, for the first time, will permit an accumulation of device utilization data and tracking information,” Lupinetti explained. “When coupled with information systems and comprehensive databases, UDI-linked records will improve the way that medical devices are managed – in day-to-day clinical practice, supply chain management, claims adjudication, value assessment and safety.”
As a result, several health systems are beginning to incorporate UDI database information into their EHR systems to better track medical device information for clinical, safety and operational improvement.
Meeting full data requirements of staff
A best practice to optimize medical devices at healthcare-provider organizations is to consider how to meet the full data requirements of clinicians, researchers, IT security and clinical engineering, advised Hemant Goel, CEO of Capsule Technologies, a vendor of medical device integration and clinical-surveillance technologies.
“While most hospitals and health systems already have integrated a small percentage of their medical devices into the EHR, the actual amount of data that is kept in the patient’s record is only a fraction of what is generated by the connected medical devices,” he said.
"While most hospitals and health systems already have integrated a small percentage of their medical devices into the EHR, the actual amount of data that is kept in the patient’s record is only a fraction of what is generated by the connected medical devices."
Hemant Goel, Capsule Technologies
“Streaming data from medical devices, which can include measurements, waveforms, alarms and device settings, can provide the most immediate picture of developing patient conditions, and can power a wide range of existing and emerging applications, including alarm management, clinical surveillance, remote monitoring and high-fidelity clinical research databases.”
Almost every CIO that Goel talks to, he said, is strategically looking forward to predictive analytics, artificial intelligence and personalized-medicine initiatives to help improve outcomes and reduce the cost of care.
“Medical devices and the data they produce represent a rich source of information to power these advancements,” he explained. “We encourage CIOs to imagine the possibilities for advancing care and improving outcomes by extending the liberation of device data through applications that produce insights in real time and help accelerate the delivery of meaningful care.”
Early Warning Scoring
Capsule Technologies points to the example of Early Warning Scoring when it talks with CIOs about data liberation, since it provides nearly real-time data.
“In fact, studies already have shown that augmenting early warning scoring systems and predictive analytics related to patient deterioration provides better performance than models that only use data from the EHR,” Goel said.
“These are early days still for medical device connectivity and system interoperability,” he explained. “As device producers develop new integration technologies and incorporate standardized data profiles, more data will become available to be shared among more systems and applications.”
When selecting new medical devices or deploying a medical device integration solution, CIOs should envision how data can be captured and leveraged for all users across the enterprise today, he advised.
“But discussing and planning for the device data demands of the future is a best practice that will help healthcare provider organizations optimize their medical devices for new opportunities. Medical device data is increasingly becoming, if it isn’t already, an essential component of their health system IT infrastructure and, as such, their overall clinical and operational success.”
A clinical best practice
Comprehensive databases that include all relevant medical device attributes (clinical dimensions, materials, coatings etc.), with customization based on a particular health system’s operational model, are extremely important for clinical purposes, said Lupinetti, of First Databank.
“The value of getting doctors the information they need – both when they are treating patients and when they are looking back at historical procedures to evaluate outcomes – should be obvious to everyone,” he said.
“Nonetheless, with devices, there has historically been no channel through which doctors can get that information – a status they absolutely wouldn’t tolerate in their administration of drugs,” he explained. “There really are not any major technical or developmental impediments to progress here – we just need a willingness to accommodate the new opportunities.”
Health system CIOs can best appreciate the needs that are currently not being met by asking their doctors what medical device information they require access to – both during treatment and retrospectively – to promote better clinical care, and then give it to them, he added.
“As an example, First Databank has been working with Duke University, one of the nation’s leaders in making use of the UDI, to link device records to enhanced product attributes for cardiac medical devices – for example, maximum stent expansion, drug eluted or not, alloy composition – to support clinical determinations and enable a deeper analysis of device outcomes.”
Medical devices and EHRs
As most providers today use an EHR, the intrinsic complexities and burdens of management are substantial. When implementing a flagship EHR such as Cerner or Epic, it is likely that capital-improvement projects such as medical device integration were a required portion of the EHR implementation.
The provider ultimately is left to manage a robust EHR that pulls data from all different realms of medical devices; the challenge then becomes how to apply best practices in optimizing such an integrated system, said Jeff Maris, senior director, strategic implementation and partnerships, at Pivot Point Consulting.
"Organizations that can invest in the necessary human effort and inventory tracking tools will likely have the best probability of hitting the goal metrics of medical device integration."
Jeff Maris, Pivot Point Consulting
“First and most important is understanding the current state,” he advised. “From performing a multitude of technical assessments, I always found it astounding how little providers know about what connected medical device assets they have. Organizations that can invest in the necessary human effort and inventory tracking tools will likely have the best probability of hitting the goal metrics of medical device integration.”
EHR-vendor road map
Second, providers have to know not only their organizational roadmap, but also their EHR vendor’s roadmap, Maris suggested.
“EHRs are requiring providers to migrate live solutions to cloud services more than ever, perform continuous upgrades and cope with end-of-life device support,” he said. “Providers can’t afford not to consider the clinical and technical workflow ramifications now that medical devices are being integrated into the ecosystem. Having a collaborative road map strategy incorporating the EHR vendor and integrated third party is now more than ever a required approach to ensuring an effective and efficient rollout strategy.”
The immersion of the EHR in the provider space has clearly created new challenges for appropriately managing medical devices, he said.
“When embarking on optimization of your medical device environment, getting a good grasp of your current state and a road map of where EHR and medical device vendors’ strategies are going are pivotal key success factors,” he said.
Security and accidental architecture
Another best practice to optimize medical devices at healthcare provider organizations is to avoid accidental architecture and enhance data security when connecting medical devices, said Goel of Capsule Technologies.
“‘Accidental architecture’ is a term referring to the outcome of connecting medical devices and clinical systems through a series of independent, uncoordinated tactical projects, without considering a long-term vision of a facility’s medical device connectivity strategy,” he explained.
“The result is often a web of devices, network protocols and systems that can be overly burdensome for IT and clinical engineering to maintain, support and further expand.”
Hospitals are looking to solve this by standardizing on a single vendor or, in some cases, on a small set of technologies able to integrate disparate devices to unify how they communicate with networks, with one another and with clinical information systems, he added.
“One way to solve this challenge would be to start over and standardize the purchase of new connectable medical devices and new information systems to ensure they integrate,” he observed. “However, this remains cost-prohibitive. Therefore, clinical, clinical engineering and IT teams need to clearly identify their ideal clinical workflow and data-insights requirements across the healthcare enterprise.”
Once a clear vision is defined, plus a thorough assessment of existing devices, systems and workflows, a plan can be developed to implement a connectivity/data management strategy that works for the hospital, he advised.
“Additionally, there have been numerous reports recently in healthcare-industry publications related to various cybersecurity vulnerabilities of medical devices,” he added. “A major challenge and source of stress for healthcare providers is that medical devices are essentially ‘closed boxes’ that give users reduced control over security. Yet, providers need to connect many of these devices to their networks.”
Legacy devices often have little or no ability to protect themselves, he said. When managing older devices, hospital IT can be limited to mitigating security deficiencies by adding protection around the devices, which is less effective and more effort-consuming than a device that was designed with security in mind, he said.
“With new devices, vendors have been making advancements in their security capabilities,” he noted. “Still, given the vast inventories of devices in today’s healthcare facilities, which include devices from different vendors, and at different stages in their life cycles, and the continuous sophistication of the cyber-attacks, it is impossible to completely and permanently secure all medical devices in a hospital.”
Reducing the overall security risk
But there is an effective way to improve the security posture of medical device fleets and the IT networks over which these devices connect: Intermediary systems or solutions can be employed to reduce the overall security risk for medical devices directly, or indirectly, for any connected systems, Goel advised.
“Connecting multiple medical devices to hospital networks through a reliable and secure integration system mitigates the vulnerabilities of individual devices and raises the overall security posture to a high level,” he said.
“It also makes securing these devices more scalable, as securing one intermediary system is more efficient than securing many different devices. Avoiding the ‘accidental architecture’ also increases the cybersecurity efficiency.”
It is clear that data security, in general, and medical device security, in particular, is an organizational problem, not just a hospital information technology problem, he added.
“Fortunately, several advanced solutions are available to help hospitals understand their security exposure, then organize and optimize the mitigations,” he suggested. “These tools can deliver an inventory of all the medical devices in use, match these devices with vulnerabilities that are known to exist, alert users to the potential risks that each device brings and provide advice on actions to take.”
Additionally, some tools include security features that guarantee only organization-approved software can run on their networks, he said.
“Address the increasing risk of cyberattacks by planning and deploying intelligent medical devices,” he advised. “Medical device providers are generally being transparent on security, as we recognize this matter as a shared responsibility between vendors and healthcare providers to ensure that devices can be safely used to provide effective patient care.”
For CIOs, Capsule Technologies stresses the importance of having a well-designed deployment architecture that secures device data in motion at the edge as much as possible in order to decrease exposure to unencrypted data on the network.
“In maintaining this architecture, the work continues,” Goel said. “Monitor all network traffic with solutions designed to raise awareness on issues, and constantly re-assess the potential exposure as new vulnerabilities can be discovered any day.”
In the consumer-products business, when Pepperidge Farm needed to recall Goldfish crackers in 2018, there wasn’t a package to be found on store shelves within one to two days, said Lupinetti of First Databank, drawing a comparison to healthcare.
“But in healthcare, the ability to track safety issues for patients with high-risk implanted medical devices remains very challenging due to a historic lack of device identifiers and a national database to efficiently contact patients who have the devices,” he explained.
“Because of that, even after a device is recalled for safety reasons, many patients are still walking around with one – with no idea that there could be an issue. This is a major public health problem, especially considering that, in 2019, the number of medical device recalls spiked compared to the previous three years, according to the FDA.”
It is important for health-system leaders to implement UDI tracking, and to incorporate comprehensive databases that involve real-time recall alerts and integration with EHRs, in order to better monitor medical device safety issues, he advised.
“These tools enable health systems to reliably run recalled product identifiers against their inventories and to provide a fail-safe at the point of use: A bar code scan that flashes red if a device has been recalled serves as a final safety check,” he noted. “UDIs, as a common and unique designator, are invaluable in making recall management easier and more consistent.”
Tracking devices with their UDIs and recording them in EHRs also can facilitate recall management for devices that already have been implanted. A facility would need only run the recalled product’s UDI number against its EHR to identify which, if any, of its patients have received the device, he concluded.