The FDA has issued a draft guidance for medical device manufacturers on its expectations for cyber security design and associated regulatory submissions. EHRs are not regulated as medical devices although some argue they fall well within the applicable definition. None-the-less the ideas in the draft guidance, and in a related document, can be readily adopted as expectations for EHR design, selection and use.
The draft guidance first reiterates what should by now be well known data risk considerations including confidentiality, integrity (accurate, complete and not improperly modified), and availability (accessible and usable on a timely basis in the expected manner). The latter includes data and system recovery after a failure, although timely might be ill-defined in this case. We might add to these considerations specific concern for where the data actually is, and how it is backed up. These fundamental computer data issues might in part be amplified for EHRs as the data flows directly to patients, from provider to provider, and also to exchanges. Suitable encryption is one issue in such transfers.
After reiterating the more-or-less familiar potential problems, the FDA then makes the bold suggestion that designers should actually consider these issues early in the design cycle as part of an organized process such consistent with an established “quality system”, as is required for medical device manufacturers. This is opposed to perhaps trying to patch them in later, if at all. Issues for early consideration include actual identification of vulnerabilities, vulnerability impact assessment, incorporation of suitable mitigation strategies, and residual risk assessment (the problems not solved) against established acceptance criteria. Also, there should be a systematic plan for providing validated updates and patches, including suitable controls on who can execute them. All of this should be the subject of appropriate documentation.
The second related FDA release is a Safety Communication on network cyber security. Although again the FDA is not speaking directly about EHRs, this document addresses hospital responsibilities, which might also be extended to all providers. Again the steps are familiar beginning with threat (risk) assessment, followed by control measures. These might include multi-layered access control, making sure anti-virus and related systems are up-to-date, and developing and evaluating strategies to maintain critical functionality during adverse conditions. The final user step is an effective problem reporting system which is well codified for medical devices but absent for EHRs. In fact there have been reports of EHR contracts that preclude reporting problems to third parties.
Cyber safety and security is a pervasive problem and EHRs are certainly deep in this morass, as HIPAA requirements and enforcement actions illustrate. However HIPAA has only a narrow privacy perspective, and HIPAA’s emphasis is on the end user, skipping over system design issues. The principles here are that it takes actual and disciplined effort by both suppliers and users of EHRs to assure a reasonable initial level of broad designed in protection, followed by an ongoing effort to make sure that that level is maintained over time.