Hospital Wireless Networks May Be Regulated Medical Devices

Lucas123 writes "As hospitals continue to connect patient monitoring equipment, physician PDAs and laptops to wireless networks, and then collapse those data paths onto traditional IT networks, the closer the US Food and Drug Administration comes to regulating them, according to Computerworld. The focus of the FDA's regulation comes in its recently finalized 80001-1 standard that established risk management practices for those networks, the adherence to which may be voluntary, but would determine Medicaid and Medicare reimbursements. 'If you don't comply, then you have two choices. You can have the federal government come in and inspect your hospital, or you can decide not to accept money from Medicare or Medicaid. Voluntary sometimes isn't exactly voluntary,' said Rick Hampton, wireless communications manager for Partners HealthCare System in Boston."
  • by ducomputergeek ( 595742 ) on Monday January 10, 2011 @04:18PM (#34827468)

    I consulted with a small medical equipment business 5 years ago when they were replacing a DOS-based system they bought in 1993 with new software that met all the HIPAA compliance plus their state requirements. It was a pretty big deal back then since 80% of their business was either Medicare or Medicaid. It took about six months to write out all the contingency plans and make sure they were doing proper backups, could restore backups, had secure off-site storage of tapes, etc.

    I do remember the big hang-up was the fact their database server and terminals had to have an airgap between them and the Internet, or at least that was the easiest and cheapest way to meet the standards they had to, and in fact the only line out was a dial-up modem to submit billing to the state. It only took about a month to back up all their records to hard copy (just in case), get the new systems and transfer all the old data to the new system.

    It took another five months to write all the damn documentation the government required for their certification/accreditation/inspection or whatever it was they had to pass.

  • Re:Good. (Score:5, Interesting)

    by Talderas ( 1212466 ) on Monday January 10, 2011 @04:21PM (#34827518)

    Well. Since you need to comply with FDA regulations or not get your Medicare/Medicaid funding, it's a pretty big deal.

    The problem exists in the transition. These improvements cost money and there's a good chance that networks in transition wouldn't meet the FDA requirements. That would cause the hospital to lose the Medicare/caid funding and consequently have to turn away or eject patients that would be a huge cost to them that would otherwise get treatment.

    Since there's that potential while in transition to a more modern network, hospitals may be quite unwilling to fund the improvements in the first place and preserve their funding.

  • by Rich0 ( 548339 ) on Monday January 10, 2011 @04:28PM (#34827616) Homepage

    Believe it or not, there is... I work in a regulated industry and we pay tons of money for software that basically helps us manage the paperwork that says we're doing everything right...

  • Re:Good? (Score:4, Interesting)

    by Anonymous Coward on Monday January 10, 2011 @04:33PM (#34827698)

    I'd have to concur. I've been in hospitals where the IT staff offered free wireless internet for the waiting areas - and the only open access point was to the "airgapped" network for the financials, etc. I'm sure that Medicare would LOVE to find out about THAT particular HIPAA violation. >:-D

  • Re:Good. (Score:4, Interesting)

    by Americano ( 920576 ) on Monday January 10, 2011 @04:53PM (#34827996)

    Or, as with just about any government regulation, the policy would be enacted and give hospitals X number of months or years to comply with the standards set forth in that policy, or face a loss of Medicare/Medicaid funding.

    Here's what will not happen:
    12:01 a.m., January 1, 2012: Regulation goes into effect.
    12:02 am, January 1, 2012: All non-compliant hospitals cease to receive funding from Medicare and Medicaid, and the feds move in to shut down these illegal dens of medical "care" for their noncompliance.

    They'll probably have several years to bring themselves into compliance, with a requirement that they document their risk mitigation policies until they are compliant, and if at the end of that time they can't show compliance, then they will risk losing their Medic[are|aid] funding.

  • Re:Good. (Score:5, Interesting)

    by Americano ( 920576 ) on Monday January 10, 2011 @05:09PM (#34828190)

    Were wireless networks actually killing anyone...?

    If you read TFA, yes, actually, they were:

    According to Shuren, the FDA last year received reports that six patients died and 44 people were injured as a result of health IT-related malfunctions. The FDA also received 260 reports of malfunctions that had the potential to harm patients.

    Reporting of these numbers is strictly voluntary, so you do the math - if institutions volunteered these numbers, how many other patients and patient devices are being affected by some intern streaming House re-runs over the network? And do you really think it's inappropriate to mandate that certain controls must be in place on a general network that is relied upon by medical devices which require the network to operate, and which are sending sensitive medical data over the network?

    I work for a financial services company; it's standard practice for us to firewall off our sensitive database systems and authentication systems, and restrict access to a very tightly controlled set of uses. If your retirement account or brokerage account was held here, would you want us to take down all the firewalls, network filtering, and access controls on the networks? I'm betting the answer is no. If you want that much protection on your financial information (which might embarrass you, but certainly won't kill you), why wouldn't you want controls at least as strict on networks & systems that could - quite literally - kill you if they malfunction for some reason?

  • Re:Good. (Score:4, Interesting)

    by mangu ( 126918 ) on Monday January 10, 2011 @05:24PM (#34828386)

    Plenty of karma, don't worry. However no mod points, have been posting too actively of late. If I had I would give the GP (-1, offtopic).

    Why is it that leftists always mock libertarianism with this monotonous "free market" chant? Economic freedom is *one* of the infinite liberties a person can have. The free market works admirably for what it's meant to do, but it's not a tool for everything.

    The free market is *not* intended to maximize the preservation of human life. We do need some regulations for that. Of course, there are private corporations, like this one [wikipedia.org] to verify that regulations are being followed, but they do not make the regulations, that's not what the "free market" is intended to do.

    So, in the end, there must exist some form of governmental or non-market regulations in effect. No libertarian denies that.

  • Re:Good. (Score:3, Interesting)

    by eth1 ( 94901 ) on Monday January 10, 2011 @05:56PM (#34828796)

    Or, as with just about any government regulation, the policy would be enacted and give hospitals X number of months or years to comply with the standards set forth in that policy, or face a loss of Medicare/Medicaid funding.

    Here's what will not happen:
    12:01 a.m., January 1, 2012: Regulation goes into effect.
    12:02 am, January 1, 2012: All non-compliant hospitals cease to receive funding from Medicare and Medicaid, and the feds move in to shut down these illegal dens of medical "care" for their noncompliance.

    They'll probably have several years to bring themselves into compliance, with a requirement that they document their risk mitigation policies until they are compliant, and if at the end of that time they can't show compliance, then they will risk losing their Medic[are|aid] funding.

    Exactly. What will really happen is this:
    12:01 a.m., January 1, 2012: Regulation goes into effect, with deadline of 2015-01-01.
    2012-01-01, IT: "We need to get started on this"
    2012-01-01, Exec: "We don't have the money yet"
    2013-01-01, IT: "We need to get started on this"
    2013-01-01, Exec: "We don't have the money yet"
    2014-01-01, IT: "We need to get started on this!"
    2014-01-01, Exec: "We don't have the money yet"
    2014-11-01, Exec: "We need this in two months or we're fscked!! We'll need you to work 168 hour weeks!"
