Hospital Wireless Networks May Be Regulated Medical Devices
Lucas123 writes "The more hospitals connect patient monitoring equipment, physician PDAs and laptops to wireless networks, and then collapse those data paths onto traditional IT networks, the closer the US Food and Drug Administration comes to regulating them, according to Computerworld. The focus of the FDA's regulation comes in its recently finalized 80001-1 standard that established risk management practices for those networks, the adherence to which may be voluntary, but would determine Medicaid and Medicare reimbursements. 'If you don't comply, then you have two choices. You can have the federal government come in and inspect your hospital, or you can decide not to accept money from Medicare or Medicaid. Voluntary sometimes isn't exactly voluntary,' said Rick Hampton, wireless communications manager for Partners HealthCare System in Boston."
Good? (Score:3)
Re:Good? (Score:4, Interesting)
I'd have to concur. I've been in hospitals where the IT staff offered free wireless internet for the waiting areas, and the only open access point was to the "airgapped" network for the financials, etc. I'm sure that Medicare would LOVE to find out about THAT particular HIPAA violation. >:-D
Re:Good? (Score:4, Insightful)
I'm sure that Medicare would LOVE to find out about THAT particular HIPAA violation. >:-D
Then go tell them. If you've physically been in the hospital that could be your data, your loved ones' data, or just plain due diligence if you were there for work and not for a medical reason.
Re: (Score:2, Informative)
I think the quality of classic IT in a hospital isn't that bad. The status of our Windows network isn't that bad. There are issues, but I don't think we're any worse than any other industry. What is bad is the Biomed side of the house. The medical equipment stores patient data with no authentication or auditing capabilities. The systems that are based on off-the-shelf hardware and software (e.g. Windows PC hooked up to a medical device) can't be patched because the vendors won't certify the systems with tho
Re: (Score:2)
What's your rate of infections by viruses? If you're running a MSWind network, that might be a fair test. If it's zero, you may be doing pretty well.
This wouldn't work on a Linux or Unix network, as there basically aren't any viruses to probe the network, but on MSWind they might do a fair job of testing you.
N.B.: I'm *NOT* a sysadmin, so I may be talking through my hat. But at least it sounds like a fair first test. If viruses are getting through, you KNOW your network is pervious.
P.S.: Whenever I se
Re: (Score:2)
What's your rate of infections by viruses? If you're running a MSWind network, that might be a fair test. If it's zero, you may be doing pretty well.
This wouldn't work on a Linux or Unix network, as there basically aren't any viruses to probe the network, but on MSWind they might do a fair job of testing you.
It's just an anecdote, but a casual acquaintance I met at HOPE 2006 in NYC or something, worked at a hospital and their solution to preventing LAN/network based infections was to create the semi-mythical one PC vlan.
So the linux side spoke dot1q and had a zillion interfaces and spoke smb via samba or whatever the heck the biomed device used. There was also some confusing discussion of mac address filtering, he was quite proud that any ole sysadmin could do iptables at OSI 3 and up, but he was doing all mann
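Two posts in this thread describe the same segmentation problem from opposite ends: the guest Wi-Fi that turned out to be bridged onto the "airgapped" financial network, and the one-device VLAN where each biomed box may talk only to its designated server. The following is an added example, not code from the thread or from any hospital: a small offline audit that evaluates a first-match, default-deny rule table with Python's `ipaddress` module and checks it against the segmentation intentions those posts imply. The zone names, subnets, rules and invariants are all constructed for the example; the "flawed" table is the kind of mistake the first post describes (a broad guest allow rule that also reaches an internal server), and the "hardened" table is one way to correct it.

```python
"""Offline segmentation audit for a zone-based firewall policy (added example).

Every subnet, zone name and rule here is constructed; nothing is taken from a
real hospital. The point is the technique: encode the intended isolation as
invariants and evaluate the rule table against them before it is deployed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed zones: guest Wi-Fi, the billing/financial segment, a single-device
# biomed VLAN (the "one PC vlan" of the second post) and that device's server.
ZONES = {
    "guest_wifi": "10.50.0.0/16",
    "financial": "10.10.0.0/24",
    "pump_vlan": "10.20.7.0/30",
    "biomed_server": "10.30.0.5/32",
}


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    dport: Optional[int]  # None means any destination port
    action: str         # "allow" or "deny"


def _in(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def decide(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if _in(r.src, src_ip) and _in(r.dst, dst_ip) and (r.dport is None or r.dport == dport):
            return r.action
    return "deny"


def sample_host(zone: str) -> str:
    """A representative address inside the zone (the /32 is its own host)."""
    net = ipaddress.ip_network(ZONES[zone])
    return str(net.network_address if net.prefixlen == 32 else net.network_address + 1)


# Invariants: (description, source zone, destination zone, port, expected verdict)
INVARIANTS: List[Tuple[str, str, str, int, str]] = [
    ("guest must not reach financial", "guest_wifi", "financial", 443, "deny"),
    ("guest must not reach biomed server", "guest_wifi", "biomed_server", 445, "deny"),
    ("pump reaches its own server", "pump_vlan", "biomed_server", 445, "allow"),
    ("pump must not reach financial", "pump_vlan", "financial", 445, "deny"),
]


def audit(rules: List[Rule]) -> List[str]:
    """Return a description of every invariant the rule table violates."""
    violations = []
    for desc, src_z, dst_z, port, expected in INVARIANTS:
        got = decide(rules, sample_host(src_z), sample_host(dst_z), port)
        if got != expected:
            violations.append(f"{desc}: expected {expected}, got {got}")
    return violations


# Flawed table: guest is blocked from financial, but the blanket "guest -> any"
# allow rule also lets guest clients reach the biomed server.
FLAWED_RULES = [
    Rule("10.20.7.0/30", "10.30.0.5/32", 445, "allow"),   # pump -> its server only
    Rule("10.20.7.0/30", "any", None, "deny"),
    Rule("10.50.0.0/16", "10.10.0.0/24", None, "deny"),
    Rule("10.50.0.0/16", "any", None, "allow"),           # too broad
    Rule("10.10.0.0/24", "10.10.0.0/24", None, "allow"),
]

# Hardened table: guest is denied the whole internal range before the allow.
HARDENED_RULES = [
    Rule("10.20.7.0/30", "10.30.0.5/32", 445, "allow"),
    Rule("10.20.7.0/30", "any", None, "deny"),
    Rule("10.50.0.0/16", "10.0.0.0/8", None, "deny"),     # no internal reach at all
    Rule("10.50.0.0/16", "any", None, "allow"),           # internet only
    Rule("10.10.0.0/24", "10.10.0.0/24", None, "allow"),
]

if __name__ == "__main__":
    print("flawed:", audit(FLAWED_RULES))
    print("hardened:", audit(HARDENED_RULES))
```

The audit uses one sample host per zone, which is enough for rules written at zone granularity; a table with host-specific exceptions would need every address in the zone checked, which `ipaddress` networks make cheap to iterate.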
Re: (Score:3)
Sadly, that's not the only part of the equation. Will regulation make it better and/or safer?
Because in my experience (10+ years of software medical device work) FDA regulation of medical devices has reached a point where the cure is now worse than the disease. Innovation is swamped under paperwork that prevents many solutions from coming out that would make medical devices safer or better, but which would cost too much for a company to implement because of FDA rules.
Too often, medical device errors (radi
Good. (Score:5, Insightful)
I'm one of those much hated libertarian leaning people who thinks regulation should only be applied when absolutely needed. In this case, we're talking life and death data and I would expect medical systems to be heavily regulated both for security and availability/reliability.
So what's the controversy?
Re:Good. (Score:5, Funny)
Re: (Score:3)
Yeah, someone needs to send RightSaidFred99 to a Cato Institute reeducation center before he starts thinking that health insurance is a life-and-death kind of thing too and needs to be regulated!
Re: (Score:2)
Oh my. I really hope you have karma to burn.
Re: (Score:3)
Oh my. I really hope you have karma to burn.
Is it wrong that I heard George Takei when I read this?
Re: (Score:2)
Why would that be wrong? I wish I had the speaking voice that guy has, I'd be able to hold people's attention much more easily in meetings.
Re: (Score:2)
Re:Good. (Score:4, Interesting)
Plenty of karma, don't worry. However no mod points, have been posting too actively of late. If I had I would give the GP (-1, offtopic).
Why is it that leftists always mock libertarianism with this monotonous "free market" chant? Economic freedom is *one* of the infinite liberties a person can have. The free market works admirably for what it's meant to do, but it's not a tool for everything.
The free market is *not* intended to maximize the preservation of human life. We do need some regulations for that. Of course, there are private corporations, like this one [wikipedia.org] to verify that regulations are being followed, but they do not make the regulations, that's not what the "free market" is intended to do.
So, in the end, there must exist some form of governmental or non-market regulations in effect. No libertarian denies that.
Re:Good. (Score:4, Insightful)
Because it's true. You constantly see people that claim they're libertarians while preaching that the free market will fix 'everything'. On another forum I saw a person claim that "All" regulation is "Evil", no exceptions. Obviously they're either ignorant or crazy, but those are the people that give libertarians such a bad rep.
Re: (Score:2)
You constantly see people that claim they're libertarians while preaching that the free market will fix 'everything'
And vice-versa, you often see people preaching that regulation will fix 'everything'.
Wanna get instant karma on Slashdot? Pick a discussion on energy and say that "deregulation caused the California energy crisis": (+5, Insightful) in a few minutes. Try to do some basic research [wikipedia.org] on the matter and you will find that the energy crisis was caused by companies like Enron manipulating the regulations.
Regulations are like medicine, they can cure a problem, but the wrong medicine will kill you. The mantra of regul
Re: (Score:2)
Plenty of karma, don't worry. However no mod points, have been posting too actively of late. If I had I would give the GP (-1, offtopic).
Maybe you don't get mod points because your mods are ridiculous? Troll or flamebait maybe, but how is "let the free market decide!" in response to someone who claims to be a libertarian but doesn't want the free market to decide in any way off-topic?
Why is it that leftists always mock libertarianism with this monotonous "free market" chant?
Probably because libertarians argue with the same monotonous "free market" chant.
Economic freedom is *one* of the infinite liberties a person can have. The free market works admirably for what it's meant to do, but it's not a tool for everything.
The free market is *not* intended to maximize the preservation of human life. We do need some regulations for that. Of course, there are private corporations, like this one [wikipedia.org] to verify that regulations are being followed, but they do not make the regulations, that's not what the "free market" is intended to do.
I like your theory. I really do. In fact, it sounds to me a lot like what a lot of Democrats I know believe. Rest assured you are not the target of anti-libertarian rhetoric. Thos
Re: (Score:2)
I now declare libertarianism to be the same... (Score:2)
Re: (Score:2)
There are rational libertarians. They aren't the majority. I don't know if there are any rational Libertarians.
To say that someone who takes the most common stand taken by a group of people who apply that label to themselves as representative of that belief is unreasonable is, itself, unreasonable. To take the well-reasoned view of a small minority who apply that label to themselves is much more unreasonable.
So, yes, I would say that libertarians believe in the supremacy of the Free Market!! at all cost
If only it were so easy (Score:2)
That should be true for non-life-threatening circumstances.
But it frequently is not true. In fact, even if you could get enough data to make a rational and fully informed decision (which is almost always impossible in real life), most people wouldn't know what to do with the information once they got it. It's possible to measure outcomes in many cases but there are so many variables that go into health care that most people would find it impossible to say Doctor A is better than Doctor B even if you just restrict the evaluation to medical outcomes - never mind ex
Re: (Score:2)
You fool! You're supposed to let the free market decide! If too many people die at hospital A, just go to hospital B!
That should be true for non-life-threatening circumstances.
The satire that leftists make of libertarianism is rather stupid and preaching to the choir.
If that's merely the satire that leftists make of libertarianism, then how come I've talked to so many libertarians who say the exact same thing when it comes to drug safety, for example, and automobile safety, and say it with a completely straight face? "The FDA is just another encroachment of the federal government on our individual liberty! If a company makes a dangerous drug then more people will buy their competitor's drug instead."
The free market isn't the goal of libertarians, it's just one of the consequences. And it works for its purposes which are economic in nature.
Most libertarians I know would claim that it works for all purposes,
Re:Good. (Score:5, Interesting)
Well. Since you need to comply with FDA regulations or not get your medicare/medicaid funding, it's a pretty big deal.
The problem exists in the transition. These improvements cost money and there's a good chance that networks in transition wouldn't meet the FDA requirements. That would cause the hospital to lose the Medicare/caid funding and consequently have to turn away or eject patients that would otherwise get treatment, which would be a huge cost to them.
Since there's that potential while in transition to a more modern network, hospitals may be quite unwilling to fund the improvements in the first place and preserve their funding.
Re: (Score:2)
Maybe a really small hospital might have issues, but if you're mid or larger and can afford something like Epic MyChart, you can afford a competent network admin.
Re:Good. (Score:5, Interesting)
If you read TFA, yes, actually, they were:
Reporting of these numbers is strictly voluntary, so you do the math - if institutions volunteered these numbers, how many other patients and patient devices are being affected by some intern streaming House re-runs over the network? And do you really think it's inappropriate to mandate that certain controls must be in place on a general network that is relied upon by medical devices which require the network to operate, and which are sending sensitive medical data over the network?
I work for a financial services company; it's standard practice for us to firewall off our sensitive database systems and authentication systems, and restrict access to a very tightly controlled set of uses. If your retirement account or brokerage account was held here, would you want us to take down all the firewalls, network filtering, and access controls on the networks? I'm betting the answer is no. If you want that much protection on your financial information (which might embarrass you, but certainly won't kill you), why wouldn't you want controls at least as strict on networks & systems that could - quite literally - kill you if they malfunction for some reason?
Newbie (Score:2)
If you read TFA, yes, actually, they were:
You must be new here...
Re: (Score:3)
I work in a hospital, in the department controlling this. I really don't think you understand what's happening. Do you honestly believe that telemetry is on the same network as everything else? Or that we don't have multiple networks?
Re: (Score:2)
I don't work in a hospital, but I did RTFA.
Perhaps you should do that, and then ask yourself if your hospital just happens to have better IT practices than some of the places talked about in the article.
Or do you honestly believe that "collapsing" networks together means that they're somehow keeping things on separate physical networks, when it in fact reports that they're NOT doing that?
Re:Good. (Score:4, Interesting)
Or, as with just about any government regulation, the policy would be enacted and give hospitals X number of months or years to comply with the standards set forth in that policy, or face a loss of Medicare/Medicaid funding.
Here's what will not happen:
12:01 a.m., January 1, 2012: Regulation goes into effect.
12:02 am, January 1, 2012: All non-compliant hospitals cease to receive funding from Medicare and Medicaid, and the feds move in to shut down these illegal dens of medical "care" for their noncompliance.
They'll probably have several years to bring themselves into compliance, with a requirement that they document their risk mitigation policies until they are compliant, and if at the end of that time they can't show compliance, then they will risk losing their Medic[are|aid] funding.
Re: (Score:3, Interesting)
Or, as with just about any government regulation, the policy would be enacted and give hospitals X number of months or years to comply with the standards set forth in that policy, or face a loss of Medicare/Medicaid funding.
Here's what will not happen:
12:01 a.m., January 1, 2012: Regulation goes into effect.
12:02 am, January 1, 2012: All non-compliant hospitals cease to receive funding from Medicare and Medicaid, and the feds move in to shut down these illegal dens of medical "care" for their noncompliance.
They'll probably have several years to bring themselves into compliance, with a requirement that they document their risk mitigation policies until they are compliant, and if at the end of that time they can't show compliance, then they will risk losing their Medic[are|aid] funding.
Exactly. What will really happen is this:
12:01 a.m., January 1, 2012: Regulation goes into effect, with deadline of 2015-01-01.
2012-01-01, IT: "We need to get started on this"
2012-01-01, Exec: "We don't have the money yet"
2013-01-01, IT: "We need to get started on this"
2013-01-01, Exec: "We don't have the money yet"
2014-01-01, IT: "We need to get started on this!"
2014-01-01, Exec: "We don't have the money yet"
2014-11-01, Exec: "We need this in two months or we're fscked!! We'll need you to work 168 hour wee
Re: (Score:2)
Re: (Score:3)
Maybe that's how it works at *your* hospital, but not at *mine* (I work in diagnostic imaging, which is under IT at my hospital). At my hospital we've known this was coming for quite some time and have been working towards it. And the Feds have also known it's been coming and have been working with us. Early adopters get big $$$ to help the process. That amount goes down the closer they come to the due date. They start to get penalized once the due date passes, losing more and more $$$ as time goes on,
Re: (Score:2)
Re: (Score:2)
That would cause the hospital to lose the Medicare/caid funding and consequently have to turn away or eject patients that would otherwise get treatment, which would be a huge cost to them.
This assumes that medicare/medicaid patients are, and always will be, your most profitable. If your assumption ever turns out to be wrong...
Re: (Score:3, Insightful)
The problem is that a heavily regulated system like this raises prices, so your only choices become the best healthcare or no healthcare. It's perfectly fine if you have the money for the first option, but not everyone does.
Not to mention that some people would be willing to take the risk to save money. Everything you do in life has a risk, why regulate just that one? There are many cases where I'd be willing to go to a hospital with a crappy wireless network to save some money. I'd think twice about gettin
Re: (Score:3)
The problem is that a heavily regulated system like this raises prices
It also tries to make arguments on blind assertions.
Re: (Score:2)
The problem is that a heavily regulated system like this raises prices
It also tries to make arguments on blind assertions.
So you think things get improved for free then? More rules means more time spent making sure you're following them, and in the case of the healthcare industry, it means paying insane amounts of money for something that's cheap for everyone else (but the cheap version doesn't come with the right certifications).
Re: (Score:2)
So you think things get improved for free then?
So, are you trying to argue that since it costs money to improve X, then if Y is an improved version of X, then Y is necessarily more expensive than X?
Re: (Score:2)
No, I'm saying that if it costs money to improve X, and you require that X be improved, then it will cost money. If Y uses X and isn't a charity, then Y will become more expensive to make up for it.
Re: (Score:2)
The problem is that a heavily regulated system like this raises prices, so your only choices become the best healthcare or no healthcare.
Wait a minute - I thought the original article was referring to hospitals in the USA - so then "best healthcare" is not an option.
"Yay, I got the best healthcare!..." (Score:2)
The problem is that a heavily regulated system like this raises prices, so your only choices become the best healthcare or no healthcare. It's perfectly fine if you have the money for the first option, but not everyone does.
"...Boo, my social security number, credit card number, and license number were stolen due to a poorly-secured network!" And all because a few doctors couldn't take a small paycut to afford the cost of securing their systems.
Not to mention that some people would be willing to take the risk to save money. Everything you do in life has a risk, why regulate just that one? There are many cases where I'd be willing to go to a hospital with a crappy wireless network to save some money.
And why should the contents of my personal health records and financial records be put up for grabs, because you're willing to accept the risk? You act is if it's like the choice to wear or not wear a seatbelt, in which it's your life at stake if your coin comes up tails.
Re: (Score:2, Informative)
The point is that I'm not forcing you to go to my hospital, but with these regulations, you want to force me to go to yours.
Re: (Score:2)
The point is that I'm not forcing you to go to my hospital, but with these regulations, you want to force me to go to yours.
First off, it's not your hospital, it's not my hospital, it's the community's hospital.
Your mental calculus concludes that the cost of securing a network outweighs the risk of a network being compromised. My mental calculus concludes that not only does the degree of the risk necessitate the cost, it also has the benefit of potentially reducing costs associated with identity theft, law suits due to HIPAA violations, and of course, the reputation risk of the hospital and doctors associated with it.
Well clearly you're much smarter than me, so I guess you're right that I shouldn't have choices. I'll just shut up and let you make all of my decisions for me.
Re: (Score:2)
The point is that I'm not forcing you to go to my hospital, but with these regulations, you want to force me to go to yours.
First off, it's not your hospital, it's not my hospital, it's the community's hospital.
Your mental calculus concludes that the cost of securing a network outweighs the risk of a network being compromised. My mental calculus concludes that not only does the degree of the risk necessitate the cost, it also has the benefit of potentially reducing costs associated with identity theft, law suits due to HIPAA violations, and of course, the reputation risk of the hospital and doctors associated with it.
Well clearly you're much smarter than me, so I guess you're right that I shouldn't have choices. I'll just shut up and let you make all of my decisions for me.
How about you shut up because you make shitty arguments? I'd say that's a much better reason.
Re: (Score:2)
How about you shut up because you make shitty arguments? I'd say that's a much better reason.
Of course. We've already established that you're so smart I shouldn't make my own decisions, so I guess it makes sense that I shouldn't argue with you. What confuses me is why that's not illegal yet. I mean, people can still do stupid things (disagreeing with you). You should really suggest a law to fix that.
Re: (Score:2)
How about you shut up because you make shitty arguments? I'd say that's a much better reason.
Of course. We've already established that you're so smart I shouldn't make my own decisions, so I guess it makes sense that I shouldn't argue with you. What confuses me is why that's not illegal yet. I mean, people can still do stupid things (disagreeing with you). You should really suggest a law to fix that.
I don't push for laws to be made, I just give friendly suggestions and hope that fixes the problem. If not, I get over it. You should try it some time, it works really well.
Re: (Score:2)
I don't push for laws to be made, I just give friendly suggestions and hope that fixes the problem. If not, I get over it. You should try it some time, it works really well.
Laws affect other people whether you're friendly about it or not. I'll agree to disagree when you agree to stop forcing your choices on me.
Re: (Score:2)
It's like me saying I want the choice to go to a dirty, unsanitary restaurant or I want to go to a carnival with unsafe rides.
No it's like saying I'd rather eat dirty, unsanitary food than not eat. Or I'd rather live in an old run-down house with no running water than live on the street. Or work a low-paying job rather than none at all. Or I'd rather go to a hospital that's not the best than not have access to healthcare at all.
I'm trying to point out how the rich in society are perfectly happy screwing over the poor in the name of helping them without considering the consequences. When you require that all products be of the high
Re: (Score:2)
It has nothing to do with "being smarter", it comes down to assessing cost vs. risk, and protecting the privacy of patients. Don't get all pissypants with me, just because you haven't been able to articulate why the costs will be just so overbearing, or how the risk is minimal. HIPAA and HITECH weren't enacted out of the blue: history had shown health care records as requiring protection that hospitals weren't providing on their own. If you're even a casual /. reader, you know full-damned well how insecure wireless networks can be; ensuring that hospitals protect these systems is the only means of ensuring HIPAA and HITECH compliance.
And because I know that insecure wireless networks are expensive, I should support government regulations on it? Maybe if our government was competent, but government regulation in the healthcare industry means insane prices on simple equipment ("this is a medical-grade router, only $100,000") and sticking with old technology because upgrading is expensive.
I was trying to talk about the problem in general though. All of these little regulations add up. Maybe spending 100x more for each router isn't a big de
Re: (Score:2, Insightful)
I'm one of those hated libertarian people, and you haven't even begun to explain anything libertarian.
This isn't between life and death, this is just communication between two machines (wireless networking). By confusing the two, you've fallen into the trap of the "do it for the children" crowd.
In this case we have a government that is withholding payments because they haven't inspected a network. Okay, I'm okay with that, except for one thing, this isn't about privacy or security or anything like that. It
Re:Good. (Score:4, Insightful)
According to the TFA, this has killed at least 6 people in the last year, so in this case the communication between two machines was 'life and death'. Or wasn't it?
Re: (Score:2)
According to the TFA, this has killed at least 6 people in the last year, so in this case the communication between two machines was 'life and death'. Or wasn't it?
Bah! Never let the facts get in the way of a good story!
Re: (Score:2)
I'm a little less libertarian than you and I see some potential problems. I don't really have many problems with this being regulated, but I'm a bit uncertain that the FDA is the best agency for this. I typically think that regulation is very similar to encryption. Both can make you much safer if done well, but they aren't done well very often (especially regulation) and end up just being a big inconvenience. Unlike many I genuinely believe that regulation can and should be done properly, which means it
Re: (Score:2)
Perhaps you are unaware that it can take several years and millions of dollars to get a new "medical device" through the FDA?
Perhaps now you can see the possible implications in limiting a hospital's choices of networking devices if the FDA starts to regulate them as medical devices.... not to mention the delays in implementing a new higher bandwidth network when the technology is out there, but no one has put a 10 Gig Ethernet switch through the FDA approval process yet, for examp
No regulation is as bad as way too much (Score:2)
I think you are a troll or a moron or both but what the heck.
I am one of the REALLY HATED libertarians. I am against gov't regulations of everything.
Gov't has 2 jobs:
1. Minimum military.
2. Justice system.
That's it, no exceptions.
Really? You have come up with a solution for how to build an efficient road system? How to keep a financial system functioning in the face of a credit crisis? How to establish a widely accepted private currency? How to build a private fire fighting system? Zoning rules? Education system? How to keep natural monopolies of power, water, and communications from taking every penny you own? You have a solution for the problem of market failure [wikipedia.org]?
Re: (Score:2)
I am one of the REALLY HATED libertarians.
Really hated? No.
Mocked and subsequently ignored? Yes.
not really a surprise... (Score:5, Interesting)
I consulted with a small medical equipment business 5 years ago when they were replacing a DOS based system they bought in 1993 with new software that met all the HIPPA compliance plus their state requirements. It was a pretty big deal back then since 80% of their business was either Medicare or Medicaid. It took about six months to write out all the contingency plans and make sure they were doing proper backups, could restore backups, had secure off-site storage of tapes, etc..
I do remember the big hang up was the fact their database server and terminals had to have an air gap between them and the Internet, or at least that was the easiest and cheapest way to meet the standards they had to, and in fact the only line out was a dial up modem to submit billing to the state. It only took about a month to back up all their records to hard copy (just in case), get the new systems and transfer all the old data to the new system.
It took another five months to write all the damn documentation the government required for their certification/accreditation/inspection or whatever it was they had to pass.
Re: (Score:2)
I consulted with a small medical equipment business 5 years ago when they were replacing a DOS based system they bought in 1993 with new software that met all the HIPPA compliance plus their state requirements.
You're not exactly doing consultants a favor by showing that you can't spell HIPAA [wikipedia.org], you know.
Re:not really a surprise... (Score:5, Interesting)
Believe it or not, there is... I work in a regulated industry and we pay tons of money for software that basically helps us manage the paperwork that says we're doing everything right...
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
You sound just like the delivery guy from the chinese restaurant.
No, he only requests you wear pants on his own behalf.
Re: (Score:2)
it costs a ridiculous amount of money
Re: (Score:2)
So business plan is:
1) write the software
2) sell it for "ridiculous amount of money minus one dollar"
3) profit?!
Appropriate in Hospitals (Score:5, Insightful)
I think that this kind of regulation is appropriate - in certain cases. I think you need to do an FMEA (failure mode effects analysis - basically ask what could go wrong?) and then control your network accordingly.
Modern networking gear is very reliable in terms of transmission accuracy - if you send a packet from A to B and it gets there, it is extremely unlikely that it was modified (unless deliberately). It is not so reliable in terms of guaranteed transmission.
So, if we're talking about a network being used to display a lab test in a doctor's office, I'd argue that there is a pretty low risk of anything going wrong and strong control over the network should be unnecessary (beyond general good security practices that would apply in any business setting).
On the other hand, if we're talking about monitoring equipment, I'd say that control of the network is critical, unless there is some kind of backup for communicating alarms. If an alarm in a patient room is likely to be heard and responded to without the aid of the network, then it is probably important but not critical. If a patient alarm could be ignored if not broadcast over a network, then that network needs to be treated as a life-critical piece of equipment. That means that changes are carefully controlled, and the design has to be fit for purpose. Lives are at stake, and if some cheap router hangs up without a backup of some kind, or if a cable is left detached during maintenance and isn't caught by routine procedure, somebody could die.
The sad thing is that regulations like this are likely to get abused in two different ways (I've seen this happen in other regulated industries):
1. It will be over-applied in areas that are not really at risk, driving up all kinds of costs that consumers end up paying for, and often delaying the introduction of technology that could actually improve care.
2. Because of the huge cost associated with knee-jerk reactions and consultants/etc in #1, administrators will try to skirt the regulation as much as possible, which puts patients at risk in situations where the controls really are appropriate.
In other regulated industries I've actually seen "turn the clock back" responses to regulation - where ancient practices that are grandfathered in get preferred to modern practices that are actually better, but which become more expensive to implement due to the presence of the regulation. In this way regulation can actually harm those it purports to benefit. Unfortunately, it usually is still better than the alternative.
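The post above draws the distinction that matters for alarm traffic: a modern network almost never corrupts a packet that arrives, but it makes no promise that the packet arrives, so a monitoring device whose alarm can go unnoticed when it is not broadcast needs either a life-critical network or a backup alarm path. The simulation below is an added example, not code from the thread or from any medical device vendor, showing the application-layer pieces that turn "delivered packets are correct" into "an undelivered alarm is noticed": sequence numbers so the central station sees gaps, periodic heartbeats so silence is detected, and an acknowledgement deadline after which the bedside device sounds its own local alarm. The lossy link, the device name `bed-12`, the tick-based timings and the drop patterns are all constructed; the return path for acknowledgements is assumed lossless to keep the example short.

```python
"""Alarm delivery over an unreliable link with loss detection and local fallback.

Added example with constructed parameters. Time is a simple tick counter.
"""
from dataclasses import dataclass


@dataclass
class Msg:
    device_id: str
    seq: int
    kind: str        # "alarm", "heartbeat" or "ack"
    payload: str = ""


class LossyLink:
    """Constructed channel: the i-th message sent is lost if i is in `drop`.
    Messages that do arrive are never altered, matching the post's observation."""
    def __init__(self, drop):
        self.drop = set(drop)
        self.sent = 0

    def send(self, msg):
        i, self.sent = self.sent, self.sent + 1
        return None if i in self.drop else msg


class CentralStation:
    """Nurses' station: reports sequence gaps and silence instead of assuming all is well."""
    def __init__(self, heartbeat_timeout):
        self.heartbeat_timeout = heartbeat_timeout
        self.expected_seq = {}   # device -> next sequence number expected
        self.last_seen = {}      # device -> tick of last message
        self.silent = set()
        self.events = []

    def receive(self, msg, now):
        expected = self.expected_seq.get(msg.device_id, 0)
        if msg.seq > expected:   # something between expected and msg.seq never arrived
            self.events.append(f"t={now} GAP {msg.device_id}: lost seq {expected}..{msg.seq - 1}")
        if msg.seq >= expected:  # a late duplicate (seq < expected) is acked but not re-raised
            self.expected_seq[msg.device_id] = msg.seq + 1
            if msg.kind == "alarm":
                self.events.append(f"t={now} ALARM {msg.device_id}: {msg.payload}")
        self.last_seen[msg.device_id] = now
        self.silent.discard(msg.device_id)
        return Msg(msg.device_id, msg.seq, "ack")

    def tick(self, now):
        for dev, seen in self.last_seen.items():
            if now - seen > self.heartbeat_timeout and dev not in self.silent:
                self.silent.add(dev)
                self.events.append(f"t={now} SILENT {dev}: no message for {now - seen} ticks")


class Monitor:
    """Bedside monitor: retransmits an unacknowledged alarm every tick and, once
    `ack_deadline` ticks pass without an ack, sounds its own audible alarm."""
    def __init__(self, device_id, link, ack_deadline, heartbeat_every):
        self.device_id, self.link = device_id, link
        self.ack_deadline, self.heartbeat_every = ack_deadline, heartbeat_every
        self.seq = 0
        self.pending = {}        # seq -> (msg, tick first sent)
        self.local_alarm = False

    def _send(self, msg, station, now):
        delivered = self.link.send(msg)
        if delivered is not None:            # ack return path assumed lossless here
            ack = station.receive(delivered, now)
            self.pending.pop(ack.seq, None)

    def raise_alarm(self, text, station, now):
        msg = Msg(self.device_id, self.seq, "alarm", text)
        self.seq += 1
        self.pending[msg.seq] = (msg, now)
        self._send(msg, station, now)

    def tick(self, station, now):
        for seq, (msg, sent_at) in list(self.pending.items()):
            if now - sent_at >= self.ack_deadline:
                self.pending.pop(seq)
                self.local_alarm = True      # network path failed: backup alarm in the room
            else:
                self._send(msg, station, now)   # retransmit
        if now % self.heartbeat_every == 0:
            hb = Msg(self.device_id, self.seq, "heartbeat")
            self.seq += 1
            self._send(hb, station, now)


def run_scenario(drop, ticks=8):
    """Run one constructed scenario; the alarm is raised at tick 1."""
    station = CentralStation(heartbeat_timeout=3)
    monitor = Monitor("bed-12", LossyLink(drop), ack_deadline=2, heartbeat_every=2)
    for now in range(ticks):
        monitor.tick(station, now)
        if now == 1:
            monitor.raise_alarm("SpO2 low", station, now)
        station.tick(now)
    return station.events, monitor.local_alarm


if __name__ == "__main__":
    for drop in ({1}, {1, 2}, range(3, 20)):
        print(sorted(drop)[:3], "->", run_scenario(drop))
```

Three drop patterns cover the cases the post distinguishes: one lost alarm that a retransmission recovers, an alarm lost twice so the bedside device falls back to its local alarm while the station still learns from the sequence gap that something went missing, and a link that dies after the alarm so the station's heartbeat timeout flags the device as silent rather than quietly healthy.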
Re: (Score:2)
So, if we're talking about a network being used to display a lab test in a doctor's office, I'd argue that there is a pretty low risk of anything going wrong and strong control over the network should be unnecessary (beyond general good security practices that would apply in any business setting).
On the other hand, if we're talking about monitoring equipment, I'd say that control of the network is critical, unless there is some kind of backup for communicating alarms.
The important thing is that somebody has looked at the use and decided that those levels are appropriate. And if it's not documented, it didn't happen.
It will be over-applied in areas that are not really at risk, driving up all kinds of costs that consumers end up paying for, and often delaying the introduction of technology that could actually improve care.
2. Because of the huge cost associated with knee-jerk reactions and consultants/etc in #1, administrators will try to skirt the regulation as much as possible, which puts patients at risk in situations where the controls really are appropriate.
In other regulated industries I've actually seen "turn the clock back" responses to regulation - where ancient practices that are grandfathered in get preferred to modern practices that are actually better, but which become more expensive to implement due to the presence of the regulation. In this way regulation can actually harm those it purports to benefit. Unfortunately, it usually is still better than the alternative.
Essentially, you need a system that requires somebody to do a HAZOP or functional hazard analysis to see what hazards any new system (or reversion to an old system!) presents. If the hazards are negligible then job done. If they aren't then you do full risk assessment and management, but the extent of that will vary according to the severity of risks. That's
Re: (Score:2)
In other regulated industries I've actually seen "turn the clock back" responses to regulation - where ancient practices that are grandfathered in get preferred to modern practices that are actually better, but which become more expensive to implement due to the presence of the regulation. In this way regulation can actually harm those it purports to benefit. Unfortunately, it usually is still better than the alternative.
I work in an ensemble of hospitals for chronic patients that is barely getting into the information age. My experience is that in these last cases regulation is not harming advance, but just reveals the nasty truth behind "the paper way": inadequate communication (that is supplemented through informal channels), inefficiencies, and so on. One of the first fruits of the process of defining our clinical record system is that our directors found out how did really work some of the areas under their "supervisi
Sounds familiar (Score:2)
We can't even patch some of our systems or install an antivirus client on some of our equipment because it is considered a "medical device" and would lose FDA certification.
One proposed solution is to VLAN these devices so we don't have radiology equipment spreading conficker throughout our network . . .
But that makes sense anyway. (Score:4, Insightful)
And that's part of the point. Why would you want your radiology machines on any sort of main network, regardless of whether they can or can't be updated? There's no reason for them to be widely available and the technology to firewall it off is not expensive when compared to the cost of, say, a collection of medical imaging systems that will sit behind it.
Re: (Score:2)
Get over it (Score:2)
I don't want our medical devices on our main network.
Too bad. It's going to be increasingly necessary that they are if you want to really utilize electronic records. That doesn't mean that security is impossible but it is going to be a fact of life. Get over it and worry about how to secure the network.
Re: (Score:2)
Re:But that makes sense anyway. (Score:4, Informative)
And that's part of the point. Why would you want your radiology machines on any sort of main network, regardless of whether they can or can't be updated? There's no reason for them to be widely available and the technology to firewall it off is not expensive when compared to the cost of, say, a collection of medical imaging systems that will sit behind it.
Well, since you ask...
I manage firewalls for several hospital chains. One of the main reasons that their radiology stuff is connected to their main network is that those images are all stored digitally, and need to be available all over the place (doctors' offices, etc., that may or may not be at the physical location of the hospital). Also, most hospitals these days don't have a radiologist sitting around in the ER all night/weekend anymore. They contract with a remote one, so they also have to be able to send those images elsewhere (over a VPN to the imaging service, for example). Often those systems are at least firewalled in a DMZ, but I have yet to see them on a completely separate network (although some clients are making noises in that direction).
Re: (Score:3)
If the scanners are on the network you can...
Hospitals here have some pretty serious rules & policies on Information Governance. If it is properly looked after, we sho
Re: (Score:2)
Re: (Score:2)
That sounds like a description of a secure network. Hopefully, that is what all hospitals do. Sadly, they will not generally be using the most secure operating systems to use it.
Re: (Score:2)
The ability to share data across the world improves medical care. If a local physician can't quite read a scan, the scan can be shared to instantly which improves the overall care the patient receives. That's why you want this stuff on a network.
I work in the medical device industry and none of this is all that new. It's clear that the FDA wants companies it regulates to THINK ABOUT RISK and then show that you've mitigated the relevant risks and can prove that's true. It's not rocket science, and doesn
Re: (Score:3)
Re: (Score:2)
Six words:
I work for the Federal government.
Re: (Score:2)
We can't even patch some of our systems or install an antivirus client on some of our equipment because it is considered a "medical device" and would lose FDA certification.
If it really is safety-of-life equipment there should be no way for a virus to get in, and that should be documented. If folks are connecting to the net or installing pirated games on safety-of-life equipment, the problem is not that you can't install an antivirus client. And as for patching the systems, if you can show that the patches are developed to FDA standards, you can patch them. If you can't, you shouldn't even be considering it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Why does the radiology equipment need to be given access to the internet anyway such that it would ever get infected by conficker?
So they can update the bugs in the software, as required by the FDA. Even if there are no known bugs, what if they later discovered the billionth patient would get irradiated to a crisp? They need to prove to the FDA they could theoretically deploy a patch.
Also some very expensive embedded hardware (not exclusively medical) phones diagnostic data home for troubleshooting. You're not going to print out a one million line trace file, are you?
Radiology (Score:2)
Why does the radiology equipment need to be given access to the internet anyway such that it would ever get infected by conficker?
Because a lot of radiology is done on computers (film is going away for the same reasons you don't use a film camera anymore) and the data is often read remotely, sometimes not even in the same state. Unless you have a plan to somehow come up with a secure parallel internet that doesn't cost trillions of dollars, it is necessary to use the internet to transmit data. Sneakernet is not really an option, nor is walling everything off completely from the internet. You also might want to be able to put the ra
What is the word then.. (Score:2)
If something is not exactly voluntary and yet called voluntary, what is the real word for that? And I don't mean non-voluntary. What is a word for something that is voluntary, but not 100%? I.e. there are consequences if you don't. Because then it isn't "completely" voluntary.
Re: (Score:2)
Mandatory (Score:2)
People are bound to disagree with me, but I'd say "mandatory". It has been mandated that non-compliance has consequences. The word is usually used as a strict synonym for compulsory, but that's overstepping.
In other words, you're not being compelled to comply, but consequences have been mandated. If you would say that you are being compelled, then you could not say that it is voluntary.
Re: (Score:2)
If something is not exactly voluntary and yet called voluntary, what is the real word for that?
I believe it's called extortion. At least when anyone besides the federal government does it.
Re: (Score:2)
Coercion - the use of express or implied threats of violence or reprisal (as discharge from employment) or other intimidating behavior that puts a person in immediate fear of the consequences in order to compel that person to act against his or her will
FDA vs FCC? (Score:2)
Can the FDA regulate wireless networks? Just because the network is in a hospital?
I don't disagree that they should be as secure as possible due to the sensitive nature of the data.
ISO8001:1 2010 (Score:2)
not just encryption, what about rf? (Score:2)
Perhaps... (Score:2)
It might be a good idea not to connect life-support and -monitoring equipment to the Internet? Even an internal network is a poor idea.
These infrastructures can't handle flawless transmission of the NORMAL data that isn't life-critical, so I sure as hell don't trust it to tell a doctor in any timely or reliable fashion if my heart rate drops or my O2 sats are off so they can come help. Perhaps a separate, dedicated system is in order? You could possibly use most of the same type of infrastructure components
make a law forcing the right to install updates / (Score:2)
Make a law forcing the right to install updates / antivirus on 3rd-party systems / hardware / PCs hooked up to printers, medical devices and more. Forcing as in they can't void the warranty or force you to have their own tech come in to do the Windows updates; no, they must give you the passwords so you can use your own techs to do the work.
Re: (Score:2)
Depends on who you are. If you have a warehouse full of $1000 commercial APs and a box full of "Medical Grade / FDA certified" stickers in your desk drawer - it looks like you'll be retiring early!
Re: (Score:3)