March 4, 2005
The Honorable Michael O. Leavitt
Secretary
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201
Dear Secretary Leavitt:
As part of its responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the National Committee on Vital and Health Statistics (NCVHS) monitors the implementation of the Administrative Simplification Provisions of HIPAA, including the Security Standard for Electronic Protected Health Information (Security Rule). The Subcommittee on Privacy and Confidentiality of the NCVHS held hearings in Washington, D.C., on November 19, 2004. Because much medical equipment in use today either stores protected health information (PHI) or connects to a network with other systems that store PHI, such medical equipment needs to comply with the Security Rule. In addition, computer errors, resulting either from a computer virus or from a provider inappropriately performing a software update, may cause medical equipment or devices to malfunction, potentially resulting in patient harm. Therefore, NCVHS held hearings to gather information about the effect of the Security Rule on medical devices.
At the hearings, we heard testimony from the Veterans Health Administration (VHA) and the Food and Drug Administration (FDA), as well as from various manufacturers of FDA-regulated software and medical devices. We also received written comments from an individual representing various medical device industry groups.
The witnesses indicated that there are a wide variety of challenges associated with bringing medical devices into compliance with the Security Rule, as well as with providing effective security. The witnesses' testimony centered on two main themes:
One witness representing the VHA testified that the Security Rule has been perceived as a barrier to the continued use of certain medical equipment. Where medical equipment needs to be modified to comply with the Security Rule, the providers must often wait for the manufacturer to provide the appropriate updates.
Another witness representing the FDA stated that the FDA's primary focus has historically been the safe and effective use of medical devices, and therefore the FDA has not evaluated security in approving the use of a medical device. The witness further indicated that it is the responsibility of the medical device manufacturers to design their devices to enable covered entities to comply with the Security Rule. Subsequent to the hearings, the FDA issued a guidance document titled "Guidance for Industry - Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software" (see http://www.fda.gov/cdrh/comp/guidance/1553.html).
A number of witnesses recommended that a process be developed to allow manufacturers to post Security Rule information for their medical devices. The witnesses cited an initiative by the Healthcare Information Management and Systems Society (HIMSS) Medical Device Security Work Group. The work group proposed that the industry adopt the use of a "Manufacturers Disclosure for Medical Device Security" (MDS2) form. The MDS2 form is a vehicle for medical device manufacturers to report the capabilities of their medical devices consistent with the Security Rule. While there was no consensus whether the HIMSS MDS2 form was suitable for use, in concept it appears that this approach would be of great value to providers.
Based on the oral and written testimony, NCVHS recommends the following:
We appreciate the opportunity to offer these comments and recommendations.
Sincerely,
/s/
Simon P. Cohn, M.D. M.P.H.
Chairman, National Committee on Vital and Health Statistics
Cc: HHS Data Council Co-Chairs