In-Person Direct Access Provides Additional Information

An in-person on-site discovery will allow you to view what the EMR notes look like at different points in time, and gain access to inactive or deleted records. Check out this blog to learn more!


In-person direct access is what is often required to be able to get a complete view of what happened, because some of the data doesn’t show when you’re just looking at the produced printed charts. Such missing items may include: routing history, what the notes look like at different points in time, access to inactive or deleted records, and communications. Below is a screenshot from a popular Health Information System, Epic.

EPIC

Epic Notes View

So this is Epic and here you see the notes view and when you’re entering into the system, there’s routing which can give you additional detail about what happened in terms of the routing of the notes. You have a note time, a filed time, and a note time. In this case, all these records with exception of this one down here, the 10:04 AM note time was filed 15 minutes later. So it’s important to have both date and timestamps because sometimes, the file times are many days after discharge or nowhere contemporaneously to the events and that’s important if notes are being entered into this EMR days after something awful happened, you really want to know when those notes were filed. If they’re filed long after things went wrong, oftentimes, that suggests that fabrication of the EMR took place. You can see here, here’s some of the routing, it allows for you to specify different recipients and so knowing that routing of information, that’s important because it’s not always evident when you’re looking at the chart. Here’s an example of adding a note and you can see here, there’s the ability to copy and paste different notations. The date and time on these notes when you first go to create a note, default to the current computer’s clock time but it’s totally possible to change the date and time to put it back in time by dates or hours and that information is relevant. Here’s an example of the Cerner notes. Again, Cerner allows the user to change the date to something other than the current date and time. And it still stores, again, the creation time of that note, even if the note purports to be days earlier. And there are also different filters here, when you’re looking at the EMR with power notes on Cerner, there are different filters, such as my notes only, there’s inactive, active, and so on.

Watch other videos making up this 4 part series, Unlocking the EMR Audit Trail.

Part 1 of 4: “The Keys to Unlocking Electronic Medical Records”
https://enigmaforensics.com/blog/keys-to-unlocking-the-emr-audit-trails-electronic-medical-records/
Part 2 of 4: “HIPAA”
https://enigmaforensics.com/blog/health-insurance-portability-and-accountability-act-of-1996-hipaa/
Part 3 of 4: “Navigating to Trial or Settlement”
https://enigmaforensics.com/blog/navigating-to-trial-or-settlement/
Part 4 of 4: “In-Person Direct Access”
https://enigmaforensics.com/blog/in-person-direct-access-provides-additional-information/

Medical Device Security Challenges

Behind lifesaving medical devices are Cyber Experts hard at work to secure and protect Patient Health Information (PHI). Check out this video on securing medical devices.

Cutting edge medical devices save lives! Not only do they save lives but they carry a vector of complicated communications and a unique set of security challenges. Cyber Security Expert Lee Neubecker, sits down with Sterling Medical Device’s top engineer, Keith Handler who develops cyber protection and security for their client’s medical devices.

Sterling Medical Devices helps companies design and develop mechanical & electronic medical devices and follows them through FDA approval. The conversation is educational and important to those interested in knowing how medical devices are cyber protected and secured. In this video, they outline the concerns that relate to the control, security, and confidentiality of the patient’s health information (PHI) when using these medical devices.

The transcript of Part 1 of our Series in Medical Device Security

Lee Neubecker: Hi, I have Kieth Handler here on my show from Sterling Medical Devices. Keith is a top engineer here that helps ensure cybersecurity and resilience and protection of medical devices of their clients. They help assist through the FDA certification process. Keith, thank you, thank you for being on my show.

Keith Handler: Thanks for having me, Lee.

LN: So can you tell me a little bit about what your firm does and how it helps clients in cybersphere?

KH: Yeah, sure. Sterling Medical Devices is a 13485 certified product development firm. We help various companies design and develop electro-mechanical medical devices. Pretty much from, anything from concept all the way to submission to the FDA.

LN: So, can you tell everyone what, ISO…?

KH: 13485?

LN: 13485 Certification means?

KH: Yes that is, that is the ISO standard that defines the product development and manufacture of medical devices. It defines all the processes that we generally run our business by.

LN: Okay, so what are some of the concerns that you have as it relates to the patient personalized information, sometimes known as PHI? Is that right?

KH: Yeah, patient help information, that’s correct. Well, you know, our first concern, of course, with any medical device is safe. We want to make sure that the devices are treating patients as intended and not presenting any undue harm to the patient or anybody else. The second thing is the Patient Help Information. It’s very important that we maintain confidentiality for all patients, in any of these systems. Diagnostics, their personal information, all need to be protected.

LN: These devices, they have PHI, they also have, they also are involved with the generation of electronic medical records, known as EMR, that feed into the various hospital systems that are used to provide and deliver healthcare to users. As it relates to this, what are some of the top concerns that you try to address as it pertains to safety for your clients?

KH: Well, when it comes to information or command and control that can be done remotely on a device, it’s again important to maintain the integrity of those communications, and to protect everything there. One of the hardest aspects, I would say, is integrating a medical device into a larger hospital system. We may have control over the confidentiality of the information, and of the commands that are sent and received within a device, but as soon as we connect to an external system we lose control of that data. So, it becomes a unique challenge to try and make sure we are protecting, and not only in our system but also in any system ours might integrate with.

LN: Yeah, and there’s such a myriad of ways devices connect, Bluetooth, wifi–

KH: Yes.

LN: I’m not sure if medical devices use infrared or–

KH: Yes.

LN: Near band communication, but there are all these vectors of communication that create new threats and potentials for compromise.

KH: And typically medical hardware is pretty cutting edge, you know, some of the things that they’re trying to treat now still can’t. So all of these things that you’re bringing up, all exist in medical, all need to be protected.

LN: Great, so in our next segment we’ll be talking a little bit more about the FDA, the certification process, and some of the standards that devices might undergo to help ensure adoption by the FDA, and to make them commercially viable to be sold in the United States. And then, in our third segment, we’ll talk more about protecting devices against cyber compromise, the firmware and software that gets embedded into these devices, and other things that should be done to help keep medical devices safe and secure. Thanks for being on the show today.

KH: Thanks again for having me, Lee.

Related Materials on Medical Malpractice

Forensic Imaging

See more about Sterling Medical Devices on their website.

https://sterlingmedicaldevices.com/

See other related websites for more information about Medical Device security.

FDA ISO Standards

https://www.iso.org/standards.html

FDA Medical Device Cybersecurity Guidelines

https://www.fda.gov/medical-devices/digital-health/cybersecurity