Securely Linking Medical Device Data

Partners HealthCare Integrates Remote Monitoring Data into EHRs
Securely Linking Medical Device Data

As Partners HealthCare expands the capabilities of its remote monitoring of patients with chronic illnesses, it's taking steps to safeguard that data while providing clinicians and patients with secure, convenient access to it.

See Also: Demonstrating HIPAA Compliance

Partners, a Boston-based integrated delivery system with a variety of facilities, including Massachusetts General and Brigham and Women's hospitals, recently began linking its remote monitoring database - which collects data from patients' home-based medical devices and sensors - with its electronic health records. That enables physicians to view patient readings, such as glucose levels of diabetics, while accessing other information in the EHR.

"The security aspects of this are probably not different from any other conversations going on... about how to deal with patient-derived data in general," says Joseph Kvedar, M.D., founder and director of the Center for Connected Health, Partner's telehealth division that's leading the remote monitoring initiative.

"Healthcare organizations are doing patient-reported outcome measures, they're doing survey data, they're having people log in to patient portals and doing things with mobile devices," he says. All these efforts "bring on security risks, and this [remote monitoring] is no different than the others: It needs to be dealt with, but is a solvable problem."

To address security, Partners is taking several steps, including using encryption when transmitting the data and ensuring that medical devices are matched to the correct patients' records.

Making greater use of data from patients' remote monitoring devices is a growing trend, says Dale Nordenberg, M.D., executive director the of Medical Device Innovation, Safety and Security Consortium. "There is big push in this arena. Companies are building hubs to collect device and sensor data and then send it to the cloud for analytical or clinical use," he says. "Integrating this data into the EHR itself is still in the very early stages."

An Evolving Effort

The work to collect data from home medical devices and then get that information into the hands of Partners' clinicians has been going on for nearly a decade, Kvedar explains. Initially, Partners began collecting remote monitoring device data from patients with heart failure, high blood pressure and diabetes.

Originally, the data was collected in three separate databases, which didn't easily allow clinicians to see the bigger picture of patients suffering from more than one of those conditions, Kvedar says. So Partners worked closely with the vendors of the medical devices to integrate the patients' vital signs collected from any of the monitoring equipment into one database.

This improved the ability of clinicians to view - and to successfully identify - abnormalities and act on the data by offering faster intervention for patients experiencing problems.

Partners began to see impressive results shortly after launching the remote monitoring effort. For instance, for patients remotely monitored, 69 percent of those with hypertension experienced a drop in blood pressure, heart failure patients had a 50 percent decrease in hospital readmissions, and diabetic patients had a 1.5 percent drop in A1C glucose levels, Kvedar says.

Based on those results, Partners decided to ramp up the project. But first, the data in that single remote monitoring database needed better integration, Kvedar says. "The feedback we got from clinicians was, 'this is great, it makes sense ... but it needs to be better integrated into our workflow."

So Partners began building out "service calls" that allow various clinical applications to display the home monitoring data. "The most meaningful applications [for this remote monitoring data] was our electronic health record and patient portal," he says.

Recently, Partners completed a project that enables data from the remote monitoring database to show up as a flow-sheet in the EHR, he says.

"We've provided a clinical case and a business case that we can [use] this tool to succeed in a world of care management," he says. That business case is becoming increasingly important under healthcare reform, including new accountable care organizations for which reimbursement is based on successful care coordination and better patient outcomes.

Securing Data

Partners HealthCare and the device makers have taken several steps to secure the data, Kvedar says.

For starters, each device is individually mapped to patients before they get it. This involves pairing the serial number of the device with the medical record number of the patient, so that the readings from the monitoring are integrated into the correct patient record.

Typically, the data that's generated by the devices - whether it's a blood pressure cuff, weight scale, glucose meter or other instrument - is sent via a cellular end-to-end network to a hub server of the medical device maker. Data feeds are then transmitted to Partners' remote monitoring database behind its firewall, which currently stores 1.2 million vital signs from thousands of patients. The readings in the database are now viewable via clinical applications, including Partner's EHR, as well as the patient portal.

All the data transmissions are encrypted using secure transport, says Robert Havasy, a project specialist and operations manager at Partner's Center for Connected Health. "We have used a variety of protocols and methods for the WAN link over the years, not just SSL," he says. "In the past, we have received data via dedicated VPN connections using IPSec or L2TP/IPSec, and even as SMTP e-mail with payloads, or attachments encrypted via private keys."

Having the remote monitoring data protected behind Partner's firewall boosts security and provides more opportunities to allow more clinicians to securely access the data for use with other applications, Kvedar says.

Medical device vendors are responsible for addressing malware if any issues are discovered, Kvedar says. Typically, sensors, such as blood pressure cuffs and weight scales, do not need upgrades, but when they do, such firmware upgrades are handled by the vendors, he says.

For certain "hub devices," such as the HealthPal remote monitoring offering of MedApps, which was recently acquired by Alere, and Qualcomm's 2Net hub, "we can apply patches ... according to manufacturers specification, via the cellular network," Kvedar says.

If a physician or other clinician discovers a patient reading that's cause for concern, they can intervene by communicating with the patient over a secure patient portal, "or in most cases, they pick up the phone," he says.

Patients can also view their readings securely through the portal, he says. "They can read the sensors when they take the readings, but [via the portal] the data is trended for them," he says. "This gives them some sense of how their lifestyles affect their health. It keeps their health top of mind."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.