From the December 2015 issue of HealthCare Business News magazine
By Chris Bowen
Software-powered medical devices play an increasingly central role in patient care.
For many of the software applications that run on these devices, FDA classification is, or will soon become, a mandate — and vendors that get ahead of this now will be better positioned than those that have to rush to catch up. That said, the requirements may not be easy for many vendors. Even to achieve FDA Class 1 tier reserved for low-risk devices and applications, requirements include annual registration with the FDA, careful product labeling and use of marketing language, and a number of security and privacy mandates. These last two areas may trip vendors up who have never before encountered the many layers required to protect the personal health data that will pass through their apps. It’s a significant undertaking that will sidetrack — and ultimately sideline — the unprepared vendor. The good news is that an application designed to comply with the HIPAA Security and Privacy Rule has a notable head start for some FDA Class 1 domains. This, in turn, can be accomplished to a great extent by hosting your application within a health care-exclusive, HIPAA-compliant data center.
Access to managed services at a manageable operating expense
Quest Imaging Solutions provides all major brands of surgical c-arms (new and refurbished) and carries a large inventory for purchase or rent. With over 20 years in the medical equipment business we can help you fulfill your equipment needs
Many health care organizations and the vendors who serve them are turning to “cloud” managed services partners for a broad set of security and privacy services. These services are typically delivered within a top-tier data center, by professionals in health care IT security and privacy. The many services they offer can span from an initial risk assessment of the current IT infrastructure that houses your applications, to privacy impact and software development life cycle assessments, to ongoing, managed hosting of this infrastructure within a cloud environment that exceeds HIPAA, GAPP and other security and privacy controls.
Note that the investment in this fortress-like environment was made by someone else. All of its capabilities and assets, from data hosting to professional IT expertise, is available on a pay-as-you-go model, much like a monthly utility bill. In other words, vendors pay only for what they need. In the case of making medical software secure and private to FDA and HIPAA standards, this can include services where there is considerable overlap between the two sets of controls.
Both FDA Class 1 and HIPAA address configuration management, for example, which assures (among other responsibilities) that vendor-supplied credentials are changed to unique passwords. This is routine work for managed data services experts, who can also facilitate other change-driven activities, such as a secure transition of valuable data to new systems and integration of multiple databases. Monitoring and physical environmental security are another two areas where FDA Class 1 and HIPAA converge. Managed data services in the cloud can include real-time monitoring, intrusion detection and prevention, data encryption and regular scans to detect new compliance risks. As for physical security, few commercial buildings are more secure in these modern times than a top-tier data center, from perimeter security to biometric authentication requirements for internal staff.