Medical Devices and FDA Compliance

By segmenting medical devices, hospitals can optimize their network for performance and security

Wi-Fi is fast becoming the preferred method to connect medical devices in the hospital. The Wi-Fi Alliance reports that 71% of all global mobile communication is happening over Wi-Fi – a trend that will continue to increase. In 2013, $1.3 billion was spent on mobile health technologies, a number that is predicted to grow to $10.2 billion by 2018. As the shift from wired to wireless medical devices continues to increase exponentially, hospitals will be challenged to integrate these different devices. Hospitals will need to look at the network architecture in terms of bandwidth requirements, capacity and latency to deliver a secure, high-quality user experience while ensuring that mission-critical medical devices are working properly.

To help hospitals keep up with the growing congestion of medical devices and applications on the network, the FDA has released guidelines for hospitals to follow to enable them to better protect devices on the network. As more medical devices are added, it will no longer be acceptable to simply make all medical devices part of a dedicated network. Medical devices will need to be isolated from each other in order to reduce the risk of unauthorized access or the misconfiguration of one medical device type impacting others. By using Extreme Networks policy management to segment devices by manufacturer and type, hospitals can optimize the network for performance and security around them with minimal intervention.

Background

With the rapid adoption of Wi-Fi by medical device manufacturers, many hospital IT departments now find themselves supporting medical devices such as IV pumps, blood gas analyzers, telemetry systems, mobile X-ray machines, ultrasound units, hemodialysis devices and glucose meters on their wireless local area networks.

As more medical devices are added, the strategy that organizations used during initial rollouts five years ago is no longer adequate. For example, a common approach was to make all medical devices part of a dedicated network, physical or virtual. The theory at the time was that these devices were being protected from outside performance and security risks, but that hasn’t always been the case. Over the years, hospitals have experienced challenges supporting wireless medical devices from multiple manufacturers of a single medical device on their virtual network because of:

  • Inability of legacy wireless medical devices to support latest authentication and encryption systems.
  • Unique network configurations to accommodate the devices such as network quality of service parameters or security settings.
  • Limiting access to a shared wireless password.
  • A variety of medical devices on the same network, running the risk of negatively influencing each other.

New FDA Guidelines for On-Boarding Medical Devices

Aware of these growing challenges, the U.S. Food and Drug Administration recently released an advisory highlighting the current risks of medical devices on hospital networks along with the following basic recommendations for hospitals:

  • Restrict unauthorized access to networks and medical devices, and track network activity.
  • Update antivirus and firewall efforts, as well as security patches.
  • Create and evaluate strategies for maintaining functionality during an adverse event.

For many IT departments, medical device support is new territory. Best practices formerly included placing all medical devices on a single VLAN protected by a firewall. However, this process is outdated due to a number of factors including:

  • Failure to restrict and track internal access by employees, contractors and manufacturer maintenance personnel.
  • Risk of misconfiguration of one medical device type impacting others.

Best Practices for Integrating Wireless Medical Devices

To address these risks and issues, many IT departments are segmenting wireless medical devices onto dedicated VLANs or service set identifiers (SSIDs) based on their authentication and encryption requirements. In the long term, this approach is not scalable because provider organizations may find themselves trapped into adding dozens of independent networks, which add significant management traffic and system complexity. With the exponential growth in the number of wireless medical devices, it is becoming crucial to keep traffic management to a minimum.

The approach of using a large number of wireless access points to address the growing device numbers is also no longer sufficient to accommodate the onslaught of devices. Sometimes less is more, and too many access points can lead to poor overall performance of the network.

Another challenge for IT departments is that the next-generation medical devices are often measurement devices that integrate with smartphone applications. The shared functionality of the smartphones is forcing IT administrators to focus on the applications in addition to the networks for quality of service and security.

To address these challenges, the necessary approach is a combination of technology as well as operational changes. Using this process is a way to ensure that the right types of devices are selected going forward and that support processes are addressed before use. From an operational standpoint, the following practices are recommended:

  • Start with an audit of wireless medical devices in the environment. It’s crucial to first understand what is already operating in your organization.
  • IT and clinical engineering departments should collaborate closely to determine policies and support of wireless devices.
  • Use of a formal evaluation/certification process to vet every device before it is brought into the network.

A Case Study: Henry Ford Health System

The Association of Advancement of Medicine (AAMI) developed a framework for risk management when dealing with wired/wireless medical devices, called 80001. Henry Ford Health System set up their own certification and on-boarding process for which they have received several awards. The process entails:

  • Testing devices from a technical perspective and disclosing everything you find.
  • Working with departments to find out if the device works with the current workflow.
  • Understanding how to support the device and who is responsible if something breaks.
  • Putting a formal device procurement process in place.

The process was launched in 2012 with much success and now HFHS can keep a close eye on all of their Wi-Fi medical devices, which saw growth from 100 mobile Wi-Fi medical devices in 2006 to 2,900 by the end of 2014.

Conclusion

Healthcare networks and devices are becoming significantly more complex, presenting a growing challenge for the IT staff supporting them. Rather than thinking in terms of device counts and bandwidth, now is the time to reassess an organization’s approach to medical device support and how best to apply business intelligence to the network.

Extreme Networks NAC and Purview solutions allow hospitals to meet the FDA guidelines by isolating medical devices by vendor, type and application requirements, allowing centralized management for access and auditing, and leveraging Purview for performance and analytical data.

For Additional Information

Interframe Technology Solutions, Detroit MI