
VA OIG Report Highlights Risk of Medical Device Workarounds

A recent inspection of a California VA medical center by the Department of Veteran Affairs Office of Inspector General (VA OIG) has revealed security vulnerabilities related to medical device workarounds and multiple areas of non-adherence with Veterans Health Administration (VHA) and VA policies.

Tibor Rubin VA Medical Center in Long Beach, California was inspected by the VA OIG after VHA and VA privacy and security policy violations were identified during an unrelated investigation.

The auditors identified inappropriate staff workarounds for transferring and integrating information from patient medical devices into the medical center’s EHR system. The auditors also found two potential breaches of patient information while performing the inspection.

The medical center had no interface between VHA medical devices and its EHR system, which forced staff to resort to inappropriate workarounds. Biomedical engineering and IT assistance had not fully resolved the software interface issues between the VHA medical devices and the EHR, and facility staff were using unapproved communication methods that risked the accidental disclosure of sensitive patient information.


Inspectors discovered that 9 out of 12 medical devices lacked an interface with the EHR system, including a high-resolution esophageal manometry (HRM) device. The interface with the VHA EHR stopped functioning when the medical center upgraded from Windows XP to Windows 7 in 2013. Biomedical engineering and IT had provided assistance when the problems were first experienced, but additional software interface issues remained unaddressed.

The gastroenterology (GI) provider told the inspectors that the facility’s biomedical engineering and IT departments were involved in the decision to continue using the equipment even though there was no working interface. The GI provider developed two workarounds that were not in line with VHA and VA policies covering sensitive personal information. Those workarounds placed patient information at risk of exposure.

Those methods involved the use of the GI provider’s personal computer and the transfer of sensitive information via unencrypted email, the cloud, and a non-VA-issued unencrypted flash drive. Staff in the GI laboratory, pulmonary/sleep laboratory, and neurology departments had also developed workarounds as a result of interface issues following the operating system upgrade.

Staff were aware of the importance of patient privacy and of securing patient information, and one staff member ensured that information was only sent via secure, encrypted email. However, other staff members sent patient information from personal email accounts, from unsecured devices, and via SMS text messages.

VA OIG found that 99% of the emails sent from the GI provider’s email account contained sensitive patient information, as did 91.7% of the SMS text messages sent to staff. Inpatient and nursing staff were also found to be using non-secure methods of communicating patient information. The medical center was also found to be still using logbooks to record equipment taken home by staff, which is against VHA policy.

The report involved one VA medical center, but the findings are not surprising. Similar problems are experienced by many healthcare providers, which also use workarounds to solve software compatibility issues, even though those workarounds can introduce considerable risk.

The VA OIG has made several recommendations on how the medical center can correct the violations and improve security. Those recommendations include taking steps to ensure that staff members only use secure methods to communicate patient information, and that the medical center director conduct a review of the communication processes between staff and IT/biomedical engineering and take action to address the interface issues and improve communication. The medical center is currently in the process of implementing those recommendations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.