Steven Zhang
ENLC 556 Management of Health Care System Quality Outcomes and Patient Safety
We live in a world in which constant connectivity and instant feedback are the norm.
Work, entertainment, and even healthcare can now be done from the comfort of your own home. In
fact, home health care is one of the fastest growing healthcare sectors in the United States.
According to Business Insider, “the U.S. home healthcare market is projected to grow about 7%
annually from $103 billion in 2018 to $173 billion by 2026—outpacing growth in all other care
types” (Business Insider). As such, the use of remote patient monitoring tech, telehealth, and
various medical devices associated with home healthcare is expected to grow with it. As the
number of medical devices used in the home setting increases, so do the risks associated with
its unique challenges. According to ECRI Institute’s special report on the top 10 health technology
hazards for 2020, some unique cybersecurity risks are “the reliability and dependability of the
home network—which health care providers cannot control” (ECRI Institute, 2020), physical
access to the device, since it is no longer within medical offices or hospitals, and the patient’s
level of proficiency in using said medical devices correctly and safely (ECRI Institute,
2020). These three challenges will require healthcare cybersecurity experts to design robust
systems and processes that ensure continuous connectivity between the patient and healthcare
providers, provide proper security to prevent protected healthcare information (PHI) from being
stolen, and offer ease of use for nonmedically trained patients and aides.
The implications of these challenges are that no standardized cybersecurity playbook for
It is important to explore this topic because there are two major risks associated with
1. Any delays and stoppage in connectivity between home care patients and their primary
care physicians can result in misdiagnosis and delay in care, which could complicate and
2. Stolen PHI data can lead to loss of trust, stolen identity, and possible financial losses.
The goal of this paper is to provide healthcare organizations a high-level overview of the
risks associated with home health and what policies and technology can address reduce
Literature Review
A total of five articles were selected to begin my research into cybersecurity in a home
health setting. Each article discusses the importance of protecting medical devices used by health
care organizations from criminals who will endanger both patient safety and their electronic
protected health information. Each article acknowledges that health care organizations are slow
compared to other industries in protecting their devices from cyber criminals, and that the best way to
protect medical devices is to design devices with cybersecurity in mind. All of the authors
argued that healthcare organizations, the federal government, and medical device manufacturers need to
collaborate to build a system that will proactively address the ever-changing cyber threats.
Wong explored the need for increased cybersecurity protection in medical devices in a health
care organization. The authors proposed a systematic approach, noting that “an effective device
management plan also starts at the procurement stage” (Cornado & Wong), and that creating a
standard operating procedure for cybersecurity events is necessary to relay information. Methodist
CYBERSECURITY RISKS IN HOME HEALTHCARE 4
when risk assessment, mitigation, and continual management improve patient physical safety and
The article Privacy by Design and Cybersecurity for Safe, Effective and Reliable Home
Health Care for Aging in Place (Fournier, Molyneaux, Kondratova, & Ali) explores how
advancements in modern medical technology can deliver safe, effective, and reliable home
health care for senior citizens. It goes on to explore how remote monitoring can help seniors live
more independent lives in their own homes. The technology reviewed in this article is a
telehealth application for Android-based cell phones. The authors’ argument is that cybersecurity of
medical devices designed for home health should be a proactive event, not a reactive one. This
article highlights seven software design areas for medical device manufacturers.
Kramer and Fu’s Cybersecurity Concerns and Medical Devices: Lessons from a
Pacemaker Advisory serves as a warning to the potential dangers of cybersecurity for home
health medical devices. In 2016, there was an alert of a potential vulnerability of the wireless
capabilities of pacemakers that are already implanted into patients’ bodies. Although no patient
suffered harm from this vulnerability, the potentiality of pacemakers being hacked highlights the
potential dangers of not only but the entire medical devices industry. The need for healthcare
organizations, federal government, and medical device manufacturers will need to collaborate and
rate.
Multifaceted Problem (Williams & Woodward), the authors explored in depth the challenges
associated with addressing cybersecurity concerns in medical devices. The goal is to find the
balance between patient safety and PHI protection. The article explains that current federal
regulation is not enough to ensure proper protection of patients’ safety and their PHI.
It explores the current state of medical devices and recent attacks, and the current
relationship between manufacturers and federal regulations. It explores the value of PHI to cyber
criminals and their motivations, and where vulnerabilities are within the current generation of
medical devices. Ultimately, the authors’ main argument is that addressing cybersecurity of
medical devices requires a “coordinated proactive approach that includes standard cybersecurity
assessment and control, together with specific medical device data and workflow consideration”
Frederick, Jacobson, & Monticone) is an in-depth exploration of the current state of malicious
cybersecurity tactics, identifying possible countermeasures to guard and protect sensitive patient
safety and electronic protected health information inside medical devices. A team of researchers
learned that the healthcare industry lags other industries in data protection. Thus, medical
cybersecurity is becoming a prime target for criminals unless actions are taken to ensure proper
Identified Solution
cybersecurity technology intended for home use. Due to the complexity of healthcare
cybersecurity, which involves compliance with the federal government (Health Insurance
Portability and Accountability Act, Health Information Technology for Economic and Clinical
Health Act, and the Federal Drug Administration), medical device manufacturers, healthcare
foundation for medical device companies to build upon. Without this proactive collaborative
system, medical devices will continue to be a prime target for cyber criminals that will steal vital
professionals, healthcare organizations, and the government need to work together to build new
unified regulatory standards for medical devices. The complexity of medical devices used in the
concerns.
groups and work independently of each other. Each stakeholder (clinicians who monitor the
machines, IT and network specialists who ensure connectivity, cybersecurity experts who
protect the data, government who sets certain regulations, and the patients that use the devices)
creates ad hoc relations with medical device companies to build machines that meet their own
specific needs. Due to the vast differences among stakeholders, a meaningful holistic
collaboration is needed to build a multifaceted process to mediate system to protect patient safety
and ePHI.
Once established, specific new policies can be created at the national level to create a
baseline protection for all medical device companies to follow. The current trend of technical
advances is outpacing the FDA’s ability to keep up, and thus a more aggressive plan is needed to
ensure that manufacturers have up-to-date and specific requirements for medical companies to
follow.
A standardized system of feedback and notification is needed for medical devices so the
information can flow quickly to this new team. Once the report is analyzed, cohesive feedback
Auditing is another aspect of cybersecurity that needs to be standardized and agreed upon
by the government, medical device companies, and health care organizations. Auditing is
to ensure agreements about rules are being followed and the highest level of care is given to
The creation of this cybersecurity medical devices taskforce will improve safety and trust
of patients who use home health services. This multifaceted approach in developing
cybersecurity measures will ensure a holistic mitigation of cybersecurity risk for medical
devices. Thus, patients and clinicians can have peace of mind knowing medical devices that
meet these requirements are safe and protected from cyberattacks. Whether at the hospital or at
home, patients can be assured that medical devices in any hospital or home environment will
A Failure Mode Effects Analysis is a tool used to measure possible failure points within a
flow chart process. The likelihood of occurrence, likelihood of detection, and severity are measured to create a
risk profile number, which is then used to determine which issues to address first.
Quality Measure
The quality outcome that will be measured is the reduction in the number of cybersecurity
breaches related to medical devices. The creation of a unified set of federal cybersecurity
regulations/standards will make it easier for companies to follow. The program team that leads the
cybersecurity taskforce will oversee measuring the quality outcome of their solution.
capture the current state of cybersecurity in the home health setting. This is done to create a baseline
to measure the effects of the new streamlined regulations, to see whether they made a positive or negative
impact. The benchmarking process will allow team members to collect data from the past 20
years and record all successful and attempted theft of ePHI, malicious network hijacks and/or
stoppages, and any medical device issues that led to adverse patient events.
The data will be collected and presented in a control chart. This method was chosen
because we are recording data over an extended period. Data will be pulled from the national
database of adverse events. The control chart is the ideal method of measurement since it records
the number of incidents over an extended amount of time. Additionally, with the addition of
statistics, one can speak with a certain percentage of certainty whether this solution is producing
Measurements after the implementation of our proposed solution will be done once every
quarter. Data will be collected for the following: adverse events directly affecting patients,
compliance from medical device manufacturers, and new risks that are not being addressed by our
current set of regulations. Once a year, the taskforce will get together to review the year’s
findings and adjust the current policies to stay up to date with the ever-evolving world of
cybersecurity.
Conclusion
new century thinking. The complexity brought on to deliver dependable and safe care for
patients in a home healthcare environment has never been greater. Current federal regulations
cannot keep up with the exponential growth of technology over the past few decades.
The articles selected in this review showcase the known vulnerabilities of our current
cybersecurity of medical devices. Various industries within the healthcare industry build
requirements and regulations within their own niche; however, a holistic cybersecurity taskforce
This taskforce, backed by the United States Federal Government, will be comprised of a
holistic group of healthcare industry leaders from both the clinical and technology side. They
will work together to build a set of regulations and security requirements that can effectively
reduce the risk of potential cybersecurity attacks within the healthcare system.
home health environment. Specifically, a new programming language or the use of blockchain
can be customized to fit the privacy and security needs of patients and healthcare organizations.
References
Alkhatib, S., Waycott, J., Buchanan, G., & Bosua, R. (2018). Privacy and the internet of things
(IoT) monitoring solutions for older adults: A review. Studies in health technology and
Cornado, A. J., & Wong, T. L. (2014). Cybersecurity risk management: Keys to an effective
26-30. doi:10.2345/0899-8205-48.s1.26
Dzissah, D. A., Lee, J. S., Suzuki, H., Nakamura, M., & Obi, T. (2019). Privacy enhanced
Herzog, A., & Lind, L. (2003). Network solutions for home health care applications. Technology
and Health Care: Official Journal of the European Society for Engineering and
Lin, C. H., Young, S. T., & Kuo, T. S. (2007). A remote data access architecture for home-
doi:10.1016/j.medengphy.2006.03.002
Williams, P. A., & Woodward, A. J. (2015, July 20). Cybersecurity vulnerabilities in medical
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4516335/
Appendix A
Flowchart (two parallel tracks leading to one decision):
1. Start - A health care organization, clinicians, nurses, and frontline staff leaders meet and discuss their requirement of medical devices. Goes back and repeats until a collective list of requirements is completed.
1. Start - Healthcare IT experts and cyber security experts formulate a plan that can minimize the risk of medical devices designed for home health. Goes back and repeats until a collective list of requirements is completed.
Decision: Industry leaders selected and list of suggestions of security requirements made for medical devices? (branches: Yes, No, No)
Appendix B
Table A1 (Process step #1)
1 Process step: Industry experts formulate a set of requirements that can minimize the risk of medical devices designed for home health.
2 Potential failure mode
   Column 1: Key industry leaders missing from conference
   Column 2: Unable to come up with a collective agreement
   Column 3: Too many or too basic requirements
3 Potential cause(s)
   Column 1:
   -Scheduling, issues with other responsibilities
   -Lack of interest, failing to see the benefits of attending
   -Doesn’t understand the mission and vision of this process
   -Travel visa issues from abroad
   Column 2:
   -Siloing
   -Entrenched ideas
   -Poor collaboration
   -Industry politics
   -Active sabotage
   Column 3:
   -Unclear instructions
   -poor facilitation/ moderators ---- challenging attendants to come up with creative and innovative ideas.
   -Poor meeting set up and no filtering to weed out bad ideas and goals.
4 Severity
   Column 1: 5
   Column 2: 5
   Column 3: 5
6 Hazard score
   Column 1: 8
   Column 2: 8
   Column 3: 8
Process Step #2
1 Process Step: New Medical Device Security committee is formed with industry leaders and the federal government
2 Potential Failure Mode
   Column 1: -Too many or too basic requirements- each industry wants to put all their requirements onto the federal standard
   Column 2: -Lack of commitment throughout this process
   Column 3: -Unable to work collaboratively
3 Potential Cause(s)
   Column 1:
   -Poor selection process. Lack of engagement.
   -Poor guidelines and understanding of the selection process. Failure to build a culture of collaboration
   Column 2:
   -Too many/ not enough committee meetings. Poor process
   -Unproductive meetings causing a loss of interest
   -Office politics
   Column 3:
   -Poor facilitator
   -Poor program set up to nurture collaborative environment
   -Failure to negotiate, focusing on positions, not interest
4 Severity
   Column 1: 5. -This can delay the progression of the project and lead to a waste of time and resources
   Column 2: 5. -This can delay the progression of the project and lead to a waste of time and resources
   Column 3: 5. -This can delay the progression of the project and lead to a waste of time and resources
6 Hazard Score
   Column 1: 8
   Column 2: 8
   Column 3: 8
7 Action (Eliminate, Control, or Accept)
   Column 1: Control
   Column 2: Eliminate
   Column 3: Control
8 Description of Action
   Column 1:
   -Strong moderator to control and provide feedback
   -Employ lean, agile, and other collaboration processes
   Column 2:
   -Clear guidelines and nurturing a collaborative process
   -Employ lean, agile, and other collaboration processes
   Column 3:
   -Clear guidelines and nurturing a collaborative process
   -Employ lean, agile, and other collaboration processes
Table A3 (Process Step #3)
1 Process Step: A standardized requirement of security for medical devices is agreed upon and put into motion
2 Potential Failure Mode
   Column 1: -New rules too strict. Making this industry too regulated
   Column 2: -Rules are too lax: loopholes and no real improvement from current regulations
   Column 3: -Disconnect from what the federal government can do and what companies want to implement
3 Potential Cause(s)
   Column 1:
   -Drifting from the originally agreed on list from industry meeting in step 1
   -Overzealous and overly ambitious, scope drift
   Column 2:
   -Facilitators and moderators failed to balance out moderate and fair regulations proposals
   Column 3:
   -Expectations were not properly built during the regulation building process.
   -Private companies’ terminology not being translated correctly into government speak
4 Severity
   Column 1: 5. Failure at this point could delay and delay the project by months and possibly years
   Column 2: 5. Failure at this point could delay and delay the project by months and possibly years
   Column 3: 5. Failure at this point could delay and delay the project by months and possibly years
5 Probability
   Column 1: Frequent
   Column 2: Frequent
   Column 3: Frequent
6 Hazard Score
   Column 1: 8
   Column 2: 8
   Column 3: 6
7 Action (Eliminate, Control, or Accept)
   Column 1: Control
   Column 2: Control
   Column 3: Control
8 Description of Action
   Column 1:
   -Clear guidelines and nurturing a collaborative process
   -Trust building among the group
   Column 2:
   -Clear guidelines and nurturing a collaborative process
   -Trust building among the group
   Column 3:
   -Clear guidelines and nurturing a collaborative process
   -Trust building among the group
Table A4 (Process Step #4)
1 Process Step: New laws are established for all medical device companies to follow, along with a plan to bring current devices up to this standard
2 Potential Failure Mode
   Column 1: -Laws took too long to enact, already outdated by the time it’s put into law
   Column 2: -Political gridlock and potential partisanship
   Column 3: -No new system to enforce these new standards
3 Potential Cause(s)
   Column 1: Decision making process took too long. Not enough meetings or processes to avoid deadlock
   Column 2: Government not doing enough to clear the path for these new standards.
   Column 3: Project planning process needs to be discussed to talk about enforcement and education
4 Severity
   Column 1: 5. -This can delay the progression of the project and lead to a waste of time and resources
   Column 2: 5. -This can delay the progression of the project and lead to a waste of time and resources
   Column 3: 5. -This can delay the progression of the project and lead to a waste of time and resources
Table A5 (Process Step #5)
1 Process Step: Annual reviews of current requirements and necessary updates to address new security threats.
2 Potential Failure Mode
   Column 1: Poor auditing. How many companies are registered
   Column 2: Unable to keep up with current threats
   Column 3: Feedback process is too slow
3 Potential Cause(s)
   Column 1: -Poor planning of enforcement and accountability
   Column 2: -Not enough manpower to continue tracking current security threats
   Column 3: -Lack of state and local support of program
4 Severity
   Column 1: 5. -This can delay the progression of the project and lead to a waste of time and resources, risking this project being canceled
   Column 2: 5. -This can delay the progression of the project and lead to a waste of time and resources, risking this project being canceled
   Column 3: 5. -This can delay the progression of the project and lead to a waste of time and resources, risking this project being canceled
6 Hazard Score
   Column 1: 8
   Column 2: 8
   Column 3: 4
Appendix C
Table columns: Steps in the process; Failure Modes; Failure Causes; Failure Effects; Likelihood of occurrence; Likelihood of detection; Severity; Risk Profile Number; Actions to reduce Occurrence of failure