Crafting an RFP for device and systems security

Increasing awareness and concern over information technology (IT) security and information privacy has shaped the current regulatory climate in the U.S., which is encouraging and enforcing related best practices. Accordingly, the medical device manufacturer community has experienced a significant increase in questions related to these aspects of healthcare.

This article seeks to provide guidance to healthcare entities seeking security-related information for medical devices and systems. By facilitating clear, comprehensive communication and providing insight on the response process, the hope is that device manufacturers can achieve expedited delivery of the information requested by customers. Due to the complexity of medical devices and systems, manufacturers have gone to great lengths to provide current and comprehensive information. The manufacturer community recognizes the importance of this information to customers' compliance efforts and its potential relevance to purchasing decisions.

Form over function: Getting the questions right

Many organizations have attempted to modify internal compliance documents or questionnaires -- those developed in the wake of the HIPAA regulations -- to serve the dual function of "security-specific" questions in a request for proposal (RFP). Often the wording of a question may be confusing to a manufacturer attempting to provide the most appropriate answer. For example, attempting to answer questions that are formatted in a manner distinct to the healthcare organization can add significant time and complexity to the response process.

Many providers develop an RFP for a medical device or system by seeking input from various departments, passing the document around, and requesting a list of questions from within the organization. These groups of questions are then forwarded as one large set without appropriate consideration of the interaction between the various sets of inquiries.

For example, an IT professional may not have a broad understanding of the clinical implications of the security questions posed, such as how the workflow may be impacted if an operating system patch installation is required. On the other hand, a clinician may not be aware that operating system patches must be validated prior to installation. Such nuances not only change the perspective of the questions, they are likely to be reflected in the responses.

To expedite the RFP and request for information (RFI) response process, start with security information the vendor or manufacturer already publishes, such as the Healthcare Information and Management Systems Society (HIMSS) manufacturer disclosure statement for medical device security (MDS²) form, which is endorsed by provider organizations. Information in that standard form is easily understood by the healthcare organization and, because the organization knows its own needs and details, can be transferred more quickly into internal compliance documentation. Alternatively, providing a list of questions that can be answered in a generic format, such as a Microsoft Word document or Excel spreadsheet, will likely reduce the time it takes the responding party to provide the information requested.

Form over function: Getting the right answers

Just as healthcare provider organizations employ personnel with a broad range of specialties, medical device manufacturers employ many levels of specialists with varied expertise. Some are clinical experts or product specialists, while others are connectivity and interoperability experts. Because the goal in responding to an RFP is to provide the most accurate and timely information possible, many individuals are involved in the response process. At times, several individuals may be working on one RFP response, taking advantage of the various technical resources available. Accordingly, security experts, and those involved in product engineering from a security perspective, will have an easier time responding to questions about the security functionality of the products in question -- especially if the questions are as specific as possible.

Understanding what you're asking for in your purchased product

Questions are often posed that a manufacturer cannot answer, as the inquiry is referencing a policy or procedure internal to the healthcare provider organization. Framing questions to address security needs of your organization is understandable; however, care should be taken to develop questions to seek appropriate and specific responses. For example, a question regarding disaster recovery could be posed in the following manner: What are your disaster recovery procedures/policies?

If this is posed as a general question, the responding manufacturer may not know how to address it in an appropriate manner. It could likewise be seen as a question pertaining to a departmental procedure, rather than a device-specific procedure. A vendor is then left to interpret the question and might respond about removable media rather than what the RFP author intended. A better way to phrase this is: How does your product support our need for recovering data following a disaster?

A general inquiry such as, "Explain the security of this system," can lead to a response that is either overinclusive or does not truly provide the information an organization may need to document various security aspects of the equipment or system. Questions that are broken down into precise topics, with specific requests for technical security functionality or feature information, are easier to answer and easier to document for compliance purposes.

Ask if the question can actually be answered

Additionally, and quite significantly, asking questions that are impossible to answer, due to the form of the question, can lead to miscommunication and can preclude an organization from obtaining the information sought.

For example: Is this system/device HIPAA-compliant? Is medical device manufacturer XYZ HIPAA-compliant?

These questions can only be answered one way -- No. However, this answer is misleading, as there may be many technical features or functions that provide HIPAA-responsive solutions, and medical device manufacturers want customers to be aware of those benefits. Medical devices and systems cannot be HIPAA-compliant. The only entities that can be HIPAA-compliant are healthcare providers, healthcare provider organizations, or any other "covered entity" as defined by the HIPAA regulations.

Medical device manufacturers are not considered covered entities by the HIPAA regulations, and are therefore incapable of being HIPAA-compliant. This is also true for services -- such as remote service capabilities -- provided by noncovered entities.

Forming a question intended to elicit a response regarding the HIPAA-related functionality can be challenging; however, questions that are too general can result in either incorrect information, or information that is not useful.

Beware of limiting answers to yes/no

Not all questions can be answered with a simple "yes," "no," or "not applicable (N/A)." This is especially true when a field may not be available for including comments -- where the response requested is either "yes" or "no." This may be inappropriate or may limit the capability to provide substantive, useful information to a customer. One question about login or user IDs may be asked in various ways such as: Does the device or system limit the number of user ID/accounts?

This could be a tricky question to answer if the response is "yes" for administrative or service accounts, but "no" for user accounts -- especially when there is no option other than a drop-down menu containing "yes," "no," or "N/A."

Not all medical devices and systems are created equal

Many healthcare providers use one form or questionnaire to cover all product and system RFPs. While this approach may be time-saving in theory, in practice important information can be missed, or not even considered, if the specific system or device for which the RFP is created is not taken into account. Device manufacturers often receive a "standard HIPAA security questionnaire," or something similar. Depending on the product, these forms may have inapplicable questions.

Having someone with clinical and IT knowledge review the questions regarding a particular system is an efficient, effective way to ensure that the necessary questions are being asked, and that superfluous questions are deleted, to avoid confusion. Devices that will be placed on a hospital's network may warrant additional questions about network-related security and Web-based access. Devices that will not, such as various mobile units or simpler systems, may instead have security functionality addressing physical security, electronic protected health information (ePHI)-related features, audit capabilities, and so on. Recognizing the applicable questions, and posing product-specific questions, can reduce the response time and assist in acquiring only relevant information.

RFPs come in many forms. The variety in RFPs parallels the diversity of the healthcare provider organizations. Security- and privacy-related questions are often posed as an individual section or part of the general RFP, instead of a separate form or questionnaire. In these cases, it is very helpful if the information being requested is true to the format of the RFP -- meaning that the security-labeled section contains only security-related questions.

Often, manufacturers receive RFPs that include network, connectivity, DICOM, and interoperability questions that may be unrelated to security, in the HIPAA or security section. If the questions are not worded carefully to elicit the desired response, they may be misunderstood.

Keeping it simple, making sense

The subject of security is not known for being simple. However, when seeking information regarding the security of a medical device or system, the principle of simplicity can be quite useful. Multipart or multilayered questions can be difficult to answer, especially when the vendor may not be aware of aspects of the requesting organization's infrastructure or enterprise-wide security strategy. Simple, one-part questions are the best way to ensure that correct and succinct information is provided.

The following are some guidelines to improve the effectiveness of your security RFP:

  • Clinical review as well as review by IT-knowledgeable personnel will ensure clear, concise questions that produce clear, relevant answers.

  • Ask for the vendor/manufacturer's security policy for an overall understanding of its comprehensive approach to security.

  • Seek device-specific information, understanding that medical devices vary widely due to engineering specifications and device functionality, and that what may be true for one device, may not be true for another.

  • Avoid restrictive "yes," "no," or "N/A" questions. When these questions are necessary, allow for additional comments to clarify answers.

  • Simple, single-layered questions elicit the most succinct and accurate responses. Multilayered questions can be difficult to respond to -- especially without the opportunity for discussion.

  • Certain responses may have dependencies, such as a hospital's infrastructure or enterprise-wide security strategy. Unless a manufacturer has in-depth knowledge of such dependencies, these questions cannot be answered accurately.

By Kristen Knight
AuntMinnie.com contributing writer
November 6, 2006

Kristen Knight is an attorney and senior marketing manager for Bothell, WA-based Philips Medical Systems' product security division.

Copyright © 2006 Philips Medical Systems - Product Security