IT security of POCT devices – not everything is picture-perfect

In the modern clinical environment, however, IT security of POCT devices is becoming increasingly important, in Germany also due to new industry-specific safety standards under the Act on the Federal Office for Information Technology. Professor Dr Thomas Streichert of the Institute of Clinical Chemistry at the University Hospital Cologne, Germany, explains the state of affairs.

Professor Dr Thomas Streichert is managing director of the Center for Laboratory Diagnostics and acting director of the Institute of Pharmacology, Therapeutic Drug Monitoring at the University Hospital Cologne

At the University Hospital Cologne, about 300 POCT devices are used by approx. 3,000 employees. “Many different users with very different requirements and qualifications,” as Professor Streichert describes the situation in a nutshell. Thus, implementing a POCT IT security concept that works smoothly and is feasible in the everyday hustle and bustle of the hospital is no mean feat.

POCT devices and their security gaps

While it makes sense to aim at fully integrating the devices with all data being available in the facility-wide system, this approach does have its pitfalls: the devices being used in the wards might be lying around unlocked and can be accessed by unauthorized persons. This is a major data security gap since the devices contain not only measured values but also personal patient data.  In order to protect this data, the devices have to be intelligent, with user identification, access authorisation, role-specific privileges and encrypted communication. For the lab specialist, implementing such a concept strictly across the entire hospital is “an enormous technical and organisational challenge”.

High level of security and service

The University Hospital Cologne maintains high security standards. POCT accreditation per ISO 22817 triggered a quantum leap in terms of quality assurance. Every member of the care staff, be it physician or nurse, has to attend an initial training  session and refresher training sessions which, in addition, are available online as e-learning modules. Hospital management considered the time and money spent on the training well-invested since compliance with quality standards enjoys top priority throughout the facility. All POCT devices are centrally managed by the hospital’s clinical laboratory. This is a sensible approach since the lab medicine specialists have the relevant knowledge and can ensure facility-wide highly competent and target-oriented quality assurance. “The colleagues like to use our service offering. While dealing with the ins and outs of the POCT systems is daily fare for us, the care staff in the wards or the physicians in the ICU are grateful that they don’t have to bother. They have important other tasks to tend to.” Professor Streichert underlines that this level of service requires a constructive partnership with the IT department: “In the lab, we need quite a bit of IT support, thus, over the years we have developed a very good working relationship with the IT team.”

Not always on the same page: data security standards and clinical work

Nevertheless, Professor Streichert identified definite room for improvement: “Despite all the activities, we are not perfect when it comes to IT security.” This is partially due to the so-called KRITIS bylaw in Germany which requires the operators of critical infrastructure to establish state-of-the-art protection of their IT systems, components and processes against disruptions in availability, integrity, authenticity and confidentiality in line with Federal Office for Information Security (BSI) specifications. “In order to be able to comply with these requirements, each industry has to develop specific security standards that are reviewed by the BSI for adequacy and suitability.” The major hurdle: security standards and everyday operation of a hospital, particularly with regard to POCT, are very difficult to align.

Authentification in a clinical environment

Case in time-consuming point: the blood gas analyser. As a POCT device, it is used in the OR to control ventilation in certain regular intervals. If such a device fails, the consequences for the patient can be fatal. Under BSI law, these devices require a time-consuming and overly complicated authentification procedure. The user name and a 16-digit password have to be entered on a tiny screen – unthinkable in an emergency: much too long-winded and much too error-prone. While technically speaking, the biometric fingerprint might be an option, it requires personal data to be stored on the central servers, which is something that has to be avoided in view of the EU GDPR. “Currently, we scan the employee ID card with a barcode,” Professor Streichert explains and adds that theoretically, a second type of authentification, such as a password, is required. This combination, however, is problematic as IDs get lost or end up in coat pockets in the hospital laundry and passwords are forgotten or no longer valid. In the ER or in an understaffed ward, this procedure is unrealistic. Another idea that is being bandied about is a personnel number and a PIN, but this option is currently not technically feasible. There are further potential security gaps such as remote maintenance accesses that are used by external providers, ports, hard disks with unencrypted data or SSDs with data that is unencrypted and/or cannot be deleted.

Round table on IT security

“In view of the complexity of the problem and the fact that we need to establish standards accepted by all stakeholders, we launched a round table with the POCT providers to discuss possible options as well as options that might already be in the pipeline and common denominators.” This debate was  very constructive – quite surprisingly since today, IT security is a major issue in procurement and there were understandable fears that competing providers were loath to engage in an open discussion. The round table did show that the companies are well aware of all issues and that they are working hard on solutions – and in fact some at least partial solutions seem to be in the wings. One of the major issues that remain to be solved is the user procedure in an emergency context. The good news is that there was a consensus around the round table: technical requirements alone won’t do. Any solution has to reflect the everyday situation in a hospital and it has to fit in the overall IT approach. Professor Streichert summarizes the credo: “The leaner the organisation, the simpler the process, the better the solution.” A follow-up round table with the same cast of characters is planned for next year.

Profile:

Professor Dr Thomas Streichert is managing director of the Center for Laboratory Diagnostics (Clinical Chemistry, Microbiology, Virology, Pharmacology, Endocrinology) and acting director of the Institute of Pharmacology, Therapeutic Drug Monitoring at the University Hospital Cologne, Germany. Born in South Africa, Professor Streichert studied medicine in Hamburg, Germany, where he also worked as junior and senior physician. In 2013, the specialist physician for laboratory medicine joined the University Hospital Cologne. He is chairman of the advisory committee “E-learning” at the University Hospital Cologne and member of the German Society for Clinical Chemistry and Laboratory Medicine.

23.04.2020

• IT (882)
• laboratory (1070)
• POCT (148)
• security (447)