Software Vulnerability Endangers EHR, Devices; HHS Websites Unaffected

The “Heartbleed” bug, discovered last week by two information technology (IT) security teams, caused a vulnerability in a popular encryption software used by many medical professionals to protect patient data. Electronic health record (EHR) systems often use OpenSSL’s encryption software to secure protected health information (PHI). Heartbleed can reveal the contents of a server’s memory to hackers, including private data such as usernames, passwords, and credit card numbers. Attackers are also able to obtain copies of a server’s digital keys, and use those keys to impersonate servers or to decrypt communications. Security experts estimate that 66 percent of all devices connected to the internet, including internet-capable medical devices, could be attacked using Heartbleed.

Heartbleed Danger

According to members of the security team that discovered Heartbleed, the bug allows anyone on the internet to access and read the memory of systems protected by the vulnerable versions of the OpenSSL software. Affected information includes secret keys used to identify service providers and to encrypt data, as well as user names, passwords, and actual saved content, allowing attackers to steal data directly from the services and users and to impersonate services and users. A fixed version of OpenSSL has been released, but the vendors of operating systems, appliances, and independent software all must adopt the fix for each program that uses OpenSSL. Further, users and administrators should change their passwords to prevent use of their accounts by anyone who has accessed their private account information. Passwords changed before the fixed version is installed are not secure.

The security team that discovered Heartbleed said, “We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.”

Impact on Health Industry

OpenSSL is an open source protocol. Open source means users are universally granted free license to the product, which is not copyrighted. As a result, many health IT-related programs and devices use the protocol, including those that use Apache servers. A “cursory review” conducted by health IT developer Lauren Still found many web-based EHR platforms were vulnerable to the bug. Additionally, some Health Insurance Exchanges operated by states under the Patient Protection and Affordable Care Act (ACA) (P.L. 111-148) were exposed. Medical Device and Diagnostic Industry says that the bug could be used to attack systems used to communicate with insulin pumps, home health care networks, and medical devices such as MRI machines.

Safety of HealthCare.gov, MyMedicare.gov

When the discovery of Heartbleed was announced, the Department of Homeland Security’s (DHS) U.S.-Computer Emergency Readiness Team (US-CERT) issued an immediate alert. Other DHS teams have reached out to vendors and asset owners to notify and assist them in determining vulnerabilities and protecting their data. DHS announced that “the Federal government’s core citizen-facing websites are not exposed to risks from this cybersecurity threat.” Building on DHS’s announcement, a CMS spokesperson stated “Due to CMS’s security protections, HealthCare.gov consumer accounts are not affected by this vulnerability. Additionally, other CMS consumer accounts, including MyMedicare.gov, were not affected by this vulnerability. Per standard practice, CMS continues to work with the states to monitor this issue and ensure that appropriate security measures continue to be in place.”

Developer and cryptography consultant Filippo Valsorda published a tool that allows users to check websites for Heartbleed vulnerability. For websites that require passwords, Last Pass created a similar checker tool. Wolters Kluwer tested a number of HHS websites, and confirmed that in addition to HealthCare.gov, Medicare.gov and the FDA’s online Drug Registration and Listing system were not vulnerable to Heartbleed; tests revealed that MyMedicare.gov and CMS’s EHR Incentive Program Registration & Attestation system may possibly be affected.

Sponge-Filled Syringe to Treat Gunshot Wounds Approved for Military Use

The FDA has approved a first-of-a-kind hemostatic dressing to control bleeding from battlefield wounds in the pre-hospital setting. The XStat™, manufactured by RevMedx, Inc., of Wilsonville, Oregon, is a temporary dressing for wounds in areas that a tourniquet cannot be placed, such as in the pelvis/groin or shoulder/armpit regions. The dressing can be used up to four hours, which could allow time for the patient to receive surgical care.

Necessity

According to the U.S. Army Medical Department, Medical Research and Materiel Command, since mid-World War II, nearly 50 percent of combat deaths have been due to bleeding out. Of those, half could likely have been saved if timely, appropriate care had been available. At the present time, military field medics have to pack layers of gauze into a wound to stop the bleeding, a time-consuming process that does not always work. Moreover, medics are taught that if the bleeding does not stop within three minutes, to go through the extremely painful process of pulling out the gauze and starting the process again.

The Device

According to the FDA, the XStat consists of three, syringe-style applicators containing 92 compressed, cellulose sponges that have an absorbent coating. RevMedx’s XStat syringe injects these hemostatic sponges into deep wounds. After approximately 20 seconds of contact with water from blood or bodily fluid, the sponges expand to fill the wound cavity, creating a temporary physical barrier to blood flow. No direct manual pressure is required. The number of sponges needed for effective hemorrhage control will vary depending on the size and depth of the wound. Up to three applicators may be used on a patient.

The Sponges

The tablet-shaped sponges are each 9.8 millimeters in diameter and 4 to 5 millimeters in height. They can absorb 3 milliliters of blood or body fluid. An applicator filled with 92 sponges can absorb about 300 milliliters of fluid.The sponges cannot be absorbed by the body and all sponges must be removed from the body before a wound is closed. For ease of visualization and to confirm removal of every sponge, each sponge contains a marker visible via X-ray.

FDA Review

The FDA reviewed XStat through its de novo classification process, a regulatory pathway for novel, low- to moderate-risk medical devices that are first-of-a-kind. In a preclinical model with aggressive non-compressible hemorrhaging, Xstat provided statistically significant improvement in hemostasis and survival 60 minutes after injury with a large reduction in blood loss, resuscitation fluid requirement, and medic treatment time compared to conventional hemorrhage control dressings.

The FDA’s review of XStat included animal studies demonstrating its effectiveness at stopping bleeding and the absorption capacity of the device. Non-clinical biocompatibility data and human factors testing were also provided to demonstrate the safety and usability of the device.

Interview with Co-Developers

On March 5, 2014, RevMedx’s Chief Executive Officer, Andrew Barofsky, and Director of Strategic Development, John Steinbaugh (a former special forces medic), appeared on Fox Business Channel’s Opening Bell and explained how their device can be used both on the battlefield to seal wounds and in civilian application by first responders.

HHS Proposes Framework for Development and Use of Health IT Products

HHS has issued a draft report, setting forth a proposed strategy and recommendations for a health information technology (health IT) risk-based framework. The report is the culmination of an intra-agency effort between the FDA, the HHS Office of the National Coordinator for Health IT (ONC), and the Federal Communications Commission (FCC), to promote product innovation, clarify health IT product oversight, and to reduce the inherent risks involved in such product use.

“This proposed strategy will facilitate innovation, protect patients and support FDA’s focused oversight on higher risk technology, similar to medical devices that are currently regulated,” stated FDA Director Jeffrey Shuren, M.D.in an HHS news release. “FDA looks forward to additional stakeholder feedback on the proposed framework in this draft report.”

Health IT

According to HHS, innovative health IT products offer significant benefits to patients, including better prevention of medical errors, reductions in unnecessary testing, better patient engagement, and quicker detection and response to health threats and emergencies. However, without a framework that guides the design, development, customization, implementation, integration, and use of such products, they could pose varying degrees of risk to patients who use them.

“The diverse and rapidly developing industry of health information technology requires a thoughtful, flexible approach,” stated HHS Secretary Kathleen Sebelius. “This proposed strategy is designed to promote innovation and provide technology to consumers and health care providers while maintaining patient safety.”

Draft Report

Consequently, the draft report sets forth three health IT categories that a product could fall under depending on its function and level of risk: (1) products with administrative health IT functionality, which could include software for billing and claims processing and poses little or no risk to patient safety; (2) products with health management health IT functionality, which could include software for health information and data management and poses a low risk to patient safety; and (3) products with medical device health IT functionality, which could include radiation treatment software and computer-aided detection software, and has potentially larger risks to patient safety.

“The draft report reflects FCC’s narrow but important role in encouraging new and innovative wireless medical technologies and ensuring that developers and users of these technologies are minimizing the potential for causing potentially harmful interference to radio services,” stated FCC Director Matt Quinn. “We look forward to future collaboration with all stakeholders to achieve the promise of health IT.”

The intra-agency draft report was released pursuant to the health IT requirements of the Food and Drug Administration Safety and Innovation Act of 2012 (P.L. 112-144).

Study: Video Glasses Help Keep Patients’ Minds Off Medical Procedures, Reduce Anxiety

Video glasses, an effective yet uncommon method of calming anxious patients, may also be effective in easing the stress of patients undergoing interventional radiology treatments, according to a study by researchers at the University of Rochester Medical Center. The study, which was recently presented at the Society of Interventional Radiology’s 39th Annual Scientific meeting, showed that, compared to video, music and hypnosis “have modest benefits at best,” according to a press release.

The Study

The study involved 49 patients between the ages of 18 and 87. While undergoing an outpatient interventional radiology treatment (like a biopsy or catheter placement in the arm or chest), 25 of the participants wore video glasses playing a video chosen out of 20. None of the videos were violent. The other 24 did not wear video glasses. Before and after the procedures, the participants completed the State-Trait Anxiety Inventory Form Y, “a standard 20-question test,” according to the press release, in order to assess anxiety levels.

The Results

The results showed that the patients wearing video glasses during the procedure were 18.1 percent less anxious after the treatment than before the treatment. The patients who did not wear glasses were 7.5 percent less anxious than before the procedure. The study also showed that there was “no significant effect on blood pressure, heart rate, respiratory rate, pain, procedure time, or amount of sedation or pain medication.”

“Whether they were watching a children’s movie or a nature show, patients wearing video glasses were successful at tuning out their surroundings,” noted David L. Waldman, M.D., Ph.D., FSIR, who led the study. “it’s an effective distraction technique that helps focus the individual’s attention away from the treatment.”

Interventional radiology—minimally-invasive, image-guided procedures—involve less risk, pain, and recovery time than open surgery, but anxiety can arise in patients both about the procedures and the outcomes, according to the press release.