Continuous Surveillance Patient Monitoring

Central surveillance patient monitoring has been around for more than twenty years. In fact previous VitalCom (1990s) which through a series of transactions that was migrated finally into a huge patient monitoring company validated the use and technology model. They (VitalCom) somewhat blazed the trail for this back when there was VHF and also UHF telemetry for the enterprise networked model.

Custom VHF transmitters per this technology design were then affixed to portable agnostic monitors via a proprietary interface thus allowing vital signs monitoring throughout an antenna system installed across the entire footprint of the facility. In those days they were simply called “transport monitors”.

Hence when you transferred a patient from the ER to the catheterization lab you used either a “transport monitor” or a defibrillator with a monitor, ideally connected to the antenna system in the facility.

These monitors (transport monitors) as well as patient worn telemetry transmitters were then viewed from what they called a centralized viewing area. Trained monitor technicians then viewed and watched the physiological signals for any abnormalities.

When something alarmed or looked out of the ordinary, they could send out a designated page that would alert the clinician via a standard paging system. Even several facilities from hundreds of miles away could be monitored through wide area links that were a part of this architecture and could include this paging option.

ER diversions were curtailed by this deployment because you could make any “bed” a monitored bed. Patients could leave high acuity areas lowering costs because of the increased level of patient monitoring. That was in 1997. Know a lot about this as described because I ended up designing the majority of the VHF antenna infrastructure in hospitals across the United States for this architecture to include the wide area links. First what I would consider telemedicine for the wide area links.

In 2015 many medical device companies have “portable vital signs monitor" and the term patient worn monitoring is also being used”. Instead of custom VHF antenna systems; we now have the WLAN (Wireless LAN). However the use of spot check (intermittent) vital signs use monitoring continues on unabated as this is the standard.

The challenge to simply to make every sub acute bed a monitored bed; is the cost of around approximately 5-7K per bed. You also need to have to have skilled and trained clinicians at this level of acuity to monitor “continuous” vital signs and manage alarms in the correct clinical fashion.

Disparate Solutions or One Platform to Solve Todays Point of Care Requirements

It seems like every month you hear about another device company being acquired by another company in the healthcare space.

At the same time there is a vital requirement to address the alarm management issue, integrate medical devices into the Electronic Healthcare Record, and capture all this information to improve the clinical environment, patient outcomes, and deliver real measured business value

The challenge in the industry is that there are multiple disparate companies accomplishing pieces of this puzzle with the requirement of integrating the technology to provide the end result. Not an easy job.

More important for the clinician is to simply understand the dynamics of their environment…they went into this career to take of patients…not technology. I have seen in my decades of experience a lot of "work arounds" happen when technology is forced on the user.

I am also reminded of the early days of mobile computing (before the smart pad and smart phones), you had customized mobile computers for unique point of care applications. The problem was that the clinician would have to have a tool belt to carry them all. Compliance then became a problem.

This change may follow the business dynamics of patient monitoring. If I go back to the 1980s and 1990s, decisions were made at the departmental level. Hospitals often had multiple vendors. Then came the day of integration to the Electronic Health Record. Made a lot more sense to “standardize” on one company for one “single throat to choke”.
It also made sense that if the patient was admitted to the ED, they often were transferred to multiple areas of the hospital and often to critical care. One entry, one integration.

It also has followed the trend of “wireless (WLAN) companies. Fifteen years ago with 802.11b was approved there came to market a plethora of WLAN technology companies. Those companies are by in large gone. They have been acquired by networking providers as this provides an easier path for the client to design, implement, and support.

www.cardiopulmonarycorp.com provides a comprehensive set of solutions to solve the complex needs alarm management, integration of disparate medical devices into the Electronic Health Record, and data analytics, plus a whole lot more. It simplifies things and more then likely provides a better ROI and business value than disparate companies.

Security Authentication Change is Now

Healthcare security is front and center today. News releases confirm this. We should look at this (security) from a holistic perspective for all aspects from the point of care throughout the enterprise. This current paradigm change for other vertical markets should also translate into this space. (i.e. healthcare).

The liability shift for financial transactions - This change is a part of a nationwide effort to cut down on fraud - is fast approaching. Here is what is going on: Financial Institutions are now issuing new more secure chip cards (i.e EMV cards) to consumers. Merchants are being asked to do their part by upgrading their payment terminals (authentication devices) to accept this new technology change or upgrade by October 1, 2015.

From this point on, your business could be on the hook for certain types of in-person fraudulent transactions if you do not have the technology in place to accept EMV. Previously the banks ate the cost of fraudulent changes..however well that is changing it seems.

The simple way to look at this is the liability is shifting to the party with the less secure technology.

What should be the requirement for authentication at the point of care?

Cybersecurity for Healthcare - Considerations

Cyber Security as Usual
More cyber security is better cyber security?

The reality: More traditional cyber security (such as antivirus and firewalls) is a poor choice for a CEO. It usually costs more time, money, and personnel, but doesn't always deliver better security. Security teams need to get training, build up expertise, and often interpret alerts from new security tools, and end up with diminishing benefits because of the increase in false positives.

Better technology provides better security?
The reality: Only up to a point. Cyber attacks are masterminded by people. People will always find ways around static technology. CEOs should install an Adaptive Defense approach that includes technology, intelligence, and expertise to successfully combat modern cyber threats.

Detection and prevention are the primary measures of success for security?
The reality: CEOs and CIOs need to shift the security mindset to include the entire threat life cycle. Better measures of success include:

Number of incidents resolved
- Speed of incident resolution
- Potential business impact of the incident
Sound measures of success, strong technology, timely intelligence, and knowledgeable experts are the cornerstones of security investments that will pay off for your organization in both the short and long term.

Costs Due to Deficient Security
When a breach occurs, it means your security failed. These questions will help qualify and quantify the cost of that failure:
- How efficient are you? How many false positives distract your security team, and how many actual cyber security incidents do you uncover?
- Are you prioritizing correctly? How many cyber security incidents have an actual business impact and qualify for further investigation?
- Are you learning about your attackers? How many cyber security incidents can be fully investigated to determine threat actors and/or motives?
- What is your security protecting? How many of your solutions actively support a security policy or protect a quantifiable business asset?

Costs Due to Consequences of the Breach
After a data breach, you need to figure out exactly what you will lose, how much, and what to do about it . These questions will help you calculate business losses:
- How much money will you lose based on the information such as intellectual property (IP) or personally identifiable information (PII) lost through the data breach?
- How much money will you lose to notification costs, lawsuits, fines, audits, and brand damage when the data breach becomes public?
- How much time will it take to resolve the breach--to identify and address all affected systems, and respond to attacks?
- How much will you be fined if your security practices don't comply with security policies and requirements?

Cost Analysis is a Habit
Although many security experts only ask these questions when the first set up their security programs, analyzing your costs is an ongoing process. By staying alert to changes in the cost of a data breach, you get a better sense of when and how your security programs need to be revisited or updated. This, in turn, will strengthen your security posture to manage and resolve future cyber threats.

A zero-day exploit: an advanced cyber attack defined
A zero-day vulnerability, at its core, is a flaw. It is an unknown exploit in the wild that exposes a vulnerability in software or hardware which can create complicated problems well before anyone realizes something is wrong. In fact, a zero-day exploit leaves NO opportunity for detection... at first.
A zero-day attack happens once that flaw, or software/hardware vulnerability is exploited, and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability, hence “zero-day.” Let’s break down the steps of the window of vulnerability:
- A company’s developers create software, but unbeknownst to them, it includes a vulnerability
- The threat actor spots that vulnerability either before the developer does, or acts on it before the developer has a chance to fix it
- The attacker writes and implements exploit code while the vulnerability is still open and available
- After releasing the exploit, either the public recognizes it in the form of identity or information theft, or the developer catches it and creates a patch to staunch the cyber bleeding.
Once a patch is written and used, the exploit is no longer called a zero-day exploit. These attacks are rarely discovered right away. In fact, it often takes not just days, but months, and sometimes years before a developer learns of the vulnerability that led to an attack.

Recent Zero-Day Exploits
Standard defenses are powerless against zero day threats

Zero-day attacks are cyber attacks against software flaws that are unknown and have no patch or fix.
It’s extremely difficult to detect zero-day attacks, especially with traditional cyber defenses. Traditional security measures focus on malware signatures and URL reputation. However, with zero-day attacks, this information is, by definition, unknown. Cyber attackers are extraordinarily skilled, and their malware can go undetected on systems for months, and even years, giving them plenty of time to cause irreparable harm.

Based on recently discovered types of zero-day attacks, it has become apparent that operating system level protection is becoming less effective, watering hole attacks are becoming more common, and cyber attacks are becoming more sophisticated and better at bypassing organizational defenses.