Alaris
Alaris Volumetric Pump Series
Alaris System PC Unit 8000 and 8015 Frequently Asked Questions Nov 2016
Frequently Asked Questions
5 Pages
Preview
Page 1
November 1, 2016
Frequently Asked Questions (FAQ’s) for External Use BD has conducted an investigation on the residual data found on a customer’s Infusion Knowledge Portal for infusion technologies application (“IKP”). The root cause of this issue stems from Alaris PC units (PCU) being moved between facilities and the data clearing procedure that may have been performed on those PC units. BD has determined that the previous data clearing procedure used for the PC units did not adequately clear all infusion data from the Alaris PC unit. The following FAQs are in reference to the customer letter dated on November 1, 2016.
Table of Contents General Questions ... 1 Actions to resolve ... 3 Privacy and Legal Questions ... 4 Contact Information... 5 General Questions 1.
What is the issue? The previous data clearing procedure used for the PC units did not adequately clear all infusion data from the Alaris PC unit. When a PC unit is moved between facilities BD recommends clearing all data from that PC unit. If the customer does not share, trade, exchange or sell your devices to a third party or another facility, there is no known risk of data leaving the facility.
2.
What devices and technologies are affected?
3.
Alaris System PC unit models 8000 and 8015 with all PC unit software versions Knowledge Portal for infusion technologies CQI Reporter Infusion Analytics Services Infusion Viewer for Alaris Viewer Suite Alaris EMR Interoperability with EPIC and Cerner
What percentage of data was affected? As part of our analysis, BD reviewed all available infusion data in the IKP system. Approximately 1% of records were affected by this issue. As a result, any effect on customer metrics is very small and likely to be unnoticeable.
© 2016 BD Corporation or one of its subsidiaries All rights reserved.
Page 1
November 1, 2016
4.
Are all customers affected by this issue? No. Only customers who sent Alaris System PC Units to another hospital or used Alaris System PC Units from another hospital are affected by this issue (i.e. rental PC units, managed assets, secondary market sale). If the customer does not share, trade, exchange or sell your devices to a third party or another facility, there is no known risk of data leaving the facility.
5.
How did this data leave the hospital? When Alaris System PC units are moved between facilities (secondary market sale, rental companies, intra-health system campus transfer) without being adequately cleared, residual data logs can be retained on the Alaris System PC unit. As a result, BD has updated the clearing procedures to ensure all data is removed.
6.
Was electronic protected health information (ePHI) data shared? No. BD engaged with a leading statistical de-identification expert, who determined that all data from the IKP application was de-identified, and therefore was not protected health information, as defined by the Health Insurance Portability and Accountability Act (“HIPAA”). Additionally, we conducted a risk assessment using the HIPAA 4-factor test and concluded there was a low probability of compromise of such data.
7.
What data is shared with Infusion Viewer for the Alaris Viewer Suite? A smaller subset of Attachment A Data Attributes including drug name, dose value, rate, volume programed to be infused, volume actually infused and patient ID, if available, is stored by the Alaris Viewer Suite. Any data not associated to a valid patient in the hospital will not be displayed by default in the Alaris Viewer Suite dashboard. This data is held by the Alaris Viewer Suite for a configurable period, typically 3-120 days, before being purged. Based on the opinion of the statistical de-identification expert, the data is de-identified, and our analysis concludes that there is no reportable breach under HIPAA based on both the statistical expert opinion and the HIPAA 4-factor risk assessment.
8.
What data is shared with the EMR? A smaller subset of Attachment A Data Attributes including drug name, dose value, rate, volume programed to be infused, volume actually infused and patient ID, if available, is stored by the EMR systems. Any data not associated to a valid patient in the hospital will likely not be used by the EMR systems. This data is held by the EMR system for a configurable period, typically 3-30 days, before being purged. Based on the opinion of the statistical deidentification expert, the data is de-identified, and our analysis concludes that there is no reportable breach under HIPAA based on both the statistical expert opinion and the HIPAA 4factor risk assessment.
© 2016 BD Corporation or one of its subsidiaries All rights reserved.
Page 2
November 1, 2016
9.
Is this a reportable event under HIPAA or other applicable privacy law? Our investigation in consultation with outside counsel determined that, under HIPAA, BD is able to demonstrate that the data in the IKP application is de-identified based on the expert determination and is therefore not PHI. The Breach Notification Rule is therefore not triggered and BD’s customers would not have an obligation to notify their patients under HIPAA. Similarly, since the data is not PHI, BD has no obligation under HIPAA to notify its covered entity customers under HIPAA. Even if one were to disagree with the expert’s determination that the data was not de-identified and is PHI, our investigation in consultation with outside counsel determined that BD is able to demonstrate a low probability of compromise based on the 4-factor risk assessment and overcome the presumption of a breach under HIPAA and notification is not required. We also concluded that no reportable event occurred under applicable state privacy laws.
10.
Since this is not a data breach, why is BD notifying customers of this issue? Although we do not have an obligation to notify, we value the partnership with our customers and the shared responsibility of protecting and securing your data and your patients’ data. When any issues arise we are committed to transparency and working diligently with you to correct them quickly.
Actions to resolve 11.
What actions has BD taken to address this vulnerability? Service Bulletin 597 has been released to inform customers of the new process to clear all infusion data logs in situations where an infusion system is leaving a customer facility (e.g. rental return). New software will be released on November 7, 2016 to block all infusion data that is not associated with your facility(ies) from transferring over to your IKP. All data from the IKP application that is not associated with your facility will be removed from view by December 31, 2016.
12.
Who is responsible for clearing the data? BD recommends that an authorized person perform the data clearing procedure from Service Bulletin 597 whenever a PCU is moved between facilities. Both hospital personnel and authorized service providers are authorized to perform the data clearing procedure.
13.
If the customer was affected by this issue and BD removed unauthorized data from their IKP, will this affect the customer’s Key Performance Indicators (KPI) or metrics? Not significantly. Our analysis shows that the amount of data that was shared in total was very small and statistically insignificant, and thus the overall effect of removing this data will be negligible.
14.
If the customer rents or uses the Alaris System from a third party, could the customer see other patients’ data? Yes. There is a potential that data can be shared if proper data clearing procedures are not followed. BD has provided updated data-clearing procedures to our authorized partners which include: Universal Hospital Services (UHS), MedOne, Freedom Medical, US Med-Equip, and Hill Rom.
© 2016 BD Corporation or one of its subsidiaries All rights reserved.
Page 3
November 1, 2016
15.
Does BD advise against the use of rental devices? No. Use of authorized partners that follow proper clearing procedures will prevent this issue.
16.
How long does the updated clearing procedure described in Service Bulletin 597 take? Depending upon the process chosen, the clearing procedure can take approximately 10 to 45 minutes.
17.
What actions can the customer take to prevent data from leaving their facility? If the customer utilizes the services of a BD authorized partner, the risk of sending patients’ data to another hospital is very low. BD’s authorized partners have received the updated clearing procedures. If the customer plans to sell, share, trade, exchange, etc. their devices to a third party hospital, market, or entity, the hospital will need to take specific actions to clear these data log files. Please see Service Bulletin 597 for details. If the customer does not share, trade, exchange or sell your devices to a third party or another facility, there is no known risk of data leaving the facility.
18.
How will the hospital validate that the PC unit’s data has been cleared? BD has confirmed through internal testing that the recommended data clearing procedures in Service Bulletin 597 will indeed clear all data logs, network configurations, and any data sets on the PC unit. By following these procedures, the above elements are reset to manufacturer defaults and all residual data is erased.
Privacy and Legal Questions 19.
Is this a reportable breach? As part of our investigation, BD analyzed data from customers who use the IKP application. We engaged a leading statistical de-identification expert who determined that infusion log data that populates the IKP application was de-identified and, therefore, was not protected health information, as defined by HIPAA. Our analysis concludes that there is no reportable breach under HIPAA based on both the statistical expert opinion and the HIPAA 4-factor risk assessment.
20.
Which law firm did BD engage to assist? BD engaged BakerHostetler to assist.
© 2016 BD Corporation or one of its subsidiaries All rights reserved.
Page 4
November 1, 2016
21.
What were BD’s legal findings? BD, in consultation with BakerHostetler, determined that, under HIPAA, BD is able to demonstrate that the data in the IKP application is de-identified based on the expert determination and is therefore not PHI. The Breach Notification Rule is therefore not triggered and BD’s customers would not have an obligation to notify their patients under HIPAA. Similarly, since the data is not PHI, BD has no obligation under HIPAA to notify its covered entity customers under HIPAA. Even if one were to disagree with the expert’s determination that the data was not de-identified and is PHI, we are able to demonstrate a low probability of compromise based on the 4-factor risk assessment and overcome the presumption of a breach under HIPAA and notification is not required.
22.
Who is the statistical de-identification expert? BD engaged Dr. Daniel C. Barth-Jones, a leading statistical de-identification expert, to determine whether data from the IKP application was de-identified.
23.
What was the statistical de-identification expert’s opinion? Dr. Barth-Jones determined that log data from PC units were de-identified, and therefore was not protected health information, as defined by HIPAA. Please contact your BD Account Executive if you would like to request a copy.
24.
Is BD notifying the Department of Health and Human Services Office of Civil Rights (“OCR”) of the incident? Given that we have concluded that there is no reportable breach under HIPAA based on both the statistical expert opinion and the HIPAA 4-factor risk assessment, BD is not notifying OCR.
Contact Information 25.
Where can the customer find more details about this issue?
BD Contact
Contact Information
Areas of Support
BD Support Center
Phone: 888-562-6018 Phone hours: 7:00am to 4:00pm PT, Monday - Friday Email: [email protected]
Questions Related to this Specific Issue
BD Product Security
Email: [email protected]
General Product Security Questions
Technical Support
Phone: 888-812-3229 Phone hours: 6:00am to 5:00pm PT, Monday – Friday Email: [email protected]
Technical Questions for Alaris System
© 2016 BD Corporation or one of its subsidiaries All rights reserved.
Page 5