June’s column on information technology opportunities noted that the FDA sees radio frequency identification (RFID) technology as critical for the long-term safety and integrity of the U.S. drug supply. RFID allows pharmaceutical packages to be tracked, traced and authenticated throughout the chain of distribution from manufacturer to pharmacy.
The FDA also is evaluating RFID as part of an initiative to improve identification systems for medical device equipment, both to deter counterfeits and enhance patient safety (e.g., by tracking devices that may be associated with an incident or that may have been improperly sterilized).
But product tracking is not the only use of RFID that has the FDA’s attention. RFID is an integral part of at least two types of medical devices. This month’s column discusses issues that potential developers or manufacturers of medical devices utilizing RFID should consider.
Medical devices incorporating RFID technology
In 2004, the FDA authorized marketing of two different types of medical devices that incorporate RFID. The first type is the SurgiChip tag, an external surgical marker that is intended to minimize the likelihood of wrong-site, wrong-procedure and wrong-patient surgeries. The tag consists of a label with a passive transponder, along with a printer, an encoder and an RFID reader. The tag is labeled and encoded with the patient’s name and the details of the planned surgery, and then placed in the patient’s chart. On the day of surgery, the adhesive-backed tag is placed on the patient’s body near the surgical site. In the operating room the tag is scanned and the information is verified with the patient’s chart. Just before surgery, the tag is removed and placed back in the chart.
The second type of RFID medical device is the implantable radiofrequency transponder system for patient identification and health information. One example of this type of medical device is the VeriChip Health Information Microtransponder System, which includes a passive implanted transponder, inserter and scanner. The chip stores a unique electronic identification code that can be used to access patient identification and corresponding health information in a database. The chip itself does not store health information or a patient’s name.
Practical and information security considerations
Companies developing RFID-containing medical devices must consider product development issues common to other medical devices that come into contact with the body, are implanted in the body, or use computer software. For example, as part of product development, a company must implement controls and conduct testing on issues such as product performance, sterility, adverse tissue reactions, migration of the implanted transponder, electromagnetic interference, and software validation.
Medical devices that use RFID technology to store, access, and/or transfer patient information also raise significant issues regarding information security. The FDA defines “information security” as the process of preventing the modification, misuse or denial of use, or the unauthorized use of that information. At its core, this means ensuring the privacy of patient information.
Four components of information security
The FDA has recommended that a company’s specifications for implantable RFID-containing medical devices address the following four components of information security: confidentiality, integrity, availability and accountability (CIAA).
• Confidentiality means data and information are disclosed only to authorized persons, entities and processes at authorized times and in the authorized manner. This ensures that no unauthorized users have access to the information.
• Integrity means data and information are accurate and complete, and the accuracy and completeness are preserved. This ensures that the information is correct and has not been improperly modified.
• Availability means data, information and information systems are accessible and usable on a timely basis in the required manner. This ensures that the information will be available when needed.
• Accountability is the application of identification and authentication to ensure that the prescribed access process is followed by an authorized user.
Although the FDA made these recommendations in the context of implantable RFID-containing medical devices, these principles are relevant to all uses of RFID in connection with pharmaceuticals and medical devices.
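As an added illustration (not code from the FDA or from any device vendor), the sketch below applies three of the four components to the identifier-to-database lookup described above for implantable transponders: the tag carries only an ID, and the server checks authorization, verifies a record MAC, and logs every attempt. All identifiers, users, keys and records are constructed, the caller is assumed to have authenticated the user already, and availability (redundancy, timely access) is outside what a single-process sketch can show.

```python
import hashlib
import hmac
import json
import time

# All names, keys and records below are constructed for illustration.
INTEGRITY_KEY = b"constructed-demo-key"        # in practice held in a KMS/HSM
AUTHORIZED_USERS = {"dr_lee": "clinician"}     # already-authenticated user -> role
ROLES_ALLOWED_TO_READ = {"clinician"}
AUDIT_LOG = []                                 # accountability trail


def seal(record: dict) -> str:
    """Integrity: MAC over a canonical encoding of the record."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()


# The transponder holds only the identifier; the record lives server-side.
_record = {"name": "Sample Patient", "allergies": ["penicillin"]}
DATABASE = {"ID-0001": {"record": _record, "mac": seal(_record)}}


def lookup(tag_id: str, user: str) -> dict:
    """Return the record for a scanned identifier, or raise on any failed check."""
    role = AUTHORIZED_USERS.get(user)
    entry = DATABASE.get(tag_id)
    if role not in ROLES_ALLOWED_TO_READ:
        outcome = "denied"                     # confidentiality
    elif entry is None:
        outcome = "unknown_id"
    elif not hmac.compare_digest(entry["mac"], seal(entry["record"])):
        outcome = "integrity_failure"          # integrity
    else:
        outcome = "ok"
    # Accountability: every attempt is logged, including failures.
    AUDIT_LOG.append({"ts": time.time(), "user": user,
                      "tag": tag_id, "outcome": outcome})
    if outcome == "denied":
        raise PermissionError(outcome)
    if outcome != "ok":
        raise LookupError(outcome)
    return dict(entry["record"])
```

Because the authorization check runs before the identifier is resolved, an unauthorized caller receives the same "denied" result whether or not the scanned ID exists.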
RFID is considered by some to be dangerous because it can be used for undesirable surveillance. Yet RFID has the potential to greatly enhance many aspects of healthcare and patient safety. To ensure that this potential is realized – and accepted by consumers and healthcare providers – companies considering developing medical devices utilizing RFID or evaluating the use of RFID to track pharmaceuticals or medical devices should ensure that they carefully address each element of CIAA.
The opinions expressed herein or statements made in the above column are solely those of the author and do not necessarily reflect the views of The Wisconsin Technology Network, LLC. (WTN). WTN, LLC, accepts no legal liability or responsibility for any claims made or opinions expressed herein.