IT's Role in Regulatory Compliance
Susheela Venkataraman - MD, Internet Business Solutions Group, Cisco India
With an increased focus on better patient outcomes and reduced costs, the healthcare industry is slowly but surely moving towards digitisation, and healthcare organisations today are increasingly using IT for diagnosis and care. The availability and use of sophisticated diagnostic techniques like teleradiology (where radiological images are transmitted for interpretation by a physician at another site) mean that paperlessness is becoming the order of the day. The growth of telemedicine and telehealth (including m-health, which uses mobile technology for diagnosis and care) indicates that the boundary of the hospital is expanding and the number of points of care is increasing rapidly.
Ironically though, while enabling medical practitioners to reach out to their patients in much better ways, technology has made the delivery of healthcare more complex. As patients and doctors become increasingly mobile, healthcare stakeholders need to follow the right process, provide information where and when needed, and move data to and from a variety of devices. All of this increases the likelihood of security breaches and loss of patient health data. Therefore, healthcare organisations today are under intense pressure and scrutiny for security, privacy and compliance.
According to a Healthcare Information Management Systems Society (HIMSS) 2009 survey, the top three security concerns for healthcare CIOs are internal breaches, regulatory compliance, and inadequate deployment of technology. Solutions that help meet regulatory requirements, mitigate security threats and manage risk are increasingly being sought after.
Being compliant helps healthcare organisations to reduce patient risk and increases patient confidence. It avoids damage to the reputation of the organisation and costly fines and penalties for the organisation and its executives. Compliance prevents loss of revenue and reduces the likelihood of professional damage to healthcare workers. It also enables doctors to work easily with any hospital in any geography using standards-based tools for diagnosis and care.
In emergency situations, the use of standards-based tools ensures, for example, that an ambulance on the road can interface with any nearby hospital. Standardised tools also provide alarms and warnings, such as for temperature changes within a lab or chemical spills, and so increase patient safety within a hospital. On a larger scale they help the government in disease surveillance.
As governments across the world and the general public insist that healthcare organisations take appropriate steps to ensure the proper use, and protection of personal information, leaders in healthcare, business, technology, and information security need to collaborate and adopt standards that help reduce inconsistencies, inefficiencies and high costs associated with the exchange of health information.
The process of gaining compliance calls for IT functions to come together in the areas of data confidentiality, integrity, availability and auditability. Compliance is assessed against standards mandated by accreditation bodies such as the National Accreditation Board for Hospitals & Healthcare Providers (NABH) or by legislation such as the Health Insurance Portability and Accountability Act (HIPAA).
Ensuring regulatory compliance, however, poses a great challenge for IT managers. Most regulations do not specifically state what they require from an IT perspective, and often several different regulations apply to a given organisation, making it difficult for IT managers to know what they must do to meet their compliance goals.
Although some vital differences exist among the various regulations, there is a substantial amount of overlap because they all deal with the fundamental issues of data security and privacy. An optimal way to address regulations is to first understand the potential threats and vulnerabilities of the data and network, and then create an effective and secure technology solution built on a well-designed infrastructure. This makes it far easier to deal with any new regulation that becomes law.
By grouping protection techniques and vulnerabilities into the categories of confidentiality, integrity, availability and auditability, IT managers can create a common baseline for establishing guidelines that help achieve compliance. This process scales with the evolving landscape of new threats, and new security measures can be incorporated easily.
Maintaining the confidentiality of healthcare data, which is continually exchanged between people and across networks, is critical. In the event of interception, it is important to make sure that data cannot be read or used by unauthorised parties. Data protection rests on authentication through unique user IDs and strong authentication processes; access control, wherein access privileges are granted strictly on a need-to-know basis; and privacy, which relies on strong encryption of data in transit and at rest.
Firewalls, VPNs, intrusion prevention systems (IPSs), authentication, authorisation and endpoint protection, along with encryption, are important for ensuring confidentiality of data in transit across the internet, wireless networks and hotspots, unsecured network areas, and areas providing guest access to the network. Of these, only encryption protects the content of traffic that has actually been intercepted; the other controls limit who can reach the data in the first place, so neither class of control is a substitute for the other.
In addition to confidentiality, it is also important to protect data against improper alteration or destruction and so ensure its integrity, i.e., that data and information are accurate, complete and inviolably preserved. Specific threats to data integrity are unauthorised modification, deletion and destruction of records, whether by an outside attacker or by an insider acting beyond their access rights (theft and copying of data are, by contrast, confidentiality threats). Firewalls and IPSs in the network and on the endpoints reduce the opportunities for such tampering, but integrity itself is established by controls that make tampering evident: access control over who may write to a record, and cryptographic checks such as message authentication codes or digital signatures over stored and transmitted data.
Within the realm of regulatory compliance it is critical to ensure that authorised users have access to regulated data at all times while unauthorised users never access it. Compliance also means that an organisation addresses availability within the context of business continuity and disaster recovery. Availability is a critical security property because it ensures that no legitimate users are barred from accessing the data they need. Specific active threats to availability include viruses, worms and denial-of-service (DoS) attacks, besides natural disasters, power outages and a variety of emergency situations.
A broad range of options is available for healthcare organisations to implement strategies that strengthen business continuity controls, improve network and application resilience and reduce operating expenses. For starters, mission-critical applications can be identified and classified and a minimum amount of bandwidth guaranteed for them. They can then be policy routed and marked for preferential treatment. Non-critical applications can similarly be classified, policed or blocked, as required.
Auditability is critical from a compliance perspective because it provides proof, in the form of an audit trail, that a healthcare organisation is following the steps necessary to satisfy specific regulations and secure sensitive information. When each security-relevant action is logged and reviewed, it is possible to demonstrate compliance and to investigate incidents. The audit trail is only as trustworthy as its own protection, however: logs must be written where the users and systems they record cannot alter them, and must be protected against modification or deletion, otherwise an attacker or an insider can simply erase the evidence.
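The integrity and auditability points above come together in how the audit trail itself is stored. The following is an added example (not code from the original article or from Cisco) of a tamper-evident access log: each record carries an HMAC over its content chained to the previous record's tag, so that altering, reordering or removing any entry breaks the chain. The key, user names, patient identifiers and timestamps are constructed for the demonstration; in practice the key would be held in a KMS or HSM out of reach of the systems being logged.

```python
"""Tamper-evident audit trail: each record carries an HMAC over its content
chained to the previous record's tag, so modification, reordering or removal
of any entry is detectable. Added example; not code from the original article."""
import copy
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key lives in a KMS or HSM
# and is not available to the systems whose actions are being logged.
KEY = b"constructed-demo-key-do-not-use-in-production"
GENESIS = "genesis"  # chain anchor for the first entry


def _canonical(entry):
    """Serialise an entry deterministically so the same content always hashes the same."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, prev_tag, entry):
    """HMAC-SHA256 over the previous record's tag and this entry's canonical form."""
    return hmac.new(key, prev_tag.encode() + b"\n" + _canonical(entry), hashlib.sha256).hexdigest()


def append_entry(log, entry, key=KEY):
    """Append an access event, chaining its tag to the current head of the log."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    log.append({"entry": entry, "tag": _tag(key, prev_tag, entry)})
    return log


def head_tag(log):
    """Tag of the latest entry; store it out of band so truncation can be detected."""
    return log[-1]["tag"] if log else GENESIS


def verify_log(log, key=KEY, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, index of first bad record).
    If expected_head is given, a log whose head differs (trailing entries deleted)
    fails with index == len(log)."""
    prev_tag = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["tag"], _tag(key, prev_tag, rec["entry"])):
            return False, i
        prev_tag = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        return False, len(log)
    return True, None


def build_sample_log():
    """Constructed sample access events (hypothetical users and patient IDs)."""
    events = [
        {"ts": "2009-06-01T08:02:11Z", "user": "dr.rao", "patient": "P-1001", "action": "view"},
        {"ts": "2009-06-01T08:05:47Z", "user": "dr.rao", "patient": "P-1001", "action": "update"},
        {"ts": "2009-06-01T09:14:03Z", "user": "nurse.k", "patient": "P-2033", "action": "view"},
    ]
    log = []
    for event in events:
        append_entry(log, event)
    return log


def tamper_entry(log, index, **changes):
    """Return a copy of the log with one entry's fields altered but its tag left as recorded."""
    forged = copy.deepcopy(log)
    forged[index]["entry"].update(changes)
    return forged


if __name__ == "__main__":
    log = build_sample_log()
    anchor = head_tag(log)
    print("intact:", verify_log(log))                                                  # (True, None)
    print("entry 1 altered:", verify_log(tamper_entry(log, 1, action="view")))         # (False, 1)
    print("entry 1 removed:", verify_log(log[:1] + log[2:]))                           # (False, 1)
    print("last entry removed, no anchor:", verify_log(log[:-1]))                      # (True, None)
    print("last entry removed, with anchor:", verify_log(log[:-1], expected_head=anchor))  # (False, 2)
```

The last two cases show the caveat that matters for audit evidence: a hash chain alone cannot tell that the most recent entries were deleted, because the shortened log is still internally consistent. Periodically recording the head tag somewhere the logging system cannot write (a separate log server, a signed report, a printout filed by the compliance officer) closes that gap, and the verification then fails at the truncation point.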
Network and Automation
While seeking regulatory compliance, network operators must understand how the network is behaving, including its response to changes. Solutions for security monitoring, analysis and response add intelligence to the network infrastructure: they receive alerts and notifications from firewalls, IPSs and wireless systems, identify the threat, determine where it is occurring, and help stop it and protect the data. By logging all of this information and the actions taken, it is possible to prepare incident response reports and compliance audits.
Because it touches every aspect of the extended organisation and connects all business processes, the network plays a fundamental role in regulatory compliance. With the inclusion of remote workers, healthcare organisations today need an end-to-end, system-based approach that is integrated and adaptive to manage their network security risks and addresses compliance requirements. Deploying or migrating to new technology platforms can help companies achieve regulatory compliance, lower costs and reduce overall security risks. Healthcare organisations also need to adopt best practices and technologies that have proven successful in other industries to enforce security.
Healthcare organisations need to know at all times what is on their network, and should therefore invest in solutions that automatically maintain a real-time inventory of these assets and of how they are changing, because new assets, new applications and configuration changes can introduce vulnerabilities that attackers look to exploit. Automation is the key to implementing and maintaining effective security and to complying with regulatory requirements.
With threats to the network becoming faster, smarter, more prevalent and more elusive than ever before, people alone cannot be as vigilant as they need to be to watch for policy violations or to flag abnormal network behaviour. Therefore healthcare organisations should adopt solutions that reduce the effort not only of installing and configuring the technology, but also of monitoring and enforcing organisational network security policy, including the rules that compliance imposes. Technologies that automate tuning, alert routing, policy enforcement and remediation are critical. When evaluating security products, healthcare organisations should favour technology that offers more than a single feature, because such solutions are cost-effective and require fewer IT security staff to maintain on an ongoing basis.
In addition to the above, the use of standardised nomenclatures and code sets to describe clinical problems, procedures, medications, allergies, clinical summaries, prescriptions and so on gives systems a common, predictable vocabulary for exchanging information and helps meet regulatory compliance within a healthcare setup. Authentication, access control and transmission security standards, which relate to and span all of the other types of standards, add to the benefit.
Network-based applications have transformed virtually every industry, and healthcare is no exception. Solutions that allow access to Electronic Health Records (EHRs), medical management systems, imaging, biomedical information, material management, patient accounting, admitting information, and online claims submissions are becoming commonplace in wireless, wired, and mobile scenarios. Since all data on patients need to be kept secure and private, both wired and wireless security is a significant part of the overall security strategy of any healthcare facility.
Generally, a combination of wired and wireless security standards should be considered to meet regulatory requirements. As regulatory audits become more frequent, there is an increased need to enforce data security, and organisations handling electronic health data need to implement measures for controlling access to confidential medical information and protecting it against compromise and misuse.
Healthcare organisations must establish a policy for how the institution manages risk on the network so that confidentiality, integrity, availability and auditability are maintained. They must put in place a process for applying risk management throughout the life cycle of the network. They need to assign people who can execute the risk management process, provide the necessary resources, specify the criteria by which risk is determined to be acceptable, and approve the results of the risk management process. In order to meet regulatory requirements, healthcare organisations that maintain and operate networks with medical devices are urged to consult and implement regulatory recommendations to minimise the risk involved in operating such networks.
Deploying, for example, the Cisco Medical-Grade Network (MGN) architecture can be a good option for obtaining compliance because it is not just a set of firewalls at the perimeter of the network, nor does its protection end when the information is written to disk or sent to an offsite vault. The architecture applies industry best practices across the entire healthcare environment and gives care providers and vendors the ability to interact with the network and its related clinical systems seamlessly. Wireless, virtual private network (VPN) and collaborative technologies extend the benefit further. The network provides fundamental mechanisms and services for interaction in a highly secure manner and supports compliance with regulatory guidelines and best practices.
Architectural attributes that respond to changing clinical requirements help the rapid deployment and secure use of various systems for efficient healthcare delivery, while also responding to new security demands and maintaining uptime, serviceability and adherence to regulatory changes. Robustly designed, scalable architectures add to the benefit.
Healthcare organisations that approach compliance from a solid security foundation, coupled with comprehensive technology solutions that use proven IT control frameworks, best practices and threat modelling processes, will have a defensible position when their networks are subjected to compliance reviews. They will be ready for the compliance challenges not only of the present but of the future as well.