IT's Role in Regulatory Compliance
Healthcare organisations that approach compliance using a
solid security foundation coupled with comprehensive technology solutions that
use proven IT control frameworks, best practices and threat modeling processes
will have a defensible position when their networks are subjected to compliance
reviews, opines Susheela Venkataraman, MD, Internet Business Solutions
Group, Cisco India.
With an increased focus on better patient outcomes and reduced
costs, the healthcare industry is slowly but surely moving towards digitisation,
and healthcare organisations today increasingly use IT for diagnosis and
care. The availability and use of sophisticated diagnostic techniques such as
teleradiology (where a physician interprets a patient's imaging studies from a
remote location) mean that paperless working is becoming the order of the day.
The growth of telemedicine and telehealth (including m-health, which uses mobile
technology for diagnosis and care) indicates that the boundary of the hospital
is expanding and that the number of points of care is increasing rapidly.
Ironically, while technology enables medical practitioners to reach
out to their patients in much better ways, it has also made the delivery
of healthcare more complex. As patients and doctors become increasingly mobile,
healthcare stakeholders need to follow the right processes, provide information
where and when it is needed, and move data to and from a variety of devices.
All of this increases the likelihood of security breaches and loss of patient
health data. Healthcare organisations today are therefore under intense pressure
and scrutiny on security, privacy and compliance.
According to a Healthcare Information and Management Systems Society
(HIMSS) 2009 survey, the top three security concerns of healthcare CIOs are
internal breaches, regulatory compliance and inadequate deployment of
technology. Solutions that help meet regulatory requirements, mitigate security
threats and manage risk are increasingly sought after.
Being compliant helps healthcare organisations reduce risk to patients and
increases patient confidence. It helps avoid damage to the reputation of the
organisation and costly fines and penalties for the organisation and its
executives. Compliance reduces the risk of lost revenue and of professional
damage to healthcare workers. It also enables doctors to work with any hospital
in any geography using standards-based tools for diagnosis and care.
In emergency situations, the use of standards-based tools ensures, for example,
that an ambulance en route can interface with any nearby hospital. Standardised
tools also provide alarms and warnings, such as temperature changes within a lab
or chemical spills, and so increase patient safety within a hospital. On a
larger scale, they help the government with disease surveillance.
Becoming Compliant
As governments across the world and the general public insist that healthcare
organisations take appropriate steps to ensure the proper use and protection of
personal information, leaders in healthcare, business, technology and
information security need to collaborate and adopt standards that reduce the
inconsistencies, inefficiencies and high costs associated with the exchange of
health information.
Gaining compliance calls for IT functions to come together in the areas of
data confidentiality, integrity, availability and auditability. Compliance is
assessed against standards mandated by accreditation bodies such as the National
Accreditation Board for Hospitals & Healthcare Providers (NABH), or by
legislation such as the Health Insurance Portability and Accountability Act
(HIPAA) in the United States.
Ensuring regulatory compliance, however, poses a great challenge for IT
managers. Most regulations do not specifically state what they require from an
IT perspective, and often several regulations apply to a given organisation,
making it difficult for IT managers to know what they must do to meet their
compliance goals.
Although some vital differences exist among the various regulations,
there is a substantial amount of overlap because they all deal with the
fundamental issues of data security and privacy. The most effective way to
address regulations is to first understand the threats to, and vulnerabilities
of, the data and the network, and then build a secure technology solution on a
well-designed infrastructure. A solution built this way can accommodate any new
regulation that becomes law with far less rework.
Categorising Vulnerabilities
By grouping protection techniques and vulnerabilities into the categories of
confidentiality, integrity, availability and auditability, IT managers can create
a common baseline for establishing guidelines that help achieve compliance.
This categorisation scales as new threats emerge, and new security measures can
be incorporated into it easily.
Maintaining the confidentiality of healthcare data, which is continually
exchanged between people and across networks, is critical. If data is
intercepted, it must not be readable or usable by unauthorised parties. Data
protection rests on three controls: authentication (unique user IDs combined
with strong authentication mechanisms), access control (privileges granted
strictly on a need-to-know basis) and privacy (strong encryption of data both in
transit and at rest).
Firewalls, VPNs, intrusion prevention systems (IPSs), authentication,
authorisation and endpoint protection, together with encryption, are important
for ensuring the confidentiality of data in transit across the internet,
wireless networks and hotspots, unsecured network segments, and segments that
provide guest access to the network.
In addition to confidentiality, it is also important to protect data against
improper alteration or destruction, i.e. to ensure its integrity: data and
information must be accurate, complete and inviolably preserved. Specific
threats include unauthorised modification and deletion, as well as theft,
copying and unauthorised access. A firewall and IPS, in the network and on the
endpoints, are the first line of defence against these threats. Note, however,
that network controls alone cannot detect an authorised user altering a record;
integrity also requires controls on the data itself, such as change control,
checksums and tamper-evident audit records.
Within the realm of regulatory compliance it is critical to ensure that
authorised users have access to regulated data at all times, while unauthorised
users never do. Compliance also means that an organisation addresses
availability within the context of business continuity and disaster recovery.
Availability is a critical security control because it ensures that no
legitimate user is barred from accessing the data they need. Active threats to
availability include viruses, worms and denial-of-service (DoS) attacks; passive
ones include natural disasters, power outages and a variety of other emergency
situations.
A broad range of options is available for healthcare organisations to
strengthen business continuity controls, improve network and application
resilience and reduce operating expenses. For a start, mission-critical
applications can be identified and classified, and a minimum amount of
bandwidth guaranteed for them; they can then be policy-routed and marked for
preferential treatment. Non-critical applications can similarly be classified
and then policed or blocked, as required.
Auditability is critical from a compliance perspective because it provides
proof, in the form of an audit trail, that a healthcare organisation is
following the steps necessary to satisfy specific regulations and secure
sensitive information. When each security-relevant action is tracked and
audited, it is possible both to demonstrate compliance and to investigate
incidents.
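The three controls above, need-to-know access control, integrity protection and an audit trail, fit together in a small amount of code. The following is an added example, not code from the article or from Cisco: every read of a patient record is checked against a treatment relationship and the user's role, every decision (allowed or denied) is appended to an HMAC-chained log, and the chain can be verified later so that an edited or deleted entry is detected. The patients, users, roles and the audit key are hypothetical constructed data.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample data (hypothetical names): patient records, users, and the
# treatment relationships that justify "need-to-know" access.
PATIENTS = {
    "P-1001": {"name": "A. Rao", "diagnosis": "fracture, left radius"},
    "P-1002": {"name": "B. Iyer", "diagnosis": "type 2 diabetes"},
}
USERS = {
    "dr.mehta": {"role": "physician", "patients": {"P-1001"}},
    "nurse.kumar": {"role": "nurse", "patients": {"P-1001", "P-1002"}},
    "billing.singh": {"role": "billing", "patients": set()},
}
# Fields each role may read: billing staff never see clinical data.
ROLE_FIELDS = {
    "physician": {"name", "diagnosis"},
    "nurse": {"name", "diagnosis"},
    "billing": {"name"},
}
# Key for the HMAC chain. In production this would come from an HSM or key
# management service; here it is a hypothetical constant for the example.
AUDIT_KEY = b"hypothetical-audit-key-replace-me"


class AuditLog:
    """Append-only audit trail in which each entry commits to the previous one."""

    def __init__(self):
        self.entries = []
        self._prev = "0" * 64  # genesis link

    def record(self, user, patient_id, field, decision, reason):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "patient": patient_id, "field": field,
            "decision": decision, "reason": reason, "prev": self._prev,
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()
        self.entries.append(entry)
        self._prev = entry["mac"]
        return entry

    def verify(self):
        """Recompute every MAC and chain link; return (ok, index of first bad entry)."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev:          # an entry was removed or reordered
                return False, i
            expected = hmac.new(AUDIT_KEY, json.dumps(body, sort_keys=True).encode(),
                                hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):  # entry was edited
                return False, i
            prev = entry["mac"]
        return True, None


def read_field(log, user, patient_id, field):
    """Need-to-know check: the user must have a treatment relationship with the
    patient AND a role permitted to see the field. Every decision is logged."""
    u = USERS.get(user)
    if u is None:
        log.record(user, patient_id, field, "DENY", "unknown user")
        return None
    if patient_id not in u["patients"]:
        log.record(user, patient_id, field, "DENY", "no treatment relationship")
        return None
    if field not in ROLE_FIELDS[u["role"]]:
        log.record(user, patient_id, field, "DENY", f"field not permitted for role {u['role']}")
        return None
    log.record(user, patient_id, field, "ALLOW", "need-to-know satisfied")
    return PATIENTS[patient_id][field]


if __name__ == "__main__":
    log = AuditLog()
    print(read_field(log, "dr.mehta", "P-1001", "diagnosis"))       # allowed
    print(read_field(log, "dr.mehta", "P-1002", "diagnosis"))       # denied: not her patient
    print(read_field(log, "billing.singh", "P-1001", "diagnosis"))  # denied: role
    print(log.verify())
    log.entries[1]["decision"] = "ALLOW"   # someone edits the trail after the fact
    print(log.verify())
```

Denied attempts are logged as deliberately as allowed ones: for an investigation, the record of who tried to read a chart they had no relationship with is often the more useful evidence. Keying the chain with an HMAC rather than a plain hash means that rewriting the whole chain after tampering requires the audit key, which should not be available to the application users.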
Network and Automation
While seeking regulatory compliance, network operators must understand how the
network is behaving, including how it responds to change. Solutions for security
monitoring, analysis and response add intelligence to the network
infrastructure: they receive alerts and notifications from firewalls, IPSs and
wireless systems, identify the threat, determine where it is occurring, and
help stop it and protect the data. Logging all of this information, and the
actions taken, makes it possible to prepare incident response reports and
compliance audits.
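What "identify the threat and determine where it is occurring" looks like in practice is correlation: the same source appearing in alerts from several sensors, within a short window, against more than one network zone. The block below is an added example and not part of the article or any vendor's product. It parses a handful of constructed syslog-style lines (the line format, sensor names and address plan are all hypothetical), groups IPS alerts by source address, maps destinations to network zones, and escalates a source to an incident with a recommended action only when it crosses a threshold; a single noisy alert from a quiet source is left alone.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical syslog-like format; the
# addresses are documentation ranges, the sensor names are invented.
SAMPLE_LOGS = """\
2009-06-01T10:00:01 fw-edge ALLOW src=203.0.113.45 dst=10.20.0.15 dport=443
2009-06-01T10:00:04 ips-dmz ALERT src=203.0.113.45 dst=10.20.0.15 sig=SQL-INJECTION sev=4
2009-06-01T10:00:09 ips-dmz ALERT src=203.0.113.45 dst=10.20.0.15 sig=SQL-INJECTION sev=4
2009-06-01T10:00:31 ips-core ALERT src=203.0.113.45 dst=10.30.1.8 sig=SMB-BRUTEFORCE sev=5
2009-06-01T10:01:10 fw-edge ALLOW src=198.51.100.7 dst=10.20.0.15 dport=443
2009-06-01T10:02:00 ips-dmz ALERT src=198.51.100.7 dst=10.20.0.15 sig=SQL-INJECTION sev=4
2009-06-01T11:30:00 ips-core ALERT src=198.51.100.7 dst=10.30.1.8 sig=SMB-BRUTEFORCE sev=5
"""

# Hypothetical address plan used to say *where* a threat is occurring.
ZONES = {
    "dmz-web": ipaddress.ip_network("10.20.0.0/24"),
    "clinical-ehr": ipaddress.ip_network("10.30.0.0/16"),
}
LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY|ALERT) (.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sensor, action, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields.update(ts=datetime.fromisoformat(ts), sensor=sensor, action=action)
    return fields


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def correlate(log_text, window=timedelta(minutes=5), min_alerts=2):
    """Group IPS alerts by source address. A source becomes an incident when it
    raises at least `min_alerts` alerts inside `window`, or when it touches more
    than one internal zone inside that window (a sign of lateral movement)."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "ALERT":
            alerts[ev["src"]].append(ev)

    incidents = []
    for src, evs in alerts.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide the window over this source's alerts
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            zones = {zone_of(e["dst"]) for e in in_window}
            if len(in_window) >= min_alerts or len(zones) > 1:
                incidents.append({
                    "source": src,
                    "first_seen": first["ts"].isoformat(),
                    "alert_count": len(in_window),
                    "zones": sorted(zones),
                    "signatures": sorted({e["sig"] for e in in_window}),
                    "max_severity": max(int(e["sev"]) for e in in_window),
                    "sensors": sorted({e["sensor"] for e in in_window}),
                    "recommended_action": (f"block {src} at fw-edge; review hosts in "
                                           + ", ".join(sorted(zones))),
                })
                break  # one incident per source is enough for the report
    return incidents


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(inc)
```

With the constructed input, 203.0.113.45 is escalated (three alerts from two sensors, reaching both the DMZ and the clinical zone within a minute) while 198.51.100.7, whose two alerts are almost ninety minutes apart, is not. The incident dictionaries are the raw material for the incident response report the paragraph mentions; the constructed `ALLOW` lines from the firewall are kept in the input deliberately, since a real feed mixes both and the parser must skip what it does not need.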
Because it touches every aspect of the extended organisation and connects all
business processes, the network plays a fundamental role in regulatory
compliance. With the inclusion of remote workers, healthcare organisations
today need an end-to-end, system-based approach that is integrated and adaptive,
manages their network security risks and addresses compliance requirements.
Deploying or migrating to new technology platforms can help organisations
achieve regulatory compliance, lower costs and reduce overall security risk.
Healthcare organisations should also adopt security practices and technologies
that have proven successful in other industries.
Healthcare organisations that use IT resources to continuously track
everything on the network must invest in solutions that automatically maintain
a real-time inventory of those assets and of how they are changing, because new
assets, new applications and configuration changes can introduce
vulnerabilities that attackers look to exploit. Automation is the key to
implementing and maintaining effective security and complying with regulatory
requirements.
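The inventory point above is concrete enough to show. The following added example (not from the article or any Cisco product) compares two constructed inventory snapshots, a baseline and the current state, and turns the differences into ranked findings: an unknown host that has appeared, a new listening service on a known host, and a changed configuration hash. Hosts, addresses, services and hashes are hypothetical; the risk classification of services is a simple rule table that a real deployment would replace with its own policy.

```python
from dataclasses import dataclass

# Constructed inventory snapshots, as a discovery tool might produce them.
# Hostnames, addresses and configuration hashes are hypothetical.
BASELINE = {
    "ehr-db-01":  {"ip": "10.30.1.8",  "services": {5432: "postgresql", 22: "ssh"}, "config_sha256": "aa11"},
    "pacs-01":    {"ip": "10.30.2.5",  "services": {104: "dicom", 22: "ssh"},       "config_sha256": "bb22"},
    "web-portal": {"ip": "10.20.0.15", "services": {443: "https"},                  "config_sha256": "cc33"},
}
CURRENT = {
    "ehr-db-01":   {"ip": "10.30.1.8",  "services": {5432: "postgresql", 22: "ssh", 23: "telnet"}, "config_sha256": "aa11"},
    "pacs-01":     {"ip": "10.30.2.5",  "services": {104: "dicom", 22: "ssh"},       "config_sha256": "bb99"},
    "web-portal":  {"ip": "10.20.0.15", "services": {443: "https", 80: "http"},      "config_sha256": "cc33"},
    "infusion-gw": {"ip": "10.30.3.40", "services": {80: "http"},                    "config_sha256": "dd44"},
}

# Policy table (assumed for the example): services that should never appear on a
# clinical network without a change ticket, and services that carry data in clear.
HIGH_RISK_SERVICES = {"telnet", "ftp", "smb", "rdp", "vnc"}
CLEARTEXT_SERVICES = {"http"}
RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str       # new_host | removed_host | new_service | removed_service | config_change
    detail: str
    severity: str   # high | medium | low


def severity_for_service(name):
    if name in HIGH_RISK_SERVICES:
        return "high"
    if name in CLEARTEXT_SERVICES:
        return "medium"
    return "low"


def worst(severities):
    """Most severe of a list of severities ('high' beats 'medium' beats 'low')."""
    return min(severities, key=RANK.__getitem__, default="low")


def diff_inventory(baseline, current):
    """Compare two snapshots and return findings, most severe first."""
    findings = []
    for host in sorted(set(current) - set(baseline)):
        svcs = current[host]["services"]
        listening = ", ".join(f"{p}/{n}" for p, n in sorted(svcs.items()))
        # An unmanaged device is at least medium; worse if it runs a risky service.
        sev = worst([severity_for_service(n) for n in svcs.values()] + ["medium"])
        findings.append(Finding(host, "new_host",
                                f"unknown host {current[host]['ip']} listening on {listening}", sev))
    for host in sorted(set(baseline) - set(current)):
        findings.append(Finding(host, "removed_host",
                                f"{baseline[host]['ip']} no longer seen", "low"))
    for host in sorted(set(baseline) & set(current)):
        old, new = baseline[host], current[host]
        for port in sorted(set(new["services"]) - set(old["services"])):
            name = new["services"][port]
            findings.append(Finding(host, "new_service", f"{port}/{name} now listening",
                                    severity_for_service(name)))
        for port in sorted(set(old["services"]) - set(new["services"])):
            findings.append(Finding(host, "removed_service",
                                    f"{port}/{old['services'][port]} no longer listening", "low"))
        if old["config_sha256"] != new["config_sha256"]:
            findings.append(Finding(host, "config_change",
                                    f"config hash {old['config_sha256']} -> {new['config_sha256']}",
                                    "medium"))
    findings.sort(key=lambda f: (RANK[f.severity], f.host))
    return findings


if __name__ == "__main__":
    for f in diff_inventory(BASELINE, CURRENT):
        print(f"[{f.severity:6}] {f.host}: {f.kind} - {f.detail}")
```

On the constructed snapshots the telnet listener that has appeared on the EHR database is ranked first, ahead of the unknown infusion-pump gateway, the changed PACS configuration and the new cleartext HTTP listener on the portal. Running the comparison on every discovery cycle, rather than only at audit time, is what turns the inventory into the "real-time" control the paragraph calls for.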
With threats to the network becoming faster, smarter, more prevalent and more
elusive than ever before, people cannot be as vigilant as they need to be to
watch for policy violations or to flag abnormal network behaviour. Healthcare
organisations should therefore adopt solutions that reduce the effort not only
of installing and configuring the technology, but also of monitoring and
enforcing organisational network security policies, including compliance
rules, automatically. Technologies that automate tuning, alert routing, policy
enforcement and remediation are critical. When evaluating security products,
healthcare organisations should look for technology that offers more than a
single feature, because such solutions are more cost-effective and require
fewer IT security staff to maintain on an ongoing basis.
In addition, the use of standardised nomenclatures and code sets to describe
clinical problems, procedures, medications, allergies, clinical summaries,
prescriptions and so on gives systems a common, predictable vocabulary for
exchanging information and helps meet regulatory requirements within a
healthcare setup. Standards for authentication, access control and transmission
security, which cut across all the other types of standards, add to the
benefit.
Adopting Standards
Network-based applications have transformed virtually every industry, and
healthcare is no exception. Solutions that provide access to Electronic Health
Records (EHRs), medical management systems, imaging, biomedical information,
materials management, patient accounting, admissions information and online
claims submission are becoming commonplace in wired, wireless and mobile
scenarios. Since all patient data must be kept secure and private, both wired
and wireless security form a significant part of the overall security strategy
of any healthcare facility.
Generally, a combination of wired and wireless security standards should be
considered to meet regulatory requirements. As regulatory audits become more
frequent, the need to enforce data security increases, and organisations
handling electronic health data need to implement measures for controlling
access to confidential medical information and protecting it against compromise
and misuse.
Healthcare organisations must establish a policy for how the institution
manages risk on the network so that confidentiality, integrity, availability
and auditability are maintained. They must put in place a process for applying
risk management throughout the life cycle of the network. They need to assign
people who can execute the risk management process, provide the necessary
resources, specify the criteria by which risk is judged acceptable, and approve
the results of the risk management process. To meet regulatory requirements,
healthcare organisations that maintain and operate networks containing medical
devices are urged to consult and implement the relevant regulatory
recommendations to minimise the risk involved in operating such networks.
Deploying, for example, the Cisco Medical-Grade Network (MGN) architecture can
be a good option for obtaining compliance because it is not just a set of
firewalls at the perimeter of the network, nor does its protection end when the
information is written to disk or sent to an offsite vault. The architecture
applies industry best practices to the entire healthcare environment and gives
care providers and vendors the ability to interact seamlessly with the network
and its related clinical systems. Wireless, virtual private network (VPN) and
collaboration technologies extend the benefit further. The network provides the
fundamental mechanisms and services for highly secure interaction and enables
compliance with regulatory guidelines and best practices.
Conclusion
Architectural attributes that respond to changing clinical requirements help
the rapid deployment and secure use of the various systems needed for efficient
healthcare delivery, while also responding to new security demands and
maintaining uptime, serviceability and adherence to regulatory change. Robust,
scalable architectures add to the benefit.
Healthcare organisations that approach compliance using a solid security
foundation coupled with comprehensive technology solutions that use proven IT
control frameworks, best practices and threat modeling processes will have a
defensible position when their networks are subjected to compliance reviews.
They will be ready for the compliance challenges not only of the present but of
the future as well.