Guest Column | October 18, 2019

Closing The Compliance Software Gap

By Craig Sproule, Crowd Machine

Bridging The Gap

Building effective security controls into application development will help ensure patient data privacy.

By 2023, Gartner estimates, 60 percent of healthcare consumers will have access to, and control over, their health data using technology of their own choosing. Further, Gartner notes, by 2025, 50 percent of all healthcare delivery organizations (HDOs) will include material contributions from digital giants such as Google, Apple and Amazon in their clinical diagnostic or treatment processes. These trends illustrate how digital transformation is becoming a reality in the healthcare ecosystem. New digital processes gather more data, in more forms, from a wider variety of sources, digitally connecting HDOs and their business associates as data is shared.

This expanded sharing of data presents new challenges to HDOs that must be HIPAA and GDPR compliant. Organizations also want to avoid the penalties levied under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which strengthened HIPAA enforcement in response to the spread of health IT and the explosion of healthcare data. To do so, they must balance the benefits of an expanded knowledge base against workflows that protect data privacy.

Ensuring Compliance-Ready Processes

Healthcare CIOs, charged with ensuring that an effective strategy is in place to manage and protect patient data, must integrate HIPAA and GDPR compliance into every digital process they introduce into the enterprise. With each process added, whether a patient-facing application or an IoT medical device, the provider must ensure compliance throughout its use. However, most healthcare organizations already face tight budgets and IT staffing shortages, so it is difficult to allocate resources to build a compliance element into each new or improved process in which personal data is transferred electronically and exposed to the threat of a breach.

One economical answer to the compliance challenge is ‘no-code’ application development technology, which can help IT teams fast-track compliance-ready applications without lengthy development cycles. No-code applications are gaining traction in healthcare, one of the industries most actively adopting digital transformation technologies. With no-code, applications are assembled from reusable components, or ‘gadgets,’ enabling non-IT personnel to build customized digital processes. The IT department of one of the largest health insurance companies, for example, recently used the no-code approach to deliver HIPAA-compliant enterprise solutions to a line of business quickly, meeting a market demand.

Supporting Compliance Via No-Code Application Development

The HIPAA Security Rule operationalizes the Privacy Rule’s protections for health information that is held or transferred in electronic form (ePHI) by specifying administrative, physical and technical safeguards. No-code platforms can build a ‘defense in depth’ security model into every application they generate, so that each new application inherits standard security controls, including user, device and service-provider authentication, rather than re-implementing them. The platform’s controls do not by themselves make a process compliant: the HDO still owns the risk analysis and remains responsible for how the application is configured and used.

An effective defense in depth security model will incorporate the Security Rule’s technical safeguards, four of which are listed below (the fifth, person or entity authentication, is the authentication requirement noted above):

  • Access Control – technical policies and procedures that allow only authorized personnel to access ePHI. HIPAA’s implementation specifications here are unique user identification and emergency access procedures (both required) and automatic logoff and encryption/decryption (both ‘addressable’, meaning the HDO must implement them or document why an alternative is reasonable and appropriate).
  • Audit Controls – hardware, software and procedural mechanisms that record and examine activity in systems that contain or use ePHI. These audit logs record who accessed what, and when, and should also serve to flag activity that signals a possible compliance violation or unauthorized access; that only works if someone actually reviews the logs and the logs themselves are protected from tampering.
  • Integrity Controls – technical policies and procedures to confirm that ePHI is not improperly altered or destroyed, for example checksums or digital signatures over stored records. A data backup and recovery system should be in operation to ensure ePHI can be recovered accurately and intact. As more applications are added, HDOs must confirm with IT that the recovery system scales with the data and can restore the most current version of critical patient data. Standards need to be set for recovery, including the Recovery Point Objective (RPO), the maximum acceptable age of restored data, i.e. the longest interval tolerated between the last usable backup and a loss event, and the Recovery Time Objective (RTO), how long restoration may take. In healthcare these are important to set, since patient records need to be current and available.
  • Transmission Security (the rule’s name for transmission controls) – technical security measures, such as TLS for web and API traffic and encrypted email or VPNs, to protect ePHI in transit, whether over email, the internet, private networks or private clouds.
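As an added illustration of the audit and integrity controls above, the following Python example (added here, not code from the original column or from Crowd Machine) keeps an ePHI access log as a hash chain so that an after-the-fact edit to any record is detectable, and then runs three review rules over it: every emergency (‘break glass’) access is flagged, so is access outside business hours, and so is one user opening more distinct patient charts within an hour than a threshold allows. The record format, the 07:00–19:00 business-hours window, the threshold of three charts per hour and the sample events are all assumptions constructed for the example, not real product behaviour or real data.

```python
"""Tamper-evident ePHI access log with review rules (added example, constructed data)."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

GENESIS = "0" * 64                 # chain anchor for the first entry
BUSINESS_HOURS = (7, 19)           # assumed policy: 07:00-19:00 is normal access time
DISTINCT_PATIENT_LIMIT = 3         # assumed policy: >3 distinct charts per user per hour is suspect
WINDOW = timedelta(hours=1)

# Constructed sample audit events, one per ePHI access. Not real patient data.
SAMPLE_EVENTS = [
    {"ts": "2019-10-18T09:02:11", "user": "nurse_j", "patient": "P1001", "action": "view", "reason": "treatment"},
    {"ts": "2019-10-18T09:05:40", "user": "nurse_j", "patient": "P1002", "action": "view", "reason": "treatment"},
    {"ts": "2019-10-18T14:10:00", "user": "dr_k", "patient": "P1001", "action": "update", "reason": "treatment"},
    {"ts": "2019-10-18T23:41:03", "user": "clerk_r", "patient": "P1003", "action": "view", "reason": "break_glass"},
    {"ts": "2019-10-18T23:41:10", "user": "clerk_r", "patient": "P1004", "action": "view", "reason": "treatment"},
    {"ts": "2019-10-18T23:41:15", "user": "clerk_r", "patient": "P1005", "action": "view", "reason": "treatment"},
    {"ts": "2019-10-18T23:41:20", "user": "clerk_r", "patient": "P1006", "action": "view", "reason": "treatment"},
]


def _canonical(event):
    """Serialize an event deterministically so its hash is reproducible."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def build_chain(events):
    """Append each event to a hash chain: entry N's hash covers entry N-1's hash."""
    chain, prev = [], GENESIS
    for ev in events:
        digest = hashlib.sha256((prev + _canonical(ev)).encode()).hexdigest()
        chain.append({"event": dict(ev), "prev": prev, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Return the index of the first entry that fails verification, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = hashlib.sha256((prev + _canonical(entry["event"])).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return None


def tamper_and_verify(events, index, field, value):
    """Build a chain, alter one stored record after the fact, and report where verification fails."""
    chain = build_chain(events)
    chain[index]["event"][field] = value
    return verify_chain(chain)


def flag_events(chain):
    """Apply three review rules to a chain; return (rule, event) pairs for a human reviewer."""
    flags = []
    per_user = defaultdict(list)    # user -> [(timestamp, patient), ...]
    for entry in chain:
        ev = entry["event"]
        when = datetime.fromisoformat(ev["ts"])
        if ev["reason"] == "break_glass":
            flags.append(("emergency_access", ev))     # every emergency access gets reviewed
        if not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
            flags.append(("after_hours", ev))
        history = per_user[ev["user"]]
        history.append((when, ev["patient"]))
        recent = {p for t, p in history if when - t <= WINDOW}
        if len(recent) > DISTINCT_PATIENT_LIMIT:
            flags.append(("bulk_lookup", ev))          # possible record snooping
    return flags


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("chain intact:", verify_chain(chain) is None)
    for rule, ev in flag_events(chain):
        print(rule, ev["user"], ev["patient"], ev["ts"])
    print("first bad entry after tampering with #2:", tamper_and_verify(SAMPLE_EVENTS, 2, "action", "delete"))
```

On the sample data the chain verifies, the clerk’s emergency access and all four late-night accesses are flagged, and the fourth distinct chart opened in that hour trips the bulk-lookup rule; editing any stored record breaks verification at that entry. In production the chain head (or a signature over it) would be kept somewhere the application cannot write, otherwise an attacker with write access to the log can simply rebuild the chain.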

Another consideration is legacy data. No-code platforms can integrate with and transform legacy systems that may be vulnerable to privacy threats, and improving the security of legacy health data extends its useful life.

Compliance Means Constant Vigilance

According to the HHS Office for Civil Rights breach reports, May 2019 was a record month for healthcare data breaches, with 46 reported breaches affecting more than 500 records each, continuing a record-setting year. More healthcare records were breached in 2019 than in 2016, 2017 and 2018 combined, totaling more than 35 million individuals.

The threats and breaches aren’t stopping. To counter them, HDOs should also undertake vulnerability scans and penetration tests. The Security Rule does not name these activities explicitly, but they feed the risk analysis and periodic evaluation that it does require. A secure no-code platform will accommodate them, including penetration testing on a regular basis. Manual penetration testing, for example, shows how real attackers might compromise data, examining system software, workflow processes and storage methods as well as policies and procedures.

As healthcare organizations amass more data, develop more applications and execute new digital processes, their digital ‘attack surface’ grows rapidly. At the same time, they need to stay current and effective in their services. No-code application development offers a way to accelerate application delivery with a defense in depth security model that supports compliance.

By integrating security further into application development, HDOs can achieve digital transformation while remaining HIPAA and GDPR compliant.

About The Author

Craig Sproule is the CEO and founder of Crowd Machine.