53,005 research outputs found

    Security Practices and Regulatory Compliance in the Healthcare Industry

    This study examined the adoption of security practices, with the goal of identifying dominant configurations and their relationship to perceived compliance. We utilized survey data from 204 hospitals including adoption status of 17 security practices and perceived compliance levels on HITECH, HIPAA, Red Flags Rules, CMS, and State laws governing patient information security. Using cluster analysis and t-tests, we found that three clusters of security practices are significantly associated with different levels of perceived compliance. We demonstrated significant differences among non-technical practices rather than technical practices, and the highest levels of compliance are associated with hospitals that employed a balanced approach between technical and non-technical practices (or between one-time and cultural practices). Our results provide security practice benchmarks for healthcare administrators and can help policy makers in developing strategic and practical guidelines for practice adoption.

    A framework for secure mobile computing in healthcare

    Mobile computing is rapidly becoming part of healthcare’s electronic landscape, helping to provide better quality of care and reduced cost. While the technology provides numerous advantages to the healthcare industry, it is not without risk. The size and portable nature of mobile computing devices present a highly vulnerable environment, which threatens the privacy and security of health information. Since these devices continually access possibly sensitive healthcare information, it is imperative that these devices are considered for security in order to meet regulatory compliance. In fact, the increase in government and industry regulation to ensure the privacy and security of health information makes mobile security no longer just desirable, but mandatory. In addition, as healthcare becomes more aware of the need to reinforce patient confidence to gain competitive advantage, it makes mobile security desirable. Several guidelines regarding security best practices exist. Healthcare institutions are thus faced with matching the guidelines offered by best practices with the legal and regulatory requirements. While this is a valuable question in general, this research focuses on the aspect of considering this question when considering the introduction of mobile computing into the healthcare environment. As a result, this research proposes a framework that will aid IT administrators in healthcare to ensure that privacy and security of health information is extended to mobile devices. The research uses a comparison between the best practices in ISO 17799:2005 and the regulatory requirements stipulated in HIPAA to provide a baseline for the mobile computing security model. The comparison ensures that the model meets healthcare-specific industry requirements and international information security standards. In addition, the framework engages the Information Security Management System (ISMS) model based on the ISO 27000 standard. 
The framework, furthermore, points to existing technical security measures associated with mobile computing. It is believed that the framework can assist in achieving mobile computing security that is compliant with the requirements in the healthcare industry.

    A model for information security management and regulatory compliance in the South African health sector

    Information Security is becoming a part of the core business processes in every organization. Companies are faced with contradictory requirements to ensure open systems and accessible information while maintaining high protection standards. In addition, the contemporary management of Information Security requires a variety of approaches in different areas, ranging from technological to organizational issues and legislation. These approaches are often isolated while Security Management requires an integrated approach. Information Technology promises many benefits to healthcare organizations. It helps to make accurate information more readily available to healthcare providers and workers, researchers and patients, and advanced computing and communication technology can improve the quality and lower the costs of healthcare. However, the prospect of storing health information in an electronic form raises concerns about patient privacy and security. Healthcare organizations are required to establish a formal Information Security program, for example through the adoption of the ISO 17799 standard, to ensure an appropriate and consistent level of information security for computer-based patient records, both within individual healthcare organizations and throughout the entire healthcare delivery system. However, proper Information Security Management practices, alone, do not necessarily ensure regulatory compliance. South African healthcare organizations must comply with the South African National Health Act (SANHA) and the Electronic Communication Transaction Act (ECTA). It is necessary to consider compliance with the Health Insurance Portability and Accountability Act (HIPAA) to meet healthcare international industry standards. The main purpose of this project is to propose a compliance strategy, which ensures full compliance with regulatory requirements and at the same time assures customers that international industry standards are being used. 
This is preceded by a comparative analysis of the requirements posed by the ISO 17799 standard and the HIPAA, SANHA and ECTA regulations.

    Integrating DevOps with Existing Healthcare IT Infrastructure and Processes: Challenges and Key Considerations

    DevOps is a set of practices and tools that aim to improve collaboration and communication between software development and IT operations teams. In healthcare systems, DevOps has the potential to improve the performance, reliability, and scalability of IT systems while ensuring regulatory compliance and the protection of sensitive patient data. However, integrating DevOps with existing healthcare IT infrastructure and processes can present several challenges, including resistance to change, compliance and regulatory requirements, integration with legacy systems, lack of resources, and skill shortages. To overcome these challenges, healthcare organizations need to consider a number of key considerations when integrating DevOps with their existing IT infrastructure and processes. These include a clear understanding of the existing IT infrastructure and processes, engagement with stakeholders, a phased approach, automation where possible, a culture of continuous improvement, ensuring security and compliance, and fostering collaboration and communication. By following these key considerations, healthcare organizations can successfully integrate DevOps with their existing IT infrastructure and processes, unlocking the full benefits of DevOps for their healthcare systems. These benefits include improved performance, reliability, and scalability, increased collaboration and communication between IT and clinical teams, and increased efficiency and cost savings. DevOps has the potential to revolutionize healthcare IT by delivering more flexible, reliable, and scalable systems that support the delivery of better patient care. By adopting DevOps, healthcare organizations can transform their IT operations and processes, ensuring that they are well-equipped to meet the changing needs of the healthcare industry.

    Navigating Data Warehousing Implementation in Jordanian Healthcare Sector: Challenges and Opportunities

    Introduction: The implementation of data warehouse systems offers great potential for improving patient care, operational efficiency, and strategic decision-making. This study explores the challenges and opportunities of implementing data storage solutions in the Jordanian healthcare industry. Objectives: To investigate current data management practices, perceptions of data warehouses, and factors influencing adoption readiness among IT professionals in Jordanian healthcare organizations. Methods: A survey was conducted involving 102 IT professionals from various healthcare organizations in Jordan. Participants responded to a structured questionnaire, providing insights into key benefits, expected challenges, technical requirements, and future prospects for data warehousing in their organizations. Results: The study demonstrated the critical role of data warehouses in enhancing decision-making, patient care coordination, and operational efficiency within the Jordanian healthcare system. However, significant challenges such as data integration, security concerns, and regulatory compliance were identified. Conclusions: The paper provides recommendations to address these challenges and maximize the benefits of healthcare data warehouses in Jordan. Key strategies include investing in technical expertise, ensuring compatibility with existing systems, and improving data management practices. This study enhances understanding of the complexities associated with implementing data warehousing in the Jordanian healthcare industry and offers valuable insights for future research and practice in this evolving field.

    Medical Cyber-Physical Systems Development: A Forensics-Driven Approach

    The synthesis of technology and the medical industry has partly contributed to the increasing interest in Medical Cyber-Physical Systems (MCPS). While these systems provide benefits to patients and professionals, they also introduce new attack vectors for malicious actors (e.g. financially- and/or criminally-motivated actors). A successful breach involving a MCPS can impact patient data and system availability. The complexity and operating requirements of a MCPS complicate digital investigations. Coupling this information with the potentially vast amounts of information that a MCPS produces and/or has access to is generating discussions on not only how to compromise these systems but, more importantly, how to investigate these systems. The paper proposes the integration of forensics principles and concepts into the design and development of a MCPS to strengthen an organization's investigative posture. The framework sets the foundation for future research in the refinement of specific solutions for MCPS investigations. Comment: This is the pre-print version of a paper presented at the 2nd International Workshop on Security, Privacy, and Trustworthiness in Medical Cyber-Physical Systems (MedSPT 2017

    Cyber-Vulnerabilities & Public Health Emergency Response
