GOVERNANCE

GEIT FOR HEALTH CARE

© 2017 ISACA. All Rights Reserved.


CONTENTS

Introduction and Objectives

Health Care Information Technology Fundamentals

The Regulation of Health Care Information Technology
  / Pharmaceutical Regulation History
  / Provider and Device Regulation History

Health Care Regulations and Principles
  / Pharmaceutical and Health Care Technology Regulations and Principles
  / Provider Regulations
  / Including Regulations in Governance Structure

Health Care Technology Governance in the Pharmaceutical Industry

Governance of Enterprise Information Technology (GEIT) for Health Care
  / Striated vs. Nonstriated Model
  / Striated Governance Model
  / Nonstriated Governance Model
  / Pharmaceutical Clinical Trial Example of a Nonstriated Governance Model
  / Optimizing Health Care Governance
  / Implementing GEIT for Health Care
  / Include Health Care-specific Factors in Goals Analysis
  / Leverage Compliance During Buy-in
  / Include Specialists in Planning and on the Project Team
  / Documentation of Current State
  / Other Considerations
  / How Smaller Health Care Enterprises Manage Regulatory Requirements

Interoperability Requirements of Health Care Data

Governance Challenges for Health Care Technology
  / Increasing Regulatory Complexity
  / Cyber Security
  / The Pace of Health Care Technology Change
  / Balancing Delivery Quality with Delivery Cost
  / Governance of the Supply Chain (Third Parties)
  / Interoperability and Harmonization

The Evolution of Provider Health Care Information Technology

Conclusion

Acknowledgments


ABSTRACT

Health care is one of the most complex and highly regulated sectors in the world. For health care providers, device manufacturers, insurers and pharmaceutical enterprises, this white paper develops critical topics including:

• How the size, scale and significance of the health care sector has changed
• How health care usage of information technology (IT) differs from other industries
• How those differences affect enterprise IT governance
• Whether and how traditional governance models can be used in clinical environments
• How the evolution of technology is changing health care governance
• How emerging challenges in health care technology governance may be approached


Introduction and Objectives


Health care is one of the most complex and highly regulated sectors in the world. For health care providers, device manufacturers, insurers and pharmaceutical enterprises, this white paper develops critical topics including:

• How the size, scale and significance of the health care sector has changed
• How health care usage of information technology (IT) differs from other industries
• How those differences affect enterprise IT governance
• Whether and how traditional governance models can be used in clinical environments
• How the evolution of technology is changing health care governance
• How emerging challenges in health care technology governance may be approached

The white paper discusses regulatory information for various health care audiences; content specific to a given audience (and not applicable to other audiences) is presented in separate, dedicated sections whose headings indicate their relevance to specific readers.

The information in this white paper reflects real-world experience in auditing and managing IT operations across many different health care environments in the United States, Europe and other regions across the globe. This white paper also discusses emerging patterns in the delivery of health care products and services, all of which can affect enterprise governance.

Regulations governing technology in health care enterprises vary by territory, country and jurisdiction. Regulatory goals and mandates also vary according to the different missions of health care enterprises. For example, a multi-institution health system in the United States and a pharmaceutical enterprise in the United Kingdom are subject to vastly different regulations. For that reason, this white paper does not explicitly address all major regulations that may apply to a given enterprise or address in detail the various regulatory environment(s) of local geographies. Instead, the paper focuses on themes, principles and goals that regulations share; among the common elements, the paper highlights those likely to affect governance significantly. References to useful supporting materials and websites are included where appropriate.

Key to the question of governance of technology in the health care sector is an understanding of the regulatory context that surrounds the use of technology in that sector. The regulatory environment itself dictates some of the parameters within which governance structures must operate. Industry-specific considerations, such as health and safety concerns, also dictate some of the parameters. To understand why health care requires high levels of regulation and far more control and accountability than other industry sectors, it helps to consider the fundamentals of the sector and the consequences if (and when) things go wrong.

In addition to regulatory and compliance requirements, effective governance of enterprise information technology (GEIT) in health care enterprises relies, at least in part, on a much higher level of documented control and accountability than is usual in most sectors. This white paper explains the drivers behind health care’s heightened emphasis on documentation and accountability. Finally, the paper also outlines the main principles that enterprises apply to govern health care technology above and beyond the structures and principles associated with regulatory compliance.


Health Care Information Technology Fundamentals

The health care sector is one of the most diverse, sensitive and rewarding sectors in which to work. Among other businesses, it includes:

• Pharmaceutical enterprises
• Medical device manufacturers and their supply chains
• Institutional providers (hospitals, health systems and clinics)
• Physician offices
• Biotechnology firms
• Payers (health insurance enterprises)
• Clearinghouses (entities that support transactions between providers and payers)
• Veterinary (animal health) enterprises1

When managed correctly, practitioners and the work they perform in this sector can directly improve the health and wellbeing of patients.

Because everyone, at some point, consumes health care products and services, it is unsurprising that this sector is one of the largest of all industries. Statistics vary, but in the United States alone, 2016 health care revenue reached at least $1.6 trillion; health care employees constituted more than seven percent of the working population.2 Given the size of the industry overall—not to mention the number and complexity of interactions people have with the sector and its employees—one may take for granted the enormous care and attention lavished on health care products and services.

For example, consider the lifecycle of a medication. Extreme care is required to invent, develop, screen for toxicity, clinically trial, manufacture, package, distribute and prescribe a medication. Even after a drug is brought to market, the work continues; for example, every adverse side effect reported by any person is centrally collated, and upon review, safety advice may be updated accordingly. An average pharmaceutical drug relies on hundreds of highly regulated and accountable systems—to test the drug, to evaluate its efficacy and safety on animals and people, to discover unanticipated side effects, etc.—before it receives market approval.

Even in the smallest clinic, each appointment, test, result and communication with a patient (or other physician, technician or specialist) can form a crucial link in a lifesaving chain. Systems that communicate records, transcriptions, diagnostic images, test results, etc., likewise create vital links. Taken together, these activities, processes and information technologies can be as complicated as they are critical in their cumulative ability to ensure data integrity (e.g., accuracy of dosage/contraindications of dispensed pharmaceuticals and test results); availability (e.g., access to critical diagnostic systems and imaging modalities); and confidentiality (e.g., patient records).

When these systems work appropriately, they support patient health and safety. When they are subverted or work incorrectly, they can fail to do so, sometimes with catastrophic human consequences and professional liability. Thus the value of the clinical information-technology ecosystem is balanced against the risk of errors that can (and unfortunately do) result in serious and devastating consequences. For physicians, practitioners and patients of all types, getting timely access to the information or technology they need, when they need it, can mean the difference between life and death.

Not all health systems carry the potential for direct (or even indirect) impact on the health and safety of patients. However, many do: systems supporting institutional clinical care (for example, those in a hospital or health system) can absolutely affect health and safety. Other similarly risk-related systems include:

• Pharmaceutical dispensary systems—for example, those tracking medication contraindications or dosage for patients
• Imaging modalities, picture archiving and communication systems (PACS), radiology information systems (RISs) and their supporting subsystems, which create, disseminate, inspect or examine diagnostic images
• Electronic Medical Records (EMR) systems—systems that maintain patient records
• Laboratory Information Systems—systems that perform tests or record and store results
• Patient monitors—biomedical systems, including patient monitors or other feedback monitoring

Beyond these examples of systems directly supporting patient care, numerous, more commonplace technologies support clinical or other health care environments in various mundane ways. Their ubiquity and familiarity notwithstanding, these systems also play a critical role in patient safety, and include technologies like door access-control systems; email; training records storage applications; heating, ventilation and air-conditioning (HVAC) systems; telephone systems that rely on Internet bandwidth (such as voice over internet protocol (VoIP) communications); or transcription services.

Because of their role in patient care, such ordinary applications take on special significance. Consider email, for example. Email is sometimes used to pass critical health-related information, even though other more specialized mechanisms are not only available but preferable for conveying information in a clinical setting (e.g., Health Level Seven International [HL7] messaging standards). What happens if critical and time-sensitive medical information fails to be delivered to the person who needs it, when they need it?

Likewise, air-conditioning and refrigeration can be critical to health care; some pharmaceutical products, for example, degrade or become compromised if they are not continually maintained within the correct temperature range.

For all these reasons, governance of enterprise IT in the health care sector requires one of the most structured, controlled and accountable frameworks of any industry.

1 Note that inclusion or exclusion of veterinary or animal health varies by region; for example, some countries include veterinary care in the broader context of the health care space where some do not.

2 2016 Statistic Brain Institute, “Health Care Industry Statistics,” www.statisticbrain.com/health-care-industry-statistics

The Regulation of Health Care Information Technology

In many industries, achieving an 80-percent success or availability rate can be considered exceptionally good. For example, in the venture-capital world, some statistics have reported average failure rates as high as 75 percent;3 therefore, a success rate of 80 percent in the venture-capital industry would be considered exceptional.

3 McDermott, John; “Report: 75% of Venture-backed Start-ups Fail,” Inc.com, 20 September 2012, www.inc.com/john-mcdermott/report-3-out-of-4-venture-backed-start-ups-fail.html


However, in the health care sector, many activities, including those delivered using technology, require success or accuracy levels that are as close to 100 percent as possible, especially if failure can result in death, serious injury or illness. Although a 100-percent target may not always be achievable, failures in certain health care systems are expected to be detected and corrected comprehensively within an appropriate amount of time. For example, consider devices like pacemakers, which should achieve 100 percent compliance with specifications and standards, but may still reach hospitals with defects and be given to patients. In 2015, 96,000 pacemakers were recalled after 30 devices experienced battery issues.4

The regulation of health care technology, like the regulation of other health care products and processes, strives to minimize the potential for preventable deaths, injuries and other adverse outcomes. Understanding how and why regulations were introduced to govern technology in health care environments requires a brief look back at health care regulation in general.

In the past, people could claim to cure ailments or conditions without being subject to any controls or verification. When no regulations existed, most health care treatments were not very effective and some were outright dangerous. Although the first known regulation of health care dates to England in 1540 and the first drug-production standards can be traced back to at least 1240,5 modern health care regulations are considered to have evolved mostly in the latter part of the twentieth century.

Pharmaceutical Regulation History

Like many regulations, laws governing health care came into existence after inadequately tested products and services caused substantial numbers of deaths or even larger numbers of preventable disabilities and serious injuries. For example, in 1937 over 100 people in the United States died after taking an elixir produced without adequate testing; subsequently, Congress enacted the Federal Food, Drug and Cosmetic Act in 1938.6

A drug called thalidomide—and the failure to correlate thousands of deaths and disabilities over a long period with its consumption during pregnancy—led to even more stringent regulations around the world. This drug was invented in 1953 and began to be marketed soon after. By 1960, it was estimated to be on sale across 46 countries and was often sold over the counter, without prescription, particularly for use by pregnant women to help reduce morning sickness and generally reduce stress. Unfortunately, the drug was subsequently associated with effects on unborn children. Although many reports and alerts were issued, the company that sold the drug, prescribers and others failed to understand the problem and respond quickly; as a result, thousands suffered death and severe disabilities.7

This medical catastrophe led to a series of national and international efforts to improve reporting of adverse medical events; strengthen testing of drugs before market; and ensure ongoing, centralized reporting and remediation of adverse effects.

4 Hughes, Emily; “Almost 100,000 pacemakers recalled by Medtronic,” Medical Plastics News, 2 December 2015, www.medicalplasticsnews.com/news/almost-100-000-pacemakers-recalled-by-medtronic/

5 Rägo, Lembit; Budiono Santoso; “Drug Regulation: History, Present and Future,” Drug Benefits and Risks: International Textbook of Clinical Pharmacology, revised 2nd edition; World Health Organization; 2008; www.who.int/medicines/technical_briefing/tbs/Drug_Regulation_History_Present_Future.pdf

6 Gad, S.C.; “Animal Models”, Reference Module in Biomedical Sciences, 2014, Elsevier Inc., www.sciencedirect.com/science/article/pii/B9780123864543008149

7 Kim, J.H.; A.R. Scialli; “Thalidomide: the tragedy of birth defects and the effective treatment of disease,” Toxicological Sciences; July 2011, 122(1):1-6; www.ncbi.nlm.nih.gov/pubmed/21507989


Provider and Device Regulation History

Today similar standards apply to most health care products and services around the world. In many jurisdictions, standards have also been extended to cover information technology wherever it can affect public health.

Health care increasingly depends on technology as a critical component in patient care. Unlike many other industry sectors, mistakes in technology governance and operations in health care can and do lead to deaths and serious injuries. For example, a race condition (a timing-dependent software flaw) in the control software of the Therac-25 radiation-therapy machine allowed patients to receive potentially lethal levels of radiation, estimated at 100 times the intended dose.8

The impact of potential failures is likely to grow given the increasingly important role that technology plays in modern health care. A report in 2014 from the UK-based Institution of Mechanical Engineers indicated that 309 deaths and 4,955 serious injuries were reported in 2013 to the Medicines and Healthcare products Regulatory Agency (MHRA) as a result of faulty medical equipment.9 The reported problems included faulty pacemakers; malfunctioning or unavailable computed tomography (CT) and magnetic resonance imaging (MRI) scanners; and many other categories.

Therefore, a technology that delivers health care (or supports its delivery) is expected to be proven fit for purpose before it is used and almost always needs to comply with numerous regulations.

Health Care Regulations and Principles10

Laws that apply to health care technology vary by territory, jurisdiction, country and locality. Health care regulations internationally are so numerous that one introductory publication cannot cover them all. However, many health care regulations share common principles whose understanding can help practitioners evaluate governance structures within the clinical environment.

Pharmaceutical and Health Care Technology Regulations and Principles

The core concepts that inform health care regulations are commonly known as predicate rules. Within the United States, these rules determine many US Food and Drug Administration (FDA) regulations that govern health care activities under FDA jurisdiction. The combination of predicate rules and other supporting guidance is known as GxP requirements.

8 Leveson, Nancy; Turner, Clark S.; “An Investigation of the Therac-25 Accidents”, IEEE Computer, Vol. 26, No. 7, July 1993, pp. 18-41, http://courses.cs.vt.edu/professionalism/Therac_25/Therac_1.html

9 Institution of Mechanical Engineers, “New report: lack of NHS engineers is putting lives at risk,” press release, 24 July 2014, http://www.imeche.org/news/news-article/New_report_lack_of_NHS_engineers_is_putting_lives_at_risk

10 This section introduces common principles that inform many health care regulations. Guidance offered here should not substitute for reading and understanding regulations that apply in a given territory, industry or jurisdiction. To assess applicable local regulations and their potential effects, practitioners should consult with enterprise counsel and any other compliance stakeholders.


What is GxP?

The letters G and P in GxP represent good practice. The letter x indicates that health care regulations are applicable. To give the acronym specific domain reference, the x may be replaced by a different letter indicating the type of good practice that is required:

• GCP—Good Clinical Practice
• GDP—Good Distribution Practice
• GLP—Good Laboratory Practice
• GMP and cGMP—Good Manufacturing Practice and current Good Manufacturing Practice
• GQP—Good Quality Practice
• GRP—Good Regulatory Practice

GxP requirements are usually considered applicable to any health care technology whose failure to operate as intended can affect health and safety.

If a system must comply with GxP requirements, the following principles apply:

• The technology must demonstrate and have documentation stating that it is fit for its intended purpose.
• Every step of the requirements, build (or configuration), test, release and operational procedures must be appropriately documented, and each step must be traceable and accountable to a specific person. This principle ensures that any quality defects can be traced back to the specific person responsible; that all people involved are appropriately and verifiably trained; and that they understand their responsibilities and act accordingly.
• The release process must include documented testing to prove that the installation, functional testing and full operation-process testing has been independently passed.*

* “Independently passed” in this context means that tests were designed and performed by people who were not part of the design and build of the technology being verified.

When GxP is deemed applicable to a health care technology, US regulation 21 CFR Part 11 also applies. Part 11 provides rules for electronic records and signatures.11 Its standard is equivalent to that governing formal paper records and handwritten signatures. In the European Union, the equivalent standard is EU GMP Annex 11 (Computerised Systems). Key principles of the regulation include, but are not limited to:

• The system requires a secure audit trail (Part 11 calls for secure, computer-generated, time-stamped audit trails that the system's users cannot alter).
• Every single action must generate an audit trail item.
• Each audit trail item shows who performed the action, the date, the time and what was changed (the old value and the new value).
• Every user identity is the responsibility of a specific person and is never reused.
• The date and time are always generated from a single, authoritative source.
• The audit trail is in a human readable form, so that it can be used to trace activities.

11 US Department of Health and Human Services Food and Drug Administration, Guidance for Industry Part 11, Electronic Records; Electronic Signatures—Scope and Application, Pharmaceutical CGMPs, August 2003, www.fda.gov/downloads/regulatoryinformation/guidances/ucm125125.pdf


• If a signature is appended electronically, its record establishes:
  • How the signature was electronically or digitally authenticated
  • What role the signature indicates (for example, the signature corresponds to an approver)
  • What date and time the signature was made

The previous list represents only some of the requirements that can apply to health care technologies.

Although the number and complexity of requirements across health care regulations can seem overwhelming and abstruse, they seek to realize very straightforward and simple principles.

Basic Principles for Health Care Technology Governance Frameworks

Regulations applying to health care technology have a common goal. They require that technology and data are demonstrably, verifiably fit for purpose and that records cannot be falsified.

Fit for purpose indicates that the design, build, test and operation of a given technology are all fully traceable and align with the rule of 3:

1. Say what you do. Always document the processes to describe what needs to happen.
2. Do what you say. The processes must be enforced and practical enough to be followed.
3. Record the evidence. Ensure that records document compliance with procedures and identities of all personnel who perform tasks.

Almost all health care enterprises of any scale have a well-developed quality assurance function that is segregated from day-to-day operations, to help identify and address any significant process gaps; to ensure appropriate requirements continue to be met; and to ensure that reporting is confidential and privileged in ways that encourage future transparency.

Why were electronic records regulations developed?

Falsification of paper records is usually easy to detect. For example, an altered value might appear as stricken text or a visible correction. If a paper record is substituted later, the age of the paper would differ verifiably from that of contemporary records.

Regulations governing electronic records are intended to achieve standards of safety and integrity commensurate with paper records. They are designed to prevent and detect any attempt at falsification and to ensure readability and persistence throughout mandated retention periods.

For any technology that creates, modifies, archives, maintains, retrieves or transmits regulated health information in digital form, these standards ensure integrity, accuracy and reliability. For example, medical prescriptions include drug name, dosage, patient, etc.; standards help to ensure that these critical elements are accurate, authentic and unaltered.
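The audit-trail and electronic-signature principles listed above (who acted, when, the old and new value, one authoritative time source, identities that are never reused, a human-readable trail, and a signature record that states its role and how it was authenticated) can be made concrete in code. The following is an added example written for this page; it is not code from ISACA, the FDA or any GxP toolkit, and it is not a Part 11 compliance implementation. It shows one way to build a hash-chained, append-only audit trail that captures those fields and detects after-the-fact alteration, the electronic analogue of the stricken text or substituted page that gives away a forged paper record. The record and user identifiers, the fixed clock and the dosage scenario are all constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, List, Optional

GENESIS = "0" * 64  # link value for the first entry in the chain


class AuditTrail:
    """Append-only, hash-chained audit trail (illustrative; not a Part 11 product).
    Each entry records who acted, when (from one injected clock), what changed
    (old and new value) and the hash of the previous entry, so altering or
    deleting any earlier entry breaks the chain and is reported by verify()."""

    def __init__(self, clock: Callable[[], datetime]) -> None:
        self._clock = clock          # the single authoritative time source
        self.entries: List[dict] = []
        self._active = {}            # user id -> person responsible for it
        self._retired = set()        # ids that may never be issued again

    def register_user(self, user_id: str, person: str) -> None:
        # An identity belongs to exactly one person and is never reused.
        if user_id in self._active or user_id in self._retired:
            raise ValueError(f"user id {user_id!r} was already issued")
        self._active[user_id] = person

    def retire_user(self, user_id: str) -> None:
        self._retired.add(user_id)
        self._active.pop(user_id)

    @staticmethod
    def digest(entry: dict) -> str:
        # Canonical JSON so identical content always hashes identically.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, user_id: str, entry: dict) -> dict:
        if user_id not in self._active:
            raise PermissionError(f"unknown or retired user {user_id!r}")
        entry.update(seq=len(self.entries), user=user_id,
                     person=self._active[user_id],
                     timestamp=self._clock().isoformat(),
                     prev_hash=self.entries[-1]["hash"] if self.entries else GENESIS)
        entry["hash"] = self.digest(entry)
        self.entries.append(entry)
        return entry

    def record_change(self, user_id, record_id, field, old, new) -> dict:
        return self._append(user_id, {"event": "change", "record": record_id,
                                      "field": field, "old_value": old, "new_value": new})

    def record_signature(self, user_id, record_id, role, auth_method) -> dict:
        # What the signature means (role), how it was authenticated, and when.
        return self._append(user_id, {"event": "signature", "record": record_id,
                                      "role": role, "auth_method": auth_method})

    def verify(self) -> Optional[int]:
        """Return the seq of the first entry that fails the chain, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self.digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def render(self) -> str:
        """Human-readable listing so the trail can be used to trace activity."""
        lines = []
        for e in self.entries:
            who = f"{e['timestamp']} {e['user']} ({e['person']})"
            if e["event"] == "change":
                lines.append(f"{who} changed {e['record']}.{e['field']}: "
                             f"{e['old_value']!r} -> {e['new_value']!r}")
            else:
                lines.append(f"{who} signed {e['record']} as {e['role']} via {e['auth_method']}")
        return "\n".join(lines)


def demo() -> dict:
    """Constructed scenario: a dosage is changed and approved, then someone tries
    to rewrite history and someone tries to reissue a retired user id."""
    ticks = iter(range(1, 60))  # deterministic clock: one second per call
    clock = lambda: datetime(2017, 6, 1, 9, 0, next(ticks), tzinfo=timezone.utc)
    trail = AuditTrail(clock)
    trail.register_user("pharm01", "A. Pharmacist")
    trail.register_user("md07", "B. Physician")
    trail.record_change("pharm01", "rx-1001", "dose_mg", 250, 500)
    trail.record_signature("md07", "rx-1001", "approver", "password + hardware token")
    listing = trail.render()
    intact = trail.verify()                    # None: chain is consistent
    trail.entries[0]["old_value"] = 500        # forge: pretend it was 500 all along
    tampered = trail.verify()                  # 0: stored hash no longer matches
    trail.entries[0]["hash"] = AuditTrail.digest(trail.entries[0])
    rehashed = trail.verify()                  # 1: next entry's prev_hash now breaks
    trail.retire_user("pharm01")
    try:
        trail.register_user("pharm01", "C. Newhire")
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    return {"intact": intact, "tampered_at": tampered, "rehashed_at": rehashed,
            "reuse_rejected": reuse_rejected, "listing": listing}
```

Two design points carry the weight here. The clock is injected rather than read from the local machine, so every entry is stamped from the one source the list above requires; in production that would be a trusted time service, not a lambda. And the chain only makes tampering detectable, not impossible: an attacker who can rewrite every later entry can recompute the whole chain, which is why a real system also has to keep the trail out of reach of ordinary users and anchor its latest hash somewhere the application cannot alter (a write-once store, a periodic signed checkpoint, or a separate log host).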


Provider Regulations

While GxP applies broadly to health care technology, other requirements govern the practice of care, or apply more narrowly to subsets of patients and information in particular contexts. For example, the US Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. These acts relate to health care providers and insurance enterprises in the same way that GxP relates to medical device manufacturers and pharmaceutical enterprises. HIPAA and HITECH define specific requirements for safeguarding protected health information (PHI) from a technology-implementation perspective, and provide enforcement by a different regulatory body (the Department of Health and Human Services Office for Civil Rights).

Other jurisdictions enact similar requirements to achieve substantially the same safeguards. For example, in the United Kingdom, the Care Quality Commission publishes “Safe Data, Safe Care”12 and the UK government publishes the “Security policy framework.”13 Each enterprise must understand its individual context and its local jurisdiction, and should consider input from appropriate local and/or regional regulatory organizations when outlining practices for information technology and patient care.

Including Regulations in Governance Structure

It is critical to account for all governing regulations when an enterprise defines requirements for its governance structure, especially given that standards may apply from multiple and often overlapping regulatory bodies. In any governance initiative, health care enterprises should ensure that requirements are enumerated, documented and addressed. Those using the COBIT® 5 framework may address regulations during the goals cascade exercise. These regulatory goals often largely coincide with stakeholder needs and thereby support overall enterprise goals.

Health Care Technology Governance in the Pharmaceutical Industry

Pharmaceutical enterprises often face complex governance challenges related to health care technology. The following example illustrates one path to solving critical issues with optimal efficiency.

Different health care enterprises have different needs and budgets, so how can a small pharmacy, for example, achieve the same level of compliance as a large one? Robust governance ensures that the best and most appropriate governance structures are selected based on the enterprise’s unique requirements and needs. A smaller enterprise might not have specialized staff on hand to address specific technology areas, while a larger enterprise like a hospital or health system, large pharmaceutical company or large health insurance provider likely has specialized security, risk, compliance and technology resources on staff.

12 Care Quality Commission, “Safe data, safe care,” CQC-304-072016, United Kingdom, 2016, www.cqc.org.uk/sites/default/files/20160701%20Data%20security%20review%20FINAL%20for%20web.pdf

13 GOV.UK, “Guidance: Security policy framework,” Update 7 July 2014, www.gov.uk/government/publications/security-policy-framework


Very small health care enterprises may implement approved cloud services or commercial off-the-shelf (COTS) software that include appropriate, prepackaged checklists. These solutions can help minimize the cost and effort of compliance.

Therefore, a smaller enterprise is more likely to adopt technology that is prepackaged. Instead of creating and executing a full process of computer system validation (CSV), the smaller enterprise might use prebuilt CSV checklists to document installation, configuration and deployment of technology. One approach for the smaller pharmacy is to leverage good automated manufacturing practices (GAMP©) to help ensure that compliance requirements and risk considerations are included in the overall governance model.

ISPE and GAMP standards

Meeting GxP regulatory requirements requires a robust and comprehensive approach to CSV.

The not-for-profit International Society for Pharmaceutical Engineering (ISPE)14 has an established and continually evolving set of guidelines known as good automated manufacturing practices (GAMP).15

GAMP publications and guidelines help explain and socialize principles and procedures required to achieve CSV, including how to take an appropriate risk-based view toward validation efforts.16

GAMP guidance documents include publications that are specifically designed to help enterprises meet FDA and other governing standards. Publications in the GAMP series include:17

• The Good Automated Manufacturing Practice (GAMP) Guide for Validation of Automated Systems in Pharmaceutical Manufacture
• GAMP Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized Systems
• GAMP Good Practice Guide: Calibration Management
• GAMP Good Practice Guide: Electronic Data Archiving
• GAMP Good Practice Guide: Global Information Systems Control and Compliance
• GAMP Good Practice Guide: IT Infrastructure Control and Compliance
• GAMP Good Practice Guide: Testing of GxP Systems
• GAMP Good Practice Guide: Validation of Laboratory Computerized Systems
• GAMP Good Practice Guide: Validation of Process Control Systems

GxP is often not the only governance consideration. The following requirements may also be considered:

14 For more information on the International Society for Pharmaceutical Engineering, see www.ispe.org.

15 ISPE; “GAMP© 5: A Risk-Based Approach to GxP Compliant Systems,” 2017, www.ispe.org/gamp-5

16 Ibid.

17 ISPE, “Guidance Documents & Publications,” 2017, www.ispe.org/publications-guidance-documents


Pharmaceutical Example: Additional Regulatory Requirements

An online pharmacy platform for the sale of prescription medications required an audit to ensure that it complied with appropriate regulations. All of the following regulations and standards were found to be applicable to the technology and supporting processes:

Health care regulations (biomed):

• Good Clinical Practice (GCP)
The regulations relating to clinical practice apply because the system manages the sale of prescription medication.

• US FDA 21 CFR Part 11 (electronic records and electronic signatures)
This regulation applies because the system transacts regulated health information in digital form.

Health care and general data privacy and security regulations:

• HIPAA
In the United States, this regulation applies when certain information classified as protected health information is transacted; the information required to manage prescriptions in the United States falls within this definition.

• Specific privacy and security regulations from many US states
In the United States and some other countries, regulations originate at county, state and regional levels. The United States has many state-specific privacy regulations, some with extremely high financial penalties for noncompliance (for example, Texas HB 300).18

Financial processing regulations and standards:

• Sarbanes-Oxley19
This US regulation relates to financial processing and applies to enterprises of a certain size.

• PCI DSS* (Payment Card Industry Data Security Standard)20
This standard applies to online platforms that accept credit or debit card payments.

* Note that PCI DSS is a standard and not a regulation; however, failure to meet the standard can result in the withdrawal of authorization for the platform to transact credit card payments.

Although this example is based on a US platform, most of the regulations shown have equivalents within Europe and the rest of the world.

The pharmaceutical example illustrates that GAMP can be used to deliver computer system validation while other regulations and standards also apply. However, responsibility for the whole spectrum of requirements may not optimally reside at one organizational level. Conversely, interrelated and/or overlapping standards may not be addressed efficiently if execution is dispersed throughout an organization.

• Some of the security requirements can be met at the enterprise level, such as the need to specify an information security officer and information security policy.

• Some of the data privacy requirements can also be met at the enterprise level, such as the need to specify a data privacy officer; a subject access rights process; and a breach-notification process.

18 TEXAS HB 300 HIPAA made EASY; “TEXAS HB 300 HIPAA made EASY,” 2017, http://hb300.net/

19 Sarbanes-Oxley Act 2002; “The Sarbanes-Oxley Act,” 2006, www.soxlaw.com

20 ISACA, A Practical Guide to the Payment Card Industry Data Security Standard (PCI DSS), 2015, www.isaca.org/knowledge-center/research/researchdeliverables/pages/pci-dss.aspx


• Some requirements entail additional standards and conditions for system specification. For example, certain credit card information (such as security code) cannot be retained per the PCI DSS standard, whose granular, specific provisions might not reflect enterprise retention policy.

A robust and effective enterprise information technology governance structure can help individual system owners meet requirements without excessive effort at more local levels. GAMP requires owners to ensure that systems are fit for purpose and not subject to falsification of data. To the extent that an enterprise has efficient and effective technology governance for all applicable regulations, individual technology owners may find certain GAMP requirements are already provided at the enterprise level, and can therefore avoid creating duplicative and/or overlapping processes and documentation. Where the central GEIT framework provides general models in advance, their provisions, processes, templates, etc. often do not need to be repeated or restated. In this way, system owners are left to capture requirements expressly for their own technology, and remain free of other burdens. Consider managing any requirement that can be met at enterprise level within the central governance framework.

Governing frameworks can be extended whenever new standards or requirements are deemed applicable. For example, data privacy requirements for an enterprise can be accommodated during the goals analysis process.

A typical data privacy regulation can require all of the following and more:

• Registration of the existence and purpose of the information asset
• Consent from the people (the data subjects) to allow the information to be collected
• Security of the system to be appropriate
• Confidentiality of the information to be maintained
• Subject access rights allowing subjects to see the information that is stored about them
• Integrity so that subject information is accurate or corrected on request
• Notification to affected subjects and appropriate regulators in the event of breach
• Portability of individual records to a new provider when requested

Although consent notice and some security features may be accommodated by individual technologies, most of the items are best met through an enterprise-level approach.


Governance of Enterprise Information Technology (GEIT) for Health Care

A systematic approach to GEIT will help health care entities ensure that key regulatory considerations are met. However, in health care certain challenges can complicate or even preclude accommodation through formalized enterprise-wide governance. These challenges include size; financial resources available for technology investment; number and skill of technology staff; degree of access by external vendors or service providers to clinical systems; and regulatory requirements, among others.

Striated vs. Nonstriated Model

In striated governance models, enterprises distinguish areas where formalized governance is optimal from areas where it may not be optimal. Naturally, the striated model cannot realize many of the advantages of a systematic global approach to GEIT (such as comprehensive coverage, specified in principle 2 of COBIT). Although a striated approach may ultimately weaken governance implementation compared to the nonstriated approach, it can offer advantages where formally addressing all of IT is economically or culturally impracticable.

Two basic approaches can be taken when health care regulations apply:

• Striated Model—Separate governance of regulated and nonregulated technology.
Allow some technology to run under a general, standard, low-cost IT department, while technology with a higher regulatory threshold is managed separately.

• Nonstriated Model—Combine governance of regulated and nonregulated technology under a single framework.
Subject all technology (both inside and outside of the clinical environment) to a holistic governance implementation; optimize delivery of all systems and services, whether they are regulated or not.

Each model has advantages and disadvantages relative to the other. An enterprise may segregate its governance of regulated health systems for many reasons. Often, it can be a function of maturity. The Capability Maturity Model Integration (CMMI®), for example, defines a model with five levels of maturity (figure 1).

Enterprises that have processes that are lower on the maturity spectrum (maturity levels 1 or 2) may find a striated model appealing, compared to those of higher maturity (maturity levels 3, 4 or 5), because it allows them to apply more strenuous rigor only to those areas that explicitly require that rigor.

The decision to split governance can involve many other factors. The striated model can make sense for:

• Smaller health care enterprises
• Enterprises with very few technologies subject to health care regulation
• Very large enterprises that need to leave full accountability, over a long period of time, within particular locations (for example, the setup and operation of a manufacturing plant)
• Enterprises with substantial ongoing budgetary constraints


FIGURE 1: CMMI Capability Maturity Levels

• Maturity Level 5, Optimizing: Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization’s stability provides a platform for agility and innovation.
• Maturity Level 4, Quantitatively Managed: Measured and controlled. Organization is data-driven with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.
• Maturity Level 3, Defined: Proactive, rather than restrictive. Organization-wide standards provide guidance across projects, programs and portfolios.
• Maturity Level 2, Managed: Managed on the project level. Projects are planned, performed, measured and controlled.
• Maturity Level 1, Initial: Unpredictable and reactive. Work gets completed but is often delayed and over budget.

Source: The CMMI Institute – How Capable is Your Organization? Copyright 2017. Used with Permission from CMMI Institute, LLC.

The decision may also be a function of staff specialization. A smaller shop without dedicated IT personnel may find the advantages of systematic governance planning compelling, but may lack the skills and bandwidth necessary to oversee such an effort for the entire technology ecosystem. Therefore, limiting the footprint under which governance aspects of technology are systematically and formally addressed can help ensure the best return on investment.

Striated Governance Model

This section shows how segregating governance of regulated and nonregulated technology works. The approach defines two strata: general use information technology (stratum 1) and clinical technology (stratum 2). Note that the term “clinical” is used informally here; it refers to the subset of the technology footprint used in the service of patient care or research—the areas most directly subject to governing health care regulation. The specific nature of this clinical technology footprint varies from enterprise to enterprise depending on mission and context. For example, in a hospital or health system, clinical technology may refer to biomedical and/or health IT systems, such as EMR systems and PACS. For an insurance provider, clinical technology may refer to systems responsible for coding and billing.

The two strata can be further delineated:

• Stratum 1: Enterprise information technology that is for general use (not expected to meet governing standards and regulation except in very particular, well-defined circumstances)
  • Can include networks and computers for general administration. For example, the payroll department in a hospital usually has no need for its systems to meet health care regulations.
  • Can also include services such as email, provided that the email system is not being used as the system of record for critical health care communications or transmission of PHI.
  • Often, general documentation that is not deemed subject to any formal clinical record-management requirement may use a standard enterprise document-management solution.


• Stratum 2: Clinical systems (typically subject to GxP; specific regulatory constraints such as HIPAA; context-specific regulatory frameworks or guidance such as PCI DSS; or other standards)
  • Are assigned an accountable system owner to take full responsibility for meeting regulatory requirements.
  • Can be subject to independent quality-assurance checks of documentation, product and/or processes sufficient to verify that requirements are met.

Under the striated governance model, an enterprise may provide general IT services for nonregulated activities, and place the entire regulatory burden onto each system owner and conduct due diligence checks to ensure that system owners achieve correct standards in highly regulated instances. The general IT governance may have little to do with meeting regulatory requirements beyond the bare minimum set by the enterprise to meet baseline goals.

The short-term advantage of a striated governance model is that it makes procuring and operating standard IT services cheaper and easier. A key disadvantage, however, is that governance gets more expensive when procuring and operating regulated technology. Under this model, every regulatory challenge must be solved individually, each time, by each system owner.

Nonstriated Governance Model

Enterprises that can run their regulated and nonregulated technologies under a single governance and management model have distinct advantages. Although the initial effort to create and document the overarching framework is higher, the following efficiencies can be created:

• The processes become lean and efficient through continuous improvement.

• Duplicate efforts are eliminated; for example, each regulated project does not invent its own documentation (e.g., based on project documentation and process) and does not ensure its own set of controls, countermeasures, procedures, etc.

• Resources can be better optimized because they can be scheduled and re-used across any part of the technology landscape.

• Individual system goals are better aligned into the overall mission of the enterprise and there is better satisfaction of enterprise objectives.

Enterprises that manage their regulated and nonregulated technologies through a single governance framework can achieve lower overall operational costs. However, great care must be taken to ensure that regulated technologies continue to be managed to the appropriate standards:

Even within enterprises with a single framework for governance of regulated and nonregulated health care technologies, single-point accountability for regulated systems with system owners and full traceability for all actions still need to be maintained. It is not unusual for system owners to refuse to apply a procedure or request a procedure change if they identify any process deficit that can harm the regulatory status of their technology.


Pharmaceutical Clinical Trial Example of a Nonstriated Governance Model

A pharmaceutical enterprise looking to deliver health care information technology through a single framework model usually includes the following features.

• Process documentation: All significant policies and processes within the governance model are described efficiently in a controlled document that is subject to periodic review. This documentation includes all items usually found in a COBIT framework plus the additional industry items, such as policies and processes for managing GxP technologies.

• Segregated Quality Assurance: A function, separated from day-to-day operations, is dedicated to checking that documented policies and procedures are maintained and followed.

• Formal records management: Record retention periods are explicitly defined for regulated information; procedures are explicitly defined to ensure safe disposal at all records’ end of life.

• Signatures: Accountability is critical in health care environments. Regulated records and documents need to be signed. Typically all policies and procedures include formal signatures (handwritten or electronic) from at least an author and a separate approver. Signatures are also expected within operational records (such as key project milestone documents, project plans) and change control records for GxP technology or supporting hardware.

• A formal quality defect-management procedure: Any known or suspected quality issue and requirements for its remediation enter a formal process for evaluation and treatment. Resolution times are usually subject to limits; escalation procedures are sometimes specified by regulation.

• A formal audit schedule: Regular, independent inspection of all critical products and services ensures that they continue to follow procedures and maintain appropriate records.

These features enable the governance model to achieve continuous improvement at the same time it ensures that the framework is followed.

Optimizing Health Care Governance

For enterprises that have not worked under a documented, lean-and-refined governance model, the effort to set one up may seem substantial and unjustifiable. Understandably, some small enterprises may feel they can only approach governance obligations reactively. However, global enterprises often have much leaner, smaller, and more efficient policies and procedures than enterprises a fraction of the size. Spending time on a disciplined and reflective approach to GEIT ultimately helps streamline processes rather than slow them.

The most effective health care technology governance model controls only what it must in order to:

• Meet a regulatory requirement, or
• Improve efficiency

Health care enterprises, like any other, have budgetary constraints. Balancing appropriate quality and cost is often critical to optimize delivery of health care products and services. At the same time, too little oversight can result in regulatory breaches; the suspension of a product or service; and, in extreme cases, serious illness, injury or death. Lack of oversight can also lead to substantial financial fines.


Thus risk-based approaches should be used to achieve appropriate balance when governance frameworks assimilate regulatory requirements—with the clear caveat that no risk process is ever allowed to permit or authorize any regulation to be hidden, ignored or contravened, or knowingly to place patient safety at risk.

Learn and Confirm

Most health care enterprises are not entirely unique—peer enterprises typically undertake similar efforts, and their successes (or failures) can instruct other enterprises. Employees of hospitals or clinics can interact with counterparts at other institutions and learn how they approach governance. Employee peers may even provide access to review policies and procedures.

Learning what works and what does not in the governance models of similar enterprises almost always leads to greater efficiency; sharing knowledge and experience can help to elevate the general quality of the industry by encouraging proliferation of successful practices.

Implementing GEIT for Health Care

If an enterprise appreciates the benefits of a systematic approach to GEIT and selects a model to apply GEIT principles (either whole or in part), how does it implement the model? The process is not as difficult as one might think. One key option is to employ COBIT (though other models also exist).

A full description of COBIT implementation is outside the scope of this paper. Practitioners looking for plenary guidance may consult COBIT® 5: Implementation.21 Others may find the white paper, “Getting Started with GEIT: A Primer for Implementing Governance of Enterprise IT,” a better place to start.22 Large enterprises that seek to adapt COBIT 5 systematically may find the more expansive COBIT® 5: Implementation to be the best resource, because it thoroughly describes the implementation process and allows for customization. Small enterprises may prefer “Getting Started with GEIT: A Primer for Implementing Governance of Enterprise IT” because it focuses on rapid implementation of standard environments.

Either way, the process of implementation is relatively straightforward. Yet before they begin, health care enterprises should consider aspects specific to their industry. These considerations are described in the following sections.

Include Health care-specific Factors in Goals Analysis

Implementation of any governance framework depends on systematic understanding of stakeholder requirements and enterprise goals. It is critical to ensure that regulatory, compliance and other considerations specific to health care are represented in this analysis. Here the COBIT 5 goals cascade can be extremely helpful. Enterprises should ensure that regulatory considerations are given attention in goals analysis—including not only security and privacy, but also quality and safety of the environment of care for patients, customers, and information subjects alike.

Some stakeholders may view regulatory compliance as an implied, rather than explicit, goal and may omit it from conversations about outcomes and goals. Implementers may therefore want to raise regulatory compliance explicitly during discussions about stakeholder goals to ensure that it is appropriately acknowledged and accommodated.

21 ISACA, COBIT® 5: Implementation, 2012, www.isaca.org/COBIT/Pages/COBIT-5-Implementation-product-page.aspx

22 ISACA, “Getting Started with GEIT: A Primer for Implementing Governance of Enterprise IT,” 2016, www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=WCGEIT


Leverage Compliance During Buy-in

One critical task for GEIT implementation is the solicitation of buy-in from executives, peers and stakeholders about the need for, and role of, GEIT throughout the enterprise. One way to help gain traction in a health care entity is to allude specifically to the value associated with GEIT from a regulatory-compliance standpoint. Enterprise executives are likely already versed in the value of compliance with governing regulations, because, in some cases, there can be regulatory action—including jail time in some jurisdictions—if those requirements are not met. Because there are direct benefits in improving regulatory compliance associated with a governance implementation, use those benefits as a selling point to help secure buy-in from the outset.

Include Specialists in Planning and on the Project Team

Including specialized systems in the scope of a GEIT effort is feasible and practical. It is important to include any specialized areas—e.g., lab, pharmaceutical, diagnostic imaging, and biomedical engineering—in early planning to ensure that the areas are represented. Include representatives from all specialized areas during the project planning and execution phases of the implementation. Likewise, include them later in the process, during the analysis of resources and dependencies.

Documentation of Current State

During the documentation and analysis of the current state of the environment, ensure that the full scope of the technology footprint is addressed. Include all systems, processes, applications and other entities. Note that care should be taken at this stage to work with specialists to ensure that all relevant components and entities are addressed. Leverage documentation that may already exist to make the process easier. For example, if the enterprise already conducted a business impact assessment (BIA)—typically used for business continuity management (BCP) and disaster recovery (DR)—or a privacy impact assessment (PIA) to comply with the EU General Data Protection Regulation (EU GDPR), the enterprise can leverage associated documentation to locate current-state elements that are (or could be) germane to the implementation.

Other Considerations

Other considerations beyond those listed above may prove useful during the implementation process. These are outlined in the following subsections.

SCOPE OF HEALTH CARE REGULATORY STANDARDS

Not every technology in a health care enterprise needs to meet all regulatory requirements. If a technology is not a formal system of record; has no foreseeable impact on patient health or safety; does not store, process or transmit PHI; and is logically sequestered and cannot interact with systems that do, an enterprise may consider waiving compliance with health care standards that are otherwise applicable.

DATA CHAIN OF CUSTODY IN HEALTH CARE

Each regulated health system has a duty of care to ensure that information it contains remains accurate. When information is passed between two regulated systems, the chain of custody describes the responsibility to ensure that the digital information received is identical to the information sent and that a clear record of data “ownership” is maintained. This assurance can sometimes involve hash values or other checksums, but other methods can also be employed. For example, if a digital prescription is passed from a doctor to a pharmacy, the chain of custody requires digital prescription information to be confirmed as identical to that signed by the doctor.

COST OF MEETING CLINICAL REGULATORY STANDARDS

To streamline implementation and optimize expenditure, health care enterprises must recognize when regulations do and do not apply to given technologies.

Systems that need to be built and maintained in compliance with health care regulatory standards are


significantly more expensive than exempt technologies.

Cost varies greatly between technology for regulated clinical use (on the one hand) and non-health care environments (on the other hand). The cost of computer system validation (CSV) can also depend on the level of customization and the scale of intended use.

In very large projects, it is not uncommon for costs of CSV to be the same or higher than all other technology license, hardware and project costs together. Thus, smaller environments may opt for solutions with prepackaged checklists to facilitate more cost-effective validation. Less expensive cloud services are accredited for use in certain territories.

Some large-scale environments are so expensive to set up and validate that it is not uncommon for them to be air-gapped (i.e., built on isolated networks with no external connections) and left without any technology updates for many years. This is often the case in clinical manufacturing environments.

Although compliance can be costly, it is important to note that there is also a cost for not complying. This cost can include fees and fines, impacts to operations, expenses associated with recovery, and losses associated with potential lawsuits.

How Smaller Health Care Enterprises Manage Regulatory Requirements

The main objective for any enterprise handling or managing health care technologies is that patient safety is never compromised. Beyond personal safety, a basic level of governance will ensure that the few computer systems of smaller health care enterprises are secure and have adequate back-up and contingency measures.

More and more options to acquire and use regulated technologies are becoming available at lower cost. For example, certain health systems were once beyond the financial reach of smaller enterprises, but cloud-based services that are centrally validated and approved to appropriate regulatory standards are becoming increasingly available.

Although smaller health care enterprises usually require a formal governance model for their information technology, provisions in their policy and procedure frameworks can be designed to satisfy the smallest possible essential subset of regulatory requirements necessary to pass inspections, at maximally efficient cost points.

Many small environments also continue to rely on printing and storing paper records—or digital equivalents, such as scanned PDFs—to help meet their medium- to long-term record retention requirements.

Note that scanned PDFs are usually not accepted as master records unless sufficient evidence has been preserved to support the authenticity of each PDF file.


Interoperability Requirements of
Health Care Data
While it would be highly desirable to harmonize health care data standards globally, regulatory requirements and restrictions vary from country to country, especially as they relate to patient records. The only universal interoperability standard that applies to regulated health care data is the mandate that data arriving in each system be confirmed as identical to the data that was sent. Other localized interoperability standards can apply in some territories or commercial systems.
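The mandate just stated, and the chain-of-custody duty described earlier under “Data Chain of Custody in Health Care” (the pharmacy confirming that a digital prescription is identical to what the doctor signed), can be checked mechanically. The following is an added example and not code from the ISACA paper: a receiving system recomputes a SHA-256 fingerprint over a canonically serialised record, checks the sender’s signature against the bytes it actually received, and appends every hop, successful or not, to a custody log. An HMAC over a shared key stands in for the prescriber’s electronic signature (an assumption for the example only; a production system would use the enterprise’s approved electronic-signature mechanism), and the record fields and system names are constructed.

```python
"""Chain-of-custody check for a record passed between two regulated systems.

Constructed example: a prescriber system signs a digital prescription, the
receiving pharmacy confirms that what arrived is byte-for-byte what was signed,
and every hop (including failed ones) is written to a custody log.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Shared HMAC key stands in for the prescriber's electronic signature
# (assumption for this example; constructed value, not a real secret).
PRESCRIBER_KEY = b"constructed-example-key-do-not-reuse"


def canonical_bytes(record: dict) -> bytes:
    """Serialise so both systems hash identical bytes even if their JSON
    libraries differ in key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def fingerprint(record: dict) -> str:
    """SHA-256 of the canonical form: the hash value used to confirm that the
    data received is identical to the data sent."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def sign_record(record: dict, key: bytes) -> str:
    """Sender-side signature over the canonical bytes."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


@dataclass
class CustodyEntry:
    sender: str
    receiver: str
    record_hash: str
    verified: bool
    reason: str = ""


@dataclass
class CustodyLog:
    entries: list = field(default_factory=list)

    def last_hash(self) -> Optional[str]:
        return self.entries[-1].record_hash if self.entries else None


def receive_record(record: dict, signature: str, sender: str, receiver: str,
                   key: bytes, log: CustodyLog) -> bool:
    """Receiver-side check. An entry is logged whether or not the check passes,
    so attempted transfers that failed verification are also on record."""
    digest = fingerprint(record)
    # 1. The signature must match the bytes actually received.
    if not hmac.compare_digest(sign_record(record, key), signature):
        log.entries.append(CustodyEntry(sender, receiver, digest, False,
                                        "signature does not match received bytes"))
        return False
    # 2. On onward hops the record must equal the one the previous hop logged.
    prev = log.last_hash()
    if prev is not None and prev != digest:
        log.entries.append(CustodyEntry(sender, receiver, digest, False,
                                        "record differs from previous custody entry"))
        return False
    log.entries.append(CustodyEntry(sender, receiver, digest, True))
    return True


# Constructed sample prescription; identifiers are placeholders.
PRESCRIPTION = {
    "prescription_id": "RX-0001",
    "patient_ref": "MRN-12345",
    "drug": "Amoxicillin 500 mg",
    "directions": "1 capsule every 8 hours for 7 days",
    "prescriber": "Dr. Example",
}


def demo() -> dict:
    """Run prescriber -> pharmacy -> dispensing hops plus one tampered transfer
    and return the outcomes."""
    log = CustodyLog()
    sig = sign_record(PRESCRIPTION, PRESCRIBER_KEY)
    hop1 = receive_record(PRESCRIPTION, sig, "prescriber-emr", "pharmacy-system",
                          PRESCRIBER_KEY, log)
    # The pharmacy re-serialises the record with keys in another order: same data.
    reordered = dict(reversed(list(PRESCRIPTION.items())))
    hop2 = receive_record(reordered, sig, "pharmacy-system", "dispensing-system",
                          PRESCRIBER_KEY, log)
    # One field altered in transit: must be refused and logged as a failure.
    tampered = dict(PRESCRIPTION, directions="2 capsules every 8 hours for 7 days")
    bad = receive_record(tampered, sig, "pharmacy-system", "dispensing-system",
                         PRESCRIBER_KEY, log)
    return {"hop1": hop1, "hop2": hop2, "tampered": bad, "entries": len(log.entries),
            "failed": [e.reason for e in log.entries if not e.verified]}
```

The refused transfer still produces a log entry, which is what gives an auditor the “clear record of data ownership” the paper asks for rather than only a pass/fail result.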

Governance Challenges for Health Care Technology

The typical enterprise managing governance of health care technology faces many evolving challenges. Some emerging trends are described in the following sections.

Increasing Regulatory Complexity

One of the most significant challenges facing health care enterprises is—and will continue to be—increased regulation. Territories are now writing legislation that spans borders to provide their citizens with rights even when residing in other countries. The EU GDPR is a good example of this type of legislation. It confers numerous responsibilities on any enterprise that manages information relating to EU citizens—even if they are not living in the EU—and carries fines of up to four percent of an enterprise’s global revenue.

In some circumstances, health care enterprises can find themselves in a position where compliance with one regulation (for example, retention of clinical data without an ability to delete it) may contravene compliance with another (the right of individuals to have their data deleted).

This is an ongoing challenge for health care enterprises, requiring frequent review of changes and advances in regulation that may affect operations and require adjustment of the governance model. Although regulations are rarely harmonized, health care technology governance models can often simplify the challenge by encouraging frameworks in which single policies and procedures satisfy multiple standards.

Cyber Security

Health care environments have become one of the primary targets for cyberattacks. Cybercrime and cyberattacks intentionally prioritize targets that offer potential for high returns and have weak and easily compromised security. Computer users who are not properly trained are often the cause of security compromise.

Until a few years ago, health care enterprises (especially smaller ones) were rarely targeted. Very few clinical systems were connected to the Internet. Data bandwidth was much lower. And the effort required to perform a cyberattack was higher. For those reasons, most health care environments rarely had anything other than basic information security measures in place.


However, today the cybercrime fraternity recognizes that many health care environments are a goldmine of easily compromised technologies and information.

Hollywood Presbyterian Hospital Pays $17,000 in Bitcoin to Hackers23

On Friday, February 5, 2016, a hacker attacked the Hollywood Presbyterian Medical Center with ransomware, shutting down the center’s computer systems and preventing the staff from communicating with those systems. The medical center paid the hacker a ransom of the equivalent of US $17,000 in bitcoins and regained control of all of its systems by Monday, February 8, 2016. According to the medical center, patient care and records were not compromised. Its staff resorted to pen-and-paper record keeping while the systems were down.

Many health care enterprises are now even more attractive for hackers because they are extremely vulnerable to ransomware. Removing or disabling access to critical systems can disrupt users and, in some cases, seriously jeopardize patients. Most health care enterprises store large amounts of very sensitive personal information that can be resold. As a result, cyber security has become one of the main governance priorities for every health care enterprise.

The Pace of Health Care Technology Change

When a hospital purchased a piece of medical technology twenty years ago, they may have reasonably expected to get 10 years or more of serviceable life from it. Now, with so many rapid advancements in the functionality and connectivity of medical technologies, types of devices proliferate, costs decrease, and service life becomes ever shorter. If older medical technology is still in use, it often runs on operating systems that are no longer supported and cannot be secured (especially when connected to networks or external devices). Therefore, health care technology governance models confront a much broader range of devices, with much shorter lifespans and more complex interrelationships and security concerns.

Balancing Delivery Quality with Delivery Cost

Health care environments are usually not built and run on infinite resources, so it is important to achieve the maximum quality of health care delivery for a given investment. The pace of technology change, coupled with other factors like the need to increase security, means that the governance of information technology in health care enterprises must continually reevaluate priorities, processes and resource requirements. Although it is never appropriate to consider putting patients at risk intentionally, it is both necessary and suitable to focus on achieving appropriate quality with optimum efficiency.

Governance of the Supply Chain (Third Parties)

Like other industry sectors, health care enterprises more often subcontract or purchase products and services that they deliver, rather than create them. The US HIPAA regulation refers to third parties as business associates (BAs) and mandates that a business associate agreement (BAA) is always executed prior to any sharing of PHI. This mandate applies to contractors and subcontractors that come into contact with or process PHI, including cloud-service providers. If an enterprise has a critical dependency on a supplier, the enterprise should adjust its processes and practices to ensure that the supplier product or service continues to function to the correct specification.

23 Winton, Richard; “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating,” Los Angeles Times, 18 February 2016,
www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html


Interoperability and Harmonization

A further challenge for health care technology governance is the lack of agreement and consistency (especially internationally) across data standards for health information.

Patient records that are held in digital format—often referred to as electronic health records (EHR) or electronic medical records (EMR)—are one of the most challenging areas of regulation. Each country decides what it wants to mandate, and whether the records should be centralized, patient controlled, state controlled, held locally or left to market forces. The challenge can be minimal for enterprises that work within a single country, or colossal for those operating in multiple territories.

Even when there are data standards, such as the International Classification of Diseases (ICD), two medical professionals may record the same problem in different ways. For example, one professional may record a condition as general knee pain and another may record the specific complaint, such as osteoarthritis.

However, even if health care information can be more easily harmonized, many philosophical issues arise in providing access to personal information. It may seem like a great idea to have all of a patient’s medical information in one place, but does the patient want a nurse who needs to review a single test result to have access to his or her full medical history?

Whether interoperability of health care data presents a governance challenge depends on the purpose and function of each enterprise as well as its sources of information. Large enterprises and enterprises that need to work internationally often establish processes and standards to ensure that data standards are carefully specified and confirmed before new technologies are procured or implemented.

The Evolution of Provider Health Care Information Technology

Rapid progression in technology is transforming the delivery of health care. These forces in turn drive the governance of health care IT forward at ever increasing velocity.

Most advanced smartphones can now measure a user’s activity, heart rate and blood-oxygen levels as standard features. Such tests and scans once required a clinical environment, expensive special equipment and days or months to process. Today simple software applications are replacing them using nothing more than a microphone, camera or other sensor built into a standard smartphone.

An electrocardiogram (EKG) to evaluate heart health previously required fitting patients with multiple sensors in a clinical environment, not to mention the expert cardiologist who reviewed the output. Now, FDA-approved smartphone applications and peripherals enable individuals to check their EKG whenever they want, even continuously, by simply wearing or touching a few sensors. Although their diagnostics are more basic, some applications even alert patients if abnormalities are detected, so they can seek appropriate medical guidance.


Tests and checks once administered reactively in clinical environments—often only after symptoms appeared—will soon run continuously in the background of patients’ everyday lives. This emerging field of health care telematics—the ongoing monitoring, alerting, and automated selection of appropriate responses—will improve early response rates exponentially.

Interaction between patients and health care professionals like doctors and psychologists is also changing. Major gains in data-transfer rates and improvement of home testing now allow many people to consult practitioners online using a webcam and microphone.

Machine learning and artificial intelligence are now applied to medical diagnosis with increasing refinement. Patients will soon be pre-assessed on an automated basis and have a range of tests performed before ever seeing a human physician.

3D printing is set to change how some medical devices are supplied. 3D printing already makes it easier to build certain prosthetics and customize them according to individual measurements. If the cost of biomedical 3D printing becomes more affordable, patients may find that their custom-measured, custom-built medical device is printed at a clinic or hospital while they wait.

For many years, technology has enabled surgeons to perform procedures that are not possible by direct use of human hands. Surgeons operate controls that guide robotic arms into areas with minimal incision and little disruption of tissue. Although the term “robots” is sometimes used in the news media or popular press to describe this type of device, surgery-assisting technology is still administered directly by the physician and, therefore, is not fully automated as the word “robot” implies. However, the combination of robotics and advancements in communication technology now makes surgery possible in locations where no human surgeons are present. The new term “telesurgery” refers to procedures administered via robotic technology over great distances.

Medical imaging has begun to leverage mixed reality (a form of augmented reality) to create three-dimensional medical scans that surgeons manipulate in virtual space in order to target surgical objectives. Holoportation relays three-dimensional images across great distances in real time, using nothing more than a few cameras and depth sensors. The same technologies allow medical students to acquire much more informative training in human physiology: students can explore simulated human models instead of looking at two-dimensional photographs.

Using microscopic robots, nanotechnology may one day facilitate procedures on formerly inoperable medical conditions that require cellular repair. The technology already helps administer drugs that would not be absorbed and distributed effectively in the human body otherwise.

Another fascinating area of emerging technology is called “wet wiring” or “Direct Neural Interface” (DNI). DNI connects devices to the human body so that patients can use them in place of damaged or missing organic parts. Examples include artificial camera lenses that replace part of an eye; devices equivalent to microphones that restore hearing; and prosthetic limbs that respond to instructions from the brain.

As these technologies evolve and become more widely accessible, they will revolutionize medical care and its delivery: today human beings are supported by technology to deliver care; tomorrow technology will deliver not only the same care, but also more and better procedures, with support from human beings.


Conclusion

Health care is one of the largest industries in the world. Unlike other sectors, defects or mistakes can have life-changing consequences. Regulation and compliance become critical for health care technology: the systems manage not only vital medical information but also sensitive personal data, and often combine both with financial transactions, credit card numbers, billing information, addresses, and the like.

Some enterprises cope by separating systems that require the most complex clinical validation, so they can be managed independently from the general information technology framework. Other organizations gain efficiency through governance models that integrate all technology across the enterprise, both regulated and nonregulated systems. Even small enterprises find it necessary to apply systematic technology governance to meet minimum regulatory thresholds and operate effectively.

CMMI maturity modelling can be particularly useful to help benchmark and set objectives for health care technology environments, because processes tend to become optimally accurate and efficient when they are lean, streamlined and subject to continuous review and improvement.

The role of technology in health care environments is also changing:

• Technology is becoming central to the delivery of health care.

• The lifecycle for technologies is becoming shorter.

• Medical technologies are becoming more commoditized. Cloud platforms and products designed to work with less onsite testing make health care technology easier to purchase and deploy.

At the same time, health care enterprises are under increasing pressure to improve resilience to cyberattacks by improving their cyber security. Adoption of an IT governance framework is critical to ensure that the enterprise implements a credible cyber security program.

Effective technology governance can seem dauntingly complex given the regulatory context of the health care industry; however, most governance requirements are based on very logical and straightforward principles:

• Patient safety is always the top governance priority.

• Any technology of significance must prove it is fit for purpose.

• Appropriate confidentiality, integrity and availability must be sustained.

• Records must be managed in accordance with privacy and health care requirements.

• Documented processes and records must include evidence that required quality levels are delivered consistently.

GEIT can itself play an important role in meeting regulatory obligations as well as increasing overall enterprise maturity by achieving better and more efficient use of technology. When health care organizations approach governance holistically, they can help ensure that resources are used most effectively to address their respective missions: healing the sick, improving people’s lives, and sustaining higher quality of life over longer periods of time.


Acknowledgments

ISACA would like to recognize:

Lead Developer

Raef Meeuwisse
CISA, CISM, Cyber Simplicity Ltd, UK

Expert Reviewers

Chris Brown
CRISC, Ernst & Young, USA

Bill Dean
CCE, GCFA, GCIH, GPEN, CCE, LBMC, USA

Clyde Hewitt
MS, CISSP, ISO 27001 Lead Auditor, CynergisTek, Inc., US

Dave Newell
Loptr LLC, USA

Uday Ali Pabrai
MSEE, CISSP, CCSFP, Security+, ecfirst, USA

Steve Tarr
Steve Tarr Consulting LLC, USA

ISACA Board of Directors

Theresa Grafenstine
CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA, U.S. House of Representatives, USA, Chair

Robert Clyde
CISM, Clyde Consulting LLC, USA, Vice-Chair

Brennan Baybeck
CISA, CRISC, CISM, CISSP, Oracle Corporation, USA, Director

Zubin Chagpar
CISA, CISM, PMP, Amazon Web Services, UK, Director

Peter Christiaans
CISA, CRISC, CISM, PMP, Deloitte Consulting LLP, USA, Director

Hironori Goto
CISA, CRISC, CISM, CGEIT, ABCP, Five-I, LLC, Japan, Director

Mike Hughes
CISA, CRISC, CGEIT, Haines Watts, UK, Director

Leonard Ong
CISA, CRISC, CISM, CGEIT, CPP, CFE, PMP, CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA, Merck & Co., Inc., Singapore, Director

R.V. Raghu
CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India, Director

Jo Stewart-Rattray
CISA, CRISC, CISM, CGEIT, FACS CP, BRM Holdich, Australia, Director

Ted Wolff
CISA, Vanguard, Inc., USA, Director

Tichaona Zororo
CISA, CRISC, CISM, CGEIT, COBIT 5 Certified Assessor, CIA, CRMA, EGIT | Enterprise Governance of IT (Pty) Ltd, South Africa, Director

Christos K. Dimitriadis, Ph.D.
CISA, CRISC, CISM, Intralot, S.A., Greece, Past Chair

Robert E Stroud
CRISC, CGEIT, Forrester Research, Inc., USA, Past Chair

Tony Hayes
CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past Chair

Matt Loeb
CGEIT, FASAE, CAE, ISACA, USA, Director


About ISACA

ISACA® (isaca.org) helps professionals around the globe realize the positive potential of technology in an evolving digital world. By offering industry-leading knowledge, standards, credentialing and education, ISACA enables professionals to apply technology in ways that instill confidence, address threats, drive innovation and create positive momentum for their organizations. Established in 1969, ISACA is a global association serving more than 500,000 engaged professionals in 188 countries. ISACA is the creator of the COBIT® framework, which helps organizations effectively govern and manage their information and technology. Through its Cybersecurity Nexus™ (CSX), ISACA helps organizations develop skilled cyber workforces and enables individuals to grow and advance their cyber careers.

3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.660.5505
Fax: +1.647.253.1755
Support: support@isaca.org
Website: www.isaca.org

Provide Feedback: www.isaca.org/GEITforHealthcare
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: www.twitter.com/ISACANews
Join ISACA on LinkedIn: www.linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

DISCLAIMER

ISACA has designed and created “GEIT for Health Care” (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

RESERVATION OF RIGHTS

© 2017 ISACA. All rights reserved.
