GEIT for Health Care
CONTENTS
Introduction and Objectives
Health Care Information Technology Fundamentals
The Regulation of Health Care Information Technology
  / Pharmaceutical Regulation History
  / Provider and Device Regulation History
Health Care Regulations and Principles
  / Pharmaceutical and Health Care Technology Regulations and Principles
  / Provider Regulations
  / Including Regulations in Governance Structure
Health Care Technology Governance in the Pharmaceutical Industry
Governance of Enterprise Information Technology (GEIT) for Health Care
  / Striated vs. Nonstriated Model
  / Striated Governance Model
  / Nonstriated Governance Model
  / Pharmaceutical Clinical Trial Example of a Nonstriated Governance Model
  / Leverage Compliance During Buy-in
  / Include Specialists in Planning and on the Project Team
  / Documentation of Current State
  / Other Considerations
  / How Smaller Health Care Enterprises Manage Regulatory Requirements
Interoperability Requirements of Health Care Data
Governance Challenges for Health Care Technology
  / Increasing Regulatory Complexity
  / Cyber Security
  / The Pace of Health Care Technology Change
  / Balancing Delivery Quality with Delivery Cost
  / Governance of the Supply Chain (Third Parties)
  / Interoperability and Harmonization
The Evolution of Provider Health Care Information Technology
Conclusion
ABSTRACT

Health care is one of the most complex and highly regulated sectors in the world. For health care providers, device manufacturers, insurers and pharmaceutical enterprises, this white paper develops critical topics including:
• How the size, scale and significance of the health care sector have changed
• Whether and how traditional governance models can be used in clinical environments
• How the evolution of technology is changing health care governance
• How emerging challenges in health care technology governance may be approached

The white paper discusses regulatory information for various health care audiences; content specific to a given audience (and not applicable to other audiences) is presented in separate, dedicated sections whose headings indicate their relevance to specific readers.
• Payers (health insurance enterprises)
• Clearinghouses (entities that support transactions between providers and payers)
• Veterinary (animal health) enterprises1

When managed correctly, practitioners and the work they perform in this sector can directly improve the health and wellbeing of patients.

Because everyone, at some point, consumes health care products and services, it is unsurprising that this sector is one of the largest of all industries. Statistics vary, but in the United States alone, 2016 health care revenue reached at least $1.6 trillion; health care employees constituted more than seven percent of the working population.2 Given the size of the industry overall—not to mention the number and complexity of interactions people have with the sector and its employees—one may take for granted the enormous care and attention lavished on health care products and services.

Key to the question of governance of technology in the health care sector is an understanding of the regulatory context that surrounds the use of technology in that sector. The regulatory environment itself dictates some of the parameters within which governance structures must operate. Industry-specific considerations, such as health and safety concerns, also dictate some of the parameters. To understand why health care requires high levels of regulation and far more control and accountability than other industry sectors, it helps to consider the fundamentals of the sector and the consequences if (and when) things go wrong.

Even in the smallest clinic, each appointment, test, result and communication with a patient (or other physician, technician or specialist) can form a crucial link in a lifesaving chain. Systems that communicate records, transcriptions, diagnostic images, test results, etc., likewise create vital links. Taken together, these activities, processes and information technologies can be as complicated as they are critical in their cumulative ability to ensure data integrity (e.g., accuracy of dosage/contraindications of dispensed pharmaceuticals and test results); availability (e.g., access to critical diagnostic systems and imaging modalities); and confidentiality (e.g., patient records).

When these systems work appropriately, they support patient health and safety. When they are subverted or work incorrectly, they can fail to do so, sometimes with catastrophic human consequences and professional liability. Thus the value of the clinical information-technology ecosystem is balanced against the risk of errors that can (and unfortunately do) result in serious

1 Note that inclusion or exclusion of veterinary or animal health varies by region; for example, some countries include veterinary care in the broader context of the health care space where some do not.
and devastating consequences. For physicians, practitioners and patients of all types, getting timely access to the information or technology they need, when they need it, can mean the difference between life and death.

Not all health systems carry the potential for direct (or even indirect) impact on the health and safety of patients. However, many do: systems supporting institutional clinical care (for example, those in a hospital or health system) can absolutely affect health and safety. Other similarly risk-related systems include:
• Pharmaceutical dispensary systems—for example, those tracking medication contraindications or dosage for patients
• Imaging modalities, picture archiving and communication systems (PACS), radiology information systems (RISs) and their supporting subsystems which either create, disseminate, inspect or examine diagnostic images

Beyond these examples of systems directly supporting patient care, numerous, more commonplace technologies support clinical or other health care environments in various mundane ways. Their ubiquity and familiarity notwithstanding, these systems also play a critical role in patient safety, and include technologies like door access-control systems; email; training records storage applications; heating, ventilation and air-conditioning (HVAC) systems; telephone systems that rely on Internet bandwidth (such as voice over internet protocol (VoIP) communications); or transcription services.

Because of their role in patient care, such ordinary applications take on special significance. Consider email, for example. Email is sometimes used to pass critical health-related information, even though other more specialized mechanisms are not only available but preferable for conveying information in a clinical setting (e.g., Health Level Seven International [HL7] technology). What happens if critical and time-sensitive medical information fails to be delivered to the person who needs it, when they need it?

in the health care sector requires one of the most structured, controlled and accountable frameworks of any industry.
drug-production standards can be traced back to at least 1240, modern health care regulations are considered to have evolved mostly in the latter part of the twentieth century.

This medical catastrophe led to a series of national and international efforts to improve reporting of adverse medical events; strengthen testing of drugs before market; and ensure ongoing, centralized reporting and remediation of adverse effects.
4 Hughes, Emily; "Almost 100,000 pacemakers recalled by Medtronic," Medical Plastics News, 2 December 2015, www.medicalplasticsnews.com/news/almost-100-000-pacemakers-recalled-by-medtronic/
5 Rägo, Lembit; Budiono Santoso; "Drug Regulation: History, Present and Future," Drug Benefits and Risks: International Textbook of Clinical Pharmacology, revised 2nd edition; World Health Organization; 2008; www.who.int/medicines/technical_briefing/tbs/Drug_Regulation_History_Present_Future.pdf
6 Gad, S.C.; "Animal Models," Reference Module in Biomedical Sciences, 2014, Elsevier Inc., www.sciencedirect.com/science/article/pii/B9780123864543008149
7 Kim, J.H.; A.R. Scialli; "Thalidomide: the tragedy of birth defects and the effective treatment of disease," Toxicological Sciences; July 2011, 122(1):1-6; www.ncbi.nlm.nih.gov/pubmed/21507989
Provider and Device Regulation History

Today similar standards apply to most health care products and services around the world. In many jurisdictions, standards have also been extended to cover information technology wherever it can affect public health.

Health care increasingly depends on technology as a critical component in patient care. Unlike in many other industry sectors, mistakes in technology governance and operations in health care can and do lead to deaths and serious injuries. For example, a mistake in the implementation of software code in the Therac-25 radiation-therapy machine produced a "race condition" (a type of software programming flaw) that allowed potentially lethal levels of radiation at 100 times the intended dose.8

The impact of potential failures is likely to grow given the increasingly important role that technology plays in modern health care. A report in 2014 from the UK-based Institution of Mechanical Engineers indicated that 309 deaths and 4,955 serious injuries were reported in 2013 to the Medicines and Healthcare products Regulatory Agency (MHRA) as a result of faulty medical equipment.9 The reported problems included faulty pacemakers; malfunctioning or unavailable computed tomography (CT) and magnetic resonance imaging (MRI) scanners; and many other categories.

Therefore, a technology that delivers health care (or supports its delivery) is expected to be proven fit for purpose before it is used and almost always needs to comply with numerous regulations.
Laws that apply to health care technology vary by territory, jurisdiction, country and locality. Health care regulations internationally are so numerous that one introductory publication cannot cover them all. However, many health care regulations share common principles whose understanding can help practitioners evaluate governance structures within the clinical environment.
8 Leveson, Nancy; Turner, Clark S.; "An Investigation of the Therac-25 Accidents," IEEE Computer, Vol. 26, No. 7, July 1993, pp. 18-41, http://courses.cs.vt.edu/professionalism/Therac_25/Therac_1.html
9 Institution of Mechanical Engineers, "New report: lack of NHS engineers is putting lives at risk," press release, 24 July 2014, http://www.imeche.org/news/news-article/New_report_lack_of_NHS_engineers_is_putting_lives_at_risk
10 This section introduces common principles that inform many health care regulations. Guidance offered here should not substitute for reading and understanding regulations that apply in a given territory, industry or jurisdiction. To assess applicable local regulations and their potential effects, practitioners should consult with enterprise counsel and any other compliance stakeholders.
What is GxP?
The letters G and P in GxP represent good practice. The letter x indicates that health care regulations are applicable. To give the acronym specific domain reference, the x may be replaced by a different letter indicating the type of good practice that is required (for example, GMP for good manufacturing practice, GCP for good clinical practice or GLP for good laboratory practice).

If a system must comply with GxP requirements, the following principles apply:
• The technology must demonstrate and have documentation stating that it is fit for its intended purpose.
• The system requires a secure audit trail.
• Every single action must generate an audit trail item.
• Each audit trail item shows who performed the action, the date, the time and what was changed (the old value and the new value).
• Every user identity is the responsibility of a specific person and is never reused.

When GxP is deemed applicable to a health care technology, US regulation 21 CFR Part 11 also applies. Part 11 provides rules for electronic records and signatures.11 Its standard is equivalent to that governing formal paper records and handwritten signatures. In the European Union, the equivalent standard is EU GMP Annex 11. Key principles of the regulation include, but are not limited to:
• If a signature is appended electronically, its record establishes:
  • How the signature was electronically or digitally authenticated

Although the number and complexity of requirements across health care regulations can seem overwhelming and abstruse, they seek to realize very straightforward and simple principles.

11 US Department of Health and Human Services Food and Drug Administration, Guidance for Industry Part 11, Electronic Records; Electronic Signatures—Scope and Application, Pharmaceutical CGMPs, August 2003, www.fda.gov/downloads/regulatoryinformation/guidances/ucm125125.pdf
Falsification of paper records is usually easy

Regulations governing electronic records are intended to achieve standards of safety and integrity commensurate with paper records. They are designed to prevent and detect any attempt at falsification and to ensure readability and persistence throughout mandated retention periods.

For any technology that creates, modifies, archives, maintains, retrieves or transmits regulated health information in digital form, these standards ensure integrity, accuracy and reliability. For example, medical prescriptions include drug name, dosage, patient, etc.; standards help to ensure that these critical elements are accurate, authentic and unaltered.

fully traceable and align with the rule of 3:
3. Record the evidence. Ensure that records document compliance with procedures and identities of all personnel who perform tasks.

Almost all health care enterprises of any scale have a well-developed quality assurance function that is segregated from day-to-day operations, to help identify and address any significant process gaps; to ensure appropriate requirements continue to be met; and to ensure that reporting is confidential and privileged in ways that encourage future transparency.
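The audit-trail principles listed above (who, when, what changed, old and new value, identities never reused) and the requirement that falsification be detectable can be made concrete in code. The following is an added example written for this page, not code from the white paper or from any GxP product: every field change on a record appends one entry to a hash chain, so that rewriting or deleting an earlier entry breaks verification, and user IDs are bound to one named person for life. The record IDs, user names and prescription values are constructed sample data.

```python
"""Tamper-evident audit trail in the style of the Part 11 principles above.

Added example, not code from the white paper. Every change to a record
produces one audit entry (who, when, which field, old value, new value);
entries are hash-chained so that altering or deleting an earlier entry is
detectable; and a user ID, once issued to a person, can never be reissued.
"""
import hashlib
import json
from datetime import datetime, timezone


class IdentityRegistry:
    """Binds each user ID to exactly one named person for its whole life."""

    def __init__(self):
        self._users = {}

    def register(self, user_id, person):
        if user_id in self._users:   # refuse to recycle an ID, even for a departed user
            raise ValueError(f"user id {user_id!r} already belongs to {self._users[user_id]}")
        self._users[user_id] = person

    def person_for(self, user_id):
        if user_id not in self._users:
            raise KeyError(f"unknown user id {user_id!r}")
        return self._users[user_id]


def _entry_hash(prev_hash, payload):
    """SHA-256 over the previous hash plus a canonical JSON form of the entry."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AuditedRecord:
    """A regulated record whose every field change is appended to a hash chain."""

    GENESIS = "0" * 64

    def __init__(self, record_id, identities, clock=None):
        self.record_id = record_id
        self.identities = identities
        self.clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.fields = {}
        self.trail = []

    def set_field(self, user_id, field, new_value, reason):
        person = self.identities.person_for(user_id)   # unknown IDs cannot act
        payload = {
            "record": self.record_id,
            "user": user_id,
            "person": person,
            "at": self.clock(),
            "field": field,
            "old": self.fields.get(field),
            "new": new_value,
            "reason": reason,
        }
        prev = self.trail[-1]["hash"] if self.trail else self.GENESIS
        self.trail.append({**payload, "prev": prev, "hash": _entry_hash(prev, payload)})
        self.fields[field] = new_value

    def verify(self):
        """Return the index of the first corrupt entry, or -1 if the chain is intact."""
        prev = self.GENESIS
        for i, entry in enumerate(self.trail):
            payload = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, payload):
                return i
            prev = entry["hash"]
        return -1


def demo():
    """Constructed sample data: one prescription edited by two users, then falsified."""
    ids = IdentityRegistry()
    ids.register("jdoe", "Dr. Jane Doe")
    ids.register("rpatel", "R. Patel, pharmacist")
    rx = AuditedRecord("RX-0001", ids)
    rx.set_field("jdoe", "drug", "amoxicillin", "new prescription")
    rx.set_field("jdoe", "dose_mg", 500, "new prescription")
    rx.set_field("rpatel", "dose_mg", 250, "dose adjusted after call with prescriber")
    intact = rx.verify()           # -1: every entry still matches its hash
    rx.trail[1]["new"] = 5000      # someone rewrites history in place
    broken = rx.verify()           # 1: the first entry that no longer verifies
    return intact, broken, rx.trail[2]["old"]


def identity_reuse_is_refused():
    """A departed user's ID must not be handed to a new person."""
    ids = IdentityRegistry()
    ids.register("jdoe", "Dr. Jane Doe")
    try:
        ids.register("jdoe", "Dr. John Doe")
    except ValueError:
        return True
    return False
```

The chain makes in-place edits and deletions visible, but an attacker who can rewrite every entry can also recompute every hash. In a real deployment the head hash is therefore anchored outside the writable store (a write-once log, a periodic signed checkpoint, or a separate QA system), which is the part this in-memory example leaves out.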
Provider Regulations

While GxP applies broadly to health care technology, other requirements govern the practice of care, or apply more narrowly to subsets of patients and information in particular contexts. For example, the US Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. These acts relate to health care providers and insurance enterprises in the same way that GxP relates to medical device manufacturers and pharmaceutical enterprises. HIPAA and HITECH define specific requirements for safeguarding protected health information (PHI) from a technology-implementation perspective, and provide enforcement by a different regulatory body (the Health and Human Services Office for Civil Rights).

Other jurisdictions enact similar requirements to achieve substantially the same safeguards. For example, in the United Kingdom, the Care Quality Commission publishes "Safe Data, Safe Care"12 and the "Security policy framework"13 for health care enterprises. Each enterprise must understand its individual context, its local jurisdiction, and should consider input from appropriate local and/or regional regulatory organizations when outlining practices for information technology and patient care.

Including Regulations in Governance Structure

It is critical to account for all governing regulations when an enterprise defines requirements for its governance structure, especially given that standards may apply from multiple and often overlapping regulatory bodies. In any governance initiative, health care enterprises should ensure that requirements are enumerated, documented and addressed. Those using the COBIT® 5 framework may address regulations during the goals cascade exercise. These regulatory goals often largely coincide with stakeholder needs and thereby support overall enterprise goals.

12 Care Quality Commission, "Safe data, safe care," CQC-304-072016, United Kingdom, 2016, www.cqc.org.uk/sites/default/files/20160701%20Data%20security%20review%20FINAL%20for%20web.pdf
Very small health care enterprises may implement approved cloud services or commercial off-the-shelf (COTS) software that include appropriate, prepackaged checklists. These solutions can help minimize the cost and effort of compliance.

Therefore, a smaller enterprise is more likely to adopt technology that is prepackaged. Instead of creating and executing a full process of computer system validation (CSV), the smaller enterprise might use prebuilt CSV checklists to document installation, configuration and deployment of technology. One approach for the smaller pharmacy is to leverage good automated manufacturing practices (GAMP®) to help ensure that compliance requirements and risk considerations are included in the overall governance model.

ISPE and GAMP standards

Meeting GxP regulatory requirements requires a robust and comprehensive approach to CSV. GAMP guidance documents include publications that are specifically designed to help enterprises meet FDA and other governing standards. Publications in the GAMP series include:17
• The Good Automated Manufacturing Practice (GAMP) Guide for Validation of Automated Systems in Pharmaceutical Manufacture
• GAMP Good Practice Guide: A Risk-Based Approach to Compliant GxP Computerized Systems
• GAMP Good Practice Guide: Calibration Management
• GAMP Good Practice Guide: Electronic Data Archiving
• GAMP Good Practice Guide: Global Information Systems Control and Compliance
• GAMP Good Practice Guide: IT Infrastructure Control and Compliance
• GAMP Good Practice Guide: Testing of GxP Systems
• GAMP Good Practice Guide: Validation of Laboratory Computerized Systems

14 For more information on the International Society for Pharmaceutical Engineering, see www.ispe.org.
An online pharmacy platform for the sale of prescription medications required an audit to ensure that it complied with appropriate regulations. All of the following regulations and standards were found to be applicable to the technology and supporting processes:

Health care regulations (biomed):
acts regulated health information in digital form.

Health care and general data privacy and security regulations:
• Specific privacy and security regulations from many US states

In the United States and some other countries, regulations originate at county, state and regional levels. The United States has many state-specific privacy regulations, some with extremely high financial penalties for noncompliance (for example, Texas HB 300).18

This standard applies to online platforms that accept credit or debit card payments.
* Note that PCI DSS is a standard and not a regulation; however, failure to meet the standard can result in the withdrawal of authorization for the platform to transact credit card payments.

The pharmaceutical example illustrates that GAMP can be used to deliver computer system validation while other regulations and standards also apply. However, responsibility for the whole spectrum of requirements may not optimally reside at one organizational level. Conversely, interrelated and/or overlapping standards may not be addressed efficiently if execution is dispersed throughout an organization.
• Some of the security requirements can be met at the enterprise level, such as the need to specify an information security officer and an information security policy.
• Some of the data privacy requirements can also be met at the enterprise level, such as the need to specify a data privacy officer; a subject access rights process; and a breach-notification process.

18 TEXAS HB 300 HIPAA made EASY; "TEXAS HB 300 HIPAA made EASY," 2017, http://hb300.net/
20 ISACA, A Practical Guide to the Payment Card Industry Data Security Standard (PCI DSS), 2015, www.isaca.org/knowledge-center/research/researchdeliverables/pages/pci-dss.aspx
effort at more local levels. GAMP requires owners to ensure that systems are fit for purpose and not subject to falsification of data. To the extent that an enterprise has efficient and effective technology governance for all applicable regulations, individual technology owners may find certain GAMP requirements are already provided at the enterprise level, and can therefore avoid creating duplicative and/or overlapping processes and documentation. Where the central GEIT framework provides general models in advance, their provisions, processes, templates, etc. often do not need

are left to capture requirements expressly for their own technology, and remain free of other burdens. Consider managing any requirement that can be met at enterprise level within the central governance framework.

• Confidentiality of the information to be maintained
• Subject access rights allowing subjects to see the information that is stored about them
• Integrity so that subject information is accurate or corrected on request
• Notification to affected subjects and appropriate regulators in the event of breach
• Portability of individual records to a new pro-

Although consent notice and some security features may be accommodated by individual technologies, most of the items are best met through an enterprise-level approach.
Governance of Enterprise Information Technology (GEIT) for Health Care

A systematic approach to GEIT will help health care entities ensure that key regulatory considerations are met. However, in health care certain challenges can complicate or even preclude accommodation through formalized enterprise-wide governance. These challenges include size; financial resources available for technology investment; number and skill of technology staff; degree of access by external vendors or service providers to clinical systems; and regulatory requirements, among others.

Striated vs. Nonstriated Model

In striated governance models, enterprises distinguish areas where formalized governance is optimal from areas where it may not be optimal. Naturally, the striated model cannot realize many of the advantages of a systematic global approach to GEIT (such as comprehensive coverage, specified in principle 2 of COBIT). Although a striated approach may ultimately weaken governance implementation compared to the nonstriated approach, it can offer advantages where formally addressing all of IT is economically or culturally impracticable.

Two basic approaches can be taken when health care regulations apply:
• Striated Model—Separate governance of regulated and nonregulated technology. Allow some technology to run under a general, standard, low-cost IT department, while technology with a higher regulatory threshold is managed separately.
• Nonstriated Model—Combine governance of regulated and nonregulated technology under a single framework. Subject all technology (both inside and outside of the clinical environment) to a holistic governance implementation; optimize delivery of all systems and services, whether they are regulated or not.

Each model has advantages and disadvantages relative to the other. An enterprise may segregate its governance of regulated health systems for many reasons. Often, it can be a function of maturity. The Capability Maturity Model Integration (CMMI®), for example, defines a model with five levels of maturity (figure 1).

Enterprises that have processes that are lower on the maturity spectrum (maturity levels 1 or 2) may find a striated model appealing, compared to those of higher maturity (maturity levels 3, 4 or 5), because it allows them to apply more strenuous rigor only to those areas that explicitly require that rigor.

The decision to split governance can involve many other factors. The striated model can make sense for:
• Smaller health care enterprises
• Enterprises with very few technologies subject to regulation
• Very large enterprises that need to leave full accountability, over a long period of time, within particular locations (for example, the setup and operation of a manufacturing plant)
• Enterprises with substantial ongoing budgetary constraints
Figure 1—CMMI Maturity Levels
Level 5, Optimizing: Stable and flexible. Organization is focused on continuous improvement and is built to pivot and respond to opportunity and change. The organization's stability provides a platform for agility and innovation.
Level 4, Quantitatively Managed: Measured and controlled. Organization is data-driven with quantitative performance improvement objectives that are predictable and align to meet the needs of internal and external stakeholders.
Level 3, Defined: Proactive, rather than restrictive. Organization-wide standards provide guidance across projects, programs and portfolios.
Level 2, Managed: Managed on the project level. Projects are planned, performed, measured and controlled.
Level 1, Initial: Unpredictable and reactive. Work gets completed but is often delayed and over budget.
The decision may also be a function of staff specialization. A smaller shop without dedicated IT personnel may find the advantages of systematic governance planning compelling, but may lack the skills and bandwidth necessary to oversee such an effort for the entire

2). Note that the term "clinical" is used informally here; it refers to the subset of the technology footprint used in the service of patient care or research—the areas most directly subject to governing health care regulation. The specific nature of this clinical technology footprint varies from enterprise to enterprise depending on mission and context. For example, in a hospital or health system, clinical technology may refer to biomedical and/or health IT systems, such as EMR systems and PACS. For an insurance provider, clinical technology may refer to systems responsible for coding and billing.

The two strata can be further delineated:

that the email system is not being used as the system of record for critical health care communications or transmission of PHI.
• Often, general documentation that is not deemed subject to any formal clinical record-management requirement may use a standard enterprise document-management solution.
• Stratum 2: Clinical systems (typically subject to GxP; specific regulatory constraints such as HIPAA; context-specific regulatory frameworks or guidance such as PCI DSS; or other standards)
  • Are assigned an accountable system owner to take full responsibility for meeting regulatory requirements.
  • Can be subject to independent quality-assurance checks of documentation, product and/or processes sufficient to verify that requirements are met.

Under the striated governance model, an enterprise may provide general IT services for nonregulated activities, and place the entire regulatory burden onto each system owner and conduct due diligence checks to ensure that system owners achieve correct standards in highly regulated instances. The general IT governance may have little to do with meeting regulatory requirements beyond the bare minimum set by the enterprise

• Duplicate efforts are eliminated; for example, each regulated project does not invent its own documentation (e.g., based on project documentation and process) and does not ensure its own set of controls, countermeasures, procedures, etc.
• Resources can be better optimized because they can be scheduled and re-used across any part of the technology landscape.
• Individual system goals are better aligned into the overall mission of the enterprise and there is better satisfaction of enterprise objectives.

Enterprises that manage their regulated and nonregulated technologies through a single governance framework can achieve lower overall operational costs. However, great care must be taken to ensure that regulated technologies continue to be managed to the appropriate standards:

Even within enterprises with a single framework
A pharmaceutical enterprise looking to deliver health care information technology through a single-framework model usually includes the following features.
• Process documentation: All significant policies and processes within the governance model are described efficiently in a controlled document that is subject to periodic review. This documentation includes all items usually found in a COBIT framework plus the additional industry items, such as policies and processes for managing
• Signatures: Accountability is critical in health care environments. Regulated records and documents need to be signed. Typically all policies and procedures include formal signatures (handwritten or electronic) from at least an author and a separate approver. Signatures are also expected within operational records (such as key project milestone documents, project plans) and change control records for GxP technology or supporting hardware.
• A formal quality defect-management procedure:
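The signature feature above (an author and a separate approver on every controlled document) and the earlier Part 11 principle that a signature record must state how the signer was authenticated can be enforced mechanically. The following is an added example written for this page, not the paper's or any vendor's code. Each signature record binds the signer, the meaning of the signature, a timestamp and a digest of the exact document content; verification refuses a document that was edited after signing, a forged signature, and an author who approves their own work. An HMAC keyed with a per-signer secret stands in for whatever credential the enterprise actually issues (an assumption, as are the signer names and the SOP record).

```python
"""Electronic signature manifest with author/approver separation of duties.

Added example, not code from the white paper. Each signature record binds a
signer, the meaning of the signature, a timestamp and a digest of the exact
document content, and states how the signer was authenticated. An HMAC keyed
with a per-signer secret stands in for whatever credential the enterprise
actually issues (assumption); the separation check is what matters here.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone


def canonical(obj):
    """Stable byte form so the digest does not depend on key order or spacing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def document_digest(document):
    return hashlib.sha256(canonical(document)).hexdigest()


class SignatureService:
    def __init__(self, signer_secrets, clock=None):
        self._secrets = signer_secrets           # signer id -> secret bytes (assumed store)
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def sign(self, signer_id, meaning, document):
        record = {
            "signer": signer_id,
            "meaning": meaning,                  # "authored" or "approved"
            "signed_at": self._clock(),
            "document_sha256": document_digest(document),
            "auth_method": "hmac-sha256 over record with signer credential",
        }
        record["mac"] = self._mac(signer_id, record)
        return record

    def _mac(self, signer_id, record):
        unsigned = {k: v for k, v in record.items() if k != "mac"}
        return hmac.new(self._secrets[signer_id], canonical(unsigned), hashlib.sha256).hexdigest()

    def check(self, document, signatures):
        """(ok, reason): ok only if an author and a different approver both signed
        this exact document and every signature verifies against its signer."""
        digest = document_digest(document)
        who = {}
        for rec in signatures:
            if rec["document_sha256"] != digest:
                return False, f"{rec['signer']} signed a different version"
            if rec["signer"] not in self._secrets:
                return False, f"unknown signer {rec['signer']}"
            if not hmac.compare_digest(self._mac(rec["signer"], rec), rec["mac"]):
                return False, f"signature of {rec['signer']} does not verify"
            who[rec["meaning"]] = rec["signer"]
        if "authored" not in who or "approved" not in who:
            return False, "an author signature and an approver signature are both required"
        if who["authored"] == who["approved"]:
            return False, "author and approver must be different people"
        return True, "ok"


def demo():
    """Constructed sample: an SOP signed by its author and a separate approver."""
    svc = SignatureService({"alice": b"alice-credential", "bob": b"bob-credential"})
    sop = {"id": "SOP-017", "title": "Change control for GxP systems", "rev": 3}
    authored = svc.sign("alice", "authored", sop)
    approved = svc.sign("bob", "approved", sop)
    ok, _ = svc.check(sop, [authored, approved])                                    # True
    self_approved, _ = svc.check(sop, [authored, svc.sign("alice", "approved", sop)])  # False
    edited_after, _ = svc.check({**sop, "rev": 4}, [authored, approved])            # False
    forged = dict(approved, mac="00" * 32)                                          # bad MAC
    forged_ok, _ = svc.check(sop, [authored, forged])                               # False
    return ok, self_approved, edited_after, forged_ok
```

Because the MAC covers the whole record, including the document digest and the timestamp, a signature cannot be lifted from one revision and attached to another. With a real credential store the HMAC secret would be replaced by the signer's private key or by an authentication assertion from the identity provider, and the `auth_method` field would record which one was used.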
Optimizing Health Care

For enterprises that have not worked under a documented, lean-and-refined governance model, the effort to set one up may seem substantial and unjustifiable. Understandably, some small enterprises may feel they can only approach governance obligations reactively. However, global enterprises often have much leaner, smaller, and more efficient policies and procedures than enterprises a fraction of the size. Spending time on a disciplined and reflective approach to GEIT ultimately helps streamline processes rather than slow them.

The most effective health care technology governance
• Meet a regulatory requirement, or
• Improve efficiency

Health care enterprises, like any other, have budgetary constraints. Balancing appropriate quality and cost is often critical to optimize delivery of health care products and services. At the same time, too little oversight can result in regulatory breaches; the suspension of a product or service; and, in extreme cases, serious illness, injury or death. Lack of oversight can also lead to substantial financial fines.
Thus risk-based approaches should be used to achieve appropriate balance when governance frameworks assimilate regulatory requirements—with the clear caveat that no risk process is ever allowed to permit or authorize any regulation to be hidden, ignored or contravened, or knowingly to place patient safety at risk.

Learn and Confirm

Most health care enterprises are not entirely unique—peer enterprises typically undertake similar efforts, and their successes (or failures) can instruct other enterprises. Employees of hospitals or clinics can interact with counterparts at other institutions and learn how they approach governance. Employee peers may even provide access to review policies and procedures. Learning what works and what does not in the governance models of similar enterprises almost always leads to greater efficiency; sharing knowledge and experience can help to elevate the general quality of the industry by encouraging proliferation of successful practices.

tion.21 Others may find the white paper, "Getting Started with GEIT: A Primer for Implementing Governance of Enterprise IT," a better place to start.22 Large enterprises that seek to adapt COBIT 5 systematically may find the more expansive COBIT® 5: Implementation to be the best resource, because it thoroughly describes the implementation process and allows for customization. Small enterprises may prefer "Getting Started with GEIT: A Primer for Implementing Governance of Enterprise IT" because it focuses on rapid implementation of standard environments.

Either way, the process of implementation is relatively straightforward. Yet before they begin, health care enterprises should consider aspects specific to their industry. These considerations are described in the following sections.

Include Health Care-specific Factors in Goals Analysis

Implementation of any governance framework depends on systematic understanding of stakeholder requirements and enterprise goals. It is critical to ensure that regulatory, compliance and other considerations specific to health care are represented in this analysis. Here the COBIT 5 goals cascade can be extremely helpful. Enterprises should ensure that regulatory consider-

22 ISACA, "Getting Started with GEIT: A Primer for Implementing Governance of Enterprise IT," 2016, www.isaca.org/bookstore/Pages/Product-Detail.aspx?Product_code=WCGEIT
Leverage Compliance During Buy-in

One critical task for GEIT implementation is the solicitation of buy-in from executives, peers and stakeholders about the need for, and role of, GEIT

any specialized areas—e.g., lab, pharmaceutical, diagnostic imaging, and biomedical engineering—in early planning to ensure that the areas are represented. Include representatives from all specialized areas during the project planning and execution phases of the implementation. Likewise, include them later in the process, during the analysis of resources and dependencies.

Documentation of Current State

During the documentation and analysis of the current state of the environment, ensure that the full scope of the technology footprint is addressed. Include all systems, processes, applications and other entities. Note that care should be taken at this stage to work with specialists to ensure that all relevant components and entities are addressed. Leverage documentation that may already exist to make the process easier. For example, if the enterprise already conducted a business impact assessment (BIA)—typically used for business continuity management (BCP) and disaster recovery (DR)—or a privacy impact assessment (PIA) to comply with the EU General Data Protection Regulation (EU GDPR), the enterprise can leverage the associated documentation to locate current-state elements that are (or could be) germane to the implementation.

Each regulated health system has a duty of care to ensure that the information it contains remains accurate. When information is passed between two regulated systems, the chain of custody describes the responsibility to ensure that the digital information received is identical to the information sent and that a clear record of data “ownership” is maintained. This assurance can sometimes involve hash values or other checksums, but other methods can also be employed. For example, if a digital prescription is passed from a doctor to a pharmacy, the chain of custody requires the digital prescription information to be confirmed as identical to that signed by the doctor.

COST OF MEETING CLINICAL REGULATORY STANDARDS

To streamline implementation and optimize expenditure, health care enterprises must recognize when regulations do and do not apply to given technologies. Systems that need to be built and maintained in compliance with health care regulatory standards are
Interoperability Requirements of Health Care Data

While it would be highly desirable to harmonize health care data standards globally, regulatory requirements and restrictions vary from country to country, especially as they relate to patient records. The only universal interoperability standard that applies to regulated health care data is the mandate that data arriving in each system be confirmed as identical to the data that was sent. Other localized interoperability standards can apply in some territories or commercial systems.
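The chain-of-custody requirement described above (a digital prescription passed from doctor to pharmacy must be confirmed identical to what the doctor signed, and the universal mandate that data arriving in a system be confirmed identical to what was sent) can be met with a hash value, as the paper notes. The following is an added example, not code from the ISACA paper; the prescription record layout, the choice of SHA-256 and the custody-log format are assumptions made here.

```python
# Added example (not from the ISACA paper): a chain-of-custody check for a
# digital prescription passed from a doctor's system to a pharmacy system.
# The record layout, the use of SHA-256 and the custody-log layout are
# assumptions for this example.
import hashlib
import json


def canonical_bytes(record: dict) -> bytes:
    # Canonical JSON (sorted keys, no insignificant whitespace) so that both
    # systems hash exactly the same bytes whatever their serializer defaults.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def digest(record: dict) -> str:
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def originate(record: dict, holder: str) -> list:
    # The originating system fixes the digest at signing time; every later
    # hop compares against this value, not against its immediate predecessor.
    return [{"holder": holder, "digest": digest(record), "verified": True}]


def receive(record: dict, custody: list, holder: str) -> list:
    # A receiving system recomputes the digest over what it actually received
    # and appends its own entry, so both integrity and "ownership" are logged.
    expected = custody[0]["digest"]
    actual = digest(record)
    entry = {"holder": holder, "digest": actual, "verified": actual == expected}
    return custody + [entry]


def custody_intact(custody: list) -> bool:
    return all(entry["verified"] for entry in custody)


# Constructed sample prescription (not real patient data).
PRESCRIPTION = {"patient_id": "P-0001", "drug": "amoxicillin",
                "dose_mg": 500, "quantity": 21, "prescriber": "Dr Example"}

if __name__ == "__main__":
    log = receive(PRESCRIPTION, originate(PRESCRIPTION, "doctor-emr"), "pharmacy")
    print("intact transfer:", custody_intact(log))
    altered = dict(PRESCRIPTION, quantity=210)  # quantity changed in transit
    bad = receive(altered, originate(PRESCRIPTION, "doctor-emr"), "pharmacy")
    print("altered transfer:", custody_intact(bad))
```

Because the digest is computed over a canonical serialization, a record whose fields merely arrive in a different order still verifies, while any change to a field value is detected at the receiving hop.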
However, today the cybercrime fraternity recognizes that many health care environments are a goldmine of easily compromised technologies and information.

Hollywood Presbyterian Hospital Pays $17,000 in Bitcoin to Hackers23

The Pace of Health Care Technology Change

When a hospital purchased a piece of medical technology twenty years ago, it may have reasonably expected to get 10 years or more of serviceable life from it. Now, with so many rapid advancements in the functionality and connectivity of medical technologies, types of devices proliferate, costs decrease, and service life becomes ever shorter. If older medical technology is still in use, it often runs on operating systems that are no longer supported and cannot be secured (especially when connected to networks or external devices). Therefore, health care technology governance models confront a much broader range of devices, with much shorter lifespans and more complex interrelationships and security concerns.

associate agreement (BAA) is always executed prior to any sharing of PHI. This mandate applies to contractors and subcontractors that come into contact with or process PHI, including cloud-service providers. If an enterprise has a critical dependency on a supplier, the enterprise should adjust its processes and practices to ensure that the supplier product or service continues to function to the correct specification.
23 Winton, Richard; “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating,” Los Angeles Times, 18 February 2016,
www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
controlled, held locally or left to market forces. The challenge can be minimal for enterprises that work within a single country, or colossal for those operating in

a governance challenge depends on the purpose and function of each enterprise as well as its sources of information. Large enterprises and enterprises that
Tests and checks once administered reactively in clinical environments—often only after symptoms appeared—will soon run continuously in the background of patients’ everyday lives. This emerging field of health care telematics—the ongoing monitoring, alerting, and automated selection of appropriate responses—will improve early response rates exponentially.

Interaction between patients and health care professionals like doctors and psychologists is also changing. Major gains in data-transfer rates and improvement of home testing now allow many people to consult practitioners online using a webcam and microphone.

Machine learning and artificial intelligence are now applied to medical diagnosis with increasing refinement. Patients will soon be pre-assessed on an automated basis and have a range of tests performed before ever seeing a human physician.

3D printing is set to change how some medical devices are supplied. 3D printing already makes it easier to build certain prosthetics and customize them according to individual measurements. If the cost of biomedical 3D printing becomes more affordable, patients may find that their custom-measured, custom-built medical device is printed at a clinic or hospital while they wait.

For many years, technology has enabled surgeons to perform procedures that are not possible by direct use of human hands. Surgeons operate controls that guide robotic arms into areas with minimal incision and little disruption of tissue. Although the term “robots” is sometimes used in the news media or popular press to describe this type of device, surgery-assisting technology is still administered directly by the physician and, therefore, is not fully automated as the word “robot” implies. However, the combination of robotics and advancements in communication technology now make surgery possible in locations where no human surgeons are present. The new term “telesurgery” refers to procedures administered via robotic technology over great distances.

Medical imaging has begun to leverage mixed reality (a form of augmented reality) to create three-dimensional medical scans that surgeons manipulate in virtual space in order to target surgical objectives. Holoportation relays three-dimensional images across great distances in real time, using nothing more than a few cameras and depth sensors. The same technologies allow medical students to acquire much more informative training in human physiology: students can explore simulated human models instead of looking at two-dimensional photographs.

Using microscopic robots, nanotechnology may one day facilitate procedures on formerly inoperable medical conditions that require cellular repair. The technology already helps administer drugs that would not otherwise be absorbed and distributed effectively in the human body.

Another fascinating area of emerging technology is called “wet wiring” or “Direct Neural Interface” (DNI). DNI connects devices to the human body so that patients can use them in place of damaged or missing organic parts. Examples include artificial camera lenses that replace part of an eye; devices equivalent to microphones that restore hearing; and prosthetic limbs that respond to instructions from the brain.

As these technologies evolve and become more widely accessible, they will revolutionize medical care and its delivery: today human beings are supported by technology to deliver care; tomorrow technology will deliver not only the same care, but also more and better procedures, with support from human beings.
Conclusion

Health care is one of the largest industries in the world. Unlike other sectors, defects or mistakes can have life-changing consequences. Regulation and compliance become critical for health care technology: the systems manage not only vital medical information but also sensitive personal data, and often combine both with financial transactions, credit card numbers, billing information, addresses, and the like.

Some enterprises cope by separating systems that require the most complex clinical validation, so they can be managed independently from the general information technology framework. Other organizations gain efficiency through governance models that integrate all technology across the enterprise, both regulated and nonregulated systems. Even small enterprises find it necessary to apply systematic technology governance to meet minimum regulatory

At the same time, health care enterprises are under increasing pressure to improve resilience to cyberattacks by improving their cyber security. Adoption of an IT governance framework is critical to ensure that the enterprise implements a credible cyber security program.

Effective technology governance can seem dauntingly complex given the regulatory context of the health care industry; however, most governance requirements are based on very logical and straightforward principles:

• Patient safety is always the top governance priority.

• Any technology of significance must prove it is fit for purpose.

• Appropriate confidentiality, integrity and availability must be sustained.

• Records must be managed in accordance with
Acknowledgments

ISACA would like to recognize:

Lead Developer
Raef Meeuwisse, CISA, CISM, Cyber Simplicity Ltd, UK

Expert Reviewers
Chris Brown, CRISC, Ernst & Young, USA
Bill Dean, CCE, GCFA, GCIH, GPEN, CCE, LBMC, USA
Clyde Hewitt, MS, CISSP, ISO 27001 Lead Auditor, CynergisTek, Inc., US
Dave Newell, Loptr LLC, USA
Uday Ali Pabrai, MSEE, CISSP, CCSFP, Security+, ecfirst, USA
Steve Tarr, Steve Tarr Consulting LLC, USA

ISACA Board of Directors
Theresa Grafenstine, CISA, CRISC, CGEIT, CGAP, CGMA, CIA, CISSP, CPA, U.S. House of Representatives, USA, Chair
Robert Clyde, CISM, Clyde Consulting LLC, USA, Vice-Chair
Brennan Baybeck, CISA, CRISC, CISM, CISSP, Oracle Corporation, USA, Director
Zubin Chagpar, CISA, CISM, PMP, Amazon Web Services, UK, Director
Peter Christiaans, CISA, CRISC, CISM, PMP, Deloitte Consulting LLP, USA, Director
Hironori Goto, CISA, CRISC, CISM, CGEIT, ABCP, Five-I, LLC, Japan, Director
Mike Hughes, CISA, CRISC, CGEIT, Haines Watts, UK, Director
Leonard Ong, CISA, CRISC, CISM, CGEIT, CPP, CFE, PMP, CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA, Merck & Co., Inc., Singapore, Director
R.V. Raghu, CISA, CRISC, Versatilist Consulting India Pvt. Ltd., India, Director
Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT, FACS CP, BRM Holdich, Australia, Director
Ted Wolff, CISA, Vanguard, Inc., USA, Director
Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT 5 Certified Assessor, CIA, CRMA, EGIT | Enterprise Governance of IT (Pty) Ltd, South Africa, Director
Christos K. Dimitriadis, Ph.D., CISA, CRISC, CISM, Intralot, S.A., Greece, Past Chair
Robert E Stroud, CRISC, CGEIT, Forrester Research, Inc., USA, Past Chair
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past Chair
Matt Loeb, CGEIT, FASAE, CAE, ISACA, USA, Director
About ISACA

ISACA® (isaca.org) helps professionals around the globe realize the positive potential of technology in an evolving digital world. By offering industry-leading knowledge, standards, credentialing and education, ISACA of the COBIT® framework, which helps organizations effectively govern and manage their information and technology. Through its Cybersecurity Nexus™ (CSX), ISACA helps organizations develop skilled cyber workforces and enables individuals to grow and advance their cyber careers.

3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Website: www.isaca.org
Provide Feedback: www.isaca.org/GEITforHealthcare
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: www.twitter.com/ISACANews
Join ISACA on LinkedIn: www.linkd.in/ISACAOfficial
Like ISACA on Facebook:

DISCLAIMER

ISACA has designed and created “GEIT for Health Care” (the “Work”) primarily as an educational resource for professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.