Healthcare & Pharmaceuticals
The entire health care services delivery chain - including providers, payers, contract research organizations (CROs) and pharmaceutical/biotech companies - faces a range of risk and compliance needs arising from heavy government regulation and a heavy dependence upon public trust. At the same time, IT is becoming integral to the delivery of health care services, research and product development. The Health Insurance Portability and Accountability Act (HIPAA) has impacted the entire health care services delivery chain. Pharmaceutical companies are required to comply with FDA GMP (Good Manufacturing Practices) regulations which emphasize IT change management and security. Publicly traded health care and pharmaceutical companies also need to comply with the Sarbanes-Oxley Act (SOX).
To achieve superior operational performance and proactive risk and compliance management, health insurers, health care providers and pharmaceutical companies need to ask key questions:
- IT Governance, Risk and Compliance process: Do we have one?
- Quality: Are we obtaining reliable results?
- Cycle Time: How long does it take to get reports?
- Cost: How much are we paying?
- Resiliency: Can the process adapt to change?
The Challenge
Keeping up with changing regulations in a multi-regulatory environment is challenging enough. Keeping up with the distribution of HIPAA's electronic protected health information (EPHI) is more difficult because the regulation includes any network that transmits or maintains the information in any form or medium, electronic or otherwise. While the enforcement plan for HIPAA transactions and security violations implies a low risk in terms of fines, collateral risks of noncompliance, such as civil liability and brand damage, remain significant.
It's quite the challenge to know where this data is stored and what controls are already in place to protect it. On top of that, ongoing risk assessments require that those controls be tested routinely. The challenge is further compounded by the complexity of the organizations in terms of the geographic distribution of offices, data centers and business units, the state of ongoing mergers and acquisitions, and the data-intensive business processes. And finally, add to the mix the hundreds - even thousands - of affiliates typically utilized by large health care and pharmaceutical organizations to deliver patient services and drug therapies. It's easy to understand how an organization's visibility into its risk posture gets clouded.
Key IT-related risk and compliance regulations and mandates that health care providers, insurers, and pharmaceutical manufacturers must comply with include:
- HIPAA (Health Insurance Portability and Accountability Act) – requires the protection of protected health information (PHI) stored in health care and insurance provider networks
- SOX 404 (Sarbanes-Oxley Act, section 404) – requires publicly traded companies to protect the integrity of financial reporting information
- PCI DSS (Payment Card Industry Data Security Standard) – requires ongoing risk assessments to protect personal credit card data
- FDA GMP (Food and Drug Administration Good Manufacturing Practices) – requires that packagers of drugs, medical devices and blood take proactive steps to ensure that their products are safe, pure and effective
- California SB 1386 and emerging equivalent federal laws – also requires the protection of personal information; this state law is on track to become a federal law
The Solution
Agiliance IT-GRC 3.0 provides health care providers and pharmaceutical companies with the ability to:
- Establish a resilient IT-GRC business process providing a holistic, real time view into risk and compliance across the enterprise, including partners and vendors
- Implement a robust operational IT risk program including automating survey workflow throughout the organization, developing key risk indicators for IT, and assessing threats using COSO and AS/NZ 3460 standard methodologies
- Demonstrate continuous multi-regulatory compliance with a “test once, comply with many” capability, dramatically reducing the cost and cycle time of testing and reporting while improving its quality
- Integrate and automate technical controls by leveraging existing IT investments in security and change management systems: data is taken in from vulnerability scanners, CMDBs, IdM systems, Segregation of Duty systems, and other systems to automatically generate reports, drill down to critical controls, and establish priorities based on the areas with the highest risk
- Migrate over time to standard control frameworks such as ISO 17799/27001, CobiT, NIST
- Create enforceable policies and monitor controls across functional and geographical boundaries
