Automate Infrastructure to Avoid HIPAA Violations
By Stephanie Tayengco
Every other week, news of HIPAA violations comes to light, bringing attention to the challenges of maintaining privacy in the ordinary course of doing business and providing care.
Take, for example, a recent HIPAA violation settlement. Illinois-based healthcare system Advocate Health Care agreed to pay a $5.5 million OCR HIPAA settlement in August after it was found that the company failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI. Earlier this summer, The Catholic Health Care Services of the Archdiocese of Philadelphia agreed to pay $650,000 for failing to implement appropriate security measures and address the integrity and availability of ePHI in its systems.
It is unclear in both cases whether infrastructure configurations were directly to blame. However, addressing the infrastructure-related elements of HIPAA and HITECH takes considerable time and effort, time that could be spent addressing the critical application and mobile device-level security standards that result in the vast majority of violations. To refocus engineers away from time-consuming infrastructure compliance, the practices of infrastructure automation and continuous compliance are the key.
Reduce the chance for human error
The foundation for compliant IT infrastructure is implementing strong standards and having guardrails in place to protect against changes that are inconsistent with those standards at the server, operating system, and application level. This is the next evolution of compliance — building a system that can self-correct errors or malicious changes and maintain continuous compliance.
In a recent survey, IT decision-makers shared that 43 percent of their companies’ cloud applications and infrastructure are automated, highlighting that while companies already recognize the tremendous value of system automation, they can do even more.
The road to automation must begin with an IT-wide perception shift — that manual work introduces risk. Any time an engineer is going into a single piece of hardware to perform a custom change, error is possible and system-wide conformity is threatened. This does not mean replacing engineers with robots. It means tasking engineers with creating the control systems. This is an equally challenging (but far less boring) technical task for engineers, but it creates more value.
Part of this control system will be configuration management at the infrastructure level and for application deployment automation. Equally important is the operational shift to train engineers not to make isolated changes to individual machines and instead to use the control system in place and implement changes as code. Code can be easily changed and tested in non-production environments. Code can be versioned and rolled back. Software deployment tools provide an audit trail of changes and approvals that can be easily read by auditors.
Invest in transparency
One of the main causes that can lead to non-compliance is a lack of transparency, usually in one or both of two key areas:
- Lack of transparency into where critical data resides
- Lack of transparency into the current state of system configurations (i.e., how/where data is encrypted, who has access to that data, how privileges are maintained, etc.)
Many companies rely on manual processes and spreadsheets to track the configuration of their systems. In a cloud environment that changes frequently, this can be a real headache.
The single biggest change to make today to improve the visibility of data criticality and system configurations is to implement configuration management. Rather than rely on manual documentation after the fact when changes are made, configuration management tools allow describing a desired state and creating and enforcing it across the infrastructure. Ideal configurations are coded in a single place, providing the current state of all systems at any time. This is a huge leap forward and it is applicable for operating either on bare metal or in the public cloud. Making long-term investments in operational transparency can help avoid HIPAA headaches.
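The desired-state idea described above, sketched as an added example (not from the original article or any particular configuration management product). The setting names, host names and inventory are constructed, and the enforce step rewrites an in-memory copy rather than real systems; it shows drift detection, self-correction and the audit record an auditor would read.

```python
import copy
import json

# Desired state, kept in version control (constructed keys and values).
DESIRED = {
    "disk_encryption": True,
    "tls_min_version": "1.2",
    "phi_db_access": ["app-svc", "dba-oncall"],
}

# Constructed inventory: what each host reports right now.
INVENTORY = {
    "web-01": {"disk_encryption": True, "tls_min_version": "1.2",
               "phi_db_access": ["dba-oncall", "app-svc"]},
    "db-01": {"disk_encryption": False, "tls_min_version": "1.2",
              "phi_db_access": ["app-svc", "dba-oncall", "contractor-tmp"]},
}

def normalize(value):
    # Access lists are compared as unordered sets of principals.
    return sorted(value) if isinstance(value, list) else value

def find_drift(desired, actual):
    """Return {setting: (expected, found)} for each deviation from desired state."""
    drift = {}
    for key, expected in desired.items():
        found = actual.get(key)  # a missing setting counts as drift
        if normalize(found) != normalize(expected):
            drift[key] = (expected, found)
    return drift

def enforce(desired, inventory):
    """Reset drifted settings on a copy of the inventory; return it with an audit log."""
    corrected = copy.deepcopy(inventory)
    audit = []
    for host in sorted(corrected):
        for key, (expected, found) in find_drift(desired, corrected[host]).items():
            corrected[host][key] = copy.deepcopy(expected)
            audit.append({"host": host, "setting": key,
                          "found": found, "enforced": expected})
    return corrected, audit

if __name__ == "__main__":
    fixed, log = enforce(DESIRED, INVENTORY)
    for entry in log:
        print(json.dumps(entry))  # one audit line per corrected setting
```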
Focus on mission-critical apps, not infrastructure
As healthcare companies improve IT operations, they should be focused on developing or delivering great patient-centered applications and services, not infrastructure maintenance and compliance.
Migrating to the cloud is the first step. Migrating to a public cloud platform like Amazon Web Services (AWS) provides the benefits of a government-grade data center facility that has already been audited for HIPAA and HITECH compliance. Signing a BAA with Amazon means that a portion of the physical security standards is taken care of (note: regular assessments are still required). That is a huge reduction in risk and cost burden right off the bat.
In addition, the cost of change is significantly reduced in the cloud. Adding, removing, or changing infrastructure can mean a few days of work, not months. That means systems engineers can focus on improving software delivery and the configuration management system, not on manually configuring hardware.
Just one word of caution. Beware of any cloud vendor or service provider that describes the cloud as “no maintenance.” It is true that cloud systems are more efficient to maintain, but maintenance is still necessary. The IT team will focus more of their time on maintenance tasks that are more critical to the business, like building a new testing ground for an application development team or refining the code deployment process, not on undifferentiated data center tasks.
It is only a matter of time before the industry witnesses its next HIPAA violation. Automating infrastructure can significantly reduce the cost and effort of maintaining infrastructure compliance, and can refocus IT on higher-impact areas such as device security.
As health IT evolves, expect to see these two key technologies — cloud and automation — driving the next wave of efficiencies in health IT.
Stephanie Tayengco is SVP of operations of Logicworks of New York, NY.