AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)
-
Upload
amazon-web-services -
Category
Technology
-
view
369 -
download
0
Transcript of AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chris Whalley - AWS Medical Security Team Lead
Mitsuhiro YANO - Senior Planner, Information Solution , Sysmex Corporation
November 29, 2016
SAC314
Common Considerations for Data
Integrity Controls in Healthcare
What to expect from the session
Overview of Data Integrity in Healthcare
Applying Data Integrity in GxP Medical Systems
Top 10 Data Integrity Controls
Protected health
informationHIPAA*
Human subject
research dataIRB
Controlled access
genomic datadbGaP
Part 11 electronic
records and electronic
signatures
GxP
Personal health
recordsFTC
AWS Healthcare Security Assurance Scope
Customer Content
PRIVACY
IntegrityAvailability
RISKS CONTROLS FOCUS
PRIVACY /
CONFIDENTIALITY
Loss of privacy,
unauthorized access,
theft
Encryption,
authentication, access
controls
Information security
INTEGRITY
Data is no longer
reliable or accurate,
fraud
Maker/checker, quality
assurance, audit logsOperational controls
AVAILABILITY
Work disruption,
inability to make data-
driven decisions, loss of
user confidence,
regulator penalties
BCP plans and tests,
backup storage,
capacity planning
Business continuity
planning
Data Integrity in Healthcare and Life Sciences
Human safety decisions
based on data require that
the data be trustworthy.
Attributable
Legible
Contemporaneous
Original
Accurate
Scientific Data
Applies to:
Business Process
Software Application
Examples:
pH of chemical solution is 6.6
Severe reactions from new
drug product was significantly
reduced compared to old drug
product (p<0.001)
Define: Data
Computer Data
Applies to:
Virtualized Infrastructure
Infrastructure Software Tools
Physical Infrastructure
Examples:
5 (decimal) = 101 (binary)
1 KB = 1,024 bytes
File object SHA1 checksum:
B0FADEC093EEC1F0DA5695
A5106B5E845CF8E2E9
Regulator View on Data Integrity
Data was not reviewed & evaluated by your
firm when making batch release decisions
Regulators published
5 new data integrity
guidance documents
in last 12 months
In 2015, 79% of FDA
warning letters
involving data integrity
were issued to
international firms
Data Integrity Bits on a disk>
Applying Data Integrity Principles
Controls for Humans:
Training for System Users &
Developers
Policies & Procedures for…
o IT Purchasing
o DevSecOps &
Computer Validation
o Data Monitoring & ReviewApp
Virtual Infrastructure
AWS Products
System Users
Healthcare Protocol
Data
Applying Data Integrity Principles
Controls for Machines:
I/O checks between machines
and services
Logging data access, use, and
modification
Access controls
Top 10 coming after systemsApp
Virtual Infrastructure
AWS Products
System Users
Healthcare Protocol
Data
Corporate Philosophy
Shaping the advancementof healthcare
systematical + medics + x
Who are we?
Where do we operate?Diagnosis /
Treatment
Interview/
PalpationComplete
Recovery
Image Scanning
Respiratoryfunction testing
Ultrasonography
In-Vivo
Diagnostics
Blood testing
Immunochemistrytesting
Clinical chemistry
testingetc.
In-Vitro
Diagnostics
etc.
Clinical Testing
Patient
room
Test equipment operable at bedside
minimizes patient discomfort
Operatin
g
room
Compact test equipment ready for
emergency tests during surgery
Examination
room
Examination (interview) and
testing performed simultaneouslyRapid confirmation of doctor’s diagnosis
Laborator
y
High-quality and efficient testing
Comprehensive analysis of patient’s blood
and urine
Sysmex at a Glance
20
40
60
0
50
100
150
200
250
'00 '05 '10 '15
Net Sales
Operating Income
Net Income
Net Sales (million $) Profits (million $)
28th
15.7%
23.6%27.0%
25.7%
7.9%
Japan
Americas
AP
EMEA
China
Sales by Region
Missions - Information Solution Dep.
IT HeadquartersIT Strategy
Development
System Operation
On-going Support
User Requirements for Infrastructure
Follow-the-sun
SupportSecurityAgility
To leverage Cloud
Security Guideline
Understanding
Cloud Service
Check SheetSecurity Policy
AWS Assessment
Market Leader Listen to UsersLarge Community
Quality Complaint Management Project
Considerations for Infrastructure
Global Network Required AvailabilityLong Term
Data storage
Project ScheduleOND 15 JFM 16 AMJ 16 JAS 16 OND 16
Validation
Sandbox DEV VER / PROD
Feasibility Decision
Hardware Era Virtualization Era Cloud Era
Protocol-driven
manual activities
Procedure-driven
manual activities
Code-driven
automated activities
White Paper
AWS Reliability Study
ISO
27001
7.3 Support your ISMS by making people aware of their responsibilities
8.1 Carry out operational planning and control processes
9.1 Monitoring, measurement, analysis and evaluation
9.3 Management Review
6.3 Performing Maintenance and Checking Management
(1) The Operation Manager should have persons in charge
conduct maintenance, and record and retain its results.
“AWS Reference”
6.5 Backup and Restore
The Operation Manager should have the designated persons
designated conduct the following activities in accordance
with the Operations Management Code, etc
(1) Backup (2) Restore (3) Document and retain records
ISO
9001
4.2 Documentation requirements
4.2.1 General
4.2.2 Quality manual9.3 Management Review
5.3 Quality Policy
SOC1/2 Check upon NDA with AWS
“AWS Reference”
Common Rules
Suppli
er
A Lifecycle Model of Computerized Systems - Appendix 1
On-going Operation Management
Highly-reliable operationsGame Change
System Architecture / Validation Target
System Architecture / Validation Target
System Architecture / Validation Target
Validation Activities - Recap
IQ EffortOperation PlanningProcurement
Automation Support NeededLeverage Third-party Certificate
docomo
Cloud Package
AWS
Environment
Set-up
Validation
Activities
Document
Support
Special Thanks to
Key Learning and To move forward
Infrastructure
ChoiceListen to UsersLarge Community
With the latest available resources Eco-system Development More GxP friendly functions
Shaping the advancementof healthcare
1. Use risk-based software design and testing
AWS features and controls Customer guidance
AWS enables customers to retain
control of business process, data,
applications, and virtual
infrastructure
AWS provides user-configurable
infrastructure software tools with
features to address a wide range of
data risks
Use your risk assessment to
identify the impact of data integrity
risks to your product or service
Use AWS documentation, support,
and partners to define the software
design and testing controls needed
to mitigate your risks
2. Restrict data access
AWS features and controls Customer guidance
AWS implements physical
infrastructure access controls that
are validated by third-party auditors
Review AWS audit reports
Implement physical access
controls to your assets & user
environment
2. Restrict data access
AWS features and controls Customer guidance
AWS provides data access control
features in infrastructure software
tools that are validated by third-
party auditors
Implement your virtual
infrastructure access controls using
AWS features in IAM, Amazon
VPC, AWS Directory Service, and
other AWS products
Implement your software access
controls using AWS SDKs
AWS Identity and
Access Management
AWS
SDKs
AWS Directory
ServiceAmazon Virtual
Private Cloud (VPC)
3. Restrict audit trail access
AWS features and controls Customer guidance
AWS implements physical
infrastructure access controls that
are validated by third-party auditors
Review AWS audit reports
Implement physical access
controls for your on-premises
infrastructure and mobile devices
AWS provides audit trail access
control features in infrastructure
software tools like AWS CloudTrail
that are validated by third-party
auditors
Review AWS audit reports
Implement your virtual
infrastructure audit trail access
controls using AWS features in
IAM, VPC, Directory Service, and
other AWS products
Implement your software audit trail
controls using AWS SDKs
4. Record data contemporaneously
AWS features and controls Customer guidance
AWS provides time-stamped audit trail control
features in infrastructure software tools Enable virtual infrastructure audit
trail features in AWS products like
CloudTrail, CloudWatch, and Config
AWS provides time zone control features in
infrastructure software tools Configure virtual infrastructure time
zone control features in AWS
products like RDS, EC2, and others
AWS provides SDKs
Implement software time-stamped
audit trails
Synchronize software time-stamped
audit trails across time zones
Ensure that software logic commits
data to storage at time of activity
5. Control blank paper forms
AWS features and controls Customer guidance
AWS provides flexible, low-cost infrastructure
software tools and SDKs that enable rapid
development and testing of highly secure
software
Replace paper forms with secure
electronic data capture software
6. Periodically review a sample of audit
trails, data, and metadata AWS features and controls Customer guidance
AWS provides infrastructure
software tools like AWS Lambda
and Amazon SNS that enable
customers to build continuous
monitoring solutions
Define validation rules (functions)
and triggers (events) for data
Define notification groups for failed
validations
Implement validation functions,
events, and notification rules in
AWS products
AWS Marketplace partners can
provide out-of-the-box solutions for
continuous monitoring of audit
trails, data, and metadata
Find and try partner solutions in the
AWS Marketplace
7. Retention of full audit trails
AWS features and controls Customer guidance
AWS provides infrastructure software tools
like CloudTrail and CloudWatch that produce
virtual infrastructure audit trails in a fully
portable format
Review and revise record retention
schedule
Configure CloudWatch and
CloudTrail
Retain virtual infrastructure audit
trails wherever you want for as
long as you want
AWS provides infrastructure software tools
like Amazon S3 and Amazon Glacier for
storage and retention of audit trails
Configure and use storage tools for
virtual infrastructure and software
audit trails
8. Validate regulated software applications
AWS features and controls Customer guidance
AWS certifies our infrastructure software tools
to commercial-off-the-shelf (COTS) product
standards
Review AWS audit reports for ISO,
SOC, and NIST
AWS provides features to create and enforce
“gold standard” virtualized infrastructure
resources
Configure AWS features like EC2
AMIs and CloudFormation
Templates
AWS provides features to automate creation
and error reporting of infrastructure resources
Review and revise your
infrastructure qualification SOPs
Configure AWS features like
CloudTrail
AWS enables customers to retain control of
application SDLC
Follow your existing software
validation process
9. Senior management is responsible for
implementing data governanceAWS features and controls Customer guidance
AWS Partner Network and AWS Professional
Services provide consultations for data
governance and cloud adoption strategies
Seek advice for your cloud
adoption plan
AWS provides industry-specific case studies
and customer workshops
Review case studies and attend
workshops with others in your
industry
AWS offers online documentation, self-paced
training labs, in-person classes, and user
certification programs
Provide your team with
opportunities to develop their cloud
competencies
10. Senior management should encourage
an open culture for reporting errorsAWS features and controls Customer guidance
AWS provides information and training
resources about DevOps and DevSecOps
methodologies that encourage continuous
improvement
Review our DevOps and
DevSecOps resources
AWS operates an open culture for reporting
errors and continuous improvement
Ask us how AWS teams work
together and use the Amazon
leadership principles to encourage
open culture for reporting errors
Thank you!
Remember to complete
your evaluations!
Related sessions