AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Chris Whalley - AWS Medical Security Team Lead

Mitsuhiro YANO - Senior Planner, Information Solution , Sysmex Corporation

November 29, 2016

SAC314

Common Considerations for Data

Integrity Controls in Healthcare

What to expect from the session

Overview of Data Integrity in Healthcare

Applying Data Integrity in GxP Medical Systems

Top 10 Data Integrity Controls

Protected health

informationHIPAA*

Human subject

research dataIRB

Controlled access

genomic datadbGaP

Part 11 electronic

records and electronic

signatures

GxP

Personal health

recordsFTC

AWS Healthcare Security Assurance Scope

Customer Content

PRIVACY

IntegrityAvailability

RISKS CONTROLS FOCUS

PRIVACY /

CONFIDENTIALITY

Loss of privacy,

unauthorized access,

theft

Encryption,

authentication, access

controls

Information security

INTEGRITY

Data is no longer

reliable or accurate,

fraud

Maker/checker, quality

assurance, audit logsOperational controls

AVAILABILITY

Work disruption,

inability to make data-

driven decisions, loss of

user confidence,

regulator penalties

BCP plans and tests,

backup storage,

capacity planning

Business continuity

planning

Data Integrity in Healthcare and Life Sciences

Human safety decisions

based on data require that

the data be trustworthy.

Attributable

Legible

Contemporaneous

Original

Accurate

Scientific Data

Applies to:

Business Process

Software Application

Examples:

pH of chemical solution is 6.6

Severe reactions from new

drug product was significantly

reduced compared to old drug

product (p<0.001)

Define: Data

Computer Data

Applies to:

Virtualized Infrastructure

Infrastructure Software Tools

Physical Infrastructure

Examples:

5 (decimal) = 101 (binary)

1 KB = 1,024 bytes

File object SHA1 checksum:

B0FADEC093EEC1F0DA5695

A5106B5E845CF8E2E9

Regulator View on Data Integrity

Data was not reviewed & evaluated by your

firm when making batch release decisions

Regulators published

5 new data integrity

guidance documents

in last 12 months

In 2015, 79% of FDA

warning letters

involving data integrity

were issued to

international firms

Data Integrity Bits on a disk>

Applying Data Integrity Principles

Controls for Humans:

Training for System Users &

Developers

Policies & Procedures for…

o IT Purchasing

o DevSecOps &

Computer Validation

o Data Monitoring & ReviewApp

Virtual Infrastructure

AWS Products

System Users

Healthcare Protocol

Data

Applying Data Integrity Principles

Controls for Machines:

I/O checks between machines

and services

Logging data access, use, and

modification

Access controls

Top 10 coming after systemsApp

Virtual Infrastructure

AWS Products

System Users

Healthcare Protocol

Data

Corporate Philosophy

Shaping the advancementof healthcare

systematical + medics + x

Who are we?

Where do we operate?Diagnosis /

Treatment

Interview/

PalpationComplete

Recovery

Image Scanning

Respiratoryfunction testing

Ultrasonography

In-Vivo

Diagnostics

Blood testing

Immunochemistrytesting

Clinical chemistry

testingetc.

In-Vitro

Diagnostics

etc.

Clinical Testing

Patient

room

Test equipment operable at bedside

minimizes patient discomfort

Operatin

g

room

Compact test equipment ready for

emergency tests during surgery

Examination

room

Examination (interview) and

testing performed simultaneouslyRapid confirmation of doctor’s diagnosis

Laborator

y

High-quality and efficient testing

Comprehensive analysis of patient’s blood

and urine

Sysmex at a Glance

20

40

60

0

50

100

150

200

250

'00 '05 '10 '15

Net Sales

Operating Income

Net Income

Net Sales (million $) Profits (million $)

28th

15.7%

23.6%27.0%

25.7%

7.9%

Japan

Americas

AP

EMEA

China

Sales by Region

Missions - Information Solution Dep.

IT HeadquartersIT Strategy

Development

System Operation

On-going Support

User Requirements for Infrastructure

Follow-the-sun

SupportSecurityAgility

To leverage Cloud

Security Guideline

Understanding

Cloud Service

Check SheetSecurity Policy

AWS Assessment

Market Leader Listen to UsersLarge Community

Quality Complaint Management Project

Considerations for Infrastructure

Global Network Required AvailabilityLong Term

Data storage

Project ScheduleOND 15 JFM 16 AMJ 16 JAS 16 OND 16

Validation

Sandbox DEV VER / PROD

Feasibility Decision

Hardware Era Virtualization Era Cloud Era

Protocol-driven

manual activities

Procedure-driven

manual activities

Code-driven

automated activities

White Paper

AWS Reliability Study

ISO

27001

7.3 Support your ISMS by making people aware of their responsibilities

8.1 Carry out operational planning and control processes

9.1 Monitoring, measurement, analysis and evaluation

9.3 Management Review

6.3 Performing Maintenance and Checking Management

(1) The Operation Manager should have persons in charge

conduct maintenance, and record and retain its results.

“AWS Reference”

6.5 Backup and Restore

The Operation Manager should have the designated persons

designated conduct the following activities in accordance

with the Operations Management Code, etc

(1) Backup (2) Restore (3) Document and retain records

ISO

9001

4.2 Documentation requirements

4.2.1 General

4.2.2 Quality manual9.3 Management Review

5.3 Quality Policy

SOC1/2 Check upon NDA with AWS

“AWS Reference”

Common Rules

Suppli

er

A Lifecycle Model of Computerized Systems - Appendix 1

On-going Operation Management

Highly-reliable operationsGame Change

System Architecture / Validation Target

System Architecture / Validation Target

System Architecture / Validation Target

Validation Activities - Recap

IQ EffortOperation PlanningProcurement

Automation Support NeededLeverage Third-party Certificate

docomo

Cloud Package

AWS

Environment

Set-up

Validation

Activities

Document

Support

Special Thanks to

Key Learning and To move forward

Infrastructure

ChoiceListen to UsersLarge Community

With the latest available resources Eco-system Development More GxP friendly functions

Shaping the advancementof healthcare

1. Use risk-based software design and testing

AWS features and controls Customer guidance

AWS enables customers to retain

control of business process, data,

applications, and virtual

infrastructure

AWS provides user-configurable

infrastructure software tools with

features to address a wide range of

data risks

Use your risk assessment to

identify the impact of data integrity

risks to your product or service

Use AWS documentation, support,

and partners to define the software

design and testing controls needed

to mitigate your risks

2. Restrict data access

AWS features and controls Customer guidance

AWS implements physical

infrastructure access controls that

are validated by third-party auditors

Review AWS audit reports

Implement physical access

controls to your assets & user

environment

2. Restrict data access

AWS features and controls Customer guidance

AWS provides data access control

features in infrastructure software

tools that are validated by third-

party auditors

Implement your virtual

infrastructure access controls using

AWS features in IAM, Amazon

VPC, AWS Directory Service, and

other AWS products

Implement your software access

controls using AWS SDKs

AWS Identity and

Access Management

AWS

SDKs

AWS Directory

ServiceAmazon Virtual

Private Cloud (VPC)

3. Restrict audit trail access

AWS features and controls Customer guidance

AWS implements physical

infrastructure access controls that

are validated by third-party auditors

Review AWS audit reports

Implement physical access

controls for your on-premises

infrastructure and mobile devices

AWS provides audit trail access

control features in infrastructure

software tools like AWS CloudTrail

that are validated by third-party

auditors

Review AWS audit reports

Implement your virtual

infrastructure audit trail access

controls using AWS features in

IAM, VPC, Directory Service, and

other AWS products

Implement your software audit trail

controls using AWS SDKs

4. Record data contemporaneously

AWS features and controls Customer guidance

AWS provides time-stamped audit trail control

features in infrastructure software tools Enable virtual infrastructure audit

trail features in AWS products like

CloudTrail, CloudWatch, and Config

AWS provides time zone control features in

infrastructure software tools Configure virtual infrastructure time

zone control features in AWS

products like RDS, EC2, and others

AWS provides SDKs

Implement software time-stamped

audit trails

Synchronize software time-stamped

audit trails across time zones

Ensure that software logic commits

data to storage at time of activity

5. Control blank paper forms

AWS features and controls Customer guidance

AWS provides flexible, low-cost infrastructure

software tools and SDKs that enable rapid

development and testing of highly secure

software

Replace paper forms with secure

electronic data capture software

6. Periodically review a sample of audit

trails, data, and metadata AWS features and controls Customer guidance

AWS provides infrastructure

software tools like AWS Lambda

and Amazon SNS that enable

customers to build continuous

monitoring solutions

Define validation rules (functions)

and triggers (events) for data

Define notification groups for failed

validations

Implement validation functions,

events, and notification rules in

AWS products

AWS Marketplace partners can

provide out-of-the-box solutions for

continuous monitoring of audit

trails, data, and metadata

Find and try partner solutions in the

AWS Marketplace

7. Retention of full audit trails

AWS features and controls Customer guidance

AWS provides infrastructure software tools

like CloudTrail and CloudWatch that produce

virtual infrastructure audit trails in a fully

portable format

Review and revise record retention

schedule

Configure CloudWatch and

CloudTrail

Retain virtual infrastructure audit

trails wherever you want for as

long as you want

AWS provides infrastructure software tools

like Amazon S3 and Amazon Glacier for

storage and retention of audit trails

Configure and use storage tools for

virtual infrastructure and software

audit trails

8. Validate regulated software applications

AWS features and controls Customer guidance

AWS certifies our infrastructure software tools

to commercial-off-the-shelf (COTS) product

standards

Review AWS audit reports for ISO,

SOC, and NIST

AWS provides features to create and enforce

“gold standard” virtualized infrastructure

resources

Configure AWS features like EC2

AMIs and CloudFormation

Templates

AWS provides features to automate creation

and error reporting of infrastructure resources

Review and revise your

infrastructure qualification SOPs

Configure AWS features like

CloudTrail

AWS enables customers to retain control of

application SDLC

Follow your existing software

validation process

9. Senior management is responsible for

implementing data governanceAWS features and controls Customer guidance

AWS Partner Network and AWS Professional

Services provide consultations for data

governance and cloud adoption strategies

Seek advice for your cloud

adoption plan

AWS provides industry-specific case studies

and customer workshops

Review case studies and attend

workshops with others in your

industry

AWS offers online documentation, self-paced

training labs, in-person classes, and user

certification programs

Provide your team with

opportunities to develop their cloud

competencies

10. Senior management should encourage

an open culture for reporting errorsAWS features and controls Customer guidance

AWS provides information and training

resources about DevOps and DevSecOps

methodologies that encourage continuous

improvement

Review our DevOps and

DevSecOps resources

AWS operates an open culture for reporting

errors and continuous improvement

Ask us how AWS teams work

together and use the Amazon

leadership principles to encourage

open culture for reporting errors

Thank you!

Remember to complete

your evaluations!

Related sessions