In the ever-evolving realm of healthcare IT, the impact of regulations and technological advancements is profound.

Take, for instance, the 21st Century Cures Act, which was enacted back in 2016. While it’s been on the books for some time, we’re still in the midst of witnessing its provisions, particularly those related to healthcare data interoperability, being fully implemented across our industry.

Looking to Previous Trends for a Glimpse of the Future

This situation is reminiscent of the evolution of consumer technology. In the past, getting connected to the internet at home was a cumbersome process, involving phone calls and expert assistance. Fast forward to today, where a smartphone app effortlessly guides us through complex tasks. As consumers, we don’t delve into the technical intricacies; we simply appreciate the improved speed and efficiency.

Similarly, in healthcare, patients are eager for a seamless experience when it comes to their health data. They don’t need to understand the intricacies of data authentication or transmission; they just expect it to work seamlessly. Hence, any regulations that pave the way for efficient, secure, and safe healthcare data movement between patients and their providers will undoubtedly impact healthcare IT significantly.

The Impact of Interop, Internet of Things, and Artificial Intelligence

One prime example of this impact is interoperability. It’s the key to ensuring that healthcare data flows effortlessly and securely, just like our smartphone apps streamline tasks for us.

Furthermore, the rise of the Internet of Things (IoT) is transforming traditional healthcare, enabling tasks to be accomplished via mobile devices and online tracking technologies in patients’ homes and other locations. For healthcare IT to keep pace, it must collaborate closely with the business side to comprehend the data’s lifecycle – from creation and reception to transmission and maintenance. A recent FTC/HHS announcement on online tracking technologies underscores the risks associated with healthcare data disclosure, highlighting the need for vigilant oversight.

Artificial Intelligence is another game-changer, even if we don’t fully grasp its inner workings. We experience its impact when, for instance, online platforms recommend products based on our previous searches. The realms of machine learning, blockchain technology, and IoT devices are rapidly evolving, requiring close scrutiny to ensure adherence to established standards and robust privacy and security controls.

An Ever-Changing Landscape

While the focus of privacy laws may seem less directly tied to healthcare IT, it’s crucial to keep an eye on the evolving landscape of state-specific comprehensive privacy regulations. The ideal scenario would involve a unified set of privacy laws with consistent core concepts, reducing complexity for healthcare IT. However, the constant changes in patient rights, data control at a granular level, and shifting business rules do influence technical development within the healthcare industry.

In this ever-changing landscape, the intersection of regulations and technology will continue to shape the future of healthcare IT. Adapting to these changes and embracing opportunities for improvement will be key to providing a seamless and secure healthcare experience for all stakeholders.

Regulatory Guidelines for AI, Blockchain, and IoT Implementation

As an Assessor, I have the responsibility of evaluating each organization’s privacy and security compliance against established benchmarks. Within the healthcare and data exchange domain, these benchmarks primarily revolve around fundamental standards like HIPAA Privacy, Security/Cybersecurity, HITECH Breach, and NIST Special Publication 800-171 requirements. These standards are the bedrock of the industry, ensuring the security and confidentiality of healthcare data. Additionally, a well-defined Systems Development Life Cycle is a crucial element in maintaining control over technical operations.

What’s important to emphasize is that emerging technologies, both today and in the future, invariably involve the handling of patient and individual data. This realization underscores the necessity of incorporating two key components into our regulatory framework:

  1. Data Risk Assessment. Any technical development endeavor must commence with a comprehensive business assessment of the data being handled and its classification. Much like the obligations imposed by HIPAA, organizations must thoroughly understand how they create, receive, maintain, and transmit Protected Health Information (PHI) across their technical infrastructure and among their workforce members. This encompasses all possible avenues through which data may be managed, spanning from production to testing, and including the use of USB drives, personally owned devices, websites, and mobile applications. Proper documentation of these processes, alongside the assessment of data classification and the risk levels associated with potential unauthorized access, must be integral to the design. Significantly, the industry is moving toward a heightened focus on risk, as evidenced by the recent adoption of cybersecurity rules by the Securities and Exchange Commission for publicly traded companies, outlining Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.
  2. Secure and Sound Systems Development. In the realm of healthcare data, any developmental effort should adhere to foundational systems development lifecycle processes. These should encompass robust change control methods, the incorporation of ongoing enterprise risk management in decision-making, technology solutions designed to ensure individual accountability through unique user access methods, access controls fortified with multi-factor authentication, stringent communication controls, comprehensive systems and technology monitoring, meticulous business continuity planning, and disaster preparedness. This holistic approach guarantees the creation of technical systems that are not only secure but also efficient and reliable.

Looking Toward the Future

Recently, the Biden Administration made headlines with the announcement of “Voluntary Commitments from Companies to Manage AI Risk.” This development is indeed noteworthy, as several leading tech companies have voluntarily pledged to “manage risks associated with the development and deployment of artificial intelligence.” These commitments revolve around core principles of safety, security, and trust in AI development. Companies undertaking these commitments acknowledge their responsibility to ensure the safety of their products before introducing them to the public. They also emphasize the paramount importance of prioritizing security and building systems that instill public trust.

In conclusion, the evolving landscape of healthcare and technology necessitates a multifaceted approach to regulation. This approach should encompass rigorous data risk assessment and a commitment to secure and reliable systems development, as well as a keen eye on industry trends and voluntary commitments that enhance safety, security, and public trust.

This post was contributed by Lesley Berkeyheiser, CCSFP, CHQP, a Senior Assessor for DirectTrust.