AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)
TRANSCRIPT
![Page 1: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/1.jpg)
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chris Whalley - AWS Medical Security Team Lead
Mitsuhiro YANO - Senior Planner, Information Solution, Sysmex Corporation
November 29, 2016
SAC314
Common Considerations for Data Integrity Controls in Healthcare
![Page 2: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/2.jpg)
What to expect from the session
Overview of Data Integrity in Healthcare
Applying Data Integrity in GxP Medical Systems
Top 10 Data Integrity Controls
![Page 3: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/3.jpg)
Protected health information: HIPAA*
Human subject research data: IRB
Controlled access genomic data: dbGaP
Part 11 electronic records and electronic signatures: GxP
Personal health records: FTC
AWS Healthcare Security Assurance Scope
Customer Content
PRIVACY / Integrity / Availability
![Page 4: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/4.jpg)
| | RISKS | CONTROLS | FOCUS |
|---|---|---|---|
| PRIVACY / CONFIDENTIALITY | Loss of privacy, unauthorized access, theft | Encryption, authentication, access controls | Information security |
| INTEGRITY | Data is no longer reliable or accurate, fraud | Maker/checker, quality assurance, audit logs | Operational controls |
| AVAILABILITY | Work disruption, inability to make data-driven decisions, loss of user confidence, regulator penalties | BCP plans and tests, backup storage, capacity planning | Business continuity planning |
![Page 5: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/5.jpg)
Data Integrity in Healthcare and Life Sciences
Human safety decisions based on data require that the data be trustworthy.
Attributable
Legible
Contemporaneous
Original
Accurate
![Page 6: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/6.jpg)
Define: Data
Scientific Data
Applies to: Business Process, Software Application
Examples:
pH of chemical solution is 6.6
Severe reactions from new drug product were significantly reduced compared to old drug product (p<0.001)
Computer Data
Applies to: Virtualized Infrastructure, Infrastructure Software Tools, Physical Infrastructure
Examples:
5 (decimal) = 101 (binary)
1 KB = 1,024 bytes
File object SHA1 checksum: B0FADEC093EEC1F0DA5695A5106B5E845CF8E2E9
![Page 7: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/7.jpg)
Regulator View on Data Integrity
Data was not reviewed & evaluated by your firm when making batch release decisions
Regulators published 5 new data integrity guidance documents in last 12 months
In 2015, 79% of FDA warning letters involving data integrity were issued to international firms
![Page 8: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/8.jpg)
Data Integrity Bits on a disk>
![Page 9: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/9.jpg)
Applying Data Integrity Principles
Controls for Humans:
Training for System Users & Developers
Policies & Procedures for…
o IT Purchasing
o DevSecOps & Computer Validation
o Data Monitoring & Review
(Diagram layers: App, Virtual Infrastructure, AWS Products, System Users, Healthcare Protocol, Data)
![Page 10: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/10.jpg)
Applying Data Integrity Principles
Controls for Machines:
I/O checks between machines and services
Logging data access, use, and modification
Access controls
Top 10 coming after systems
(Diagram layers: App, Virtual Infrastructure, AWS Products, System Users, Healthcare Protocol, Data)
![Page 11: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/11.jpg)
![Page 12: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/12.jpg)
Corporate Philosophy
Shaping the advancement of healthcare
systematical + medics + x
![Page 13: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/13.jpg)
Who are we?
![Page 14: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/14.jpg)
Where do we operate?
Care flow shown: Interview/Palpation, Clinical Testing, Diagnosis / Treatment, Complete Recovery
Clinical Testing:
In-Vivo Diagnostics: Image Scanning, Respiratory function testing, Ultrasonography, etc.
In-Vitro Diagnostics: Blood testing, Immunochemistry testing, Clinical chemistry testing, etc.
Patient room: Test equipment operable at bedside minimizes patient discomfort
Operating room: Compact test equipment ready for emergency tests during surgery
Examination room: Examination (interview) and testing performed simultaneously; rapid confirmation of doctor's diagnosis
Laboratory: High-quality and efficient testing; comprehensive analysis of patient's blood and urine
![Page 15: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/15.jpg)
Sysmex at a Glance
[Chart: Net Sales (million $), Operating Income and Net Income (million $), '00 to '15; "28th" label]
[Chart: Sales by Region: Japan, Americas, AP, EMEA, China (shares shown: 15.7%, 23.6%, 27.0%, 25.7%, 7.9%)]
![Page 16: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/16.jpg)
Missions - Information Solution Dep.
IT Headquarters
IT Strategy
Development
System Operation
On-going Support
![Page 17: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/17.jpg)
User Requirements for Infrastructure
Follow-the-sun Support / Security / Agility
![Page 18: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/18.jpg)
To leverage Cloud
Security Guideline
Understanding Cloud Service
Check Sheet
Security Policy
![Page 19: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/19.jpg)
AWS Assessment
Market Leader / Listen to Users / Large Community
![Page 20: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/20.jpg)
Quality Complaint Management Project
![Page 21: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/21.jpg)
Considerations for Infrastructure
Global Network / Required Availability / Long Term Data storage
![Page 22: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/22.jpg)
Project Schedule: OND 15, JFM 16, AMJ 16, JAS 16, OND 16
Phases: Feasibility, Decision, Sandbox, DEV, VER / PROD; Validation
Hardware Era: Protocol-driven manual activities
Virtualization Era: Procedure-driven manual activities
Cloud Era: Code-driven automated activities
![Page 23: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/23.jpg)
White Paper
AWS Reliability Study
![Page 24: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/24.jpg)
ISO 27001
7.3 Support your ISMS by making people aware of their responsibilities
8.1 Carry out operational planning and control processes
9.1 Monitoring, measurement, analysis and evaluation
9.3 Management Review
"AWS Reference"
6.3 Performing Maintenance and Checking Management
(1) The Operation Manager should have persons in charge conduct maintenance, and record and retain its results.
6.5 Backup and Restore
The Operation Manager should have the designated persons conduct the following activities in accordance with the Operations Management Code, etc.
(1) Backup (2) Restore (3) Document and retain records
ISO 9001
4.2 Documentation requirements
4.2.1 General
4.2.2 Quality manual
5.3 Quality Policy
9.3 Management Review
SOC1/2 Check upon NDA with AWS
![Page 25: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/25.jpg)
"AWS Reference"
Common Rules
Supplier
A Lifecycle Model of Computerized Systems - Appendix 1
![Page 26: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/26.jpg)
On-going Operation Management
Highly-reliable operations / Game Change
![Page 27: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/27.jpg)
System Architecture / Validation Target
![Page 28: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/28.jpg)
System Architecture / Validation Target
![Page 29: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/29.jpg)
System Architecture / Validation Target
![Page 30: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/30.jpg)
Validation Activities - Recap
IQ Effort / Operation Planning / Procurement
Automation Support Needed / Leverage Third-party Certificate
![Page 31: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/31.jpg)
Special Thanks to docomo Cloud Package: AWS Environment Set-up, Validation Activities, Document Support
![Page 32: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/32.jpg)
Key Learning and To move forward
Infrastructure Choice / Listen to Users / Large Community
With the latest available resources / Eco-system Development / More GxP friendly functions
![Page 33: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/33.jpg)
Shaping the advancement of healthcare
![Page 34: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/34.jpg)
1. Use risk-based software design and testing
| AWS features and controls | Customer guidance |
|---|---|
| AWS enables customers to retain control of business process, data, applications, and virtual infrastructure | Use your risk assessment to identify the impact of data integrity risks to your product or service |
| AWS provides user-configurable infrastructure software tools with features to address a wide range of data risks | Use AWS documentation, support, and partners to define the software design and testing controls needed to mitigate your risks |
![Page 35: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/35.jpg)
2. Restrict data access
| AWS features and controls | Customer guidance |
|---|---|
| AWS implements physical infrastructure access controls that are validated by third-party auditors | Review AWS audit reports; implement physical access controls to your assets & user environment |
![Page 36: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/36.jpg)
2. Restrict data access
| AWS features and controls | Customer guidance |
|---|---|
| AWS provides data access control features in infrastructure software tools that are validated by third-party auditors | Implement your virtual infrastructure access controls using AWS features in IAM, Amazon VPC, AWS Directory Service, and other AWS products; implement your software access controls using AWS SDKs |

(Products shown: AWS Identity and Access Management, AWS SDKs, AWS Directory Service, Amazon Virtual Private Cloud (VPC))
![Page 37: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/37.jpg)
3. Restrict audit trail access
| AWS features and controls | Customer guidance |
|---|---|
| AWS implements physical infrastructure access controls that are validated by third-party auditors | Review AWS audit reports; implement physical access controls for your on-premises infrastructure and mobile devices |
| AWS provides audit trail access control features in infrastructure software tools like AWS CloudTrail that are validated by third-party auditors | Review AWS audit reports; implement your virtual infrastructure audit trail access controls using AWS features in IAM, VPC, Directory Service, and other AWS products; implement your software audit trail controls using AWS SDKs |
![Page 38: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/38.jpg)
4. Record data contemporaneously
| AWS features and controls | Customer guidance |
|---|---|
| AWS provides time-stamped audit trail control features in infrastructure software tools | Enable virtual infrastructure audit trail features in AWS products like CloudTrail, CloudWatch, and Config |
| AWS provides time zone control features in infrastructure software tools | Configure virtual infrastructure time zone control features in AWS products like RDS, EC2, and others |
| AWS provides SDKs | Implement software time-stamped audit trails; synchronize software time-stamped audit trails across time zones; ensure that software logic commits data to storage at time of activity |
![Page 39: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/39.jpg)
5. Control blank paper forms
| AWS features and controls | Customer guidance |
|---|---|
| AWS provides flexible, low-cost infrastructure software tools and SDKs that enable rapid development and testing of highly secure software | Replace paper forms with secure electronic data capture software |
![Page 40: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/40.jpg)
6. Periodically review a sample of audit trails, data, and metadata
| AWS features and controls | Customer guidance |
|---|---|
| AWS provides infrastructure software tools like AWS Lambda and Amazon SNS that enable customers to build continuous monitoring solutions | Define validation rules (functions) and triggers (events) for data; define notification groups for failed validations; implement validation functions, events, and notification rules in AWS products |
| AWS Marketplace partners can provide out-of-the-box solutions for continuous monitoring of audit trails, data, and metadata | Find and try partner solutions in the AWS Marketplace |
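As an added illustration (not code from the talk, AWS, or Sysmex) of slide 4's contemporaneous, time-stamped audit trail and slide 6's validation functions with failure notifications, the sketch below keeps an append-only, hash-chained audit trail in UTC and applies a sample validation rule to a record. The field names, the pH rule and the notification group are constructed assumptions, not anything from the deck.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first event


def utc_now_iso():
    """Contemporaneous timestamp: always UTC, never local wall-clock time."""
    return datetime.now(timezone.utc).isoformat(timespec="microseconds")


def append_event(trail, user, action, record, ts=None):
    """Append an attributable, time-stamped, hash-chained event.

    Each event's hash covers the previous event's hash, so a later edit
    to any earlier entry breaks the chain and is caught by verify_trail().
    """
    prev = trail[-1]["hash"] if trail else GENESIS
    event = {
        "seq": len(trail),
        "ts_utc": ts or utc_now_iso(),   # recorded at time of activity
        "user": user,                     # attributable to a person/system
        "action": action,
        "record": record,                 # original data, stored verbatim
        "prev_hash": prev,
    }
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    event["hash"] = hashlib.sha256(payload.encode()).hexdigest()
    trail.append(event)
    return event


def verify_trail(trail):
    """Return (ok, first_bad_seq), recomputing every link of the chain.

    Limitation: silent removal of trailing events is not detected unless
    the latest hash is also retained somewhere the writer cannot change.
    """
    prev = GENESIS
    for i, ev in enumerate(trail):
        body = {k: v for k, v in ev.items() if k != "hash"}
        if body.get("prev_hash") != prev or body.get("seq") != i:
            return False, i
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        if hashlib.sha256(payload.encode()).hexdigest() != ev["hash"]:
            return False, i
        prev = ev["hash"]
    return True, None


# Validation rule (constructed): what a data-change trigger would run.
RULES = {"ph": lambda v: isinstance(v, (int, float)) and 0.0 <= v <= 14.0}
NOTIFY_ON_FAILURE = ["qa-reviewers@example.invalid"]  # constructed group


def validate_record(record):
    """Apply rules; return (failed_fields, recipients to notify)."""
    failures = [f for f, rule in RULES.items() if not rule(record.get(f))]
    return failures, (NOTIFY_ON_FAILURE if failures else [])


if __name__ == "__main__":
    trail = []
    append_event(trail, "analyst01", "create", {"sample": "S-001", "ph": 6.6})
    append_event(trail, "analyst02", "review", {"sample": "S-001", "status": "ok"})
    print(verify_trail(trail))            # (True, None)
    trail[0]["record"]["ph"] = 7.2        # silent edit of the original value
    print(verify_trail(trail))            # (False, 0)
    print(validate_record({"sample": "S-002", "ph": 15.1}))
```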
![Page 41: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/41.jpg)
7. Retention of full audit trails
| AWS features and controls | Customer guidance |
|---|---|
| AWS provides infrastructure software tools like CloudTrail and CloudWatch that produce virtual infrastructure audit trails in a fully portable format | Review and revise record retention schedule; configure CloudWatch and CloudTrail; retain virtual infrastructure audit trails wherever you want for as long as you want |
| AWS provides infrastructure software tools like Amazon S3 and Amazon Glacier for storage and retention of audit trails | Configure and use storage tools for virtual infrastructure and software audit trails |
![Page 42: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/42.jpg)
8. Validate regulated software applications
| AWS features and controls | Customer guidance |
|---|---|
| AWS certifies our infrastructure software tools to commercial-off-the-shelf (COTS) product standards | Review AWS audit reports for ISO, SOC, and NIST |
| AWS provides features to create and enforce "gold standard" virtualized infrastructure resources | Configure AWS features like EC2 AMIs and CloudFormation Templates |
| AWS provides features to automate creation and error reporting of infrastructure resources | Review and revise your infrastructure qualification SOPs; configure AWS features like CloudTrail |
| AWS enables customers to retain control of application SDLC | Follow your existing software validation process |
![Page 43: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/43.jpg)
9. Senior management is responsible for implementing data governance
| AWS features and controls | Customer guidance |
|---|---|
| AWS Partner Network and AWS Professional Services provide consultations for data governance and cloud adoption strategies | Seek advice for your cloud adoption plan |
| AWS provides industry-specific case studies and customer workshops | Review case studies and attend workshops with others in your industry |
| AWS offers online documentation, self-paced training labs, in-person classes, and user certification programs | Provide your team with opportunities to develop their cloud competencies |
![Page 44: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/44.jpg)
10. Senior management should encourage an open culture for reporting errors
| AWS features and controls | Customer guidance |
|---|---|
| AWS provides information and training resources about DevOps and DevSecOps methodologies that encourage continuous improvement | Review our DevOps and DevSecOps resources |
| AWS operates an open culture for reporting errors and continuous improvement | Ask us how AWS teams work together and use the Amazon leadership principles to encourage open culture for reporting errors |
![Page 45: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/45.jpg)
Thank you!
![Page 46: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/46.jpg)
Remember to complete your evaluations!
![Page 47: AWS re:Invent 2016: Common Considerations for Data Integrity Controls in Healthcare (SEC314)](https://reader034.vdocuments.us/reader034/viewer/2022051521/586f7afb1a28ab10258b75c3/html5/thumbnails/47.jpg)
Related sessions