Ensuring patients receive the best medical care is the goal of medical legislation. A&S takes the pulse of what's on the books for health care security.
Nearly all countries have legislative mandates covering health care institutions. These mandates govern security as well, making them key benchmarks for technology.
U.S. and U.K. Mandates
As one of the most populous nations in the world, the United States has passed a number of health-related laws to care for its citizens. Several accreditation organizations are in place, including the Joint Commission; Community Health Accreditation Program; Accreditation Commission for Health Care, Inc.; The Compliance Team; Healthcare Quality Association on Accreditation; and TüV Healthcare Specialists.
In Britain, hospitals must conform to National Health Service standard security building regulations, said Andrew Fulton, Business Development Director of Tyco International's CEM Systems.
The Joint Commission releases standards on health care technology. "When Joint Commission started the standards, security and safety were together," said Evelyn Meserve, Executive Director of the International Association for Health Care Security and Safety. "Over the years as the needs in both areas expanded, they were separated. Now they have been combined again to simplify the standards. IAHSS members feel this is a setback and potentially could take focus away from the very specific needs in each area."
Access for all patients is the focus of the Americans with Disabilities Act. The act requires facilities to be as accessible as possible, whether by building wheelchair-friendly ramps or installing automatic doors, ensuring all patients can receive medical attention.
Another patient concern is privacy, covered by HIPAA (U.S. Health and Human Services Law 104-191). It requires health care providers to protect the privacy of patient health records, but it also covers physical security. "It includes provision for visitor sign-in, access to equipment with health information, and storage hardware destruction," said Mike Bliss, Honeywell Senior Marketing Manager.
A law more commonly associated with the notorious Enron scandal also affects health care security. "The Sarbanes-Oxley Act of 2002 is legislation enacted to protect shareholders of a corporation and the general public from accounting errors and fraudulent practices in the enterprise," Bliss said. "Administered by the Securities and Exchange Commission (SEC), Sarbanes-Oxley defines which records are to be stored and for how long."
This directly affects how patient records are stored. "The legislation not only affects the financial side of corporations, but also affects the IT departments whose job it is to store a corporation's electronic records," Bliss said. "IT departments are increasingly faced with the challenge of creating and maintaining a corporate records archive in a cost-effective fashion that satisfies the requirements put forth by the legislation."
Electronic medical files on smart cards make data regulations even more pertinent. Texas adopted state-wide Medicaid health insurance smart cards in December 2007, after a successful pilot. As more states consider similar smart card rollouts, with some countries already deploying national health insurance cards, safeguarding the data on physical smart cards will likely see further regulation.
Securing patient records forms a focus for health care legislation in the Netherlands as well.
"Nictiz — the National IT Institute for Healthcare in the Netherlands — is the national coordination point and knowledge centre for IT and innovation in the health care sector," said Werner Hulst, Business Unit Manager Care Solutions, Isolectra Netherlands.
Several laws specifically govern health care, such as AORTA. Not a chamber of the heart, it stands for a national infrastructure for electronic communication and data exchange between health care organizations, said Marieke Vermaa, Care Consultant, Isolectra Netherlands. "Goed beheerd zorgsysteem" (well-managed care system) refers to high quality standards, such as the standardization of messages, safety guidelines, and performance and availability demands.
Another health guideline is NEN 7510, developed by NEN, the Dutch standardization institute. It specifies information security for the management and exchange of medical information, Hulst said, ensuring only authorized parties have access to it.
As technology changes, corresponding legislation to regulate it will be passed. The advent of networking has raised the profile of logical security laws, as thousands of records could be compromised without the proper safeguards in place. All health care laws boil down to one aim: to protect a patient's rights and well-being.