Disadvantages of Spreadsheets – Obstacles to Compliance in the Healthcare Industry

Most of the regulatory compliance issues we talked about concerning spreadsheets have been related to financial data. But there are other kinds of data that are stored in spreadsheets which may also cause regulatory problems in the future.

In the US, a legislation known as HIPAA or Health Insurance Portability and Accountability Act is changing the way health care establishments and practitioners handle patient records. The HIPAA Privacy Rule is aimed at protecting the privacy of individually identifiable health information a.k.a. protected health information (PHI).

Examples of PHI include common identifiers like a patient’s name, address, Social Security Number, and so on, which can be used to identify the patient. HIPAA covers a wide range of health care organisations and service providers, including: health plan payers, health care clearing houses, hospitals, doctors, dentists, etc.

To protect the confidentiality, integrity, and availability of PHI, covered entities are required to implement technical policies such as access controls, authentication, and audit controls. These can easily be implemented on server-based systems.

Sad to say, many health care organisations who have started storing data electronically still rely on spreadsheet-based systems. Those policies are hard to implement in spreadsheet-based systems, where files are handled by end-users who are overloaded with their main line of work (i.e. health care) and have very little concern for data security.

In some of these systems, spreadsheet files containing PHI may have multiple versions in different workstations. Chances are, none of these files have any access control or user authentication mechanism whatsoever. Thus, changes can easily be made without proper documentation as to who carried out the changes.

And because the files are normally easily accessible, unauthorised disclosures – whether done intentionally or accidentally – will always be a lingering threat. Remember that HIPAA covered entities who are caught disclosing PHI can be fined from $50,000 up to $500,000 plus jail time.

But that’s not all. Through the HITECH Act of 2009, business associates of covered entities will now have to comply with HIPAA standards as well. Business associates are those companies who are performing functions and services for covered entities.

Examples of business associates are accounting firms, law firms, consultants, and so on. They automatically need to comply with the standards the moment they too deal with PHI.

More Spreadsheet Blogs

Spreadsheet Risks in Banks

Top 10 Disadvantages of Spreadsheets

Disadvantages of Spreadsheets – obstacles to compliance in the Healthcare Industry

How Internal Auditors can win the War against Spreadsheet Fraud

Spreadsheet Reporting – No Room in your company in an age of Business Intelligence

Still looking for a Way to Consolidate Excel Spreadsheets?

Disadvantages of Spreadsheets

Spreadsheet woes – ill equipped for an Agile Business Environment

Spreadsheet Fraud

Spreadsheet Woes – Limited features for easy adoption of a control framework

Spreadsheet woes – Burden in SOX Compliance and other Regulations

Spreadsheet Risk Issues

Server Application Solutions – Don’t let Spreadsheets hold your Business back

Why Spreadsheets can send the pillars of Solvency II crashing down

amazon.co.uk

amazon.com

Check our similar posts

Symbion Pharmacy Services? Definition of Responsibility

A ?symbion? is an organism in a symbiotic (i.e. mutually beneficial) relationship with another one. In the case of Australia?s giant Symbion Pharmacy Services, this means supplying and delivering over-counter Chemmart medicines to more than 3,000 hospital and retail pharmacies, while remaining mindful of its carbon footprint.

In 1999, the company with the tagline ?life matters? and a desire to be seen as ?a good corporate citizen? decided it was time to measure exactly what it was pumping out from 12 facilities and over 200 vehicles. This was a voluntary decision as even now there is still no carbon emissions law in Australia (although no doubt being a ?first mover? will put the company in a competitive position when this inevitably comes).

Symbion decided to install emission detection devices and connect these to a central monitoring system with the intention of managing what these measured. There were two stages to this process. First, Symbion determined its reporting requirements based on one of its larger warehouses. Following that, it established a carbon footprint for each of its wholly owned and managed facilities. This put it in a position to:

Analyse total emissions down to a level of detail where it understood the contribution of each source
Use big data management tools to identify carbon hotspots for priority remedial action
Inform the affected workforce, explain the monitoring system and keep them in the loop
Separately manage energy abatement programs such as lighting and delivery routes

The program also had productivity spin-offs in that it focused management attention on the processes behind the emissions that were ripe for material and system improvements. It also provided marketing leverage. Symbion?s customers are in the wellness business, ahead of the curve when it comes to how emissions contribute to chronic illness, and aware of the cost of this in terms of human capital.

EcoVaro could help you manage your throughputs by analysing your data on our cloud-based system. This includes trending your metrics, comparing them to your industry seasonal average, and providing you with a business-like view of how well you are doing.

Our service reduces your reliance on (and the cost of) third party audits, and simplifies the reporting process to your controlling authority. It simply makes more sense to contract your software out this way, and only pay for it when you need it.

What is Servitisation?

In the current generation, innovation has transformed industries, businesses, economies, and livelihoods. Those who’ve accepted to embrace the changes have prospered and remained afloat and relevant in their respective industries.?

However, failure to embrace change has seen companies like Blockbuster pushed out of business by more innovative and technology-oriented companies like Netflix.?

What does this tell you?

That the only way to stay in business, despite the many challenges your business could be facing, is to remain alert to the dynamic demands of customers, many of which are dictated by technological advancements.?

So, if you’re a manufacturer and you’re keen on diving deeper into technology to stay on top of the game and beat your competition, you must also be expectant of the fast-approaching servitisation-centred economy. Companies like Rolls Royce that have already embraced servitisation are making great gains in their areas of expertise.?

What is Servitisation?

Servitisation can be defined as the transformation of a manufacturing firm from the mere offering of products to the market to providing innovative and invaluable services alongside their products. By so doing, the sale becomes an ongoing engagement and not a one-off event. Cranfield University professors call it “the innovation of an organisation’s capabilities and processes to better create mutual value through a shift from selling a product to selling product-service systems.”?

As foreign as it may seem for some professionals, servitisation has been a need that, though not embraced, its demand remains evident. Nonetheless, firms have hesitated to implement it. Shifting from manufacturing products only to incorporating product-centric services alongside the products is not a walk in the park. It boils down to completely changing the company’s entire structure and processes.

All the same, change is never comfortable, and that’s why it’s always best to focus on the positive for motivation.

Servitisation Case Study

Some manufacturing firms have already embraced servitisation, and they’re reaping big from it. They’ve understood the benefits of offering more value to customers at less cost. What Rolls Royce is doing currently with its “power-by-the-hour” program is a good example of servitisation.

Instead of selling Aero Engines and letting customers take charge of maintenance and uptime, Rolls-Royce now offers a full package that includes a product and relevant services.?

Essentially, what the company is creating is an intimate and long-term relationship with its customers.

The total care package by Rolls Royce means it’s essentially renting out its engines to customers and monitoring data for potential maintenance needs. The plan guarantees that maintenance is only done when necessary and avoidable damage detected in good time. As a result, there is a clear reduction in the overall cost.

Initially, Rolls Royce would make money by basically selling and repairing engines. That meant that the worse the engines, the more repairs required and the more the money the company would make.?

However, things changed when the company realised there is no demand for a product that’s constantly in the repair shop. That prompted Rolls Royce to embrace servitisation.

Servitisation aligns the interests of the customer and those of the manufacturer to ensure everyone benefits. Rolls Royce has been offering this package to airlines since 2010, and the company has seen significant returns as a result.

Benefits

There are several benefits of incorporating servitisation into your manufacturing firm. Below are three of the strongest benefits

Financial Stability– Servitisation establishes a more secure revenue stream because of the long term connection between manufacturer and customer. This also translates to loyal customers, meaning more profit.
Strong Customer Retention Rate– Being more experienced about the equipment and the constant tracking and monitoring that comes with servitisation; manufacturers are realising that they can keep more customers.
Selling a Solution And a Product– Today customers are not just looking to buy a product, instead, they want both the product and the solution to their problem. Meaning you make more money for the product you manufacture and the service you offer to your customers.

Implementation of Servitisation in the Industry

To effectively implement servitisation, there must be an effective two-way flow of information and data in the supply chain. Meaning you may require software like FieldElite for scalable condition monitoring of performance. With FieldElite, for example, servitisation is made easier for you because it enables you to monitor the performance of your assets remotely.

Maintenance and monitoring of assets were traditionally very expensive and time-consuming until the arrival of intelligent software that makes work easier and cost-effective for manufacturers. FieldElite uses advanced learning algorithms to remotely automate the entire process, allowing you to detect, in real-time, the performance and need for maintenance on your asset.

Required Organisational Changes

A few important steps include;

Companies that invest in continuous training and development always have a more competitive edge than their counterparts. Meaning an important step towards servitisation is training the workforce. This is important, considering that the company structure, focus, and process will have to change.

Set up a team that is focused on the challenge, change, and creation. With this, you can easily adjust to industry changes. The team should always work on knowing what should be adjusted and when it should be.?

In the shift to servitisation, adopting a comprehensive service technology is an important step. Such service technology software includes FieldElite. This technology will ensure that you’re able to monitor your product in real-time, meaning you can maintain good performance for as long as possible.

Because servitisation essentially focuses on the customer, take time to study customer behaviour. Knowing what your customers need and want will help you remain relevant in the industry.

Conclusion

As the demand for more benefits and long-lasting relationships with dealers grow, so is the need for manufacturers to adjust. Hence more and more manufacturing companies are leaning towards embracing servitisation as a solution to the growing demand.?

In turn, manufacturers who’re attaching service contracts to their product sales are making more than those who remain stuck in the traditional approach to sales.?

Essentially, servitisation will ensure that, as a manufacturer, you remain relevant to your customers now and in years to come. This is a much better arrangement in terms of saving costs and making more returns. Remember to be successful, you have to be flexible enough to change with demand.

How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.