SE Radio 639: Cody Ebberson on Regulated Industries
Cody Ebberson, CTO of Medplum, joins host Sam Taggart to discuss the constraints that working in regulated industries add to the software development process. They explore some general aspects of developing for regulated industries, such as healthcare and finance, as well as a range of specific considerations that can add complexity and effort. Cody describes how translating regulatory requirements into test specifications and automating those tests can help streamline software development in these regulated environments. Brought to you by IEEE Computer Society and IEEE Software magazine.
Show Notes
Related Episodes
- SE Radio 523: Jessi Ashdown and Uri Gilad on Data Governance
- SE Radio 571: Jeroen Mulder on Multi-Cloud Governance
- SE Radio 342: István Lam on Privacy by Design with GDPR
Transcript
Transcript brought to you by IEEE Software magazine and IEEE Computer Society. This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number.
Sam Taggart 00:00:35 This is Sam Taggart for SE Radio. I’m here today with Cody Ebberson to talk about navigating regulated environments. Cody is a co-founder and CTO of Medplum, a developer platform that provides tools for security, interoperability and compliance in the healthcare sector. Cody began his career as a software development engineer at Microsoft over 15 years ago and has since held various roles in a variety of healthcare related tech companies such as director of engineering, COO and CEO. Welcome.
Cody Ebberson 00:01:01 Thanks Sam. Happy to be here.
Sam Taggart 00:01:03 Yeah. So we’re going to talk about regulated industries. Why don’t we start by just defining what we mean by regulated industries?
Cody Ebberson 00:01:09 Yeah, it’s a great question. I think it applies in quite a few different places. Typically, people think of it as, I mean, everywhere has regulations, but when we think of excessively regulated or high regulation, it’s places like healthcare or finance or security where there’s quite a few additional layers of requirements to make sure that you’re meeting legal requirements, ethical requirements, you’re protecting user rights, user data, user safety, and they’re all over the place. And I think there’s regulation everywhere, but maybe there’s a spectrum of some that are more or less regulated.
Sam Taggart 00:01:40 Yeah, I was going to say a lot around financial stuff I imagine and personal information and those type of things as well.
Cody Ebberson 00:01:47 Absolutely, yep. Certainly compared to something like video games where, it’s fun, but when you’re talking about financial data or healthcare data, I think people have a higher expectation of reliability and security.
Sam Taggart 00:01:57 Yeah. So who makes these regulations? Like where do they come from?
Cody Ebberson 00:02:01 That’s a great question. It’s typically a government or an industry standards body. So in our case, we’re primarily in healthcare. It’s usually originating from healthcare government bodies like HHS, Health and Human Services. And they provide a whole bunch of different regulations. Most famously HIPAA, but there’s quite a long list. There’s also quite a few industry standard bodies and customers will often dictate those. So where the government might not fully regulate something, the market ends up filling those as well.
Sam Taggart 00:02:30 Is that like the, what is it, PCIS or the credit card?
Cody Ebberson 00:02:33 It’s finance. Yeah, PCIS. Like SOC 2 is a big one to make sure that you have adequate data and security controls and those are typically driven by the market.
Sam Taggart 00:02:42 And what are these regulations generally trying to prevent?
Cody Ebberson 00:02:45 I think there’s a lot of it that’s, you might hear about it and think, well that’s kind of common sense, right? Like that the user’s data is being adequately protected, that you have sufficient controls to make sure that like a rogue software engineer can’t go and steal data or do something malicious. That it’s protecting the user’s data to protecting the user’s safety on the ethical side, not that you can truly regulate ethics, but trying to codify those into systems so that the software is going to be reliable. I mean I think the CrowdStrike attack from what that last week was or two weeks ago, was a notable one of there was a lot of damage that was financial damage, human time wasted. Those regulations are often put in place to try to protect against incidents like that.
Sam Taggart 00:03:27 So how do regulations vary over geography and what challenges have you run into with that?
Cody Ebberson 00:03:33 That’s a great question. Regulations are often quite different across country boundaries. The US healthcare system is perhaps one of the largest healthcare systems. It has its own idiosyncratic regulations, but there are quite a few that go across international boundaries as well. For example, sometimes there’s data format requirements and there’s regulations to try to improve interoperability across those different systems. There is a push from the ISOs so there are many of these ISO standards now which are an attempt to try to standardize and regulate as an international standards body. There’s a long list of the ISO standards and the US government is oftentimes steering into those to align with like the rest of the world.
Sam Taggart 00:04:14 So in the US we have the federal government, we also have state governments. Do you notice any differences between states that apply to healthcare in particular since that’s your area?
Cody Ebberson 00:04:23 There’s definitely a lot of state level requirements for the practice of medicine, so on doctors and nurses and the variety of different rules. As a healthcare provider with regards to healthcare technology, the rules are typically pretty similar. One thing that’s interesting for healthcare is there’s the notion of an HIE and Health Information Exchange, which allows regional hospitals to share data with each other. And you can kind of think of those like a homeowner’s association where they have all their special rules that define who can share what data between different hospitals. And that’s very, very regional, but not typically so much from the state at that point. It’s typically going to be the market driving those rules.
Sam Taggart 00:05:01 So have you ever encountered regulations that are at odds with each other and what do you do in those situations?
Cody Ebberson 00:05:07 That’s a great question. In healthcare, a good example of this would be the US government involved. A lot of governments are now pushing the right to be forgotten, for patients to be able to request their data to be deleted and purged and which is a very sensible consumer protection. But then on, if you think about the medical legal liability requirements where you have to retain many of your records for seven years and up to 18 years in some cases. So now you have to retain records for legal purposes. And those two are totally at odds with each other in practice. Those don’t come into conflict very often. And when they do, that’s when you call up your lawyers and try to figure out how you’re going to handle that. Putting data into vaults or escrow or trying to semi anonymize data. It’s often a long and complicated process, but when the conflicts come, you typically get the lawyers involved.
Sam Taggart 00:05:53 Yeah, I was going to say, I would imagine if you told your doctor you were allergic to something, you would probably want him to remember that.
[...]