THE FIVE ELEMENTS OF AN EFFECTIVE HIPAA AUDIT PREPARATION PROGRAM

Similar documents
table of contents INTRODUCTION...3 CHAPTER 1: WHAT IS HITRUST?...4 CHAPTER 2: THE BENEFITS OF USING HITRUST...6

The Relationship Between HIPAA Compliance and Business Associates

Top 5 Must Do IT Audits

From the Front Lines: Navigating the OCR Phase 2 HIPAA Audits

HITRUST CSF Assurance Program. The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance

How to Finish the HIPAA Security Risk Analysis and Meaningful Use Risk Assessment

OCR Audits: 2012 Results Overview

Privacy Officer s Guide to Evaluating Cloud Vendors

a physicians guide to security risk assessment

CONSULTING & CYBERSECURITY SOLUTIONS

HITRUST CSF Assurance Program

Collaboration with Business Associates on Compliance

Managing the Business Associate Relationship: From Onboarding to Breaches. March 27, 2016

CRISC EXAM PREP COURSE: SESSION 4

Unified SaaS Solution for Cybersecurity and Risk. Curran Data Technologies

Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?

Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?

HIPAA Demystified: Strategies to Bullet Proof Your Compliance Plan. Chris Apgar, CISSP Ron Moser, CISA, CRISC

Clearwater and Encompass Case Study Creating an OCR-Quality Risk Management Plan

View the Recording. Webinar: Accounting of Disclosures: Practical Approaches & Enforcement Update. November 17 th, FairWarning, Inc.

2017 Healthcare Compliance Benchmark Study

RSA ARCHER IT & SECURITY RISK MANAGEMENT

Big Data, Security and Privacy: The EHR Vendor View

Simple, Scalable, Real-time Protection

Driving Accountability Through An Effective Risk Register

Preparing for an OCR Audit: What is Expected of You

Navigating the New Health Economy

THE STATE OF DATA SHARING FOR HEALTHCARE ANALYTICS :

How to Secure Your Healthcare Communications in a World of Security and Compliance Threats

Strengthening Vendor Risk Management Program

ADDING VALUE BY AUDITING HEALTH INFORMATION IMPLEMENTATIONS ALEX ROBISON DAVID ZAVALA

IT Risk Advisory & Management Services

Update on Audits of Entity Compliance with the HIPAA Rules

Best Practices: Effective Program Implementation

PCI Toolkit

Adopting HITRUST as the Backbone of Your Information Security Program. Mangoné Fall, Kelly Robertson, Sean Murphy

SOLUTION BRIEF HELPING ADDRESS GDPR CHALLENGES WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

They re Back! Phase 2 OCR Audits Are Underway

Praticamente GDPR Spike Reply PART 1

Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP Senior Manager, Wipfli Risk Advisory Services OBJECTIVES

Why BSI? Our products and services. To find out more visit: bsigroup.com/en-au. Conclusion

RSA ARCHER INSPIRE EVERYONE TO OWN RISK

REGULATORY HOT TOPIC Third Party IT Vendor Management

Securing Intel s External Online Presence

GDPR. Are you ready for the GDPR countdown?

IBM Data Security Services for activity compliance monitoring and reporting log analysis management

GDPR and Microsoft 365: Streamline your path to compliance

Welcome to today s Live Event we will begin shortly. Please feel free to use Chat or Q&A to tell us any burning questions you may have in advance

PREVENTING FRAUD. Take-and-Use Guidelines for Chubb Crime Insurance Customers

Pega Care Management for Healthcare

Financial Supply Chain Transactions: The Rising Importance of Information Protection and Secure Connectivity for Data Exchange

Expert Reference Series of White Papers. ITIL Implementation: Where to Begin

Visualize Your Compliance

Mind the Gap: GDPR Ahead. Rakesh Sancheti. Author. July Vice President and Business Head - Analytics, Europe and Nordic

BUILDING A BUSINESS CASE FOR PAPERLESS TREASURY SOLUTIONS

Achieve Continuous Compliance via Business Service Management (BSM)

Data rich governance. Three keys to leading consumer data and information practices. kpmg.com

White paper. Taking the pain out of data migrations

Does Audit Make us Secure? A practical response

Accelerate GDPR compliance with the Microsoft Cloud Henrik Mønsted

PREVENTIA. Where security begins... Five Best Practices of Vendor Application Security Management

GDPR BEST PRACTICES ESSENTIAL PROCESSES TO MEET THREE KEY OBLIGATIONS

Security Monitoring Service Description

SOLUTION BRIEF HELPING PREPARE FOR RISK ASSESSMENT & COMPLIANCE CHALLENGES FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

MATURITY MODEL SNAPSHOT REGULATORY & CORPORATE COMPLIANCE MANAGEMENT

What does the GDPR mean for recruitment?

Why Your SIEM Isn t Adding Value And Why It May Not Be The Tool s Fault Co-management applied across the entire security environment

Completing the ERM Circle

Ensuring the health of endpoints in healthcare IT

Role Based Access Governance and HIPAA Compliance: A Pragmatic Approach

AS/NZS 4801 and OHSAS Your implementation guide

IAASB Main Agenda (July 2007) Page Agenda Item

Assessments for Certified and Non-Certified Vendors

Contingency Planning

Latest update March Final Standard. ISO Understanding the new international standard for Occupational Health & Safety.

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

CITY & GUILDS SCOTLAND EMPLOYEE TRAINING ACCREDITATION

Case Study. How Gemalto s Trust ID Network is revolutionizing self-sovereign digital identities by leveraging R3 s Corda blockchain platform

EFFECTIVE STRATEGIES IN PLANNING AND EXECUTING A SUCCESSFUL INTERNAL AUDIT

The Current State of Risk Management Maturity for Belgian Organizations kpmg.com/be

Detect. Resolve. Prevent. Assure.

7 STEPS TO BUILD A GRC FRAMEWORK ALIGNING BUSINESS RISK MANAGEMENT FOR BUSINESS-DRIVEN SECURITY

SECURITY ANALYTICS: WHAT NOW?

HIPAA Compliance. Mandatory for 7 MILLION Covered Entities (CE) & Business Associates (BA) 70% of the market is NOT compliant!

PRACTICE SOLUTION. They love us on GET MORE LOVE. Leveraging Yelp to Enhance Your Online Reputation and Grow Your Practice.

CRITICAL OF CHOOSING THE SOLUTION

HCL s HITRUST SOLUTION Redefining Healthcare Security Compliance

5 Technology Trends Construction Contractors Can t Afford To Ignore

Meaningful Use Audit Process: Focus on Outcomes and Security

Prepare for GDPR today with Microsoft 365

On the Alert: Incident Response Plan for Healthcare 111/13/2017

INTERNAL AUDIT PLAN AND CHARTER 2018/19

The GDPR and its requirements for implementing data protection impact assessments (DPIAs)

Project Remedies Solution Set s Ability to Transform your IT Organization. A Selection of Use Cases from Project Remedies Inc.

Internal Audit Division FY 18 - Audit Plan Overview

American Well Hosting Operations Guide for AmWell Customers. Version 7.0

Driving healthy growth

Third Party Risk Management ( TPRM ) Transformation

Transcription:

WHITEPAPER THE FIVE ELEMENTS OF AN EFFECTIVE HIPAA AUDIT PREPARATION PROGRAM ANDREW HICKS MBA, CISA, CCM, CRISC, HCISSP, HITRUST CSF PRACTITIONER PRINCIPAL, HEALTHCARE AND LIFE SCIENCES

TABLE OF CONTENTS HIPAA audits: Look out, here they come... 3 The inventory... 3 The risk analysis... 4 The compliance program assessment... 4 Technical testing... 4 The remediation plan... 5 Be ready get your house in order... 5 2

HIPAA AUDITS: LOOK OUT, HERE THEY COME The HIPAA compliance audit program (pilot version), which launched last month and is slated to continue through the end of this year, is paving the way for a permanent program. The audits will help organizations improve their compliance with the HIPAA privacy, security, and breach notification rules, and the Office for Civil Rights (OCR) plans to share best practices gleaned from the audit process. A recent survey highlights many shortcomings in healthcare organizations IT security efforts, including: 26% of organizations have yet to conduct a risk assessment, as mandated by HIPAA. 43% rate their ability to counter information security threats as poor, failing, or in need of improvement. 25% say they've experienced an information breach of a size that had to be reported to federal authorities. Some experts say a much larger percentage of organizations have likely experienced breaches, but they may be unaware of the incidents. In this perspective we ll review the common gaps and vulnerabilities in IT security programs that we ve seen in our engagements with clients in the healthcare industry. We recently heard from an MIS director at a large health plan organization in the Midwest who has recently wrapped up one of the surprise audits by the OCR. The director stressed how important it was for them to have an external audit completed before the OCR auditors arrived. The external audit allowed them to identify gaps in their IT security program, gain insights on preventing breaches, learn about incident response plans, and get tips on working with business associates to prevent breaches. THE INVENTORY Do you know what electronic protected health information (ephi) you have and where is resides? This is a logical first question for an assessor what is the scope of my assessment going to cover? A prepared organization will know the answer to that question. You should have an inventory of your organization s ephi. We sometimes refer to this inventory as the ephi environment. It should consist of formal documentation that identifies the application systems, databases and data stores, and system components that support or protect the ephi. It should also identify third parties who receive or send ephi as well as service providers that create, receive, maintain, or transmit ephi on behalf of your organization. 3

THE RISK ANALYSIS Do you know how your ephi environment might be susceptible to compromise? After you know what ephi you have, how you get it, where you store it, and where it goes, you need to assess the risks that are posed to the ephi in each of those areas. This is a formal activity, required by administrative safeguard #1 risk analysis. Many providers and payers have not developed a HIPAAcompliant risk analysis. To do so, the scope of the risk analysis must cover the ephi environment, and each point in the flow of ephi must be analyzed to identify vulnerabilities, threats, and the related risk management activities and controls, if any. Out of this analysis, your organization can identify where the risks to ephi are unacceptable and develop the remediation plan to reduce those risks. I know we think of risk analysis more in terms of Meaningful Use at present; however, it is foundational to the HIPAA Security Rule and supports your organization s decision-making regarding the Rule s addressable implementation specifications. THE COMPLIANCE PROGRAM ASSESSMENT Are you doing the right things to protect the ephi and to comply with HIPAA? The only way to reach the point where worries about compliance subside is to start the journey. Starting involves taking stock of what your organization has done, or is doing, to meet the requirements of HIPAA and the HITECH Act. This can be a tedious activity. The organization must thoughtfully review each requirement, understand it, document the control activities that address them, assess whether there is evidence that the control activities are performed, identify shortfalls, and add to the remediation plan as necessary. TECHNICAL TESTING Are you performing the tests to confirm that your program elements are effective? After reviewing the HIPAA compliance program and the design of controls, the organization must perform tests to confirm that the compliance program elements and controls are operating effectively. The scope of testing should include administrative, physical, and technical safeguards. Though not absolutely required by HIPAA, we recommend performing a vulnerability assessment using scanning software. This should focus on both the publicly visible elements of the ephi environment as well as the internal network. This provides useful feedback on the effectiveness of some of the controls. For the other controls, old-fashioned tests of compliance are the only way to see if processes like security provisioning and de-provisioning are operating effectively. 4

THE REMEDIATION PLAN Are you making progress in remediating the compliance gaps? No organization is perfect; there will be issues. Your organization must put in place a plan of action to close the gaps. The gaps should be prioritized and progress milestones established such that you can manage them to closure. Those gaps that pose the greatest risk of a breach should be addressed urgently. Within that group, it may be desirable to prioritize those activities that are both easy and inexpensive to deal with as the highest priorities. They are many ways that an organization can fall short of HIPAA compliance. We see some common themes from our HIPAA compliance assessments: The ephi inventory is missing or known to be incomplete. The risk analysis is missing entirely, it is at too high of a level, or it is missing support for unimplemented addressable implementation specifications. HIPAA Security policies and/or procedures are not documented. Unimplemented addressable implementation specifications are not documented. Unencrypted drives and media with ephi are not adequately secured. Excessive access to ephi exists. BE READY GET YOUR HOUSE IN ORDER There s no doubt that having your ducks in a row can help make the potential of a government audit less painful. Compliance, best-practice frameworks, or internal policies and standards are not one-time processes. Automating these processes with leading-edge IT governance, risk, and compliance (GRC) toolkits establishes a foundation for ongoing compliance and can ensure that your processes, information, reputation, and bottom line are protected and enhanced. And with the increasing trends of moving data to the cloud with its associated security concerns, the need for employee training programs to help alleviate data breaches, and the security issues surrounding mobile device usage in the workplace all of these risks should, and must, be addressed now. 5

ABOUT COALFIRE Coalfire is the global technology leader in cyber risk management and compliance services for private enterprises and government organizations. Our professionals are renowned for their technical expertise and unbiased assessments and recommendations. Coalfire s approach builds on successful, long-term relationships with clients to achieve multiple cyber risk management and compliance objectives, tied to a long-term strategy to prevent security breaches and data theft. Copyright 2016 Coalfire Systems, Inc. All Rights Reserved. WP_HIPAA_AuditPrep_050616 6

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback