Five steps to prepare for your compliance audit

August 07, 2014
By John McCann

The rapid adoption of electronic health records has led to new regulatory requirements and increased HIPAA compliance audits by the Department of Health and Human Services. Combined with the added data privacy concerns brought on by the EHR movement, it is no surprise that having the proper technical safeguards in place is more important than ever.

Despite growing compliance and data security concerns, many are not implementing the proper network security protocols. These organizations choose to wait and scramble to meet compliance standards once they have been informed of an upcoming audit or worse, after a breach has already occurred.

The HIPAA Security Rule (45 CFR 164.308) requires health care organizations to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.”

Organizations are already being fined simply because they did not conduct an assessment and then correct their system’s vulnerabilities.

With that in mind, in order to better secure patient data and begin preparing for your next HIPAA compliance audit, here are five technical safeguards health care organizations should be implementing now:

1. Conduct a risk assessment
Before doing anything else, conduct a thorough risk assessment of your company’s data security policies. Not only is it required by law, but it will also provide you with an accurate depiction of the current state of your network and what areas need improvement in order to meet all compliance standards. Be sure to look at all devices, in and out of your facility, that generate, store, maintain or transmit patient information. All devices, even ones not connected directly to the network, are bound by HIPAA regulations.

To help you get started, check out the free Security Risk Assessment Tool provided by HHS. This tool provides step-by-step instructions on how to properly conduct a thorough HIPAA risk assessment.

2. Customize your security policies
No two health care providers, or even departments, have the same structure and data security needs. This makes it important that each department helps choose which policies to adopt and how they should be executed. Doing so eliminates the vulnerabilities across the organization that would likely exist if a single department spearheaded the process alone.

3. Establish integrity controls
There are many ways data integrity can be compromised, the most common being human error, hardware failure or a computer virus. There is only so much that can be done to prevent these situations from happening. What health care organizations can do is prepare a comprehensive contingency plan in case a threat or breach is detected.

The most important part of your contingency plan is your backup system. Determining what data and how much data to back up will differ from organization to organization, as it largely depends on your budget and how much critical data you have on hand. Speak with your executive team, IT leaders and outside compliance experts to ensure you have the correct amount of protection.

4. Stop managing manually
Despite more stringent compliance regulations, many health care organizations still manage user accounts and network access privileges by hand. Even for the smallest of practices, this method is less than optimal. It increases the risk of human error when data is entered manually, prolongs turnaround times for creating user accounts and adds stress on the IT team.

One way organizations can eliminate these risks is by adopting an automated solution – cutting manual costs and eliminating the risks associated with human error.

5. Strengthen your audit controls
Even with consistently applied access controls in place, health care organizations are still at risk of outsiders or even malicious employees gaining access to confidential information. As with access management, many health care organizations audit their network’s activity manually. Because this requires a great deal of time, a breach is often not discovered until days or even weeks after it happened.

Consider adopting a third-party solution that helps automate the network auditing process. Most solutions will track every logon attempt and file access. In addition, they will record specific information about each logon. For instance, if a failed logon occurs, the software will record the error type, IP address and workstation name. They also typically provide real-time alerting options, allowing IT managers to find out immediately when an intruder is trying to break into the network.
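The kind of audit record described above (error type, IP address, workstation name) is only useful if something watches it continuously. The following Python script is an added illustration written for this article; it is not a product from the author or from Visual Click Software. It parses constructed logon records in an assumed one-line format, keeps a sliding window of failed logons per source IP, and raises an alert once a threshold is crossed, listing every username tried from that source so a forgotten password can be told apart from guessing across many accounts. The log format, field names, threshold and window are all assumptions made for the example.

```python
"""Added example: parse constructed failed-logon records and raise alerts.

Illustrative code written for this article, not the author's or any vendor's
product. The log format, field names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log lines in an assumed format:
# <timestamp> LOGON <result> user=<name> ip=<addr> ws=<workstation> [error=<code>]
SAMPLE_LOG = """\
2014-08-07T09:00:01 LOGON FAILURE user=jsmith ip=10.0.5.23 ws=NURSE-STN-04 error=BadPassword
2014-08-07T09:00:04 LOGON FAILURE user=jsmith ip=10.0.5.23 ws=NURSE-STN-04 error=BadPassword
2014-08-07T09:00:07 LOGON FAILURE user=admin ip=10.0.5.23 ws=NURSE-STN-04 error=UnknownUser
2014-08-07T09:00:09 LOGON FAILURE user=admin ip=10.0.5.23 ws=NURSE-STN-04 error=UnknownUser
2014-08-07T09:00:12 LOGON FAILURE user=rjones ip=10.0.5.23 ws=NURSE-STN-04 error=BadPassword
2014-08-07T09:15:00 LOGON FAILURE user=mlee ip=10.0.7.8 ws=FRONT-DESK-01 error=BadPassword
2014-08-07T09:15:30 LOGON SUCCESS user=mlee ip=10.0.7.8 ws=FRONT-DESK-01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGON (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) ws=(?P<ws>\S+)(?: error=(?P<error>\S+))?$"
)


def parse_line(line):
    """Return the fields an audit tool should record for a logon, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def detect_failed_logon_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source IP accumulates `threshold` failures within `window`.

    A per-IP sliding window of failure timestamps lets the check run on a live
    stream one record at a time, which is what real-time alerting needs.
    Returns a list of alert dicts, each listing the distinct usernames tried.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> usernames seen in those failures
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAILURE":
            continue
        ip = rec["ip"]
        q = recent[ip]
        q.append(rec["ts"])
        users[ip].add(rec["user"])
        # Drop failures that fell out of the window
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "ip": ip,
                "workstation": rec["ws"],
                "error": rec["error"],
                "failures": len(q),
                "users": sorted(users[ip]),
                "at": rec["ts"].isoformat(),
            })
            q.clear()            # one burst produces one alert, not one per extra failure
            users[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logon_bursts(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

On the constructed input, the five failures from 10.0.5.23 within eleven seconds produce a single alert naming three different accounts, while the lone failure from the front-desk workstation, followed by a successful logon, stays below the threshold. Clearing the window after each alert keeps a long burst from paging the IT manager once per additional failure.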

About the author: John McCann, cofounder of Visual Click Software, has more than 36 years’ experience in the software industry. Since 1986, he has developed an array of network, security and asset management and reporting tools for Novell’s NetWare and Microsoft’s Windows networks.