HIPAA Audits: How to Prepare
David Wiseman offers lessons learned
Speaking at a security workshop Feb. 28 at the Healthcare Information and Management Systems Society Conference in Atlanta, Wiseman stressed the need to create a "security culture" throughout the organization.
He advised hospitals to guard against assuming that everyone, even those in the IT department, recognizes security as a priority. Many IT staffers who have expertise in certain applications lack awareness of security issues, he contended.
Another set of eyes
While stressing the need to have a third party perform vulnerability assessments, or penetration testing, Wiseman cautioned that hospitals should not repeatedly hire the same firm to conduct the studies. It's important to frequently "get another set of eyes" for these assessments to help expose vulnerabilities, he said.
About two years ago, Saint Luke's Health System went through what was then a very rare federal audit when the U.S. Department of Health and Human Services was attempting to measure its ability to oversee and implement the HIPAA security rule.
Now the Office of Civil Rights within HHS is gearing up to conduct HIPAA compliance audits throughout the country on a regular basis, as called for under the HITECH Act.
To be fully prepared, Wiseman said hospitals should:
- Conduct a HIPAA compliance evaluation to identify areas of weakness and document risks;
- Put together an action plan for resolving those weaknesses and minimizing risks;
- Carefully monitor whether all compliance strategies, such as changing passwords every 90 days, are actually being carried out throughout the enterprise;
- Update risk assessments whenever an application is upgraded or replaced; and
- Make extensive use of encryption.
Wiseman, however, lamented that most clinical information systems perform poorly if their databases are encrypted. He called on vendors to remedy this situation to help improve security over the long haul.
If auditors know that a hospital has already identified areas of security weakness and is working on resolving them, that will improve the organization's audit results, Wiseman concluded.