David Wiseman: Preparing for HIPAA Audits
To be fully prepared, Wiseman says hospitals should:
About two years ago, Saint Luke's Health System went through what was then a very rare federal audit when the U.S. Department of Health and Human Services was attempting to measure its ability to oversee and implement the HIPAA security rule.
Now the Office for Civil Rights within HHS is gearing up to conduct HIPAA compliance audits throughout the country on a regular basis, as called for under the HITECH Act.
Wiseman was a featured speaker Feb. 28 at an all-day security workshop at the Healthcare Information and Management Systems Society Conference in Atlanta.
HOWARD ANDERSON: This is Howard Anderson from the Information Security Media Group. Today we are talking with David Wiseman, information security manager at St. Luke's Health System in Kansas City, Missouri. Thanks a lot, David, for taking a few minutes with us here at the HIMSS Conference.
DAVID WISEMAN: Sure.
ANDERSON: So you went through a federal audit in 2007-2008 when HHS was attempting to assess its own ability to enforce the HIPAA security rule. Now in the months ahead, the federal government is planning to ramp up HIPAA compliance audits under the HITECH Act. So give us a few lessons you learned about steps that hospitals can take now that will make things easier should they get audited.
WISEMAN: I think what is really important is that hospitals should take a look at their overall information security program and do a compliance evaluation in regards to the HIPAA security rule.... Do the evaluation, identify the gaps--the areas of weaknesses--and then put together corrective action plans.
Organizations need to approach it as being in a state of continual readiness for audits.... There really hasn't been anything published in regards to how these audits are going to take place within the HHS Office for Civil Rights, but I think hospitals should approach it kind of like preparing for a Joint Commission audit--you know, a constant state of readiness.
ANDERSON: Does that mean you need to review your risk assessment and your security plan?
WISEMAN: Your risk assessments should be reviewed or updated every three years, or when you make a major upgrade to a particular system. So you need to pull out your risk assessments and take a look and see which ones need to be re-evaluated based off of those types of criteria.
ANDERSON: And based on your own experience, how widely should hospitals use encryption?
WISEMAN: Encryption should be used at every point possible because if you look at all of the new requirements coming out, encryption seems to be a common theme throughout, especially in regard to breach notification. (The HITECH breach notification rule has a "safe harbor" that states organizations don't have to report breaches if the data involved was properly encrypted.) So I think organizations should take a look at end-point encryption, encryption of your smart phones, encryption of laptops, even desktop computers.
I know a lot of people have focused on laptops, but I think you really need to look at your desktop environment and identify which areas are critical risk areas and apply encryption there. Encryption in transit is important with the pervasiveness of e-mail. Sending information through e-mail, you need to make sure you have a good, usable solution for the end users to take advantage of.
I think the only part that is going to be difficult is the data at rest within the clinical applications. I think that one is really going to take new technology from the vendors, and we will wait to see what happens there.
ANDERSON: So you don't think the major databases for the core clinical systems can be encrypted because it slows them down too much?
WISEMAN: I think it is a performance issue. So I think that we just need to get the technology up to where the performance can meet our requirements with the encryption in place.
ANDERSON: And when auditors come to my door, they are going to want to look at more than whether I have a security plan and a risk assessment in place. They want evidence that I have carried out the plan. What kind of evidence do they look for?
WISEMAN: Well, for example, if you have a security policy that you are going to enforce password changes every 90 days, you need to make sure that you are reviewing to ensure that if you have an automated control in place that it is, in fact, forcing users to meet that requirement. Because the auditors are going to poll your users and they are going to see when the last time that password was changed. So they are going to be looking for evidence that you are actually enforcing that policy.
ANDERSON: Thanks for taking some time with me, David; I appreciate it.
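The kind of evidence Wiseman describes for the 90-day password policy can be produced from an account export rather than by waiting for the auditor to poll users. The script below is an added example, not code from the interview or from Saint Luke's; it assumes a constructed CSV export whose field names (username, last_password_change, enabled, password_never_expires) are hypothetical, and it treats accounts flagged as never expiring as gaps in the automated control, since the policy is not enforced for them whatever the date says.

```python
"""Compliance check: is the automated 90-day password-change control
actually enforced?  Input is an assumed CSV account export (field names
are hypothetical, not any real directory product's)."""
import csv
import io
from datetime import date

POLICY_MAX_AGE_DAYS = 90  # the figure from the policy discussed above

# Constructed sample export for demonstration only; not real accounts.
SAMPLE_EXPORT = """\
username,last_password_change,enabled,password_never_expires
jdoe,2010-01-15,yes,no
rroe,2009-10-01,yes,no
svc_backup,2008-03-20,yes,yes
oldtemp,2009-01-02,no,no
"""


def audit_password_ages(export_text, as_of_iso, max_age_days=POLICY_MAX_AGE_DAYS):
    """Return a findings dict: enabled accounts whose password is older than
    the policy allows ('overdue', with age in days), accounts exempted from
    expiry ('exempt'), and the number of in-scope accounts checked."""
    as_of = date.fromisoformat(as_of_iso)
    findings = {"overdue": [], "exempt": [], "checked": 0}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "yes":
            continue  # disabled accounts are out of scope for this control
        findings["checked"] += 1
        if row["password_never_expires"].strip().lower() == "yes":
            # Expiry is switched off here, so the policy is not enforced
            # for this account regardless of its last-change date.
            findings["exempt"].append(row["username"])
            continue
        changed = date.fromisoformat(row["last_password_change"].strip())
        age_days = (as_of - changed).days
        if age_days > max_age_days:
            findings["overdue"].append((row["username"], age_days))
    return findings


def policy_is_enforced(findings):
    """True only when every in-scope account met the rotation requirement."""
    return not findings["overdue"] and not findings["exempt"]


if __name__ == "__main__":
    result = audit_password_ages(SAMPLE_EXPORT, "2010-03-01")
    print(result)
    print("policy enforced:", policy_is_enforced(result))
```

Run against a real export, the 'overdue' and 'exempt' lists are the items to carry into a corrective action plan, and an empty result is the evidence the auditor is looking for.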