[BreachExchange] Preparing for an OCR HIPAA Risk Assessment Audit

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 27 18:45:40 EDT 2017


http://healthitsecurity.com/news/preparing-for-an-ocr-hipaa-risk-assessment-audit

While healthcare organizations should not panic over the idea of a
potential HIPAA audit or risk assessment, they should ensure that their
privacy and security measures are comprehensive and current. This will not
only keep sensitive data, such as PHI, secure, but it will also help the
entire audit process run smoothly.

Night Nurse, a 24-hour, 365-day-per-year triage support and medical-home
compliance provider, went through an in-depth risk assessment audit. Night
Nurse COO Stuart Pologe explained to HealthITSecurity.com in an email that
the goal of the audit was to verify the integrity of patient-identifiable
information (PII) and PHI in the organization’s systems.

“The audit was initiated in order to achieve a higher degree of compliance,
affording us the opportunity to provide secure triage services to a large
hospital system,” Pologe said. “Organizations are subjected to the greatest
amount of scrutiny. The goal was to increase our service and security
levels to meet or exceed the meticulous standards of the nation’s largest
and most respected hospital systems.”

The HIPAA risk assessment audit consists of three phases, taking place
across approximately one year, Pologe noted. Phase one was comprised of
meeting more than 400 interrogatories from the auditors.

“The questions required everything from base descriptions of our services
and procedures to in-depth descriptions of each technical component of our
system infrastructure,” he stated. “The report also required a
vulnerability assessment for each technology component, and how these risks
were mitigated.”

Pologe added that organizations may be surprised to learn how each
component, even printers, can be a HIPAA liability or a key security
stronghold, depending on how it is configured and managed.

“Phase one was a long process,” recalled Pologe. “In addition to compiling
the extensive amount of documentation required, Night Nurse needed to gain
auditor approval on each of the responses in order to move into the second
phase of the process. This often involved multiple iterations of the
documentation and submission process, requiring verification of all
specifications, statistics, and policies.”

Phase two was the detailed on-site inspection, Pologe explained. This
covered everything from the physical security of the building and data
center to patient data security.

“The edifice security standards required appropriate locks at all stages of
access, with at least two locked doors to any area housing PII or PHI, with
security systems and video cameras required to ensure access control and
record-keeping,” he noted. “In addition, all areas where patient
information is discussed or viewed must meet appropriate isolation
standards. This includes the seclusion of printers, fax machines and paper
archive access.”

After physical safeguards were addressed, Pologe said that the auditors
began attempts to penetrate the Night Nurse IT systems. Both inbound and
outbound transmissions were captured with Wireshark, and the audit team
examined the data flow for any information sent without encryption.

If any readable information, not just PII or PHI, was found, it would have
been an immediate failure, he stated.
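The capture review described above, as an added example that is not from the article or from Night Nurse: a small Python check that applies the same pass/fail rule (any readable payload that is not TLS is a finding) to a few constructed packet payloads instead of a live Wireshark capture. The `Packet` type, the 0.9 printable threshold and the sample addresses are all assumptions made for this example.

```python
# Added example: flag non-TLS payloads that contain readable text, the kind
# of finding the auditors' capture review treated as an immediate failure.
from dataclasses import dataclass
import string

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
PRINTABLE = set(string.printable.encode())


@dataclass
class Packet:            # minimal stand-in for a captured frame (assumption)
    src: str
    dst: str
    dport: int
    payload: bytes


def looks_like_tls(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header (type, 0x03, minor)."""
    return (len(payload) >= 3 and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03 and payload[2] <= 0x04)


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 0.0 for an empty payload."""
    if not payload:
        return 0.0
    return sum(b in PRINTABLE for b in payload) / len(payload)


def find_readable(packets, threshold=0.9):
    """Return (src, dst, dport, ratio) for every non-TLS, mostly-text payload."""
    findings = []
    for p in packets:
        if looks_like_tls(p.payload):
            continue                      # encrypted transport, nothing readable
        ratio = printable_ratio(p.payload)
        if ratio >= threshold:
            findings.append((p.src, p.dst, p.dport, round(ratio, 2)))
    return findings


# Constructed sample traffic (not a real capture): two TLS records, one
# cleartext HTTP form post and one cleartext FTP login.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.9", 443, b"\x16\x03\x01\x00\x2a\x01\x00" + bytes(30)),
    Packet("10.0.0.5", "10.0.0.20", 80, b"POST /intake HTTP/1.1\r\nHost: ehr\r\n\r\nname=J.Doe&dob=1970-01-01"),
    Packet("10.0.0.7", "10.0.0.9", 443, b"\x17\x03\x03\x00\x10" + bytes(range(200, 216))),
    Packet("10.0.0.8", "10.0.0.30", 21, b"USER fax\r\nPASS hunter2\r\n"),
]

if __name__ == "__main__":
    for finding in find_readable(SAMPLE):
        print("readable payload:", finding)
```

On a real capture the same logic would run over payloads exported from Wireshark, and any hit is a remediation item regardless of whether the text is PHI.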

“The next section of the audit was focused on remediation,” Pologe
explained. “The auditors provided extensive reporting and required areas of
improvement, based on the many examinations conducted. Anything and
everything considered a tangible risk was highlighted for mitigation.
Additional requirements were provided with compliance time frames of 30
days, six months and one year to achieve the maximum level of compliance.”

BUILDING A COMPLIANT IT INFRASTRUCTURE FOR DATA SECURITY

Pologe maintained that organizations must ensure that they have necessary
access controls anywhere information is stored. This is true for paper or
electronic data storage.

“We’ve always placed a high priority on IT security, but we needed to add
even more levels of premises security,” he said. “Now, each person has to
sign a log on why they enter areas containing PII or PHI. When building
your premises security strategy, allow as few people as possible into
sensitive areas to reduce risk of exposure to information.”

Covered entities should also consider ways to isolate sound or viewing
angles. For example, waiting rooms cannot permit visitors to overhear
patient discussions, Pologe pointed out. Waiting rooms should also not have
any over the shoulder line-of-sight to paperwork or a computer screen.

All types of office devices could lead to unexpected HIPAA violations, he
added. Printers must be appropriately password protected, and access to
them needs to be restricted through access cards or managed network
switches, he stressed. Printers should also have static IPs to avoid known
HIPAA vulnerabilities.

Night Nurse receives and transmits approximately 50,000 patient encounters
per month, Pologe explained. Protecting paper documents is as vital as
protecting its electronic documents. Having fax machines export images, in
real time, to a secured server is mission-critical to archiving fax data in
a compliant manner, he said.

“Printers and scanners provide a critical connection between digital
healthcare systems and physical paper documents, and security is a top
concern,” Pologe explained. “We’ve had excellent experiences with Brother
devices since 2004, as they deliver the security features and customization
levels that enable HIPAA compliance.”

Pologe added that organizations should ensure they have consistent access
to electric power. Any power interruption, even for a few minutes,
degrades patient care and introduces risk. Night Nurse’s entire facility
is backed up by a dedicated natural gas generator, he noted.

Overall, organizations should make sure they take care of the basics right
up front so they don’t have to do a lot of work on the back-end.

“Organize all of your documentation in a single file location, including
protocol manuals, security manuals and disaster recovery plans,” advised
Pologe. “Make sure these documents are in a secure, yet easy to access
location. And institute a ‘clean-desk’ policy.”

Covered entities also need to be prepared to carve out the time for their
HIPAA audit. Night Nurse’s audit took approximately 10 months, Pologe
noted. Even with internal and external assistance, organizations will be
required to produce and edit a tremendous amount of documentation.

“For many healthcare organizations, a HIPAA audit is a dreaded task,”
Pologe concluded. “While it consumes an extensive amount of time, it also
produces multiple benefits. Today, Night Nurse’s expanded level of
compliance ensures that we’re able to support any size institution,
including the largest hospital systems with the most stringent
requirements.”