When it comes to healthcare security and the forthcoming Office for Civil Rights (OCR) audits, healthcare organizations face a dilemma.
The OCR audits – which have now been delayed from 2014 to 2015, and then again from the beginning of this year to an undetermined date – are forthcoming. But as the audits are repeatedly delayed, reportedly due to technical challenges, organizations' impetus to ready themselves slowly diminishes. A sense of urgency is reduced, and in an environment of constant transformation and competing priorities, healthcare providers and other affected organizations turn their attention elsewhere. Ultimately they take the OCR audits less seriously, perhaps out of a sense that OCR isn't taking them seriously themselves.
That's a shame. And more than a shame, it's dangerous. Because many organizations are woefully underprepared to protect their healthcare data. If organizations let down their guard, they will become vulnerable to both data breaches and the OCR audits themselves when they inevitably arrive. And all indications are that the audits will bring an unprecedented level of scrutiny and enforcement to healthcare security.
How then should organizations prepare for these audits that hover on an uncertain horizon? How can they prioritize security and ensure that they are ready for both evaluation and attack?
How to prepare for audits (and attacks)
First, it's important to understand that an audit isn't an enforcement action – if your organization is selected for an audit, you are simply being called on to demonstrate HIPAA compliance. In most cases, you will need to submit documentation that demonstrates your compliance. Because HIPAA guidance isn't always highly specific and allows for a range of security approaches, you will have the opportunity to explain the reasoning behind your security decisions.
As you plan your audit readiness strategy, consider the following steps:
- Assemble an appropriate team. Your organization's security and privacy officials should be part of your audit response team, along with your compliance officer (if you have one) and legal counsel.
- Conduct a risk assessment. Before OCR evaluates you, evaluate yourself. This process will help you ensure that all of your data assets have been covered, including servers, personal computers, mobile devices, and more.
- Document everything. By making sure that you keep detailed records of your security measures and procedures as well as your incident response plans, you will be much better prepared to respond to requests for information from OCR.
- Identify your business associates. Verify that these entities' security is appropriately calibrated; their compliance or lack thereof can impact you.
- Train your team and stay-up-to-date. Ensure that your employees are trained to respond to phishing, social engineering, and malware attacks – security is a team effort. Confirm that the appropriate team members are up-to-date on current attack vectors, exploits, and vulnerabilities, and that they are applying security patches and updates swiftly.
- If you're audited, respond in a timely manner. Appoint one individual to be responsible for audit-related correspondence, and then work together to ensure that your responses are as complete, accurate, and timely as possible.
By taking these steps, you will simultaneously work to protect your organization and its private data and prepare for the eventuality of an OCR audit. When the audits arrive, it is a guarantee that many healthcare providers and associated entities will be taken by surprise. But if you prioritize security and ready your organization thoughtfully, you can make the process as smooth and painless as possible.
Mark Fulford is a Partner in LBMC's Security & Risk Services practice group. He has over 20 years of experience in information systems management, IT auditing, and security. Marks focuses on risk assessments and information systems auditing engagements including SOC reporting in the healthcare sector.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.