In Part 1: Before the HIPAA Assessment, we covered the structure and content of the HIPAA law and its compliance framework. In this part we dig into how we actually perform the assessment.
Part 2: Understanding the HIPAA Assessment methodology
Since we are cybersecurity professionals, we'll focus on the Security Rule, which governs electronic protected health information (ePHI). Remember the three groups of safeguards within the Security Rule? Administrative, Physical, and Technical. We walk through them in that order below.
Administrative Safeguards
These cover the planning and preparation for security and risk management within your healthcare business. In this part of the assessment we review the policy and process documents you've created, starting with the overarching security policy. Does it cover the full breadth of HIPAA? Does it go into enough depth for each of the controls? We don't need Fort Knox-level security; the Security Rule's own standard is "reasonable and appropriate," but we do need you to document how you are applying each requirement within your business.
We also review your business's organizational structure to confirm you have a defined hierarchy of authority (as appropriate) governing access to ePHI. We review your employee hiring, management, and termination processes to validate that security is maintained throughout an employee's time with your company. We inspect how you grant access to online systems and services, and how well you make employees aware of security threats and the security requirements that fall to them. We review your agreements with partners and vendors (business associate agreements) to ensure you require reasonable security from them when trusting them with your ePHI. We inspect the access and account management process to see how you assign accounts and maintain proper roles and privileges over time. We also look for the risk analysis the Security Rule requires, since every other safeguard is supposed to be chosen in light of it. Finally, we look at how you've planned for emergencies. Do you have incident response and contingency/disaster recovery plans in place? Are they adequate to respond to a reasonably likely incident, or to recover from a reasonably likely disaster?
Physical Safeguards
Here we inspect your facility (or facilities) to see how you protect the physical spaces where the electronic information and systems reside. We usually look at it from the perspective of a visitor: where can I go unimpeded if I walk in the front door? From there, we look at doors and locks. What type of locks do you use: keys, codes, or proximity cards? Who holds keys or codes, and what happens when someone leaves? We also look for cameras and alarms. Finally, we look at your workstations to make sure a passerby can't easily see ePHI on a screen, and at how you handle devices and media (laptops, backup drives, decommissioned machines) that may contain ePHI.
Technical Safeguards
This is what most people think of when they think of a HIPAA or security compliance assessment. The technical parts are important, but they are most effective when implemented on top of a solid administrative foundation rather than in isolation. Here we look for things like anti-virus, unique user accounts and authentication on every system and application that touches ePHI, audit log collection and review, encryption of ePHI at rest and in transit, and reasonable inactivity timeouts (screen lock or automatic logoff). Note that several of these, encryption among them, are "addressable" rather than "required" implementation specifications. Addressable does not mean optional: you must either implement the control or document why an alternative is reasonable and appropriate for your environment. Unfortunately, the technical safeguards are not as robust as they should be. The Security Rule was written in the early 2000s and has seen little substantive update since, so it says nothing about many of the controls that stop modern attacks. We therefore look past the HIPAA baseline and alert you to any other significant issues we find, such as missing multi-factor authentication or unpatched systems. These findings don't count toward HIPAA compliance, but fixing them is what actually prevents a breach.
Notice how we listed technical safeguards last and administrative safeguards first? This is intentional. The Security Rule itself is ordered the same way: administrative safeguards (45 CFR 164.308), then physical (164.310), then technical (164.312). More importantly, the planning and documentation in the administrative safeguards matter more than guessing at technical configurations or settings. The key to solid cybersecurity is forethought and planning, and every major cybersecurity framework reflects this by making asset identification and risk management the first step; NIST's Cybersecurity Framework, for example, begins with identifying what you have and what threatens it before it gets to protecting anything.
Stay tuned for Part 3: What to do after a HIPAA Assessment. We'll talk about what you should do with the results of the assessment: how to interpret the individual findings and group related ones together into more cost-effective remediation projects.
Need a HIPAA Assessment?
Visit our services page to see how we can help
Contact us today for a free and confidential consultation.