Having survived the end of the world according to the Mayan calendar, San Diegans take in a deep breath of sunshine, optimistic about facing the challenges we foresee in IT security for 2013. Still gloating from averted apocalypse, we peer forward with hastily scrawled resolutions slapped on Post-its around the computer, overlapping the one where we jotted last year's password hints.
Meanwhile, hackers tighten the screws on a new fleet of malware variants to make our recent successes against cyberthreats a thing of the past. Virus-protection and firewall vendors ready their snappy campaigns as we diligently eke out new, longer, hard-to-guess passwords that don't fall into the 10,000 patterns already decoded by analysts as "Easily Cracked." We stay awake at night dreading that forgotten stone we left unturned that will shatter the exterior of privacy in which we have encased our client and patient private data.
Other than keeping your online perimeter safe, sniffing out "phishy" emails and fortifying your passwords, what are you doing to demonstrate compliance when you are faced with an IT security audit? The U.S. Department of Health and Human Services' Office for Civil Rights (OCR), which enforces HIPAA patient data privacy and security laws, will unveil its new HIPAA Omnibus Rule in 2013. To be ready for the new HIPAA Security Rule, OCR recommends obtaining an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). While the audit protocol guidelines specify that it is not necessary to purchase new software, hardware or technology services, they do stress the importance of improving security policies, procedures, and standards.
Assessments of privacy and security are not limited to organizations preparing to undergo a HIPAA Audit. Privacy Impact Assessments (PIA) are required under the E-Government Act by the Department of Homeland Security (DHS). Privacy Impact Assessments demonstrate how sensitive information about individuals is collected, stored, protected, shared and managed by an agency and their employees. Contractors to the government are held to the same standards and security policies under the Federal Information Security Management Act (FISMA). Failure to perform adequate annual program and system reviews, lack of system security plans, absence of system certification and accreditation, and failure to maintain comprehensive documentation are all reportable deficiencies.
Before undergoing a formal audit or assessment for required reporting or compliance, the best plan of action for any independent contractor to a health provider or government agency is to obtain a third-party independent security assessment that can objectively and discreetly make organizations aware of privacy vulnerabilities in their systems, operations and policies before they become a potential risk. The cost of an audit generally varies depending on your business objectives, the number of systems and personnel to be assessed, and the quantity of data you manage. Having a documented assessment before the Feds come knocking is, well, priceless.
Submitted by Taranet Inc. – the Art of Risk Management. Find out more about preparing for a compliance audit. Email firstname.lastname@example.org.