Best Practices For Being OCR Audit Ready
April 15, 2013
Healthcare information security staffers rightly worry about OCR audits and want to prepare their facilities for an assessment. But how do you best measure the progress of your security program?
Alain Bouit, director of IT security at Adventist Health, a 19-hospital health system based in Roseville, Calif., shares his thoughts on data security measurement. Good metrics are hard to find in the security realm. Nonetheless, security directors must determine the measures that are right for their organizations in order to be adequately prepared for audits.
“We use three levels of measurement at Adventist – enterprise, entity and the control level,” Bouit said. “While information security is provided at the enterprise level – and it makes sense from a cost and efficiency perspective – there are concerns that have to be assessed at the facility and control levels.”
Bouit gave examples of security threats at each level and the measures that might be tracked to determine the health system’s resilience.
An enterprise-level threat might be non-compliance with the HIPAA Security Rule. Because it is health system policy to remain compliant with federal and state regulations, the requisite security measures might include the number of high- and moderate-risk findings in an annual HIPAA review, as well as the number of completed PCI DSS self-assessments.
At the entity, or facility, level, security threats could include a disaster in a local data center. Bouit said measures to assess preparedness might be an inventory of locally hosted applications, the existence of a disaster recovery plan, and the results from the most recent disaster exercise or test.
Finally, at the control level, a common threat would be unauthorized access to patients' protected health information (PHI). To measure adequate preparation for this risk, healthcare organizations might require a monthly report on the number of laptops and workstations that store PHI and are not encrypted. Ideally, there should never be a finding in this area if proper security measures and policies are in place.
The reality is that risk management is a constantly moving target at healthcare organizations. Medical organizations must be prepared for the worst to happen, and they must also have sound business continuity plans, policies, and procedures in place.