Audits provide insight into the vulnerabilities of an organization. A secure computing infrastructure is a strategic business asset. Regular audits ensure the enterprise is secure and that any “gaps” identified as a result of an audit are in fact “closed and locked” to maintain the security of the computing infrastructure. In today’s environment, where organizations demand secure access anytime, anywhere, on any device, it is necessary to audit on a regular basis so that valuable information assets can be protected from unauthorized users and attacks.
Security professionals, especially the security officer, need to be knowledgeable about security audit techniques and tools. They are responsible for making sure the audits conducted are thorough and comprehensive. While there is no such thing as a 100% secure business, the application of information from audits can go a long way in defending an organization’s strategic business assets.
Strong audit trails are a critical component of an organization’s security strategy and help the entity ensure the confidentiality, integrity and availability of all vital information.
An audit provides valuable information that can determine if security violations did in fact take place and the scope of the damage experienced. The information analyzed can also provide insight into areas such as the following:
- Are users accessing information that does not relate to their job function?
- Are there attempts being made to access specific areas of the system?
- Are there accounts that consistently have authentication failures?
For a quick reference card on Sarbanes-Oxley, please email technologysolutions@aha.org
HOW PREPARED IS YOUR ORGANIZATION FOR A HIPAA AUDIT?
Recently, it was reported that Piedmont Hospital became the first organization in the United States to be audited for compliance with the HIPAA Security Rule. The audit was conducted by the office of the inspector general at the U.S. Department of Health and Human Services (HHS) and is being seen by some in the health care industry as a precursor of similar audits to come at other institutions. It was further reported that Piedmont Hospital was presented with a list of 42 items that HHS officials wanted information on within 10 days of the request.
Learn more about the HIPAA Academy’s 42-point assessment service for HIPAA compliance. This is a fixed price, no expense, service that results in a HIPAA Academy Report that details the state of your organization’s compliance with the HIPAA Security Rule. The HIPAA Academy, the gold standard in HIPAA training, certification and consulting services, is offering an assessment of the 42 areas that HHS identified in its recent audit!
To schedule your HIPAA Audit contact Lorna Waggoner at 1.877.899.9974 x17 or visit www.HIPAAAcademy.net
On-Site HIPAA Training. Get HIPAA Academy to Your Site!
Save Time and Money
HIPAA Academy, the industry’s leading provider of HIPAA training, certification and consulting, has delivered content and exams for HIPAA Academy’s Certified HIPAA Professional (CHP) and the Certified Security Compliance Specialist™ (CSCS™) to organizations at their site. We can customize the content to meet your requirements. 2007 clients include many hospitals, long term care organizations, BCBS, several business associates and leading firms such as IBM, HP, E&Y, Kaiser Permanente and others. For details, please visit www.HIPAAAcademy.Net.
For more information visit www.aha-solutions.org, contact Lorna Waggoner at 1.877.899.9974 x17 or visit www.HIPAAAcademy.net
HIPAA Tip
HIPAA Security Rule
The Resource Guide for Implementing the HIPAA Security Rule published by the NIST (Special Publication 800-66) provides the following information to address the requirements of the Audit Controls Standard (§ 164.312(b)) in the HIPAA Security Rule:
- Determine the activities that will be tracked or audited.
- Identify the tools that will be deployed for auditing and system activity reviews.
- Develop and deploy the information system activity review and audit policy.
- Develop appropriate standard operating procedures. For example, determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports.
- Implement the audit and system activity review process.
Organizations will need to clearly establish where electronic Protected Health Information (EPHI) is at risk in the organization. Further, they need to determine what systems, applications, or processes make data vulnerable to unauthorized or inappropriate tampering, uses, or disclosures. The types of activities that will be monitored need to be determined. This may include the creation, reading, updating or deleting of files or records containing EPHI. The key elements of the audit record will need to be defined (e.g., User ID, event type, date/time).
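The following added example (not from NIST SP 800-66 or the HIPAA Academy) shows how an exception report can be derived from audit records that carry the key elements named above, covering the three review questions listed earlier: repeated authentication failures, attempts against specific areas, and access unrelated to job function. The record layout, the failure threshold, the user names and the job-function map are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime

EPHI_EVENTS = {"CREATE", "READ", "UPDATE", "DELETE"}  # activities named in the text
FAIL_THRESHOLD = 3                                    # assumed policy value
# Hypothetical job-function map: record areas each user legitimately needs.
ALLOWED_AREAS = {"jdoe": {"billing"}, "asmith": {"clinical"}}

# Constructed sample records: date/time|user ID|event type|record|outcome
SAMPLE_LOG = """\
2007-03-05T08:58:10|jdoe|LOGIN|-|FAIL
2007-03-05T08:58:25|jdoe|LOGIN|-|FAIL
2007-03-05T08:58:41|jdoe|LOGIN|-|FAIL
2007-03-05T09:04:17|jdoe|READ|billing/1001|OK
2007-03-05T09:06:30|jdoe|READ|clinical/2002|OK
2007-03-05T09:10:05|asmith|LOGIN|-|FAIL
2007-03-05T09:15:09|asmith|DELETE|billing/1001|DENIED
2007-03-05T09:15:31|asmith|READ|billing/1001|DENIED
2007-03-05T09:20:00|temp1|READ|clinical/2002|OK
not-a-valid-record
"""

def parse(line):
    # Raises ValueError on a wrong field count or an invalid timestamp.
    ts, user, event, resource, outcome = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "user": user, "event": event,
            "resource": resource, "area": resource.split("/")[0], "outcome": outcome}

def exception_report(log_text, allowed=ALLOWED_AREAS, threshold=FAIL_THRESHOLD):
    records, unparsed = [], []
    for line in filter(str.strip, log_text.splitlines()):
        try:
            records.append(parse(line))
        except ValueError:
            unparsed.append(line)  # surface bad lines instead of dropping them
    ephi = [r for r in records if r["event"] in EPHI_EVENTS]
    fails = Counter(r["user"] for r in records
                    if r["event"] == "LOGIN" and r["outcome"] == "FAIL")
    return {
        "repeated_auth_failures": {u: n for u, n in fails.items() if n >= threshold},
        "denied_attempts_by_area": dict(Counter(r["area"] for r in ephi if r["outcome"] == "DENIED")),
        # Users absent from the map have no approved areas, so all their access is flagged.
        "access_outside_job_function": sorted(
            {(r["user"], r["resource"]) for r in ephi
             if r["outcome"] == "OK" and r["area"] not in allowed.get(r["user"], set())}),
        "unparsed_lines": unparsed,
    }

if __name__ == "__main__": print(exception_report(SAMPLE_LOG))
```

Lines that fail to parse are reported rather than skipped, since a gap in the audit trail is itself something a reviewer needs to see.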
COMPLIMENTARY 2-DAY CHP PROGRAM DELIVERED AT YOUR SITE
For a complimentary 2-day Certified HIPAA Professional (CHP) program delivered at your site, please contact Lorna Waggoner at 1.877.899.9974 x17 or visit www.HIPAAAcademy.net. Only qualified organizations will be considered. Session will be confirmed after review by the HIPAA Academy. Certain terms and conditions apply.