Well-Documented Controls Reduce Risk and Support Compliance Initiatives


White Paper: Risks Associated with Missing Documentation for Health Care Providers

Well-Documented Controls Reduce Risk and Support Compliance Initiatives

www.solutionary.com (866) 333-2133

Many Health Care Organizations Lack Well-Documented Controls or Processes

Health care organizations are challenged to protect patient data and comply with regulations governing health care entities. Having well-documented policies and controls is an important part of reducing risk and achieving compliance. This paper discusses the need for well-documented controls to reduce risk, along with expert suggestions for improving documentation.

The absence of well-documented controls leads to gaps in security risk control processes. This creates a security environment that is difficult to monitor or measure and can lead to noncompliance with Health Insurance Portability and Accountability Act (HIPAA) requirements and extensive fines. Some areas that are frequently found to be deficient during HIPAA gap or compliance reviews include annual and ongoing risk assessments, undocumented policies and controls, and unwritten processes or procedures. The descriptions below define examples of some common findings Solutionary has uncovered while conducting these assessments.

Risk Assessment

Organizations typically have tried to create controls without properly identifying the risks which define the controls. A proper risk assessment will highlight areas that are in need of monitoring, controls which need to be defined, and a way to measure and monitor the controls to ensure they are operating as designed. A properly executed risk assessment will address risks of loss and exposure of protected health information (PHI) as well as the supporting clinical and non-clinical systems. Quantifying the risk, giving the risk a priority ranking and then documenting the risk gives the organization a starting point to identify the required controls.

Policies and Controls

Policies are the overarching documentation which sets the position and tone of the organization's control posture. Controls are written and established by an organization to verify a regulatory requirement or risk is properly addressed and monitored. Health care organizations often address controls in silos or by specific departments in the organization, not looking at the whole picture. For example, the outpatient clinic may have a set of controls in place to monitor access to patient information, but the controls are different from the patient information controls used at the admissions office for the hospital. Why isn't there a unified set of controls for all areas that handle patient information? A disjointed approach often leads to duplicate controls, an environment which is not easily monitored, and the inability to determine if the controls are operating effectively.

Processes or Procedures

Processes and procedures are the activities that support documented controls and enforce policies or standards. These documented controls then provide measures and checks to support the policies or standards in place. Processes and procedures are usually repetitive and, based on experience, are not well documented. Unfortunately, even if a health care organization has controls in place, lack of proper documentation can still lead to an audit finding for noncompliance.

Properly identifying risks and then documenting the risks, controls and processes or procedures creates a measurable environment which can be assessed to determine if there are gaps or areas which can be improved.

For example: Joan works at the help desk. Every day, Joan comes into work, logs into the network and checks her email for trouble tickets. She responds to the tickets based on her experience and sends them to the proper group for remediation or repair. Joan repeats this process daily, as does everyone else who works the help desk. Everyone on the help desk is familiar with the process flow and where to send trouble tickets; however, the process for logging in, the groups or persons to be notified, logging tickets and closing out tickets is not documented, and is therefore not truly HIPAA compliant.

In the example above, there are a lot of problems that may not be obvious to an organization. Some of the areas of concern are common and often overlooked. Some of the questions an assessor might ask to help the organization define and fix the identified gaps are listed below:

- What groups are supposed to receive the trouble tickets?
- How does the help desk verify the jobs are closed out?
- What is the data flow for trouble tickets?
- How does an assessor or internal auditor measure the effectiveness of the help desk without documented processes to verify the controls are in place?

The assessor can verify the processes supporting the controls around the help desk are in place by observing the help desk personnel, but how does the assessor provide proof without documented controls and processes or procedures?

At an Office of Civil Rights (OCR) and National Institute of Standards and Technology (NIST) conference, OCR conducted a presentation on the initial results of the HIPAA privacy and security audits. The biggest privacy findings included the lack of policies and procedures. Noncompliance with Administrative Safeguards requirements within the HIPAA Security Rule accounted for 42% of the audit findings, and some of the biggest issues noted involved the absence of risk assessments.

Questions to consider when reviewing documented controls or procedures to understand if they are in place:

- Has a proper risk assessment been completed to determine if areas needing documented controls have those controls in place?
- Do the controls have properly documented processes and procedures in place to monitor controls in the environment?
- Does the control structure have an overarching security or risk policy to ensure all controls have been defined?
- Does the organization understand all of the areas which need to have documentation to mitigate their risk when handling ePHI?
- Does the documentation support the identified areas of risk?

Documentation to Maintain Compliance

Maintaining compliance is a process. Processes need to be recorded in documents. No documents equals no compliance equals increased risk. Good documentation consists of processes, recurring procedures and a set of controls that mitigate identified risks and protect system security and patient information.

[Graphic: No documents, no process, increased risk]

About Solutionary Security Consulting Services

Solutionary Security Consulting Services (SCS) specializes in the delivery of independent security guidance, security controls validation, standards-based compliance, and remediation design and support. SCS consultants engage in recurring, scheduled security and compliance initiatives or short-term, one-time projects, whichever best meets the needs of the organization. SCS Offensive Security Services include technical security testing such as Penetration Testing and Application Security Assessments as well as Physical Security Assessments and Social Engineering Assessments. Governance, Risk and Compliance services include Vendor Risk Management and Risk Methodology as well as services to support compliance with security frameworks and mandates such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), HIPAA/HITECH and others.

Solutionary is a trusted consulting leader in the health care industry with demonstrable understanding of the entire health care value chain. Solutionary is an expert in protecting data while also enabling health care organizations to fulfill their mission to save lives.

SCS Services for Health Care Include:

- HIPAA Assessment (including HITECH and Omnibus)
- HIPAA Readiness Assessment
- HIPAA Compliance Attestation
- Meaningful Use Attestation
- HITRUST Assessment
- HITRUST Assessment Validated Report
- HITRUST Assessment Certified Report
- Yearly Risk Assessment (Non-certification years)
- MyCSF Population Assistance (HITRUST GRC tool)
- Security Practices Third Party Assessments
- Risk Assessment Methodology

About Solutionary

Solutionary, an NTT Group security company (NYSE: NTT), is the next generation managed security service provider (MSSP), focused on delivering managed security services and global threat intelligence. Comprehensive Solutionary security monitoring and security device management services protect traditional and virtual IT infrastructures, cloud environments and mobile data. Solutionary clients are able to optimize current security programs, make informed security decisions, achieve regulatory compliance and reduce costs. The patented, cloud-based ActiveGuard service platform uses multiple detection technologies and advanced analytics to protect against advanced threats. The Solutionary Security Engineering Research Team (SERT) researches the global threat landscape, providing actionable threat intelligence, enhanced threat detection and mitigating controls. Experienced, certified Solutionary security experts act as an extension of clients' internal teams, providing industry-leading client service to global enterprise and mid-market clients in a wide range of industries, including financial services, healthcare, retail and government. Services are delivered 24/7 through multiple state-of-the-art Security Operations Centers (SOCs).

Learn More

To learn more about security consulting services and to meet your compliance needs, contact Solutionary today at SCSManagement@solutionary.com or 866-333-2133. For more information, visit www.solutionary.com.

ActiveGuard US Patent Numbers: 7,168,093; 7,424,743; 6,988,208; 7,370,359; 7,673,049; 7,954,159; 8,261,347. Solutionary, the Solutionary logo, ActiveGuard and the ActiveGuard logo are registered trademarks or service marks of Solutionary, Inc. in the United States. Other marks and brands may be claimed as the property of others. The product plans, specifications, and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2014 Solutionary, Inc.

Solutionary, Inc., 9420 Underwood Avenue, Omaha, NE 68114. 5005WP 02/2014