In the midst of the scramble to comply with the NPI rule and the adoption of expanded electronic health information exchange, security is sometimes overlooked. I would say that overlooking security is done at the peril of the organization. Not only are there specific regulations regarding security with penalties for violation (especially in the healthcare industry), there are also significant liability issues, risk to reputation and similar consequences lying in wait for the unwary or unprepared.
In my experience, there are five general areas that are often overlooked or do not receive sufficient attention in many organizations when it comes to security. When I conduct a privacy and security audit of an organization, no matter its size, I generally find issues in the areas of policies and procedures, disaster recovery plans, audit programs, risk assessments and training. All of these are important components of any security program, and all are HIPAA security rule requirements. In this blog, I will touch on the deficiencies, as I see them from an auditor's perspective, in the areas of policies and procedures and disaster recovery plans. Look for more information about the other areas I mentioned in future blogs.
Now that the US Department of Health and Human Services (HHS) Office of the Inspector General (OIG) has conducted its first HIPAA security audit not tied to a filed complaint, and with OIG's announcement that such audits will continue nationally, it is probably a very good time to evaluate whether, if an auditor shows up on your doorstep, you are prepared to demonstrate that you are not only complying with federal regulations but have also implemented a sound security program.
One of the key things to remember about auditors is that they love documentation. More often than not, the quality and completeness of the documentation you provide the auditor up front will have a direct bearing on how long they stick around. You may be doing all the right things, but if you haven't documented them through policy, procedure and process descriptions (such as how your audit program works), the auditor will likely do more digging, because you have failed to demonstrate compliance, due diligence and the fact that you do have a sound security program.
Getting into specifics, I mentioned five areas where organizations, large and small, are generally deficient. The first is policies and procedures. I have audited a number of organizations that are appropriately managing security risk but have failed to document the related policies and procedures; are still operating from draft policies that have never been officially adopted by the organization; do not have a complete set of policies and procedures; have not regularly reviewed their policies and procedures to determine whether they need updating; and/or have implemented policies that are not understandable or are unenforceable. In addition, even where policies and procedures exist, if they have not been communicated to the workforce (and this relates to training), it is difficult to credibly state that the workforce knows what is required of them and that the policies are enforced.
Another area of deficiency is the development, implementation and management of disaster recovery plans (which relate closely to emergency mode operations plans). A number of organizations have either not developed a disaster recovery plan at all or have only a draft version that has yet to be adopted, let alone disseminated and tested. Other organizations have developed beautiful disaster recovery plans with one problem: they are very much technology infrastructure centric. It is appropriate to document how the technical infrastructure will be recovered. It is equally or more important to also address the business side of the organization. As an example, if the US (or a particular area of the country) experiences a pandemic, the problem is not getting the computers running. The problem is having no staff, or insufficient staff, to perform the functions of the business.
Of those organizations that have adopted disaster recovery plans, a number have failed to develop the associated emergency mode operations plan, which describes how you plan to carry out your mission critical business functions while systems and processes are being recovered. When the disaster hits is not the time to try to figure out how to perform those mission critical functions. Disaster recovery plans can also quickly become out of date as staff move around and contact information changes. I have noted issues with outdated disaster recovery plans, and issues with testing or the lack thereof.
The bottom line is that security needs to be alive and well within your organization. This generally starts with appropriate documentation but does not end there. Policies, procedures, disaster recovery plans and the like need to be regularly reviewed for accuracy and to determine whether changes are needed; need to address the whole business and all of what are considered appropriate security requirements (which may go beyond HIPAA security rule requirements); and need to be communicated to the workforce, trading partners, business associates and others.
More often than not, you will not see a direct ROI from sound security. On the other hand, if you are a business, you pay for liability insurance. If you are a doctor, you pay for malpractice insurance. If you are a CPA, you pay for errors and omissions insurance. Sound security can be likened to an insurance policy. It does have a price tag, but not having it can be considerably more expensive and, in some cases, has resulted in businesses closing their doors due to liability costs, adverse headlines, loss of business due to loss of customer trust and onerous regulatory mandates (such as what can occur with the Federal Trade Commission (FTC): stiff fines and a mandate that the business report to the FTC regarding its security program for 20 years). My thoughts for the week. Good luck out there!
Chris Apgar, CISSP
President
Apgar & Associates, LLC
10730 SW 62nd Place
Portland, OR 97219
503.977.9432
Copyright © 2007 Apgar & Associates, LLC. All rights reserved.