QUESTION: We know we are probably behind the curve, but our organization is just beginning to plan for HIPAA's Security requirements. Do you have any suggestions on how to proceed?
ANSWER: According to Phoenix Health Systems' semi-annual HIPAA compliance survey, only 18% of provider organizations are completely compliant with HIPAA's security requirements. Most of us still have a substantial amount of planning and task execution ahead of us. Fortunately for most of us, many of the security requirements are processes we are already using in some way. Now is the time to review each of the security requirements, determine and document your compliance level, and then make an action plan to accomplish compliance by April 2005. The following 10-step plan is offered as a high-level guide to what needs to be accomplished. It should help you get this important project started and completed by the deadline.
- Formally appoint an Information Security Official to lead your organization's HIPAA Security remediation project. Doing this means you have already satisfied one of the security requirements. In an ongoing security program, this responsibility can be shifted to a group of appropriate individuals, but during the remediation effort it should really be led by one person.
- Create a team of stakeholders that can assist in completing the remaining tasks (HIPAA Security Committee). Because security compliance is an organizational (not just IT) goal, be sure to include members of finance, HR, HIM and the clinical departments in your committee.
- Perform a HIPAA evaluation, commonly referred to as a HIPAA Gap Analysis. Take a look at each of the HIPAA standards and document your current compliance level.
- Create an inventory of all systems that maintain ePHI within the organization - and remember, this inventory should not be restricted to only systems managed by your Information Systems department. Any standalone departmental systems or databases that reside on the network should be included in this inventory.
- Perform an evaluation of each system to determine HIPAA compliance. Ask questions such as, "Do these systems have an audit trail?", "Do these systems have a timeout function?", and "Are we managing who has access to these systems and who does not?"
- Begin the process of Risk Analysis to identify all reasonable risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. You can use NIST SP800-30 as a guide; an updated draft version is currently available for download (http://csrc.nist.gov/publications/nistpubs/). You can begin this process by having a brainstorming session to identify all vulnerabilities to the organization. Many organizations are creating mechanisms for employees to report risks and vulnerabilities to the information security officer. External firms can assist you in this effort and offer an objective way to identify risks and vulnerabilities within networks, operating systems, firewalls, administrative controls, and physical controls. After you have identified the vulnerabilities, it is important that you determine the probability that the risk will occur and the impact to the organization. With this information, you can classify vulnerabilities and risks; one example of this might be as Very High, High, Medium, and Low.
- After you have identified the vulnerabilities within the organization, perform Risk Management to determine the actions to take for each risk or vulnerability. The options can include:
  - Mitigate
  - Transfer
  - Watch
  - Accept
- Create an action plan to implement the recommended safeguards.
- Create policies to guide the organization for each of the HIPAA standards. Word to the wise: HIPAA requires that organizations address and document their compliance for each of the 54 standards and implementation features. At this late date, it may be beneficial to purchase templates. Finally, if you purchase policies, you must evaluate them and make sure that they reflect your corporate culture and that you are prepared to follow the policies.
- Implement the recommended safeguards.
If you follow these guidelines, you will be on your way to HIPAA compliance. Remember to document and retain all of your remediation activities for at least six years.
Bill Miaoulis, CISA, CISM, Principal, is also a senior Phoenix project leader responsible for management of enterprise security projects and other HIPAA education, assessment, planning, and remediation engagements.