TRENDING:

HIPAA Audit Prep and Breach Prevention

Attorney Points to Government Report for Insights Howard Anderson (ismg_editor) • January 6, 2012     15 Minutes   
One good way to prepare for a HIPAA compliance audit is to read a recent government report that identified vulnerabilities that could lead to breaches, says attorney Timothy McCrystal.

Last year's report from the Department of Health and Human Services' Office of the Inspector General focused on technical vulnerabilities identified in seven audits, McCrystal, a HIPAA compliance expert, explains. These included: vulnerabilities related to wireless access, access control, audit control, integrity control, person or entity authentication and transmission security.

In an interview with HealthcareInfoSecurity, McCrystal reviews the details of the OIG report, written to call attention to a lack of HIPAA enforcement. The report, for example, found that some hospitals had not updated anti-virus software and had audit logging functions disabled.

"We are suggesting to our clients that they understand this report and develop a potential work plan and self-audit mechanism to go through their own operations in light of the findings within the report to see where they may have vulnerabilities," he says.

The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, plans to conduct about 150 HIPAA compliance audits in 2012 (see: HIPAA Audits Move Forward).

In the interview, McCrystal also:

  • Notes that the HHS Office for Civil Rights has stressed in resolution agreements following breaches and other HIPAA violations that staff training is essential. "I have participated in discussions with OCR on a resolution agreement, and a particular point of focus was that the organization not just have policies and procedures ... but that employees and others had been trained on them, understood them and were actually implementing them in their day-to-day responsibilities."
  • Offers advice on preventing breaches, emphasizing the need for an updated risk assessment and the use of encryption to protect data;
  • Outlines breach notification preparation steps, including creating a team to investigate incidents;
  • Provides advice on working with business associates to prevent breaches. He provides a long list of questions to ask vendors before entering a contract.

    • McCrystal is a partner in the healthcare group of the law firm Ropes & Gray. He works with healthcare clients on wide variety of regulatory issues, including HIPAA privacy and security rule compliance.

    Previous
    HIPAA Audits: A Guidance Source
    Next
    Privacy Laws: 'Find the Commonalities'



    Around the Network

    Is It Generative AI's Fault, or Do We Blame Human Beings?
    Is It Generative AI's Fault, or Do We Blame Human Beings?
    Protecting Medical Devices Against Future Cyberthreats
    Protecting Medical Devices Against Future Cyberthreats
    Evolving Threats Facing Robotic and Other Medical Gear
    Evolving Threats Facing Robotic and Other Medical Gear
    Transforming a Cyber Program in the Aftermath of an Attack
    Transforming a Cyber Program in the Aftermath of an Attack
    How 'Security by Default' Boosts Health Sector Cybersecurity
    How 'Security by Default' Boosts Health Sector Cybersecurity
    Medical Device Cyberthreat Modeling: Top Considerations
    Medical Device Cyberthreat Modeling: Top Considerations
    How the NIST CSF 2.0 Can Help Healthcare Sector Firms
    How the NIST CSF 2.0 Can Help Healthcare Sector Firms
    Safeguarding Critical OT and IoT Gear Used in Healthcare
    Safeguarding Critical OT and IoT Gear Used in Healthcare
    Identity Security and How to Reduce Risk During M&A
    Identity Security and How to Reduce Risk During M&A
    Properly Vetting AI Before It's Deployed in Healthcare
    Properly Vetting AI Before It's Deployed in Healthcare

    Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.