How to prepare for a HIPAA technical risk assessment or audit
Alex Fields
I have had to help a number of smaller-sized health services clinics with this kind of thing recently, so I figured a place to collect notes on these experiences was in order. Hopefully others will find it valuable; just know that there is no such thing as “HIPAA compliant.” No auditor is going to come back with a stamp of approval: “You’re compliant!” No. You are always expected to be in the process of making things better and tighter, and the bar will be raised as time moves forward.
Still, it pays to have these things gathered in advance. Do not wait for an audit to happen and then scramble to cover your bases. Go through the exercises now (and revisit at least 1-2x/year); it’s worth it, trust me.
My disclaimer: The following checklist is not exhaustive, and I offer no guarantees, explicit or implied. The landscape will evolve over time, so this post could become outdated quickly. For a lot of SMBs and small clinics / offices out there, this is probably still an okay place to start. But it doesn’t necessarily cover everything, and it won’t stop here: even if you took care of everything on this list in advance of your audit, you wouldn’t be “compliant,” and you wouldn’t be bulletproof. Again, there is no such thing.
That having been said, here are some things I know would be/could be included in a HIPAA risk assessment or audit based on my recent experiences, and what you can do to prepare for them:
Computer system security:
- Identify a list of systems & locations where ePHI resides on the network; also take screenshots of the permissions / Access Control Lists (ACLs) for these locations, and corresponding screenshots from Active Directory of the group memberships for each group listed in the ACLs
- Clean up Active Directory: identify, then remove, old user & computer accounts. You can use tools from companies such as ManageEngine to quickly identify these objects, but there are free ways of accomplishing this also. Check out this resource, for example.
- Enforce a strong password policy, and record the policy settings with a screenshot
- Enforce automatic screen lock (e.g. auto-lock screens after 5-10 minutes of inactivity)
- Be sure to have automatic updates enabled for computer systems; take dated screenshots of policy settings or a management console that shows systems are reporting as up-to-date
- Be able to answer whether you are enforcing some form of device encryption for systems with ePHI (and have evidence/screenshots if so).
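The items above mostly ask for dated screenshots. The following PowerShell script is an added example (not from the original post) that produces the same evidence as dated CSV and text exports, which are easier to reproduce on every review cycle: ACLs on each ePHI location with every AD group expanded to its members, inactive user and computer accounts, the domain password policy, the machine inactivity (screen lock) limit, recent patches, and BitLocker status. The share paths, server name, output folder and 90-day threshold are assumptions; it requires the RSAT ActiveDirectory module and an elevated prompt for the BitLocker query.

```powershell
<#
  Added example: gather dated evidence for the "Computer system security" items.
  Placeholders: the ePHI share paths, the evidence folder, and the inactivity threshold.
#>
param(
    # Placeholder UNC paths: the locations you identified as holding ePHI
    [string[]]$EphiPaths   = @('\\FILESRV01\PatientRecords', '\\FILESRV01\Billing'),
    [string]  $EvidenceRoot = 'C:\HIPAA-Evidence',
    [int]     $InactiveDays = 90
)

Import-Module ActiveDirectory -ErrorAction Stop

# One dated folder per run, so each export carries a date just as a screenshot would
$stamp  = Get-Date -Format 'yyyy-MM-dd'
$outDir = Join-Path $EvidenceRoot $stamp
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. ACLs on each ePHI location, with every AD group expanded to its nested members
$aclRows = foreach ($path in $EphiPaths) {
    foreach ($ace in (Get-Acl -Path $path).Access) {
        $id  = $ace.IdentityReference.Value            # e.g. CONTOSO\Clinical-Staff
        $sam = $id.Split('\')[-1]
        $grp = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
        $members = if ($grp) {
            (Get-ADGroupMember -Identity $grp -Recursive |
                Select-Object -ExpandProperty SamAccountName) -join ';'
        } else { '(not a group)' }
        [pscustomobject]@{
            Path         = $path
            Identity     = $id
            Rights       = $ace.FileSystemRights
            Type         = $ace.AccessControlType
            Inherited    = $ace.IsInherited
            GroupMembers = $members
        }
    }
}
$aclRows | Export-Csv (Join-Path $outDir 'ephi-acls.csv') -NoTypeInformation

# 2. Stale accounts: users and computers that have not authenticated in $InactiveDays
$span = New-TimeSpan -Days $InactiveDays
Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
    Select-Object SamAccountName, LastLogonDate, Enabled |
    Export-Csv (Join-Path $outDir 'stale-users.csv') -NoTypeInformation
Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly |
    Select-Object Name, LastLogonDate, Enabled |
    Export-Csv (Join-Path $outDir 'stale-computers.csv') -NoTypeInformation

# 3. Domain password policy, as a record of the settings actually enforced
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, LockoutThreshold, LockoutDuration |
    Out-File (Join-Path $outDir 'password-policy.txt')

# 4. Screen lock on this machine: the "Interactive logon: Machine inactivity limit" policy (seconds)
$lock = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
            -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
"InactivityTimeoutSecs = $($lock.InactivityTimeoutSecs)  (blank means the policy is not set)" |
    Out-File (Join-Path $outDir 'screen-lock.txt')

# 5. Patch state and device encryption on this machine
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, InstalledOn |
    Export-Csv (Join-Path $outDir 'recent-hotfixes.csv') -NoTypeInformation
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage |
    Export-Csv (Join-Path $outDir 'bitlocker.csv') -NoTypeInformation

Write-Host "Evidence written to $outDir"
```

Run it from a domain-joined admin workstation; steps 4 and 5 describe only the machine it runs on, so for a fleet you would run those two against each workstation (or take them from your management console, as the list suggests) and keep the output alongside the screenshots.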
Firewall & antivirus software:
- If you have a firewall (you should), take dated screenshots of the following settings: Intrusion Prevention (IPS), Antivirus/Malware filtering, and active subscription status for updates to these security services
- Same for antivirus/antimalware software: include dated screenshots from any management consoles
- Be able to answer & provide evidence as to whether you have a separate guest network for Wi-Fi. Are your guests on the same network as the staff Wi-Fi, even if they connect to a different SSID? You want to avoid this.
- Be able to show evidence of how Wi-Fi is configured, and what type of encryption is being used (WPA2, AES, etc.)
- Do you know when the Wi-Fi keys were last changed for staff & guests? Also do you know if there have been any terminations since the last time these keys were changed? Keep records of these events (keys should be changed regularly, especially when employees leave)
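For the endpoint side of this section, here is an added example (not from the original post) that records the local Windows Firewall profiles, Microsoft Defender status and signature age, and the authentication and cipher of the connected Wi-Fi network into a dated text file. It can also verify the guest-network point above: run with `-OnGuestNetwork` from a laptop joined to the guest SSID, and the ePHI file server should be unreachable on SMB; if the connection succeeds, guests are on the staff network regardless of the SSID. The server name, output folder and the `-OnGuestNetwork` switch are assumptions; the cmdlets are built into Windows 8 / Server 2012 and later.

```powershell
<#
  Added example: record firewall, Defender and Wi-Fi posture, and optionally
  check guest-network segmentation. Placeholders: the ePHI server name and folder.
#>
param(
    [string]$EphiServer   = 'FILESRV01',        # placeholder: the server that holds ePHI
    [string]$EvidenceRoot = 'C:\HIPAA-Evidence',
    [switch]$OnGuestNetwork                     # set when running from a guest-Wi-Fi client
)

$stamp   = Get-Date -Format 'yyyy-MM-dd_HHmm'
$outFile = Join-Path $EvidenceRoot "endpoint-posture-$stamp.txt"
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null

$report = New-Object System.Collections.Generic.List[string]
$report.Add("Host: $env:COMPUTERNAME   Collected: $(Get-Date -Format o)")

# Windows Firewall: every profile should be enabled with inbound blocked by default
$report.Add("`n== Windows Firewall profiles ==")
foreach ($p in Get-NetFirewallProfile) {
    $report.Add(("{0,-8} Enabled={1,-5} DefaultInbound={2}" -f $p.Name, $p.Enabled, $p.DefaultInboundAction))
    if (-not $p.Enabled) { $report.Add("WARNING: firewall profile $($p.Name) is disabled") }
}

# Microsoft Defender: real-time protection on and signatures updated recently
$mp     = Get-MpComputerStatus
$sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
$report.Add("`n== Microsoft Defender ==")
$report.Add("AntivirusEnabled=$($mp.AntivirusEnabled) RealTimeProtection=$($mp.RealTimeProtectionEnabled)")
$report.Add("SignatureVersion=$($mp.AntivirusSignatureVersion) SignatureAgeDays=$([int]$sigAge.TotalDays)")
if ($sigAge.TotalDays -gt 3) { $report.Add("WARNING: signatures are more than 3 days old") }

# Wi-Fi: authentication and cipher of the connected network as seen by this client
$report.Add("`n== Wi-Fi (netsh wlan show interfaces) ==")
$wlan = netsh wlan show interfaces
foreach ($field in 'SSID', 'Authentication', 'Cipher') {
    $line = $wlan | Where-Object { $_ -match "^\s*$field\s*:" } | Select-Object -First 1
    if ($line) { $report.Add($line.Trim()) }
}
if ($wlan -match 'Authentication\s*:\s*(Open|WEP|WPA-Personal)') {
    $report.Add("WARNING: open, WEP or WPA1 Wi-Fi in use; WPA2 with AES (CCMP) or better is expected")
}

# Guest network separation: from a guest-Wi-Fi client the ePHI server's SMB port should be
# unreachable; a successful connection means guests share the staff LAN despite a separate SSID
if ($OnGuestNetwork) {
    $report.Add("`n== Guest-network segmentation check ==")
    $t = Test-NetConnection -ComputerName $EphiServer -Port 445 -WarningAction SilentlyContinue
    $report.Add("SMB to $EphiServer reachable from guest network: $($t.TcpTestSucceeded)")
    if ($t.TcpTestSucceeded) { $report.Add("WARNING: guest network can reach the ePHI server") }
}

$report | Out-File $outFile
Write-Host "Posture recorded in $outFile"
```

The Wi-Fi section only reflects what the client negotiated, so it complements rather than replaces a screenshot of the access point configuration; the value of the dated file is that you can show the same check repeated after each key rotation.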
Policy & procedure / documentation:
- Make sure you have an active and up-to-date employee list, and a list of the users (including vendors) who should have access to ePHI (electronic Protected Health Information). Also include a list of authorized privileged access (such as Administrator) that would have access to ePHI.
- Update & print out any company policies such as Acceptable Use, Data Access & Authorization, New hire/onboarding procedures, Termination/off-boarding procedures and so forth
- If you have any hosted data, such as Office 365, any online Electronic Health Record (EHR) system, or even online backups: be sure that you can find or produce a Business Associate Agreement (BAA) for each of these vendors. Microsoft makes one available for download here.
- Find & schedule a training for users on how to avoid becoming the victim of technology attacks and social engineering; do this annually.
- Review and document your premises-based / physical security controls. For example, take pictures of locked doors, key card access, video monitoring, etc. Take photographs of network equipment closets / server rooms, and be able to show/explain how access to these places is restricted or permitted.
- Take photos of any public areas, and show evidence of protective measures such as “screen filters” on computer screens that might be publicly visible (like in a lobby or front desk / waiting area).
- Also be able to identify, list and explain all the fax machines, multi-function and/or shared printers that are in use. Have pictures of these as well.
- If you have old or retired systems on-premises, or external storage devices such as tapes or USB devices, photograph and document how they are stored, what they are for and whether/how they are used. It is better if these are not being kept around or used / permitted.
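The first item in this section (an up-to-date list of who should have access to ePHI, and who holds privileged access) is only useful if it matches what Active Directory actually grants. The following is an added example (not from the original post) that reconciles a documented authorized-access CSV against the real members of the ePHI access group and of Domain Admins, resolving nested groups so indirect membership is counted, and writes every discrepancy to a dated CSV. The CSV layout (`SamAccountName,Role` with Role `ePHI` or `Admin`), the group name `Clinical-Staff` and the file paths are assumptions; adjust them to your own documentation.

```powershell
<#
  Added example: reconcile the documented authorized-access list with AD group membership.
  Assumed CSV columns: SamAccountName,Role   (Role = 'ePHI' or 'Admin')
  Placeholders: the CSV path, the ePHI access group name, the evidence folder.
#>
param(
    [string]$AuthorizedCsv = 'C:\HIPAA-Evidence\authorized-access.csv',
    [string]$EphiGroup     = 'Clinical-Staff',      # assumed AD group that grants ePHI access
    [string]$AdminGroup    = 'Domain Admins',
    [string]$EvidenceRoot  = 'C:\HIPAA-Evidence'
)
Import-Module ActiveDirectory -ErrorAction Stop

function Compare-GroupAccess {
    param([string]$Group, [string[]]$ApprovedSams)
    $ApprovedSams = @($ApprovedSams | Where-Object { $_ })   # drop blanks from an empty column

    # Actual user members, resolved through nested groups so indirect access is counted too
    $actual = @(Get-ADGroupMember -Identity $Group -Recursive |
                Where-Object objectClass -eq 'user' |
                Select-Object -ExpandProperty SamAccountName)

    # -notin is case-insensitive, matching how AD treats SamAccountName
    foreach ($sam in $actual) {
        if ($sam -notin $ApprovedSams) {
            [pscustomobject]@{ Group = $Group; Account = $sam
                               Finding = 'In AD group but NOT on authorized list' }
        }
    }
    foreach ($sam in $ApprovedSams) {
        if ($sam -notin $actual) {
            [pscustomobject]@{ Group = $Group; Account = $sam
                               Finding = 'On authorized list but NOT in AD group' }
        }
    }
    # Accounts still in the group but disabled: harmless, yet they belong in the clean-up list
    foreach ($sam in $actual) {
        $u = Get-ADUser -Identity $sam -Properties Enabled
        if (-not $u.Enabled) {
            [pscustomobject]@{ Group = $Group; Account = $sam
                               Finding = 'Disabled account still a group member' }
        }
    }
}

$authorized    = Import-Csv $AuthorizedCsv
$ephiApproved  = $authorized | Where-Object Role -eq 'ePHI'  | Select-Object -ExpandProperty SamAccountName
$adminApproved = $authorized | Where-Object Role -eq 'Admin' | Select-Object -ExpandProperty SamAccountName

$findings = @(Compare-GroupAccess -Group $EphiGroup  -ApprovedSams @($ephiApproved)) +
            @(Compare-GroupAccess -Group $AdminGroup -ApprovedSams @($adminApproved))

$stamp = Get-Date -Format 'yyyy-MM-dd'
New-Item -ItemType Directory -Path $EvidenceRoot -Force | Out-Null
$out = Join-Path $EvidenceRoot "access-reconciliation-$stamp.csv"
if ($findings.Count -gt 0) {
    $findings | Export-Csv $out -NoTypeInformation
} else {
    'No discrepancies between the authorized list and AD group membership' | Out-File $out
}
Write-Host ("{0} discrepancies written to {1}" -f $findings.Count, $out)
```

Each finding is a to-do item of exactly the kind the post describes: an account in the group that is not on the list usually means a termination or role change that was never reflected in AD, and a name on the list that is not in the group means the documentation is stale. Keeping the dated reconciliation files shows an auditor that the review happens on a schedule, not just once.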
These are the kinds of things an auditor will likely be looking for, and again this list is not exhaustive. But I’m telling you: it does help to have this stuff gathered in advance. If you can’t answer for every item here, or you can’t give the “right” answer at this time (oh crap, we’re not doing this!), no worries. That just becomes a “to-do” item for you. An auditor likes to see that you are aware of your gaps and are actively working on closing them. You don’t have to be perfect (there is no such thing anyway); you just have to be in process.