12th National HIPAA Summit – Managing a Data Security Audit Program, Session 2.05, 1:15 PM. Chris Apgar, CISSP, Apgar & Associates, LLC.


Overview
- HIPAA Data Security Requirements
- Determining Audit Needs
- Developing an Effective Audit Program
- Developing a Plan for Implementation
- Implementing Your Audit Program
- An Audit within an Audit (Specific Versus General Audits)
- The Need for a Solid Foundation

Introduction
- The presentation follows the Data Security Audit Chapter handout
- "Privacy" can be substituted for "data security" throughout
- Adaptable to small, medium and large organizations
- Meets the HIPAA security audit requirement
- Cost in dollars and resources depends on the size and complexity of the organization

HIPAA Security Requirements
- The Security Rule requires covered entities, at a minimum, to conduct periodic internal audits (the rule's periodic technical and non-technical evaluation standard)
- An external review or audit is often advisable, although the rule does not require one; whether to commission one is generally determined by the size of the organization, its line of business and, sometimes, contract requirements (e.g., Medicare, Medicaid)
- The purpose of the audit is to determine whether the organization has properly documented its data security practices, policies and procedures and meets the requirements of the rule
- The internal audit defines the process by which an organization determines its own compliance

HIPAA Security Requirements
- The rule also describes what must be maintained to support such an audit
- The Security Rule requires covered entities to implement audit controls: hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI
- Audit controls are a required (not addressable) technical safeguard in the final HIPAA Security Rule
- Remember that, while HIPAA mandates audit-related activity, data security auditing, like financial auditing, is simply sound business practice
- Organizations must heed regulatory requirements, but those requirements need to be viewed in the context of the organization's culture and business needs; taken out of that context, whether too lightly or too seriously, they adversely affect the organization
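The "examine" half of the audit-controls requirement is where many programs fall short: logs are collected and nobody reviews them. The following is an added example written for this page, not code from the presentation or the handout. It reviews a constructed, pipe-delimited application audit log (timestamp|user|action|patient_id|result, a hypothetical format; real EHR audit logs differ, and the parser is the part you adapt) for three anomalies an auditor typically asks about: ePHI access outside business hours, one user touching an unusually large number of distinct patients in a day, and repeated failed logins. The business-hours window and both thresholds are assumptions, set low so the sample data trips them.

```python
# Added example (not from the presentation): review an ePHI access audit log
# for anomalies an auditor would ask about. Log format, sample data and
# thresholds are assumptions made for this illustration.
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 is normal working time
MAX_PATIENTS_PER_DAY = 3        # assumption: set low so the sample data trips it
MAX_AUTH_FAILURES = 3           # assumption

# Constructed sample log, hypothetical format: timestamp|user|action|patient|result
SAMPLE_LOG = """
2007-03-05T08:55:02|jdoe|LOGIN|-|OK
2007-03-05T09:12:04|jdoe|VIEW|P1001|OK
2007-03-05T09:13:44|jdoe|VIEW|P1002|OK
2007-03-05T02:41:10|nightops|VIEW|P2001|OK
2007-03-05T14:02:00|msmith|VIEW|P1001|OK
2007-03-05T14:02:30|msmith|VIEW|P1003|OK
2007-03-05T14:03:10|msmith|VIEW|P1004|OK
2007-03-05T14:03:55|msmith|EXPORT|P1005|OK
2007-03-05T20:30:00|jdoe|EXPORT|P1002|OK
2007-03-05T11:00:01|rblack|LOGIN|-|FAIL
2007-03-05T11:00:09|rblack|LOGIN|-|FAIL
2007-03-05T11:00:21|rblack|LOGIN|-|FAIL
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    action: str     # LOGIN, VIEW, UPDATE, EXPORT, ...
    patient: str    # patient identifier, or "-" when the event has none
    result: str     # OK or FAIL


def parse_log(text):
    """Parse the pipe-delimited log into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, result = line.strip().split("|")
        events.append(Event(datetime.fromisoformat(ts), user, action, patient, result))
    return events


def review(events):
    """Return (check, user, detail) findings for the three anomaly checks."""
    findings = []
    patients_per_user_day = defaultdict(set)
    login_failures = Counter()

    for ev in events:
        touches_phi = ev.result == "OK" and ev.patient != "-"
        # 1. successful ePHI access outside the business-hours window
        if touches_phi and ev.when.hour not in BUSINESS_HOURS:
            findings.append(("after_hours_access", ev.user,
                             f"{ev.action} {ev.patient} at {ev.when.isoformat()}"))
        # 2. accumulate distinct patients per user per calendar day
        if touches_phi:
            patients_per_user_day[(ev.user, ev.when.date())].add(ev.patient)
        # 3. count failed authentication attempts per user
        if ev.action == "LOGIN" and ev.result == "FAIL":
            login_failures[ev.user] += 1

    for (user, day), patients in patients_per_user_day.items():
        if len(patients) > MAX_PATIENTS_PER_DAY:
            findings.append(("high_volume_access", user,
                             f"{len(patients)} distinct patients on {day}"))
    for user, count in login_failures.items():
        if count >= MAX_AUTH_FAILURES:
            findings.append(("repeated_auth_failure", user, f"{count} failed logins"))
    return findings


if __name__ == "__main__":
    for check, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{check:24} {user:10} {detail}")
```

In practice the thresholds come from a baseline of normal activity per role rather than fixed constants, and the review run itself should be logged, because the auditor's reads of the audit trail are also activity on a system that holds ePHI. Whatever runs this must read a copy of the log that the audited users cannot alter, or the control examines only what they chose to leave behind.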

Determine Audit Needs
- Conduct a risk assessment (see pages 7 and 8 of the Data Security Audit Chapter for a sample form)
- Determine which business activities involve PHI or other proprietary information
- Assess audit capabilities (audit logs, paper trails, etc.)
- Assess the size and complexity of the organization
- Assess legal and business requirements

Developing an Effective Audit Program
- Evaluate the risk assessment results
- Form a project team to evaluate the data gathered and develop an organized plan with a regular schedule for conducting audits
- Define what you are looking for, evaluate activity against policies and procedures, and evaluate the technical infrastructure (see pages 10 through 13 of the Data Security Audit Chapter)
- Develop standard audit reporting documentation

Developing an Effective Audit Program
- Evaluate business processes in addition to applications, data storage and transmission
- Evaluate teleworkers and remote users; they represent added risk and an additional area to audit
- Develop an audit handbook defining what will be examined (e.g., data, applications, remote users)

Developing an Effective Audit Program
- Designate an auditor or audit team, preferably outside the information technology (IT) department so that the group operating the systems is not the group auditing them
- Work with the business to assess whether the audit program is thorough enough and does not interfere with business processes
- Define the audit schedule and what will be done with the results

Developing an Effective Audit Program
- An audit program is only as good as the actions taken on its findings (e.g., implementing new security practices, modifying policies and procedures, conducting staff training)
- Accommodate legacy systems and applications for which vendors have not provided adequate audit trails
- Validate the complete audit program against external resources: trade journals, NIST publications and other organizations in the same line of business of similar size and complexity

Developing Implementation Plan
- Complete the risk assessment and gap analysis
- Review existing industry standards and develop or amend existing processes and policies to support sound data security practices
- Review existing industry-specific audit criteria and determine the appropriate criteria for your organization
- Develop related training programs (general and targeted) and a training schedule; this should not be a one-time event
- Implement the training programs, including communication of the established audit criteria

Developing Implementation Plan
- Develop an audit schedule or schedules (there may be a need to conduct a general audit annually but targeted audits at more frequent intervals)
- Develop documentation identifying the relative weights of the audit criteria (e.g., a finding that the organization's web site is vulnerable to penetration outweighs a password problem on one device that stores no sensitive information)
- Develop templates for communicating audit findings and suggested solutions to the problems identified through the audit process
- Develop a process for findings follow-up (e.g., following through with responsible management, tracking findings and implemented solutions)

Developing Implementation Plan
- Communicate the audit schedule to affected management and staff
- Implement a structured audit program
- Conduct audits according to the established schedule and communicate findings in the established fashion
- Schedule a review of the audit process after a complete cycle to evaluate the effectiveness of the audit program

Developing Implementation Plan
- Senior management involvement is critical
- Legal and compliance buy-in is needed
- The presentation to senior management should include program documentation, an overview of legal and regulatory requirements, cost (financial and human resources) and ROI (here ROI is more a matter of selling the program as an insurance policy)
- Staff buy-in is required; the program is not designed to "look over your shoulder"

Implementing Your Audit Program
- Make sure training is complete (staff, IS staff assigned to gather data, and the auditor or audit team)
- Expect the audit program to need flexibility at the beginning and as the business changes
- React to audit findings in a timely manner
- Make sure sanction policies are up to date so that security violations traced to a workforce member's actions or inactions can be addressed

Implementing Your Audit Program
- Create an atmosphere in which the audit program is seen as a benefit rather than a method of penalizing workforce members
- Adhere to the established processes and evaluate them
- Clearly define the retention period for audit findings (keep at least the summary reports for six years, in line with the Security Rule's documentation retention requirement)
- Incorporate regular risk assessments into the audit process

Implementing Your Audit Program
- Advantages and disadvantages of internal audit staff
- Advantages and disadvantages of external audit staff
- Importance of continuous training
- Advantages of a CISA-certified internal auditor

Audit Program Requirements
- Program management responsibility
- Audit criteria review and revision schedule
- Refresher and new-employee training process
- Audit process (the detailed procedures) review and revision schedule
- Audit finding follow-up and escalation process
- Individual or day-to-day mini-audit processes and their management
- Regulatory/accreditation compliance requirements and continuous review process

An Audit Within an Audit
- See pages 27 through 29 in the Data Security Audit Chapter
- Specialized audits versus general audits
- Mini audits (auditing hardware, software, databases, etc.) versus conducting a general audit program
- Information from the mini audits needs to be supplied to the auditor or audit team

An Audit Within an Audit
- Examples:
  - Firewall audit
  - Web site security audit (especially secure web sites open to the public, patients or health plan members)
  - Operating system audits
  - Application-specific audits
  - Wireless network security audit
  - Remote user access audit
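To make the first of these mini audits concrete, here is an added example written for this page (not code from the presentation or from any vendor tool) of a rule-level firewall audit. It parses a constructed, hypothetical comma-separated ruleset, assumes a single ePHI network segment (10.20.0.0/24, an assumption), and evaluates the rules in first-match order for four conditions an auditor otherwise checks by hand: permits that allow any source to any destination, permits from any source into the ePHI segment, cleartext protocols permitted into the ePHI segment, and rules shadowed by an earlier rule (a deny that never fires because a permit above it already matches the same traffic). It also checks that the list ends in an explicit default deny.

```python
# Added example (not from the presentation): a rule-level firewall audit, one
# of the "mini audits" listed on the slide. The rule syntax, the ePHI segment
# and the sample ruleset are constructed for this illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
EPHI_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]   # assumption: EHR database segment
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}

# Constructed ruleset, hypothetical format: name, action, src, dst, proto, dport
SAMPLE_RULES = """
# name,              action, src,           dst,            proto, dport
allow-web-https,     permit, any,           10.10.0.5/32,   tcp,   443
allow-db-from-app,   permit, 10.10.0.0/24,  10.20.0.0/24,   tcp,   1433
allow-legacy-telnet, permit, 10.30.0.0/24,  10.20.0.15/32,  tcp,   23
deny-legacy-telnet,  deny,   10.30.0.0/24,  10.20.0.15/32,  tcp,   23
allow-vendor-any,    permit, any,           10.20.0.0/24,   any,   any
allow-all,           permit, any,           any,            any,   any
"""


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # permit or deny
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # tcp, udp or any
    dport: Optional[int]         # None means any port


def _net(field):
    return ANY if field == "any" else ipaddress.ip_network(field, strict=False)


def parse_rules(text):
    """Parse the comma-separated ruleset, skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, action, src, dst, proto, dport = [f.strip() for f in line.split(",")]
        rules.append(Rule(name, action.lower(), _net(src), _net(dst), proto.lower(),
                          None if dport == "any" else int(dport)))
    return rules


def covers(a, b):
    """True if rule a matches every packet rule b matches, so b is dead if a precedes it."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.proto in ("any", b.proto)
            and a.dport in (None, b.dport))


def touches_ephi(net):
    return any(net.overlaps(e) for e in EPHI_NETWORKS)


def audit(rules):
    """Return (rule_name, finding) pairs, evaluating rules in first-match order."""
    findings = []
    for i, rule in enumerate(rules):
        # a rule fully covered by an earlier one never fires; a dead deny is the dangerous case
        shadow = next((e for e in rules[:i] if covers(e, rule)), None)
        if shadow is not None:
            findings.append((rule.name, f"shadowed_by_{shadow.name}"))
        if rule.action != "permit":
            continue
        if rule.src == ANY and rule.dst == ANY and rule.dport is None:
            findings.append((rule.name, "any_any_permit"))
            continue
        if touches_ephi(rule.dst) and rule.src == ANY:
            findings.append((rule.name, "untrusted_source_to_ephi"))
        if touches_ephi(rule.dst) and rule.dport in CLEARTEXT_PORTS:
            findings.append((rule.name, f"cleartext_{CLEARTEXT_PORTS[rule.dport]}_to_ephi"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == ANY and last.dst == ANY
            and last.proto == "any" and last.dport is None):
        findings.append(("<end>", "no_explicit_default_deny"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_rules(SAMPLE_RULES)):
        print(f"{name:20} {finding}")
```

The shadowing check is the one most worth automating: it is tedious by hand, and a shadowed deny looks like a control on paper while providing none. Feed the parser an export of the running configuration from the device itself, not the change request or the design document, since auditing the intended rules instead of the deployed ones is a common way for a mini audit to miss the finding it exists to catch.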

References
- Data Security Audit Chapter (handout)
- NIST
- WEDI
- ISACA (CISA certification)
- SecurityMetrics (third-party auditors)
- Green Pages (third-party audit)
- ISO 17799 Security Audit Tool (praxiom.com)
- CyberGuard
- ISACA San Francisco Generic Audit Manual
- Medical University of South Carolina Security & Audit Policies

Q&A
Chris Apgar, CISSP, President, Apgar & Associates, LLC, SW 62nd Place, Portland, OR