How to Prepare for HIPAA Audits and Risk Assessments

There is no step-by-step outline.

There are no clear definitions.

No certifications, no being “approved.”

But there is a lot of vague language like “where practical” or “reasonable.”

And you still have to be ready for a risk assessment where the auditor may or may not agree with what you’ve picked as “practical” and “reasonable.”

Did that scare you? (Sorry.)

It doesn’t have to, though.

Because HIPAA is a law and not a framework, security teams are left to fill in the blanks for how to prepare for a HIPAA audit.

Your team needs to be ready to explain why specific controls were, or were not, implemented.

It’s an opportunity to create a set of policies and procedures, backed by testing and verification, that protects patients’ privacy rather than putting it at risk, and that creates a compliant environment.

Weighing the Costs of Non-Compliance

Attackers can target some of the biggest areas of weakness, including:

  • Accessing healthcare systems from personal devices (at home or at work).
  • Implementing new technologies that are improperly configured, secured, or integrated.
  • Failing to implement automated patch management across all healthcare systems.

It’s not just data breaches themselves that are the catalyst.

It can also be:

  • An unsupported copy of Office 2010 still running.
  • Vuze or uTorrent running on a workstation.
  • Third-party software running in non-compliant environments that has access to Protected Health Information (PHI).
  • Full access granted to everyone.
  • Healthcare workers who think it’s “fun” to look at patient records.
  • No documentation.
  • No incident response protocol.
  • Compromised servers (and nobody caring).

Enter the worst offender contributing to risk: the bare minimum.

What is appropriate for your situation? There is no one answer for everyone.

But if you work with a vendor who doesn’t know what HIPAA compliance is, you should find someone who does. Lack of due diligence has a high cost. Ignorance and neglect will not protect you. On the flip side, innocence doesn’t necessarily protect you, either.

We don’t believe in scaremongering (overused in the cyber industry, if you ask us).

But patients need protection. They need you. It’s not fear-mongering—it’s an honor and a responsibility. One that doctors take under oath. It is not a choice.

Preparing for a HIPAA Audit: Making a Living List

HIPAA safeguards Protected Health Information (PHI) and the transfer of healthcare records between providers, reduces healthcare fraud, and standardizes electronic billing and healthcare information.

NIST 800-53 provides a control framework you can use to assess your current situation.

The security controls it describes cover your systems and assets, along with the policies, procedures, and agreements you need to meet for compliance.

You won’t know when an audit is going to happen.

That’s why your vulnerability management plan needs to be developed and implemented before one does.

Is the access to your systems and assets controlled?

Do you have a way to monitor unauthorized connections, devices, and software?

The best way to prepare for an audit is to maintain a living list that evolves as you continually check and verify that compliance is being met.

“I Need Help With HIPAA Compliance.”

HIPAA compliance requires an in-depth understanding of the laws and regulations surrounding it, but it’s also something that can be achieved with the right help.

You need to be able to secure patient records containing PHI so they aren’t readily available to those who don’t need to see them.

Access needs to be monitored and limited.

And the best way to do that is through a continuously maintained security posture.

Real-time visibility and control over your endpoints, networks, and cloud infrastructure protect your organization against cyber threats and against the risk of HIPAA non-compliance.

Syxsense Enterprise centralizes and automates endpoint and vulnerability management, including patching and other remediations, such as configuration changes. As a single cloud-based platform supporting all operating systems and mobile devices, the automation and orchestration engine, Syxsense Cortex, that underpins the platform provides a drag-and-drop UI to easily build workflows or playbooks that simplify your complex environments.

Want to shed the burden of repetitive tasks while keeping PHI safe (and much more)? Your Syxsense Solution Architect is ready to tell you all about it. Schedule a demo today.