Relieving The Pain After A HIPAA Compliance Audit
It’s just a little HIPAA Compliance Audit. How bad could the process be, right?
Fast forward to the moment just after a third-party auditor has finished with your environment and dropped a thick stack of findings on your conference room table. We’re not talking a dozen findings, or even a few hundred. We’re talking tens of thousands of findings.
Your initial thought is probably along the lines of, “We’re never going to get through all of this. How are we going to do this? What do we even attack first on this list?”
As you page through thousands upon thousands of findings, you notice something peculiar: yes, each finding carries a security severity rating from low to high, but there’s no sense of business prioritization and no strategic perspective on which ones actually matter to your organization.
Without that context about how each finding relates to your infrastructure, it can be daunting to know exactly how to proceed after a HIPAA Compliance Audit.
Is That Fix A Major Priority Or A Minor One?
Where do we start to make sense of it all? A good place to begin is by truly quantifying whether or not a problem should be at the top of the priority list based on your resources and goals.
Let’s say one finding from a HIPAA Compliance Audit is a known, exploitable vulnerability on a database that holds your customers’ credit card information. If that database is Internet-accessible, that’s a very big problem. However, if the same finding occurs on a development database that holds only de-identified data and sits behind multiple layers of defense in depth, the risk to that data is very different, isn’t it?
No doubt it’s still an issue to be addressed but the urgency in relation to the other findings is very different depending on the circumstances.
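To make that prioritization concrete, here is an added example (not Silent IT’s tooling, and not code from the original post) that scores each finding by the auditor’s severity together with the context the report leaves out: how exposed the asset is, how sensitive the data on it is, and how many compensating layers of defense in depth sit in front of it. The weights, bucket thresholds, finding IDs and sample findings are all assumptions constructed for illustration.

```python
"""Context-aware ranking of audit findings.

Added example, not Silent IT's tooling. Each finding carries the auditor's
severity plus the context an audit report usually lacks: where the asset
sits, what data it holds, and how many compensating layers stand in front
of it. The weights and thresholds below are illustrative assumptions.
"""
from dataclasses import dataclass

# Assumed weights: the auditor's rating, how reachable the asset is, and
# how much the data on it is worth to an attacker (and to a regulator).
SEVERITY = {"low": 1.0, "medium": 2.0, "high": 4.0}
EXPOSURE = {"internet": 4.0, "internal": 2.0, "isolated": 1.0}
DATA_SENSITIVITY = {"phi": 4.0, "pci": 4.0, "internal": 2.0, "deidentified": 1.0}


@dataclass(frozen=True)
class Finding:
    finding_id: str                 # hypothetical IDs, not from any real report
    title: str
    severity: str                   # as rated by the auditor
    asset: str
    exposure: str                   # internet / internal / isolated
    data_class: str                 # phi / pci / internal / deidentified
    compensating_controls: int = 0  # e.g. segmentation, WAF, MFA in front


def priority_score(f: Finding) -> float:
    """Severity scaled by exposure and data value, discounted per compensating layer."""
    base = SEVERITY[f.severity] * EXPOSURE[f.exposure] * DATA_SENSITIVITY[f.data_class]
    # Each layer of defense in depth halves the effective score. The floor of
    # 1.0 keeps every finding on the list: still an issue, just less urgent.
    return max(base / (2 ** f.compensating_controls), 1.0)


def bucket(score: float) -> str:
    """Translate a score into the question the business actually asks: when?"""
    if score >= 32:
        return "now"
    if score >= 8:
        return "next"
    return "later"


def rank(findings):
    """Return (id, asset, score, bucket) tuples, highest priority first."""
    scored = sorted(findings, key=priority_score, reverse=True)
    return [(f.finding_id, f.asset, priority_score(f), bucket(priority_score(f)))
            for f in scored]


# Constructed sample: the same exploitable database flaw reported twice,
# once on an Internet-facing production host and once on a dev box behind
# three layers of defense in depth holding only de-identified data.
SAMPLE_FINDINGS = [
    Finding("F-001", "Exploitable DB flaw", "high", "prod-cardholder-db", "internet", "pci"),
    Finding("F-002", "Exploitable DB flaw", "high", "dev-db-01", "internal", "deidentified", 3),
    Finding("F-003", "Missing logon/logoff auditing", "medium", "ehr-app-server", "internal", "phi", 1),
    Finding("F-004", "Outdated TLS config", "low", "lab-jumpbox", "isolated", "deidentified"),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_FINDINGS):
        print(row)
```

Run as-is, the two copies of the identical "high" finding land in different buckets: the Internet-facing cardholder database scores 64 and is "now", while the de-identified dev database behind three layers scores 1 and is "later". The multiplicative model is deliberately simple; the point is that the business context, not the auditor's severity label, drives the order of work.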
Well, herein lies the problem: In many compliance audits, there’s no indication of how important the issue is in relation to your organization or how you use certain applications. In short, it’s not very customized at all.
It reminds us of a commercial we’ve seen recently in which a dentist tells a patient, “Oh, I’m not a dentist. I’m a dental monitor. I just tell you when you have a bad cavity.”
When you have thousands of issues uncovered, is that really enough? Not even close. Worse, it pushes you to react to every finding and resolve all of them just to get it done. Without understanding the significance of particular findings, you’re setting yourself up to overspend on IT or to spend inefficiently on one piece of security. Things become disjointed, unproductive and, yes, very expensive when they don’t need to be.
How To Break The Paradigm: Risk-Based Planning
At Silent IT, we’ve had a good amount of success by helping our clients get more focused on what findings from a HIPAA Compliance Audit they need to address right now. By examining levels of risk relative to the infrastructure, we can also keep the road ahead more efficient.
As we comb through a laundry list of issues in a compliance checklist, evaluating risk along the way, we’re also asking, “What’s the real penalty for not being in compliance here?” There are a lot of factors in play.
If we find you have existing tools in-house that you can leverage to resolve the issues, that’s terrific too. For example, perhaps we find that you’re not sufficiently monitoring logons and logoffs on your systems. The traditional approach might be to look at a security information management (SIM, today usually subsumed under SIEM) solution to collect, monitor and analyze the data from your system logs. You’re about to put the SIM in and the problem is solved, right?
Hold on. Yes, that’s a key finding. But what if you have an existing monitoring solution in-house that we can leverage? Perhaps we can use it in a much bigger, smarter way instead and keep your costs down.
Since every company is different, perhaps you’ll need a SIM solution if you face a comparable data protection concern. Maybe you won’t. Above all, whatever solution we ultimately arrive at, remember that the best solution is always the one that fits your business, as opposed to following generic audit findings.
By mapping findings back to the way you do things, we can discover where the biggest holes exist and what needs to be prioritized most.
While sorting through thousands of findings may not be done in a meeting or two, a roadmap to clarity can typically be achieved within about two weeks through staff interviews and other discussions about the current state of your environment.
From Findings To Solutions
So you have true prioritization of your findings from a HIPAA Compliance Audit, which has to feel at least a little better than the bewilderment you were experiencing. Still, until you identify the type of solution and how it should happen, there’s a lot left “on paper.” How do you move from planning compliance changes to making them a reality?
What we want to do next is craft a set of select options to choose from depending on level of internal resources, budget and other factors. Could a partner like Silent IT shore you up with point solutions? Or are there certain aspects that your staff can perform internally in an efficient timeframe? Yet another option may be to take an existing function entirely out of your company and source it to us.
Having a select number of options connects the dots from problem to solution to the tactical path that’s right for you.
In our next post, we’ll talk about crafting policies for real HIPAA compliance that may be much stronger than what you have now.