
Auditing
To most people, the word "audit" is a bad word: it immediately brings to mind a tax audit and the toll it takes on a business and its resources.
A network audit is quite different. It uncovers the areas in which your network and its documentation are weak, and by doing so it protects you from liability. A network audit also produces the documentation needed for business continuity, disaster recovery, corporate policies, network and end-user security and much more. In addition, it can prepare you for compliance with regulatory requirements such as HIPAA, HITECH and ISO17799, to name a few.
Consider the following questions when determining if your organization needs an audit:
- Is your technology and its related processes fully documented? Can you provide a list of your IT assets?
- Do you have a business continuity or disaster recovery plan? Do you perform backups off-site?
- Do your employees understand and sign an agreement regarding acceptable use of technology?
- Do any employees access personal information of clients, patients, etc. that may require confidentiality?
- Are accessibility, access control and authentication documented in your security controls?
- Is your organization compliant with HIPAA, HITECH and/or ISO17799?
HIPAA COMPLIANCE and PORTABLE DEVICES
June 3, 2010 - Reprinted from hipaa4mt.com
The healthcare industry often uses portable devices for the storage and transmission of protected health information. I find it concerning to hear many of the people I speak with thinking that because they use a jump drive or an external hard drive to store patient information, they are compliant. It simply isn’t true.

The HITECH Act now specifically says that information must be encrypted during transmission AND at rest. That means all of the patient information you are storing on any kind of portable device must also be encrypted. In the publication by OCR of breaches, you will find a good many of them are the result of theft or loss of a laptop or jump drive.

In a recent conversation I had with a transcription service owner, who is a business associate and thus subject to these new laws, the response to the above information was “well, the customers don’t care so I can’t be responsible for it.” If you read the laws, you realize this is not the case and that business associates are held to the same standards as the covered entity. In addition, you are responsible for the actions of your subcontractors. Simply “telling them to use an external drive for storage” doesn’t relieve you of that responsibility.

Simply storing things on an external drive without encryption isn’t good enough. Be sure you are not caught in this situation. If you are audited, it could mean monetary penalties and fines for you.