make a good business better

Blog Information Security

Print Divider Print Divider Branding

5 Steps to Bolster Your OCR Audit Readiness

10/22/2014  |  By: Mark Fulford, CISSP, CISA, ABCP, HITRUST, Shareholder, Information Security


Social Logo Social Logo Social Logo Social Logo

The first step in preparing for a possible OCR audit is to conduct a risk analysis on your organization. Using guidelines provided by the OCR, the Office of the National Coordinator for Health Information Technology (ONC) and standards organizations like the National Institute of Standards and Technology (NIST), you can assess your risk and evaluate safeguards needed to make sure your organization is up-to-date on compliance policies and procedures. Beyond the usual risk analysis recommendation, we have identified 5 key areas that you will want to pay close attention to, both in your risk analysis and the policies and procedures that you put in place.

Preparing for an OCR Audit: 5 Key Areas

1. Asset Management: Know where your data ‘lives.’ Simply put, you can’t protect what you don’t know you have. Most organizations are good at identifying ePHI in major applications and databases, but unstructured data—e.g., data in spreadsheets, file transfers, mobile devices, multi-function copier/printers and portable media—can get lost in the shuffle, which puts the organization at high risk for a breach. It’s critical to identify where all of your confidential patient data lives. We recommend going beyond simply reviewing a list of applications and interviewing business process owners. A complete analysis of individually identifiable health information should include scanning networks with tools that can locate and report on ePHI hiding in out-of-the-way places. There are a number of good tools—both open source and proprietary—that can be used for this purpose.

2. Vendor Management: Know your business associates. Take inventory of every company you share ePHI with. Each of these business relationships should be examined to make sure that appropriate agreements are in place. But be aware—having a viable business associate agreement does not absolve you of your responsibility or eliminate your risk. If one of your business associates is responsible for a breach, the subsequent investigation will most likely include you. If you are concerned that the IT department’s list of companies with whom PHI is shared is not comprehensive, have the accounts payable department provide you with a list of all of your vendors. Review it carefully to identify companies that might be receiving your organization’s PHI. Given the number of data breaches attributable to business associates, we recommend that you develop a strategy to verify that your vendors have legitimate procedures in place to protect your data. This might include security questionnaires, obtaining independent audit reports (e.g., SOC or HITRUST), and/or conducting your own audit, particularly for vendors who might be at high risk due to the nature or volume of data they handle.

3. Monitoring: Keep an active eye on your data. Many organizations struggle a bit when it comes to monitoring—the task can be overwhelming. Here are a few technology solutions that can help you put a compliant monitoring program in place:

  • Intrusion Detection Systems / Intrusion Prevention Systems (IDS/IPS)
  • Data Leak Prevention Systems (DLP)
  • Vulnerability Management Systems
  • Antivirus / Antimalware Software
  • Firewalls
  • Application Logs
  • System and Event Logs

Of note: What often goes undetected is the difference between ‘logging’ and ‘monitoring.’ Logging is capturing system events for later analysis, while monitoring is proactively paying attention to these events and taking appropriate action as necessary. And don’t forget—from the perspective of putting safeguards in place to monitor protected health information in paper form, a simple sweep of office areas that handle hard copies of patient information can check for adherence to your organization’s clean desk policy. It is important that you document how and when you perform those sweeps—as well as your findings—to provide evidence that you are exercising due care.

4. Incident Response: Report breaches appropriately. Your policies and procedures should address the proper way to assess whether or not a breach is reportable by using the 4 factor risk assessment prescribed in the Omnibus HIPAA rule. And while most organizations do have an incident response policy, it’s important to make sure the following steps are included in an actual plan:

  • Identify and Log
  • Classify and Prioritize
  • Investigate and Diagnose
  • Resolve and Recover
  • Closure and Lessons Learned

You will want to use a framework that collects events from various triggers—e.g., help desk calls, IDS alerts, lost/stolen equipment and virus notifications. These events should then be categorized, the damage limited and appropriate action taken. Incident response plans also need to be tested periodically to ensure that the team understands the plan and can deploy it as needed.

5. Encryption: Make it impossible for outsiders to read your data. The majority of reported data breaches involve lost and/or stolen systems or media containing ePHI. Lost laptop? Lost backup tapes? Stolen desktop computers from a physician’s office? Without encryption, you are most likely looking at a reportable breach. Encrypt the following as appropriate based on your risk analysis and as is feasible:

  • Laptop computers (full disk encryption preferred)
  • Backup tapes
  • USB backup disks
  • USB “thumb drives”
  • Smart phones and tablets
  • Files transferred to business associates on CDs or other removable storage
  • Files transferred to business associates via FTP or On-line Portals
  • Electronic Mail Messages containing ePHI
  • Desktop computers & servers
  • Databases containing ePHI
  • Websites and other Internet sessions (i.e., remote access) where ePHI is transmitted
  • Personal health records provided to patients on electronic media

Be thorough in your review of these 5 key areas. Your ability to pass an OCR audit with flying colors depends on it. Download the free guide below to learn more. On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter at @lbmcsecurity.


Posted in: Healthcare