After hacking into an organization, hackers were able to steal sensitive data for an average of 127 days according to our latest forensic research. A HIPAA compliance audit is one way to fill holes that lead hackers to your patient data. In this webinar, we'll discuss the steps to prepare for a HIPAA audit.
Watch this webinar as Trevor Hansen, Principal Security Analyst (QSA, CISSP, CISA, CCSFP) discusses:
- Why you should conduct HIPAA compliance audits
- How to properly scope your environment
- How to be prepared when your auditor arrives onsite
This webinar was hosted on June 26th, 2019.
0:00 Alright everyone, welcome to our webinar. This is "How to Prepare for a HIPAA Audit" and my name is Andrew. I work in marketing here at SecurityMetrics and our presenter today is Trevor Hansen.
0:20 Trevor is a Principal Security Analyst here at SecurityMetrics. He's been here for almost seven years and he holds the credentials of QSA and CISSP. So we're looking forward to hearing from Trevor today and we hope that his experience working with healthcare organizations to meet HIPAA requirements will prove beneficial for you today. Just another note we wanted to bring to your attention this morning: at SecurityMetrics we've recently started offering HITRUST assessments and HITRUST assessment consulting services. So we wanted to make you aware of that.
1:02 If you don't already know, HITRUST is a framework created by security industry experts which includes aspects of HIPAA. HITRUST can help provide measurable criteria and objectives for applying appropriate administrative, technical and physical safeguards, so HITRUST does not replace compliance or prove that an entity is HIPAA compliant, but it is widely accepted as a good approach for evaluating risk. So if that's something you're interested in, if you've looked at HITRUST assessments and that's something that intrigues you, feel free to reach out to us. We can give you more information on that. At SecurityMetrics our HITRUST assessors are certified Common Security Framework practitioners, commonly referred to as CSF practitioners. We can offer consulting as a separate service before conducting your assessment, so then when the time comes for your HITRUST assessment you'll feel prepared, and you can make sure you get all your questions answered and fill all those gaps before conducting the assessment. So I just wanted to make you aware of that before we dive in today.
2:18 That's a new service that we're offering and we wanted to talk about that. So just a couple of housekeeping items before we get started. One question we get asked quite a bit is will we be sending out the recording and the answer is yes. We are recording this presentation and keep an eye on your emails in the next couple of days. We will send out a recording for your review as well as the slide deck we will make sure to get that out in the next couple of days to the email that you used to register for the webinar.
2:50 So at this time, we're going to go ahead and dive into the webinar. We will go through the slide deck, and then at the conclusion of the slides we're going to show a quick demo video. It's about a two to three minute video that shows an example of our audit management tool, and following that we will leave about 10 to 15 minutes for a Q&A session with Trevor. So make sure to chat your questions in and we will answer as many of those as we can. If we run out of time and we don't get to your question during the webinar, we will make a note of it and make sure to reach out to you on an individual basis so you can get that question answered. Well, at this time I'll go ahead and pass the mic off to Trevor and we'll get started. Thanks.
3:55 All right. Thanks Andrew.
3:58 Just to begin with our webinar, thank you guys for attending today. I'm glad to share this information with you. Our first slide is about the agenda. Our agenda today is how to be prepared when your assessor comes on site, how to properly scope your environment for a HIPAA assessment and how to get the most out of your audit.
4:25 So before we dive into that I want to talk about why you would perform an audit, or a HIPAA audit. There's actually a difference between a HIPAA audit and a HIPAA assessment. And so let's put some context behind it so you can understand it a little bit.
4:42 The HHS, the US Department of Health and Human Services, is responsible for HIPAA. Their Office for Civil Rights, the OCR, is responsible for enforcing the privacy and security rules. One of OCR's main responsibilities is to investigate complaints filed with it. If a complaint describes an action that could be a violation of HIPAA, OCR may contact your organization and perform an audit, and when that happens it can be a scary thing for you because they contact you and let you know that they're going to be poring through all your policies and all your systems, and their job is to implement fines for lack of compliance with any of the parts of HIPAA. These fines are generally very large and can hurt businesses.
5:29 Hiring a third-party organization to perform an assessment prior to any complaints being filed is a great way to help ensure your stakeholders that data is being protected.
5:39 So you can perform a HIPAA assessment or hire a third-party company to come in and evaluate your systems and evaluate your compliance against HIPAA to help assure or ensure your organization that things are properly prepared and that if there ever is a breach or a complaint against you that you will be able to provide the information required to the HHS and not get a fine.
6:04 If you wait until the OCR is performing an audit, it's very difficult to correct important items and show that you're doing everything in your power to protect your data.
6:18 We have seven tips to prepare for your HIPAA assessment.
6:23 The first step is, assign a compliance leader. You need to formally identify a security official who is responsible for the development and implementation of security rule policies and procedures. Organizations who spread out security compliance responsibilities amongst many or all individuals tend to put Security on the back burner. Most people in your organization are responsible for making money; so they'll focus on things that will help your organization make money and they're not going to spend the appropriate amount of time on things that prevent the loss of money, like security. Assigning compliance responsibilities to an individual such as a security officer will foster a sense of ownership and accountability.
7:05 In addition, IT will almost always have a conflict of interest. If IT is responsible for security of the environment, they're going to have to make a choice between making the system work or making the system secure, and often those two things kind of conflict with each other. If your responsibility is to make a system available and work for the public, you're inherently making it less secure against attackers who also exist out in the public. So IT personnel will often be very lenient on enforcing compliance issues that could lead to them having more work to do as far as finding a way to be both available and secure. It's human nature to play dumb in order to avoid work.
7:51 So it's important to separate duties between IT and security. Having one person or department responsible for enforcing compliance can help provide the checks and balances to accomplish your valuable security goals. When you assign this responsibility to a security officer, it's important to determine what responsibilities they need to do, who's in charge of what, who's responsible for what parts of the system, like encryption and firewall. So everyone needs to know their own unique and individual responsibilities and it needs to be documented. It is a surprisingly common occurrence for an organization to lose some valuable time during an assessment trying to figure out which individual is responsible for managing a particular part of their PHI flow. You might be discussing with an assessor that there is a website and they handle your PHI data in a certain way, and during this discussion the assessor finds a link to another website that allows them to store something, and you could spend several days tracking down who's responsible for that second website and how things actually work over there. It's better to get this done in advance; it's better to know who's responsible for things so that you don't waste valuable time with your assessor tracking down people and responsibilities.
9:19 Also, over time in an IT organization, some things just work and nobody worries about how or why until they break. So remember, security is a prevention mechanism.
9:30 You want to figure out who is in charge of what before there is a breach so you can take action and prevent a breach. Step two. You want to get stakeholders involved. Executives need to be aware of their organization's security needs and weaknesses. They should also be the ones to promote a culture of security and HIPAA compliance. Your HIPAA compliance program should be organized from the top down. Executives should understand the importance of maintaining HIPAA compliance, understand how the compliance program is being managed, and receive reports as to the compliance status and issues throughout the year. Begin discussing the importance of HIPAA compliance and patient data security with management, for example your VP of Finance, your CIO, etc. Help them understand the potential cost the institution would face in the event of a breach or the fines that could be levied for non-compliance. If you want them to be on your side, they've got to understand what the implications are and what's at risk besides just having your data stolen. What could it do to your organization?
10:40 It will be important to have this executive backing when you begin to work with other departments because if you don't you won't be able to have the authority to tell people to do more work than they're used to doing, you won't have the authority to be able to make changes unless you have the executive departments behind you.
11:03 Step number three; understand your risks. HHS and OCR are putting a lot of emphasis on this step. This is an important part of HIPAA: understanding your risks. You need to conduct a risk analysis, at least annually. Ideally you could do it more often, especially when there's anything new in your environment. You should do a risk analysis. To do a risk analysis, it's important to review and update on an annual basis all environmental changes and new computer systems, and consider mergers and acquisitions and the impact they have on your security profile.
11:41 We're going to talk a little bit more about the risk analysis.
11:45 First step for a risk analysis is to analyze your environment. You need to assess current controls; you need to determine the likelihood of occurrence, determine the potential impact, determine the level of risk and identify security measures, controls and mitigations. The first thing to do is determine what vulnerabilities exist. Well, the first thing to do is to determine what assets exist and what you are trying to protect, and then you begin the risk analysis by determining what the vulnerabilities to those assets are. A vulnerability is a flaw in a component, procedure, design, implementation or internal controls; a vulnerability is a weakness.
12:31 Then you need to identify what the threats are. Threats are the potential for a person, group or thing to trigger a vulnerability. Threats are actors. They're usually external events or people that can exploit a vulnerability in your environment.
12:49 Then you need to determine; what are the risks? This is the whole purpose of the risk analysis, is to identify your risks and those other steps help you get to this point. Risks are the probability that a particular threat will exercise a particular vulnerability, and the resulting impact.
13:08 Think of a fire as a risk to your data being available.
13:15 What are the vulnerabilities? Well most servers are vulnerable to fire. Most servers are flammable and can burn and can be destroyed making your data unavailable. What are the threats in this situation? In this case, the threat might be the fire itself, the threat may be nature or the threat may also be an outside entity. It depends on what kind of data you're trying to keep secure.
13:41 Some organizations have higher risks from external actors than others. If your organization, for example, is doing something that's controversial in some people's minds, then you could be at risk from activists or extreme activists trying to exploit vulnerabilities in your environment. Arson isn't an unheard-of thing in the healthcare industry; for example, some people have taken action against abortion clinics because they didn't agree with the policies, the act of abortion, so they'll go and make those clinics unavailable, and one of the ways they've done that in the past is to start fires.
14:24 So certain types of health organizations have to worry about arson. Location can also be a determining factor in your risk of fire. If you're located in the hills of a dry desert area, then fire is a very high risk. If you live in a very humid or cool climate like Seattle, there's a very low risk of fire. So these things need to be considered when you're doing a risk analysis.
14:53 The final part of your risk analysis, as far as determining the risks, is you need to determine the risk level. You assign risk levels to create priorities so that you know what to address and in what order. Sometimes you want to pick the low-hanging fruit, but sometimes you need to address the things that have the highest impact and the highest likelihood. You assign risk levels based on the things discussed on the previous slide. So where we talk about risks, threats and vulnerabilities, most best practices say risk equals impact times probability.
15:27 If you have a high level of impact, let's say your clinic provides medical services for the president, then a vulnerability with low probability may ultimately be evaluated as a high risk because you can impact the entire nation by leaking certain data or making data unavailable. You should also consider factors such as annual rate of occurrence, single loss expectancy, etc. An example of this is if you spend $30,000 annually to protect an asset with a thousand dollar single loss expectancy. So if you spend thirty thousand dollars every year to protect something that only costs a thousand dollars to replace, it may not make sense, unless you're expecting that to occur 30 times a year. If you expect it to occur 30 times a year and it's a thousand dollars each time, it does make sense to spend $30,000 to protect it.
16:22 These are all part of best practices for doing risk analysis and identifying your risk profile. For example, here is a trucking company; they may identify a risk of losing tires, where they're having to replace tires on their trucks. They have a high rate of occurrence because trucks have lots and lots of tires and trucking companies have lots and lots of trucks. They can lose tires pretty regularly. It's low-impact. Those tires only cost a couple hundred dollars. So they budget the appropriate amount of money to do their appropriate vehicle maintenance.
17:02 Also, don't delay risk mitigation. Mitigating risks will require time and resources to address. When we discover risks it requires time and resources to address the issues, but the issues aren't going to go away on their own. So prepare, fix, address. Do everything you can to address the risks right now. An example of this would be data encryption. If you're not encrypting your data, there could be a very high risk that if the data gets exploited, there's a high risk that they'll have access to the sensitive data that you're trying to protect.
17:41 That's something that is not going to go away on its own. Encryption is not going to suddenly appear in your environment unless it's in a way that's not very helpful to you, like ransomware. You also have a risk of viruses, with solutions like antivirus and file integrity monitoring. A small shop can immediately reduce risk by installing antivirus and file integrity monitoring or by, you know, fortifying their firewall rules. They can immediately reduce the risk of getting viruses and intruders.
18:14 The other thing that's important is that HIPAA does allow for flexibility in your approach. They allow you to consider risks and to consider good approaches, to be creative and think of valuable ways that help you solve the problems that you face there. It's not a hard and fast rule that says either do this or else. It's always "protect the data in a reasonable way" and use flexibility to be able to protect that data. What they care about is that you're protecting the data.
18:52 And in HIPAA, you're responsible for protecting the integrity of your data, which means making sure that it doesn't change, your medical records need to be accurate. If something says that somebody had a hip replacement when they never did they might get different medical treatment than if the records are actually accurate. So HIPAA requires that you protect the integrity of your data, the availability of your data, so if there's a hospital and they perform surgeries, it's very important that they have access to x-rays, you know, the medical records that they use when they're doing those surgeries.
19:32 And then you also have to protect confidentiality of the data which is probably the biggest portion of HIPAA. They want you to protect the data itself so that other people don't have access to it. And so it can't be leaked out to the public.
19:50 Step number four, for preparing for a HIPAA assessment is you need to keep your documentation updated.
19:59 If how PHI moves through your organization ever changes, update your documentation to show it. For example, if it's ever moved to a different database, then your records should be updated to show it. Your diagram should be up to date to show it. It's important to note that sometimes it feels like the only thing worse than no documentation is incorrect documentation. I've seen in the industry more than once when the wrong server got rebooted and shut down services because somebody was trying to solve a simple problem on a known important server, but the documentation was ten years out of date, and so the wrong server got rebooted and it caused more problems than it fixed.
20:44 Just like all of your other weekly activities, documentation should be an ongoing part of your entire business-as-usual security strategy. It should be something that you do every day. Try to examine and adjust at least one piece of documentation each week or as you make organizational updates. Don't pile it into one day or one month in the year; then you're not going to get all the accuracy that you need.
21:14 One really important part of your documentation is the business associate agreements. If you guys are attending this webinar, you probably already know what a business associate agreement is, but we'll talk about it for a moment just to make sure everybody does understand. Business associate agreements are the contracts that you have with other entities that can impact the security of your health information. They're also the contracts you have with the covered entities. If you're a business associate for a covered entity, you'll have a business associate agreement with them telling them how you're going to protect their data and how you're going to handle it.
21:59 They're not just required. Business associate agreements aren't just required for compliance, they are a foundation of managing your business associates. They help determine the rules of engagement.
22:09 If there ever is a breach, business associate agreements are very important for determining who has to take action and what steps, who notifies authorities, who notifies the press, who notifies the people whose data gets impacted. Business associate agreements also help organizations understand what is being done with their data and who it's being shared with. They provide legal authority to enforce guidelines for how the business associate should use and handle your PHI. It is also the authority to verify that those policies are being followed and to terminate your relationship if they are not. Just like policies and procedures are required to document how you protect patient data and rights, business associate agreements or BAAs are required to document how you manage your business associates.
23:01 When I work with organizations to evaluate their HIPAA compliance status, business associate agreements are one of the most important things you can even think about for it. They really determine what kind of responsibilities you have and what kind of responsibilities you're relying on another company for. You can't just make assumptions. It has to be documented in these BAAs.
23:29 Step number five; determine your scope.
23:34 You need to know when and how you create, receive, store or transmit all the information that you're supposed to protect.
23:42 When you're getting ready for a PHI, sorry, for a HIPAA assessment or any sort of third party assessment, it's important for you as an organization to understand what goes on in the organization with the data that you're going to be getting assessed on.
23:59 This is important to do even before you decide to get an assessment. You should be doing this as soon as you are made responsible for any data in the organization. You should be determining how you create, receive, store and transmit that data. In HIPAA there are many different elements that need to be protected, and depending on how you use those elements, there's a lot of things you might not even be thinking about that you should be protecting. A lot of people think that health information means medical records and Social Security numbers. But HIPAA's definition of protected information can include a lot of things.
24:39 There's a list of 18 elements, for example, that are commonly used things that everybody should be protecting if they're related to health records. These 18 items are: names; geographical information, such as address, city, country, zip; dates related to an individual, like a birthday, admission date, discharge date; phone numbers; fax numbers; email; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers. Even your VIN and license plate numbers for your car can be considered PHI elements if they're related to a medical record.
25:23 Or payment for a medical service; device IDs, serial numbers; URLs; IP addresses; biometric identifiers; full-face photos and comparable images; and any other unique number, characteristic or code. Anything that can uniquely identify a person with a service that was received can be considered protected health information, and that's stuff that you have to protect under the HIPAA law.
25:54 You need to know your PHI flows. So you need to understand all those things that we just spoke about. You need to understand where those go and what is done with them. You can do this by meeting with each department in your environment, each department in your organization, and understanding how patient data is used. We often work with hospitals to do HIPAA risk analysis and assessments, and those usually involve several days of walking around the office talking with people that lots of people in the organization think never see patient data. We talk to these people and find out that yes, paperwork flows through this office, payments come through this office. We spend a lot of time going through an organization talking to different departments and understanding if they ever see patient data and how they handle it. You need to document it. You document how and where you create, receive, store and transmit PHI.
26:54 And you also need to document how you found it out.
26:58 Best way to document what happens with this data is to create a flow diagram and it's not only the best way, pretty much any assessor, especially the OCR, if they come in to do an assessment they're going to want you to have a PHI flow diagram. So we have a simple example on the next page and we intentionally simplified this so that it won't get you too caught up on details about what could possibly happen with PHI. This is a real life example that I've seen in a couple different scenarios where data was handled this way. So we made it as simple as possible. So you can understand the process of a PHI flow diagram. It's amazing how many organizations we work with when they first show us the diagram, it doesn't actually communicate any information. So this is a good example of a diagram that shows what happens and how it happens.
27:56 So in this diagram, we have a doctor up in the left corner, we have the internet represented, and the doctor is connecting to some sort of web portal over the internet.
28:09 This diagram is representing a doctor posting lab results for a patient to view. So he posts these lab results on the portal, and the patient will later log in and the patient will view the data. So step number one is the doctor logs into the portal and uploads lab results for a patient to view. If you see on the diagram, we have an arrow that shows the direction of the flow of PHI, and it shows that it comes in through the internet, through the firewall, to the web portal. And so we've identified that arrow, or those three arrows, with the number one to show that's where that flow occurs. Number two, the portal saves lab results to the database. In this instance the portal is separate from the database, on separate VLANs, and the data has to pass through the firewall and pass the checks the firewall has in order to make it to the database. So step number two shows data go from the portal through the firewall to the database.
29:08 Step number 3 is the portal is going to send a notification to the patient to let them know that they have lab results that they need to log in and check. So the portal is going to communicate directly to the SMTP server, because in this scenario the SMTP server isn't isolated from the portal; they communicate directly without going through the firewall. So in this scenario the portal sends the notification through the SMTP server to the patient, which notifies them that there's activity on their account.
29:42 So in this diagram itself, when an assessor looks at that, one of the things he's going to notice is that step three doesn't go through the firewall. Is that on purpose? What's the purpose? Why do you have the portal communicating directly through the SMTP server? And I'm not saying that's something you can't do, but the assessor will see that and they'll want to know; they're going to believe what they see in the diagram, and then they're supposed to verify.
30:11 So it's important to have a diagram that shows what's actually happening.
30:16 And it should be something that shows in order of events. That's why we have a numbered one, two and three.
30:25 The next diagram is going to show how the patient retrieves those same lab results the doctor loaded. So we begin this one with another step one, which is where the SMTP server, the email server notifies the patient that they have a record where there are lab results available for them to view. So it shows the arrow go out through the firewall through the internet to the patient.
30:51 The patient then logs in to the portal and requests lab results.
30:58 You can see that step number two goes to the firewall into the portal again the portal communicates through the firewall to the database to pull those lab results and then the portal displays the lab results back to the patient.
31:12 So this is another good example of a flow diagram that shows you an order of events.
31:16 It shows you where the data is, how it moves through the network and where it is stored. These things are all very important for an assessor, for anybody who is coming in to evaluate your systems and your risk.
31:32 We need to understand the flow. If we found out that this passes through some FTP server on the way out, there might be some red flags that they put up because people in this security industry understand the FTP is insecure protocol. So when we see this in the diagram that helps people understand that something that needs to be looked at really close to make sure the right mitigations are in place for that risk.
31:57 And this just like I said couple slides ago, it's important to note that sometimes the only thing worse than no documentation is to have incorrect documentation. If your flow shows it going somewhere when it's really, if you're flow shows it going from the portal through the firewall to the database, but it's really going straight from the portal to the database, that can cause a lot of assumptions that leave you in trouble. It's important to try and understand what's really happening and to document accurately. If those things ever change you want to update these same diagrams.
32:37 Step number six; internal examination. Remember we're talking about steps to prepare for a HIPAA assessment either from a third-party organization or from the OCR, you want to do internal examination, want to conduct internal audits so that you can find sorts of issues that might appear during assessment when you're doing an internal audit if you're doing an internal examination.
33:07 Services to mail you might find that there are no diagrams that talked about the email server that we know is notifying patients of lab results.
33:18 So it's important to do these internal assessments as internal audits. It's also critical that an internal staff monitors and test critical systems and processes throughout the year. It's important that you log things for example, and it's important to log access to things like this portal. If you don't have anybody ever looking at those logs, they're not doing you any good. It's pretty common for logs not to be getting the right data or all of a sudden they just stopped working. If you don't have staff monitoring these regularly throughout the year, you might go six months without having any logs and then when it becomes important in checking as odds to find something they're not there. So think about it throughout the year. Think of compliance like brushing your teeth. Think of an audit, it's similar to having a dentist check up, the dentist can tell if and where you have these or other problems. If you don't maintain brushing your teeth flossing habits throughout the year between your checkups. Are you putting your oral health at risk? And the next visit with your dentist will likely be more painful and more expensive.
34:29 Some valuable tools that you can use for internal assessments and it's important to note that in HIPAA there is a law that you are supposed to monitor and test your environment and your security. They don't spell out how that's done but in the security industry in the cyber security industry, it's best practice to test your systems with vulnerability scans and penetration tests. There's other ways to do it as well. But almost every security standard out there, once you get one of those scans or penetration tests, they're very effective and they are very helpful. You want to schedule scans, vulnerability scans as often as possible.
35:10 You want to do penetration tests on critical systems and it's recommended to do it at least annually and after any changes. They are probably recognizing some other standards like PCI. Just make sure everybody understands at least from a high-level the difference between a vulnerability scan and the penetration test is that vulnerability scans are an automated process. You can put them on a schedule with systems going to run and it's going to check if it's going to communicate with your web portal with your servers and it's going to send certain types of information and see what kind of responses that gets back to determine if you have common known vulnerabilities. It will check version numbers and things like that. It's actually amazing when you connect to the server on the internet.
35:56 They like to give information; that's their job. So if you ask it the right questions, it can tell you a lot of information about itself, and hackers can do this as well, and they start by doing vulnerability scans. So if you do a vulnerability scan, you can see what kind of information your server is providing, and if it shows information about vulnerabilities, those are the things you need to be addressing; you need to be fixing those and then scanning them again to show that those vulnerabilities have been addressed. So a vulnerability scan is an automated process, and it starts with a system basically sending certain kinds of network commands to your system. A penetration test goes further. The penetration test begins usually with a vulnerability scan, but it's followed up by an actual human being getting involved. This person is going to try and exploit the vulnerabilities. They're going to use creative thinking and experience to help.
36:57 Help attack things in your environment. They're going to go further than a vulnerability scan goes. Vulnerability scans just say, hey, you're using an older version of Apache; that means you're susceptible, someone could eavesdrop on your communication, maybe see your PHI. The penetration tester is going to see that vulnerability and then actually try to listen and capture some of that data. Usually a penetration tester is authenticated, and so you're going to have them comb through your environment, comb through your website or web portal, and try different types of methods and make sure they're all secure. This is good compared to waiting for a hacker to breach your environment, because all that a hacker, all that an attacker is required to do is find one hole, one way into your environment. All they have to do is find one path in and then they've got your data.
37:56 When you do a penetration test, a tester is going to try and find all the holes into your environment. They're going to try and find every vulnerability, every weakness in your environment. They use a systematic approach to evaluate everything and then tell you how to close those holes.
38:12 It's a lot harder for them than it is for an attacker, but they're also a lot more thorough than an attacker.
38:21 Our final step for preparing for an assessment is working with an assessor. We say this because usually you're not going to get just one assessment. You're not going to just do an assessment and be done forever. Most people get an annual assessment because they want to make sure that they're staying compliant and staying protected. So you should have some sort of relationship with an assessor. Even if you know you're going to get an assessment in six months from now, you can start working with an organization like SecurityMetrics and establish a relationship with that assessor so that you can ask him questions throughout the year. Most organizations will let you send your PHI flow diagrams and things. Send your business associate agreements to them so that they can evaluate and help you prepare, help you make little changes to them, so that when he actually comes on site to do an assessment, things will be in better shape.
39:16 Don't just assume that you're compliant. Don't hope that you accidentally found a way to be compliant. With most of HIPAA it's better to be proactive and work with an assessor to evaluate the gaps in the environment for them. Another thing that's important is don't hide weaknesses. If you're hiding weaknesses from an assessor, it's not helping. Lots of people kind of have, you know, especially in the IT industry, they'll have the tendency to try and hide things that they've done wrong because they're afraid that the boss is going to find out and they're going to be in trouble. You have to think about it kind of like George Costanza on Seinfeld. He lies a lot, and it never works out for him, because when he lies he ends up having to lie more and more and more. If you're hiding weaknesses from an assessor, eventually you're going to have to defend that. Eventually it will come to you. Even if it's not with the assessor, it can be with an attacker. It's better to get the assessor to identify it. Let him know what's going on. Let him identify it and help you get it addressed.
40:26 If you're communicating with an assessor throughout the year, your auditing process, your assessment process, will go a lot more smoothly. So be aware of that, because if you've given him surprises, if he hasn't been there for a year and suddenly you're like, well, we implemented all these new servers, we're doing this a completely different way.
40:46 You might find out that you forgot to do a lot of really important things. The assessor is a professional, he does this for a living, he understands that there are lots of things that organizations don't normally think about and can help identify those so you can think about them. So talk to them year-round, probably at least quarterly, if not more. I have clients, and you might think that you could get annoyed by them, but actually I'm really proud of these clients who talk to me very regularly. I have some clients I hear from on a weekly basis throughout the year where they're asking me questions: we're thinking about switching our antivirus to this version, is that a good idea? And it gives me a chance to give them some feedback so that they're not making decisions that will cause them more work in the future. Communicate with them any time your environment changes. They're there to help you.
41:43 Some common questions you can ask your assessor are: what are the new changes that I need to be aware of? What are the changes to the HIPAA standards, or what are the changes to the standard you're looking at? What do I need to be aware of, and what do I need to do, to protect against certain types of vulnerabilities? If you hear about something and want to know how you're going to protect against it, you can ask your assessor for advice on it.
42:07 You can ask how certain things impact your environment. The assessor is usually pretty well connected to the cybersecurity world news that's occurring out there. So they'll be able to provide good advice.
42:22 All right. So let's talk about the takeaways from this presentation, from this webinar. If there's anything I want you to learn, it's to remember to regularly update your documentation, particularly your PHI flow. You need to validate it any time your PHI flows change. You need to make sure that your diagram is accurate and correct.
42:45 You need to regularly conduct internal audits and, you know, do vulnerability scans and pen tests, and you need to talk to your assessor at least quarterly. Make sure that they are aware of the things you're doing in your environment.
43:01 That's what we had for this webinar on how to prepare for a HIPAA audit. We have a couple other things we want to show you real quick.
43:12 We have a demo that can help explain some of the tools that we use at SecurityMetrics when conducting an assessment. So I'll let Andrew go ahead and describe that and get it going. All right. Thanks Trevor. So we're going to show you a brief demo of our audit management tool Suralink.
43:32 Today we're going to be taking a look at Suralink which is a tool that we use for creating and tracking tasks, exchanging files and overall just to help the audit process move along more smoothly. So upon logging in you'll see under active engagements is a list of projects that are currently in progress. This is nice because if you are a larger company such as a university or a restaurant chain, you can have anywhere from five to fifty engagements going at a time. But it also works great if you're just a single company, you can take a quick high-level glance at the progress of each project from here and on the bottom left, you'll see a list of what's called my team.
44:12 This is the personnel from your company that we've added to help work on these projects. One other nice feature of Suralink, and I'm going to hop over real quick to the SecurityMetrics view to show you this, is that if you have, you know, over 20 or 30 people and you don't want them to have access to all the engagements at one time, you can restrict who has access to which engagements. You just have to request that through us.
44:40 So that's the company team. Over in the bottom right is the SecurityMetrics team. This is the personnel from SecurityMetrics that have been assigned to the project, and it gives you their email address, so you know who to contact if you have any problems or questions. Now we'll go ahead and take a look at one of the engagements. Once you click on it, you'll see a list of all of the requests; clicking on any of those will give you a better description of what we're looking for to close the request, and you'll notice on some of these there is a link with firm-provided files. These are documents or files that we provided to you to help you with completing the requests.
45:23 Each request has three statuses. There is outstanding, which is this blank status. This is how they all start. Once you attach a file, which we're going to do now.
45:39 You'll get a little yellow exclamation point, which means it's fulfilled. This will flag it for the QSA's review. If any of them are returned, you'll get this red X here, and in that case you'll want to scroll down and check the comments. So I left one for myself here: "please revise and update your network diagrams." This is just a description of what needs to be done in order to fulfill that requirement. Now, if you ever have a request that is outstanding but you don't have a file to attach, you can change the request here manually to fulfilled, or if a file that is attached to another request will fulfill this one, you can change it to fulfilled and leave a comment explaining that. Once the requirement is fulfilled it'll turn green. One of the things I want to note here is we break up all of the requirements into different sections for each of the requirements of the PCI DSS, so it's easy to navigate between each section here. When it's fulfilled, though, you'll get this little green check mark and it'll be closed.
46:48 That was just a high-level look at Suralink. If you'd like a more in-depth look or have any questions, please feel free to reach out to your account manager. We're going to go ahead and move into the Q&A.
Questions and Answers
47:02 We do have a few questions that came in.
47:07 So at this time, we'll go ahead and address some of those with Trevor. All right, Trevor. The first question that is coming in here: you said there's a difference between an audit and an assessment. If you could speak to that, clarify that a little bit more, and then you went on to explain the HHS and OCR. So if you could maybe explain the difference between those entities as well. Okay, great. So the general difference between an audit and an assessment is that an audit is a point-in-time snapshot. It's a pass or fail evaluation of your systems. An audit is what the HHS or the OCR is going to do. If there's a complaint against your environment, they're going to audit you. What they find are things that you could be in trouble for and you're going to be fined for. An assessment is an evaluation of your environment that gives you time to fix those issues. There's usually a remediation period involved with an assessment.
48:18 Another important thing in the HIPAA world is that HHS, the government department that is responsible for HIPAA, does not allow anybody else to do HIPAA audits for compliance. They don't allow anybody else to certify you and say you're compliant. The HHS only allows the OCR, the Office for Civil Rights. They only do audits. They can allow other companies to come in and do assessments and help say, look, these are the things that we think you need to do to prepare for HIPAA. This is our understanding of HIPAA law and this is what you need to do to be compliant with it, and then give you a remediation period. If you don't do some sort of assessment, either internally or externally, before HHS is contacting you, but you know that you have an audit, you're going to get a lot of surprises and get in a lot of trouble.
49:18 The next question that's coming in here is about roles and we had a question about combining the security officer and the privacy officer roles into one position.
49:33 What are your thoughts on that? Is that something that should be allowed, or is it important that they are kept separate? That's a really good question. And I think that might be something we're going to have to get back to you offline about. I think that it's probably fine, and I think I've seen it in some organizations, but there's something in the back of my head saying that there's a really good reason for actually keeping them separate, and usually when I see hospitals they do specifically have it as a separate environment, separate officer. So we'll get back to you on that one. Okay, great. The next question here is: are there templates for the risk analysis that are specified by HIPAA?
50:23 No, there aren't specific templates; they want you to follow these guidelines. So there's the NIST Special Publication 800-53. You'll probably hear that a lot, the NIST SP 800-53. It's guidelines on doing a risk assessment or a risk analysis, and it's an extremely large document that will put you to sleep in the first 10 pages. But those are the guidelines they want you to follow for doing a risk analysis or risk assessment. Usually you can dumb it down to something that's more tailored to your specific environment. But you do want to follow that as the main guideline for how you do things, and it starts with identifying assets and then identifying vulnerabilities.
51:13 There are templates from HHS. It's not exactly an audit protocol, but they do have information about what kind of things they look at when they come on site for an assessment, but I don't believe they provide anything specifically for a risk analysis.
51:34 Okay, thanks. The next question here, and we'll probably just wrap up after the next two questions here. But we had a question come in: do we need to separate PHI from PII, or just protect all PII?
51:55 That's a great question. I guess it depends on what you're using your other PII for, and you know, PII is personally identifiable information, where PHI is your personal health information. I can't think of a good reason that would require you to separate them, unless you're using that PII for a different reason. If PII is being used for billing services, for storage space for example, but you also help doctors' offices bill patients, you'll want to separate the PII that's for storage from the doctor stuff.
52:36 Unless you want to protect it all equally, the best approach really is to protect it all as if it's information that HIPAA applies to, and that way you won't have to worry about whether you forgot something. That's really important.
52:51 Okay, great. And then we'll end on the final question here. Then we're going to try to show our demo again. Is there a HIPAA difference between patient data at a medical facility and member data in an insurance company? So I guess the question would be, does HIPAA treat those differently?
53:17 No, to my knowledge, they don't, and an insurance company is going to have information about what kind of medical services you received and what's being paid for. So if you got a knee replacement, for example, insurance is going to have that record that ties it to you as an individual, and because that's a medical service that ties to you as an individual, HIPAA law applies to it the same way as it would if that medical record were in the hospital itself.
53:43 And so insurance companies and health care providers are equally responsible for HIPAA, and we see both for assessments all the time.
53:57 Well, at this time we're going to go ahead and conclude. We did have a few more questions that came in that we weren't able to get to, but as I mentioned earlier, we will be reaching out to you via email to make sure you get your questions answered, and we want to thank Trevor for joining us today and sharing some very valuable information with us about how to prepare for a HIPAA audit. So we want to thank Trevor, and we also want to thank all of you for joining us today. We hope to see you again at another webinar very soon. Thanks everyone, and we'll see you next time.