Maintenance of Assessment Criteria

Maintenance of Assessment Criteria

This is the topic for our tenth post in our “compliance - why and how” series. In this post we will introduce The Guard, a software application from the Compliancy Group that we use here at DTS InfoTech to Achieve HIPAA compliance, Illustrate compliance to auditors and Maintain full compliancy.

The Guard

The documentation of assessment criteria and activities is maintained in The Guard, which tracks regulatory compliance projects and issues. By storing the information in a database, modifications only have to be performed once when there is a change in the entities environment.

Goals and Activities

The application provides users with the ability to link goals and activities across the organization to avoid duplication of documentation. In addition, users can run reports to identify changes to the entities environment over time or to summarize the auditing and incident response activities.

The Guard encompasses the following key areas:

System Security

One of the biggest issues plaguing regulated organizations is the security and integrity of their protected information. For any organization to be fully compliant, the information they possess must be secured. It is important to understand that breaches in security mean much more than “lost data.” In the wrong hands, this information can be used for such serious offenses as identity theft.

Today’s regulatory acts require two main categories of security:

  1. Cyber-attacks/hacks
  2. Physical theft

Stolen Laptops

One big factor leading to such gross mishandling of information occurs when protected health information (PHI) is stored on portable machines (i.e. laptop computers). Often people consider security factors as cyber-based attacks, not physical ones. However, recent history shows that most of the large-scale security failures result from stolen machines.

To become compliant, an organization must take some basic steps to prevent both physical and computer-based attacks. The following lists some common best practices to start the process. Please note, this is by no means an exhaustive list, and one should consult with a security expert to ensure they are doing everything possible to maintain both the integrity and validity of their protected information.

Tasks to include but not limited to:
• Understand what protected information is. Don’t assume certain pieces of information do not fall under the “protected” category.

• Store all protected information on machines that do not directly connect to the Internet. If the machine must have access to the Internet, make sure it is behind its own firewall and close off ALL ports that are not needed. Furthermore, make sure all connections to the machine are encrypted (i.e. use HTTPS access and standard PKI for connections).

• Keep the machines that hold protected information in a secure facility where only registered employees can gain access (either through smart cards, keys or some other form of identification). It is very important to document which employees have access, and every organization should be able to revoke such access if needed.

• Make sure ALL machines require login and password. Furthermore, force users to periodically change their login information (i.e. every 3 months) and ensure that the password pattern is strong (i.e. minimum of 8 characters requiring at least 1 uppercase and 1 non-alpha character).

• Keep a detailed log of all access to these machines and periodically review these logs to ensure there have been no breaches in security.

• Back up your data and safely store the encrypted media in a secure location, such as a safe or a HIPAA-compliant cloud-based secure data center.

• Hire a security officer who understands data security. If you are in a small organization with little technical knowledge, hire a consulting company to periodically review your security procedures and validate that they are up-to-date.

• Encrypt your data. If someone ever does get access to PHI, make sure the data itself is encrypted and not in human readable format.

• Install antivirus software on all machines within your organization, making sure that such malware as “Trojan Horse” threats are not accidentally installed on an employee’s computer.

• Perform periodic audits and document all of it. Regulatory Acts are about showing due diligence, not solving every problem. If something ever does go wrong, having backup procedures and documentation will be your biggest asset.
It is important to recognize that no security plan is bulletproof. With good procedures in place and periodic system review, your organization can recover from almost any security breach in a timely fashion.

In our next post will discuss a Timeline to Compliance.

DTS InfoTech Can Help

Most small health care providers do not have the technical resources to understand all this geek stuff. And many health care providers are not HIPAA Compliant. If this describes you, we can help you Achieve compliance, Illustrate compliance to auditors and Maintain full compliancy.

Return to main HIPAA page

For more information:

Dedicated to your success,

Wally Moore
General Manager and Compliance Officer
dts|infotech . . . computer networks that work