One of the HIPAA Security Rule requirements is that covered entities and business associates have administrative controls in place. Once you have completed your HIPAA risk analysis, you should have a good idea of what administrative controls are appropriate for your organization to protect ePHI. Having administrative safeguards in place is important for both the prevention and mitigation of a data breach.

Stephanie Rodrigue discusses HIPAA Administrative Safeguards

What are Administrative Safeguards?

According to the Office for Civil Rights, the Security Rule defines administrative safeguards as, “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (ePHI) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”

Examples of administrative controls can be things like employee training, security awareness, written policies and procedures, incident response plans, business associate agreements, and background checks.

In order to satisfy this requirement, your organization must demonstrate and provide evidence that you have the appropriate administrative controls in place and that they are operating effectively. This means that your risk analysis results have been analyzed, and the appropriate administrative controls and security measures have been put in place to effectively address these risks. For more help on determining whether you have the appropriate administrative controls in place, contact us today.

What is an SDLC?

What is a software/systems development lifecycle? What elements should be included in an SDLC? What is the most important phase in an SDLC? What are the different frameworks? What are the methodology terms? How do you validate compliance with an SDLC? Is OWASP an SDLC? This webinar gives listeners an overview of the individual phases and elements that should be included in an SDLC, along with some basic knowledge about SDLCs.

An SDLC is…

  • A framework that defines each task to be performed at each step in the software development process.
  • A structure that should be followed by a development team within the software’s organization.
  • A detailed plan describing how to develop, maintain, and replace specific software.
  • Composed of clearly defined work phases which are used by systems engineers and systems developers to plan for, design, build, test, and deliver information systems.
  • Comprised of policies, procedures, and standards.
  • Meant to maintain a secure environment that supports business needs.

The basic steps of an SDLC are…

  1. A preliminary analysis in which the organization defines its objectives and decides what needs to be accomplished. Business, technical, functional, and user requirements are gathered. Discovering what your requirements are is the foundation of this process. What is needed to make this program successful?
  2. A system analysis in which the project goals are broken down into functions and deficiencies are identified.
  3. A system design phase that describes the desired features and operations in detail. The new system requirements, based on the deficiencies found, are addressed in a proposal for improvement.
  4. A development process in which plans are laid out concerning the physical construction, hardware, operating systems, programming, communications, and security issues. Users of the system must be trained.
  5. The use of the new system and the gradual replacement of the old.
  6. Testing for errors, bugs, and inoperability.
  7. An evaluation to assess if goals were achieved.
  8. A disposal plan to discard system information, hardware, and software while marking the transition to the new system.
  9. Continued rigorous maintenance to ensure the system does not become obsolete.

Watch the full webinar to learn how your organization can have a fully-functioning application in a hardened environment. For more information, contact us today.

Now, with more than 200 Phase 2 HIPAA desk audits completed, Deven McGraw, Deputy Director of the Department of Health and Human Services’ Office for Civil Rights, is encouraging healthcare organizations to take a look at lessons learned from the completed desk audits to prepare for future HIPAA audit enforcement.

Understanding and navigating HIPAA audit enforcement has been on the minds of healthcare professionals for several years. Many covered entities and business associates have struggled to know what to focus on and in which areas they are lacking safeguards. Deven McGraw made an exclusive address at HIMSS17 to share with the healthcare industry the top findings from the 2016 Phase 2 HIPAA audits.

Top 8 Lessons Learned from Phase 2 HIPAA Desk Audits

Let’s look at the top 8 lessons learned from the Phase 2 HIPAA audits and make sure you have all of these things in place before you’re audited by the OCR.

  • Lack of Business Associate Agreements

HIPAA law mandates that you have a signed agreement in place with any contractor or subcontractor who is considered a business associate. This means any vendor or third party that has access to protected health information (PHI) is required to sign a contract pertaining to the protection and use of that PHI. This also applies to any business associates using subcontractors.

  • Incomplete or Inaccurate Risk Analysis

An incomplete or inaccurate risk analysis is still a prevalent issue, mainly for organizations that underestimate their full scope and leave out major systems. Don’t forget that the HIPAA risk analysis is a risk-based, prescriptive approach to HIPAA compliance and should be step number one for any organization working towards HIPAA compliance. KirkpatrickPrice has published numerous resources for a step-by-step approach to performing a HIPAA risk analysis.

  • Failure to Manage Risk

Once your risks have been identified, it’s important to mitigate and properly manage those risks. If there are risks you cannot address, be sure to document them, record what you will be doing to manage them in the meantime, and fully document your remediation plan. Risk management is a critical component of any information security program.

  • Lack of Transmission Security

Encrypt everything! Any and all electronic transmission of protected health information (PHI) MUST be encrypted. No exceptions. And as always, if there is something that for whatever reason cannot be addressed, it needs to be formally documented along with the ways you are able to mitigate that particular risk.

  • No Patching of Software

We all saw the wake of WannaCrypt in the headlines this month and how failing to apply critical patches can lead to a devastating loss of business and operability. WannaCrypt targeted more healthcare organizations than any other kind of organization, so don’t learn this lesson twice! Patches must be up to date, because outdated software and patching make you an easier target. If there is a critical piece of software that you must use and that cannot be kept current, be sure you’re documenting that and what you are doing to address any associated concerns.

  • Insider Threat

Whether your organization is small or large, it’s always important to have employee termination policies clearly defined and in place, and to ensure that you’re following them. Do you remove access from terminated employees? Are you using default passwords that can be easily cracked? Don’t fall victim to insider threat.

  • PHI Disposal

What good are strong administrative and technical safeguards if you’re exposing the low-hanging fruit? Improper disposal of PHI was a common issue found in the Phase 2 HIPAA audits. Make sure you’re properly disposing of PHI and don’t leave anything available for dumpster divers.

  • Lack of Incident Response Plan

Another common finding from the Phase 2 HIPAA audits is insufficient backup and contingency planning. With the risks of ransomware, we must not only be focusing on prevention but also have an Incident Response Plan tested and ready to deploy if, and when, necessary. Regular data backups also go hand-in-hand with incident response as a way to help minimize the damage from a breach or malicious attack.

Preparing for HIPAA audit enforcement may seem like an overwhelming task. Start with a risk analysis and don’t forget these 8 common findings when developing your HIPAA compliance program. If you have any questions or would like help preparing for Phase 2 HIPAA audits, contact us today.

Independent Audit Verifies E-STET’s Internal Controls and Processes

Los Angeles, CA – May 2017 – KirkpatrickPrice announced today that E-STET, a California-based eDiscovery and legal technology provider, has received its SOC 2 Type II attestation report. The completion of this engagement provides evidence that E-STET has a strong commitment to delivering high quality services to its clients by demonstrating that it has the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of E-STET’s controls to meet the criteria for these principles.

“Data security is non-negotiable. It’s a critical component of any organization’s day-to-day operations, including the legal process,” said Bhuvan Singh, E-STET’s Chief Operating Officer. “Adhering to the AICPA’s SOC 2 Type 2 framework demonstrates E-STET’s continuing dedication to data security. Our clients love the fact that we are as dedicated to the security of their data as they are.”

“The SOC 2 audit is based on the Trust Services Principles and Criteria. E-STET has selected the security, availability, and confidentiality principles as the basis for their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “E-STET delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on E-STET’s controls.”

About E-STET

E-STET is a California-based legal technology company making the practice of law more efficient through technology and innovative business solutions for corporations, AmLaw 100 and boutique law firms, and government agencies. Founded in 2007, E-STET’s cutting-edge team of lawyers and computer engineers enjoys pushing the legal tech envelope for its clients with next-generation technology and service offerings. E-STET has been on Inc. Magazine’s 5000 fastest growing companies in America, and on Deloitte’s Fast 500 list of fastest growing technology companies in North America. Email E-STET at contact@e-stet.com or visit http://www.e-stet.com for more information.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 11 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more info, visit www.kirkpatrickprice.com.

Independent Audit Verifies HealthFirst Financial’s Internal Controls and Processes for Protecting Healthcare Provider Data and Personal Health Information

Springfield, OR – May 16, 2017 – HealthFirst Financial, a leader in patient financing, has successfully completed a voluntary SOC 1 Type II audit. This attestation, established by the American Institute of Certified Public Accountants (AICPA), verifies that HealthFirst Financial has the proper internal controls and processes to protect provider and patient data and deliver high quality services to its healthcare clients. HealthFirst stands out among other patient financing firms in securing this designation for the second time.

“Protecting our provider clients and their patients’ data is paramount,” said KaLynn Gates, President and Corporate Counsel for HealthFirst Financial. “The recent ransomware attacks hijacking hundreds of thousands of computers in more than 150 countries underscore the importance of ensuring partners and vendors deliver the highest level of security for safeguarding personal health information through robust technology and procedures. Even before these recent attacks, nearly nine in 10 healthcare organizations had experienced a data breach that involved patient data being stolen, according to a study by the Ponemon Institute.”

KirkpatrickPrice, a licensed CPA firm, performed the audit and appropriate testing of HealthFirst Financial’s controls that may affect its clients’ financial statements. The Service Organization Control 1 (SOC 1) Type II audit report includes HealthFirst Financial’s description of controls as well as the detailed testing of its controls for a one-year period.

“Providers and their patients rely on HealthFirst Financial to protect personal health information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, HealthFirst Financial has implemented the best-practice controls that all healthcare providers should require of their partners to manage information security and compliance risks.”

Federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers. KirkpatrickPrice’s expert review validates HealthFirst Financial’s controls, and the tests it performs provide assurance regarding the security, confidentiality, and privacy of the patient payment programs provided by HealthFirst Financial.

About HealthFirst Financial

Founded in 2001, HealthFirst Financial is a national patient financing leader that has helped hundreds of thousands of patients afford care while improving the financial performance of healthcare organizations. HealthFirst Financial is the first and only company awarded the prestigious Peer Review Designation from the Healthcare Financial Management Association for its patient financing programs following a rigorous evaluation of the overall effectiveness, quality and value of its payment solutions.

###

Media Contact for HealthFirst Financial

Shannon Conklin

206.618.7801

sconklin@healthfirstfinancial.com