Guest Post: The New Need for Auditing: Privacy and Breach Notification Mandates

Ali Pabrai
Feb 03, 2012

The HITECH Act, HIPAA, as well as mandates from State regulations (e.g. Massachusetts 201 CMR 17.00), are raising the minimal requirements that organizations such as healthcare covered entities and business associates must implement to prevent unauthorized access. Further, the Connecticut Attorney General’s lawsuit against Health Net of Connecticut for failing to secure approximately 446,000 enrollees’ Protected Health Information (PHI), and for failing to notify State authorities and enrollees of a security breach, is a reminder that breaches are not just a risk to information, but a risk to the organization.

HITECH Audit Preparedness
Organizations need to take compliance mandates for HIPAA, HITECH and State regulations seriously. Compliance requirements establish the minimal capabilities that organizations must manage and maintain. To be audit-ready, organizations must, at a minimum:

  • Ensure a robust life cycle is maintained for account access, modification and termination
  • Ensure proactive audit and monitoring capabilities are in place and used to track and detect unauthorized access
  • Establish Role-Based Access Control (RBAC) to manage job roles and their associated access rights (this requires Human Resources to work closely with the Information Technology department)

With privacy and data breach mandates now driving the new world order in healthcare, secure authentication for access to patient information is directly in the sights of state AGs and Federal agencies across the country, in a concerted effort to tighten data security and ensure patient privacy. Effective user authentication is therefore a critical component of avoiding potential breaches, and it should provide quick reporting capabilities to prove compliance and to show the appropriate actions taken should an incident occur.

More than ever, the Boards of Directors at hospitals, health systems, business associates and others are taking notice and asking an important question – “is the organization compliant with HIPAA and HITECH mandates?” Are you?

Ali Pabrai, chief executive of ecfirst, is a highly sought-after security and compliance expert. He is also the author of the executive brief Cyber Security Strategy: The 4 Laws of Information Security. Pabrai was the first to launch a program focused on global information security regulations, the Certified Security Compliance Specialist™ (CSCS™) program. The CSCS™ program addresses PCI DSS, FISMA, ISO 27001/27002 and other security regulations and standards.