Phase 2 Assessment: HIPAA Readiness

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

3 hours 42 minutes
Video Transcription
So you're ready to get your audit on. I mean assessment on. I always get those confused. I mean, welcome back, my Sai Buri Hackers and hacktivists. It's been a year already, and I would like to say the time sure has flied, but really, it's been a bone crushing, sleep depriving year, getting our security program to this point. And it's been a couple of months since our third party assessment team beat us up with the next 853 assessment
and all that penetration, testing and exploiting of all our weaknesses. I mean, we had no idea we had 27 users with password being their password.
Good thing we crack down on all that nonsense. So now that we've performed a final remediation work on her final cleanup efforts, it's time to bring back that same third party assessment team because they know us intimately now. And there are partners in this thing, and so it's time for them to conduct what we call a comprehensive and in depth helper HIPPA readiness assessment. So to learn what that's about,
advance to the next slide. Don't hit, pause and go check out your latest instagram messages Nope. Don't do that. Stay right here, please.
So we've come a long way together, you and me and this lecture Siris in our health care organization and our third party assessment team. They've really helped us identify the remaining holes in our security and compliance program. And today they're in our office to begin this thing called the hip a readiness assessment we're gonna cover in this lecture. What comprises the HIPPA readiness assessment? What we're gonna learn from it
and what the benefits will be to having hip. A readiness assessment performed.
And the risks are Well, if we're feeling pretty good about ourselves, maybe you're going a little full of ourselves. Look at how great we are and we roll the dice for the OCR auditor. So we're gonna make sure that doesn't happen. And we're gonna perform this thing called the hip a readiness assessment. So let's get on our helmet climbing pack. Let's put on our harness
and get into our rope pulleys. Let's get those crampons on their teeth strapped to our boots
and let's get ready and get going. And let's climb that compliance summit.
So there's a ton of work through the third party assessment team is going to be performing on our behalf in the operating this assessment. First and foremost, this is a hip assessment, not in just 853 review, which is what we just went through with these guys. This time there are they're acting willfully and with full intent to be the Office of Civil Rights Enforcement Team from the U. S. Department of Health and Human Services.
They were our partners and our friends. Now, today
they're just like the agents in The Matrix movie. Siri's their agent Smith, and our Neo are in the interrogation room on the fund is about to begin. Theus assessment will be an incredibly deep review and investigation into our HIPPA privacy and control policies, including things like acceptable use contracts and business associate agreements are hiring policies, including evidence
that we're performing criminal background checks and a review of our procedures around privacy and security in a document that we needed to provide
the administrative procedures manual or a PM,
they will then pivot into a comprehensive review of our technical controls, with specific focus on the required controls by the hippest standards and with less focus but with diligence on how we successfully navigate and most importantly, navigated around and through to get the check box on the addressable technical controls.
So the physical security walk through an assessment is equally thorough, but it's not quite what you think. For example, video cameras aren't actually a requirement. You need to remember the required and addressable criteria of your controls. So all the physical controls are addressable, not required, according to HIPPA. So, for example, according to 1 64 3 10 of the regulation
facility, access, controls and practices
are needed to implement policies and procedures to limit physical access to its electronic information systems and the facilities in which they're housed, while ensuring that properly authorized access is allowed. So all the aspects of facility security are addressable. Our records on computer equipment other than workstations are kept in locked areas or cabinets. Onley staff authorized
have access to the equipment contractors and maintenance personnel who are not. Members of the staff
have signed a business associate agreement. The facilities have appropriate fire suppression systems in place and comply with all safety and building codes. There are appropriate security alarms or surveillance equipment in place employees and visitors are wearing name badges, and employees are trained to challenge persons who are not wearing badges. Employees protect security of Ph. I
by speaking softly and when appropriate, and are not using public areas, workstations and computer monitors or positioned to prevent unauthorized persons from viewing PH. I unattended computers, quickly going to screen saver mode to obscure any pH I
that might have been left on the screen. Doors have access control mechanisms such as locks or swipe cards on all doors were closed and locked during walk through, and access to fax machines and printers was limited to authorize staff. You don't wanna leave somebody's health record on the printer for just any Joe public to see, so the assessment will be a deep look.
Now we're addressing the physical controls of our e p H I environment.
So in the administrative, safeguard controls HIPPA Regulation 1 64 308 and it's subsections. Your program is required as part of the signing security responsibility and risk management
that you ensure appropriate security training and awareness among practice staff and that you are performing one time comprehensive HIPPA security training that is required for all employees. Ongoing education of employees pertaining to hip updates throughout the year should be provided, and employers should keep their employees updated of any significant policy or procedure changes.
And all employees should be receiving annual retraining of HIPAA standards. So your hip a readiness assessment team want to see evidence of all of this documentation sample of training videos, for example, or training Web pages, a schedule of when the training was performed and who attended schedule. Future training and the employee team portals.
Does your program perform any kind of social engineering testing to reinforce what your employees should know about ensuring patient privacy? And what is your program doing with its employee security training program
to stay ahead of the always changing security and cyber threat landscape
So the benefits are huge from having a HEPA readiness assessment. The risks are so many and so severe that I'm saying right now a HEPA readiness assessment is not optional. Your program must run it and we'll run it. Or you can at least count me out of supporting your firm in any real measure with compliance. In fact, many organizations will run readiness assessment
every 18 to 24 months or so because the critical systems and network infrastructure
is always changing, and so are your personnel. They used these systems. Manage these systems and maintain these systems. Your assessment. Your assessment team will go as deep and as wide as any OCR auditor would. And they will be the OCR Agent Smith looking with an eagle eye to locate from you the path design and when the compliance war
and the hip. A readiness assessment really is the most important and crucial step
that you and your security program will take on the journey to HIPPA compliance. No other engagement will review and investigators deeply or as thoroughly into your administrative, physical and technical controls than HIPPA readiness assessment. This is your last best chance to right size your security policy. Make sure you have your technical controls up to date
and properly have aligned with the requirements of the security rule and that all your programs business continuity
de our vulnerability and system, hardening business associate agreements and vendor management policies. If you get all of that stuff correct for this assessment than the rest, well, it's a breeze are features not about heavy lifting our features about version control, update control and staying ahead of the new federal and state laws, and we will have a compliance officer to manage all of this.
Maybe that person will even be you.
This day is what we've been working so hard for were there, and we can almost taste the compliance. Cantaloupe fresh and fruity. It's our compliance duty.
So there really is a lot to a hip. A readiness assessment. There are a ton of benefits to performing them, but to review can you name three of the primary components that will be performed and conducted during your hip? A readiness assessment. So hit, pause and then plug into the Matrix and go see the oracle. The Oracle knows all, and we'll give you the answers, even though you might not fully understand them,
because she's always telling you riddles. But that doesn't matter, because you're gonna be able to grab one of her freshly baked cookies.
And when you're all better and feel right as rain here resume and we'll review our answers together in your hip a readiness assessment you will have an extremely thorough and comprehensive policy review all the way to showing your auditor that you're running background checks in your new hire process.
They'll also perform a deep technical controls and physical controls. Review all with a comprehensive investigation
and how your program is compliant with the required security and privacy controls of your hip and and the addressable controls as well. And what are you doing with your employees? To keep them aware and always diligent with ensuring that privacy and security of PH. I really great stuff? And it cannot be emphasized enough
the importance of performing a hip a readiness assessment every 18 to 24 months. It will keep you, your people and your program sharp and ready for when the OCR agents arrive.
So we're almost at the summit. In this lesson, we covered in depth all that it entails toe perform a hip, a readiness assessment. We called out many of the huge benefits of performing them and the risk well, they're so equally big that well, it's just not optional. It's mandatory
to run the HIPPA readiness assessment. So we have in our next lesson one final gaps and remediation push. We're almost there at the summit and we're almost at our goal But there are some straggling items still out there that can still bite us.
And we will cover those remaining items in our next lecture.
So thanks for being with us today. We can finally see the summit. We're so close. We could almost tasted if there weren't such a lack of oxygen at this height. So on behalf of all of us here in Sai Buri thanks so much for joining us. We're looking forward to seeing you in the next lecture. We're almost there. We can see the top were close.
But until then, until next time, take care.
Thank you. And happy journeys.
Up Next