In Action –
Healthcare IT Compliance Examples

HIPAA Security Rule Technical Requirements

One of the most pressing and costly issues facing all healthcare organizations is compliance with the HIPAA/HITECH Security Rule requirements related to Information Technology.

Providers are faced with losing government funding, significant penalties and costly public notification and other expense for not adhering to the Security Rule’s required risk analysis, controls, systematic process and records keeping.

To add to the complexity of compliance, these requirements are predominantly descriptive (not prescriptive) and are meant to provide broad requirements for compliance not specifics.. As such, each organization is left to decide on its own controls and how to maintain and record those controls based on its own identified risks and vulnerabilities.

What do Auditors want?

Lessons learned from previous penalties assessed by The Office of Civil Rights (OCR) reveal that, in the cases involving the most significant penalties, auditors focused on the fact that the entities had not performed required risk analyses, had not set required controls and had not regularly reviewed and assessed those controls. Specifically, The OCR auditors and leadership focused their penalties on violations that were preventable by sound IT asset management and configuration reporting including identifying and protecting assets potentially storing electronic protected health information (ePHI), identifying and addressing their weaknesses with controls and maintaining the corporate records to prove it all.

Concierge Service to Establish Compliance Support

While each individual organization must decide on its own controls and process for compliance, at Symphion, we’re able to provide key facts, analysis, and records to enable those decisions and to help prove the chosen controls.

Essential Asset Inventory

Having an accurate and complete inventory of Windows computing devices that might store ePHI is an essential to effectively managing risk. However, maintaining that inventory can be one of the most daunting of all information technology challenges because of the dynamic nature of IT Eco Systems—especially for acute care providers. Your Symphion concierge team will utilize our core technologies and process to work with you to establish your complete inventory of Windows computing devices (both virtual and physical) regardless of make, model or location, both initially and throughout the delivery of our service and the lifecycle of the device.

Software Inventory

Our teams will inventory all installed software on the subject Windows computing devices including: encryption software, endpoint protection (virus) software and many others.

Patch Management Delivered

Another of our healthcare IT compliance examples – enterprise patch management is a challenge faced by all businesses. Our teams will keep you informed on current patching needed in your Windows fleet.

Weaknesses Identified, Ranked and Reported

Each month (or more frequently), your concierge team will scan each Windows computing device and will automatically compare its configuration to the then current weaknesses in the National Vulnerability Database. They will then report on 1,000’s of known weaknesses in a monthly executive, actionable report pack including identifying and ranking them by asset and enterprise wide.  Some key weaknesses include:

  • Unsupported operating systems
  • Open ports
  • ftp software
  • Bad passwords
  • Exposed browsers
  • No Encryption Software Installed
  • Unpatched Software
  • Unsecure Software Installed
  • No Virus Protection

Configurations Compared to Government “Gold Standard”

Your team will also compare each device’s configuration against the Government “Gold Standard” for configurations to help you gauge your level of security.

Other Enterprise Exposures Identifiable

Because our concierge teams will use multiple Symphion Software Products to deliver this Service, other key enterprise exposures can be reported such as:

  • Database inventory
  • Rogue databases
  • Rogue wireless networks
  • Administrator rights changes
  • Active Directory Services reports
  • Unauthorized networks

Records Maintained, Process Established

Each month, your dedicated team will prepare a report pack of these results for you and will record it in your onsite historical repository. Our disciplined process of monthly scanning, reporting and recording automatically establishes a regular risk analysis, security evaluation and historical records of your chosen controls and measures for the subject assets and controls.

How Our Process Works For You

Where Are We Weak?

As a monthly discipline, we will help identify, rank and report on Windows fleet vulnerabilities/weaknesses.

How Are We Doing?

You will be able to make decisions about how best to establish (both physical and financial feasibility) your controls and how to adapt them to changes in your IT Eco System.

How Do We Prove It?

The records of your efforts will be recorded and available in the monthly report packs and in your historical repository, when you need to prove it.

How Do We Account for Changes?

Finally, our concierge team will be there to help you keep your reporting comprehensive and accurate regardless of your enterprise changes and to account for those changes such as mergers, acquisitions or normal IT asset lifecycle changes.