14.5 THE AUDIT PROCESS

14.5.1 Interviewing Staff

The evaluators or auditors should begin by obtaining the internal documentation that states what the organization's procedures are for handling PHI. Those staff that will be of assistance to the audit process should be identified. Early on in the process, the auditors and the Information Technology team should realize that this is not a combative process and many times, the use of external auditors provides the IT staff additional leverage for improving current security practices.

14.5.2 Determining Time of Day, Testing Methods, Limitation of Effect on Production Systems

As in any audit process, there are times that the audit is best done in a 'surprise manner' and those times that it is best done at an arranged time. For procedures that are testing staff and their interpretation of the policies and procedures, working with the organization to determine timing of the interviews is wise. For those procedures that are more of a pro-active testing nature, advanced notification is not necessarily needed. The auditor will inform you of their techniques.

14.5.3 Arrange for Site Visits

In order to properly evaluate and observe physical procedures in place to protect PHI, a site visit is required for external auditors. Informing your staff of the presence of auditors may be required to ensure the proper functioning of your organization.

14.5.4 Ensure They Have Indemnification Statement [Including Internet Service Provider]

As many of the external testing procedures may require procedures that appear to be attempted 'access' of the data, ensure that only required staff performs these needed vulnerability procedures and while doing so they have an indemnification statement in their possession. Notification of your Internet Service Provider may also been needed. You may wish to perform vulnerability assessments in a more confined manner to ensure that your network testing is not being performed over open Internet connections. Consider setting up a temporary machine to test access points, firewalls, etc, without going through the external internet.

14.5.5 Inventory of Systems, Physical Location

As was stated earlier, your organization must first have documentation in place that lists all of your systems and physical locations of these assets. The evaluation or audit process should review this inventory to ensure that all systems are accounted for. Any loss of an asset with PHI information on it should be considered a security risk that needs immediate action.

14.5.6 List of Software

Software can introduce vulnerabilities into a system. Ensuring that only approved software is installed in an organization allows a proper risk management to be performed. The ICAT Metabase ^[14] is just one resource that can be used to search for vulnerabilities introduced by software.

14.5.7 Network Topology

While a diagram of the network topology of a firm is not required, it is helpful to the auditor to have at the beginning of the process to properly plan the most efficient way to audit the organization. This diagram may also point out physical security weaknesses as well. Network jacks in areas that are open to the public are not recommended. Having a full map of the physical layout of the infrastructure may help to point out these weak areas. Included in this mapping should be the network configuration used [Class A, B or C] and the reasoning behind the use of range.

14.5.8 Operating Systems

All operating systems of all devices used within the organization should be reviewed to ensure that they are still supported platforms, obtaining security patches. Older, non supported platforms should not be maintained . The patch level of all attached devices of the systems should be monitored on a constant basis. In any sized organization should have a plan in place to test, evaluate and deploy security patches needed by operating systems and programs. Vendors should be contacted to set up such systems if they are already not in place. ^[15]

14.5.9 Review Written Policies and Prepare Recommend Changes

The internal or external auditor should ensure that the organization is, above all else, adhering to their written procedures. This is the foundation of the audit process. Ensuring that the organizations internal processes and procedures are properly implementing what they said they would be doing is key to ensuring that you are in compliance with the intentions of the regulations. While the internal or external auditor is reviewing the adherence with the written procedures, attention should be given to recommended improvements or noted weaknesses in the system. These comments should be provided to management or the audit committee in order to improve the handling of PHI.

14.5.10 Review of Past Incident Reports

As part of the review process, the handling of prior incidents should be reviewed. Handing forms should indicate the corrective actions taken and the follow up procedures performed. Audits may need to be performed to ensure that eradication, containment and communication was properly performed.

14.5.11 Review and Inspection of Training Procedures

Security training and awareness is a key element in ensuring that PHI data is properly handled. The manner in which training is performed should be reviewed and recommendations for changes and improvements made. Best practices can and should be monitored, reviewed, written down or captured for interactive video viewing by anyone handling PHI data.

14.5.12 Use of Tools During Audit Process-Comparison to Industry Best Practices, Gold Standards

During the audit procedure, the internal or external auditor should identify tools, vendors and other sources of benchmark data to ensure that while you are in compliance for 'minimum requirements', you also strive for best practices. These tools and information can come from a variety of resources, ranging from web sites ^[16] , to industry consortiums ^[17] , to vendor resources for best practices ^[18] .

14.5.13 Interview Staff to Determine their Understanding of the Firm's Policies and Procedures

Security is very much intertwined with human interaction. Vulnerabilities are typically introduced by the inadvertent introduction of an unapproved process or procedure. Thus ensuring that staff that handle PHI fully understand and have had proper communication of their responsibilities ensures that the systems will function as they were intended. The security of systems, affect the security of the firm, thus effective communication ensures that risks are minimized.

14.5.14 Interview CIO, Technical Systems Administrator, Network Manager, Security Director, Medical Records Director, Legal Department or Counsel

Interviewing those individuals who prepared the security communication and comparing their intended interpretations when the actual interpretations by the staff handing the PHI may point out unintended flaws in the system. Many times those in technical positions may not properly communicate procedures to staff in a manner that is easily understood by all affected. There are times that staff, in order to properly complete their assigned tasks may inadvertently introduce work-arounds and other measures that circumvent the security measures intended. A review and comparison of what was intended by those who set the security policies and procedures and what is actually being implemented will provide the internal or external auditor with those items that obviously need to be corrected, revised, or perhaps merely the communication clarified to ensure that intentions are being carried out by all of those affected.

This does not, by any means, fully include any and all procedures that an auditor may use in performing the task of ensuring that those items that are required by sections 164.308 to section 164.312 are 'required' or merely 'addressable'. The audit should be changed and adjusted to meet the needs of your organization.

^[14] http://icat.nist.gov/icat.cfm

^[15] Download details: Guide to Security Patch Management v1: http://www.microsoft.com/downloads/details.aspx?familyid=73ac38b75826421d-99e8-cdcc608b8992displaylang=en

^[16] Strategic National Implementation Process: http://www.wedi.org/snip/public/articles/dis_publicDisplay.cfm?docType=6wptype=2

^[17] Center for Internet Security provides benchmark tools for Operating systems and routers

^[18] Threats and Countermeasures Guide: http://www.microsoft.com/technet/security/topics/hardsys/TCG/TCGCH00.asp?frame=true