My Security Risk Audit Is Complete. Now What?

Posted by Ken Reiher

9 tips for risk mitigation after performing security risk audits

ComplyAssistant recently contributed an article on security risk audits in the February 2019 edition of Compliance Today. The following blog post covers some of the key points.

Risk areas can be found in virtually every corner of a hospital or healthcare provider these days. How do you keep up with it all? By performing rigorous and regular security risk audits.

Why perform audits

First and foremost, the HIPAA Security Rule requires covered entities and business associates to perform regular security risk assessments. Secondly, you want to make sure you’ve done due diligence to uncover and mitigate risk to protect your organization and your patients. Finally, you’ll want to make sure you have documented evidence of due diligence in case of a reportable breach or random OCR audit.

The difference between an audit and an assessment

While the terms are often interchangeable, a security risk assessment is typically a “yes/no” questionnaire to indicate if security protocols are in place. Security risk audits go deeper, documenting the actual policies and procedures and gathering evidence of due diligence.

In performing a security risk audit, you should be able to document every location of protected health information, such as email, workstations, servers and the like. In the audit, you should also demonstrate the controls that exist to protect the data, such as encryption, workforce education and more.

How often audits should be completed

We recommend intensive security risk audits be completed annually, but there are exceptions. For example, if external audits with any business associates revealed high-risk gaps, you’ll want to audit them again in 4-6 months to ensure they are properly mitigating those risk areas. Additionally, if there has been a change to your organizational structure (e.g., merger or acquisition), this is also a good time to conduct additional audits. And, you should also schedule supplementary audits if and when changes to federal regulations or cybersecurity frameworks occur.

What to do after an audit is completed

Whatever you do, don’t put the file in a drawer and forget about it. Risk management is key to this process. Here are 9 quick tips to make sure you’re getting the most out of your security risk audits:

  1. Prioritize gaps by level of risk, from high to low. This will help focus risk management efforts on the most important gaps.
  2. Create and implement a risk management action plan.
  3. Create a governance team that will enforce accountability.
  4. Empower the CISO. We can’t stress this enough.
  5. Respond and be transparent. This will feed the governance team’s decision-making.
  6. Keep up with regulatory changes so you can incorporate them into your audit process.
  7. Don’t forget about change management. Make sure you’re ready to perform security risk audits year after year.
  8. Plan all year for your next audit. Where are your gaps and trends? What organizational changes have occurred? What new technologies are in place?
  9. Get a governance, risk and compliance (GRC) solution to help. You can’t do this all on paper. A comprehensive GRC software solution will allow you to automate manual processes, reduce complexity, and enable internal and external collaboration.

Don’t let your healthcare organization get behind. Audit regularly, gather and document evidence and take action on risk areas consistently.

Read the full article in Compliance Today.

© 2019 Compliance Today, a publication of the Health Care Compliance Association (HCCA).

Want more? Read our Fundamental Guide to Security Risk Assessments.

For a consultation and demo, contact ComplyAssistant.