
Governance Report Card
13 Data Points to Report to Your Governance Committee
The importance of a walkthrough is both for internal use and proof of due diligence for a pote
Did you dread getting that quarterly report card from your teacher? The kind where you got a C- in gym class, or a “Needs Improvement” in math. Or maybe you were an overachiever and got all A+ scores!
Well, we’re bringing the quarterly report card back, and our aim is to help you get the highest score possible on your security and compliance efforts. With 13 distinctive data points, our quarterly governance report card will help you:
- Understand and track any high-risk areas within your organization
- Gather data and trends to report at your quarterly Governance Committee
- Track industry breaches for learnings you can apply
- Manage change within your organization
- Prioritize and set budgets for needed resources
Let’s take a look at the 13 data points you should include in your quarterly governance report card.
1. Current high-risk gaps: Based on results from security risk audits or assessments, document your top 5 to 10 high-risk areas, along with the cost to mitigate each risk. Having this information ready for your governance committee meeting will enable an informed conversation about the risks and decision-making about budget allocation.
2. ePHI vulnerability risks: Where have you uncovered areas vulnerable to a breach of protected health information? Review areas such as email, portable devices, cloud-based solutions, Wi-Fi networks, servers and workstations for any vulnerabilities that could leak ePHI. Document any vulnerabilities found on your report card, and use that to build an action plan for mitigation.
3. Physical security risks: Record any risks associated with physical security, such as unauthorized building entry or stolen equipment. Think about the old hardware stored in a basement somewhere. How secure is your facility itself, and thus the data within it?
4. Status of medical device security: While treated as business associates (BAs), medical devices need even further scrutiny. Document the timing and findings from your latest assessments of all medical devices. How secure is the connectivity between those devices and your network? Is staff access properly controlled by role? These are data points you need to track to make it more difficult for attackers to access patient data via a medical device.
5. Status of BA management: Document your highest-risk areas. What have your BA audits uncovered? Are BAs responding appropriately? The governance committee should be aware of this data, and be armed to make any sanctioning decisions if needed. This should include both direct and downstream BAs.
6. Disaster recovery and business continuity: When was the date of your last disaster recovery test? What were the results? Is your business continuity plan up to date based on current procedures? Are employees properly trained to carry the plan out? Using this data, you can assess the need for further testing and modification of your plan.
7. Cybersecurity simulations: How often do you perform simulations? What were the results of the last three to four simulations? We recommend tracking this information over time to determine trends.
8. Workforce training: How well did your staff fare on the latest phishing tests? Are there departments or staff who regularly fail? This may indicate the need for further training or other types of enforcement. Or, what about the departments or staff who do well? Perhaps they can be acknowledged as team advocates to build a culture of compliance at your organization.
9. Policy and procedure operational audit: Document the date and scope of your last audit. What were the results? Were there any impacts from recent changes to policies or procedures? Based on this information, any new updates required can be reviewed and approved by the governance committee.
10. Cloud host audit: Like #9, you'll want to document the date and results from your last cloud host audit. Were there any red flags? If so, what was the vendor response? From there, the governance committee can decide if a change in strategy is needed.
11. Latest industry breaches: Learn from what's happening to others. By staying informed of breaches in the news, you can analyze the information to see emerging trends. It's even more important to make sure your governance committee is also aware of these trends so they can be more educated on what to look for in their own departments.
12. Change management: What impact have any governance decisions had on your business operations? Having this data available during governance committee meetings will educate the team and better inform decisions to be made regarding additional resources or training.
13. ISAO information sharing: Similar to #11, this is another way to gather and report on the latest threats. Listen to your peers in other organizations. What are they seeing and fighting on a regular basis? Do you need to operationalize new tactics to prevent unseen threats?
Ready to start gathering data for your next governance committee meeting? Download our printable Quarterly Governance Report Card.
Having a comprehensive HIPAA orientation for new employees and recurring HIPAA training for retained employees is important, but without a field test of this knowledge, vulnerabilities can be exploited.
ComplyAssistant's HIPAA Facility Walkthrough Checklist will provide you with the high-level search criteria you need to review as you walk around each department. As any HIPAA Privacy and/or Security Officer will attest, conducting random HIPAA facility walkthroughs within different sections of your organization where PHI is accessed and/or stored is a necessary part of your HIPAA compliance program, but you need to make sure you are looking for the correct signs.
Failure to comply with HIPAA can lead to massive fines and irreparable damage to an organization's reputation. Since the HIPAA rules and regulations have been in existence for over 20 years, the Office for Civil Rights of the Department of Health and Human Services (OCR) will issue fines for lack of compliance with the HIPAA-HITECH-Omnibus Privacy, Security, and Breach Notification rules regardless of whether the incident was accidental or a product of willful neglect, although the former carries a smaller fine than the latter.
ComplyAssistant's HIPAA Facility Walkthrough Checklist is one of the free tools we offer to our website visitors to assist in their compliance needs. Our goal is to institute a "culture of compliance" in each of our client organizations, and the use of a properly outlined HIPAA Facility Walkthrough Checklist is a very important step in a client's compliance evolution.