The most commonly used fields of audit can be divided into three groups: technical, physical and administrative. Because of the importance of information security, information security audits come in multiple types and pursue a large number of objectives.
The Administrative Safeguards account for more than half of the HIPAA Security Rule requirements. They also prescribe a series of solutions to problems caused by particular factors, documented according to each situation covered.
The first Administrative Safeguards standard is the Security Management Process. It comprises the policies, procedures and actions used to prevent, detect and correct security violations. Its main aim is to establish the administrative process that the covered entity uses to design a security program for its own environment. It has four implementation specifications: risk analysis, risk management, sanction policy and information system activity review. Risk analysis and risk management are both standard information security processes that have already been adopted by a number of organizations connected with the health care industry.
Risk analysis provides an accurate assessment of the risks and problems affecting electronic protected health information (EPHI); put simply, it is the process of identifying potential security risks. Risk management requires an organization to make decisions: it is the process of selecting and implementing security measures that reduce risk to an appropriate level. This part of a security audit matters to any kind of business, including the company taken as our example: an auto parts workshop trading original parts for Japanese cars. Its main office runs central computers holding the database of all trading operations, so these need strong protection. In this case the security audit will consist mostly of administrative and technical safeguards.
The sanction policy is common to every type of business. Appropriate sanctions must be applied so that workforce members understand the consequences of failing to follow the security policy.
Workforce security is one of the most important standards for our company. Workforce members need access to EPHI (electronic protected health information) to carry out their duties, which means they have to complete identification on the computer systems and applications. In our case, company members are authorized through their individual accounts. Authorization is the process of determining whether a user has the right to read particular files or run particular programs on a PC.
When an employee, workforce member or any other individual no longer holds the privileges to access information, termination procedures must be carried out to remove those access privileges.
According to the Security Rule, all new and existing workforce members must complete security training by a specific date. The Security Awareness and Training standard has several implementation specifications: security reminders, protection from malicious software and password management.
Security reminders may be issued in printed or electronic form. One of the most important measures for protecting information and software is protection against malicious software: if malware successfully invades an information system it can do huge damage to the business. In our case the auto parts company could be seriously harmed if spyware got into the system and it somehow lost its database. The last specification in this standard is password management, which covers the procedures for creating, changing and safeguarding passwords.
Another standard is the Contingency Plan. Its purpose is to establish how access to EPHI is recovered after a power outage or after critical errors occur during business operations; the main aim is to ensure that the company's EPHI is available whenever it is needed. It has two important specifications: the data backup plan and the disaster recovery plan.
For our company a data backup plan is vitally important: it means creating exact, retrievable copies of the files that hold the main information, that is, copies of the EPHI. Employees regularly back up the operating system to protect it against spyware, hardware failures and similar incidents. The disaster recovery plan is the procedure for restoring any information that is lost. The last Administrative Safeguards standard is Business Associate Contracts and Other Arrangements. A covered entity may permit a business associate to create, receive or transmit health information on its behalf only if it obtains satisfactory assurances that the business associate will safeguard the information appropriately.
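The data backup plan and disaster recovery plan described above have a practical core: a copy is only worth keeping if you can prove it is intact before restoring from it. The following is an added example written for this page, not the company's own backup procedure and not a HIPAA reference implementation. It creates a constructed sample "trading database" in a temporary directory, backs it up with a SHA-256 manifest, simulates loss of the live file, restores it, and then shows the restore being refused when the backup copy itself no longer matches the manifest.

```python
"""Backup with integrity manifest and verified restore (example code added to this
page; the database contents, file names and directory layout are constructed)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large database files are handled too."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_file(src: Path, backup_dir: Path) -> Path:
    """Data backup plan: copy src into backup_dir and record its hash in a manifest."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / src.name
    shutil.copy2(src, dest)  # copy2 preserves timestamps as well as contents
    manifest = backup_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else {}
    entries[src.name] = sha256_of(src)
    manifest.write_text(json.dumps(entries, indent=2))
    return dest


def verify_backup(backup_dir: Path, name: str) -> bool:
    """A backup is only useful if it is intact: compare the copy against the manifest."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    copy = backup_dir / name
    return copy.exists() and sha256_of(copy) == manifest.get(name)


def restore_file(backup_dir: Path, name: str, target: Path) -> bool:
    """Disaster recovery step: refuse to restore from a copy that fails verification,
    and confirm the restored target matches the recorded hash."""
    if not verify_backup(backup_dir, name):
        return False
    shutil.copy2(backup_dir / name, target)
    expected = json.loads((backup_dir / "manifest.json").read_text())[name]
    return sha256_of(target) == expected


def demo() -> dict:
    """Walk through backup, loss, restore and a tampered backup; returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        db = root / "trading.db"
        # Constructed sample data standing in for the workshop's trading database
        db.write_bytes(b"order,part,qty\n1001,brake-pad-JP,4\n")
        original_hash = sha256_of(db)
        backup_dir = root / "backups"
        backup_file(db, backup_dir)
        intact = verify_backup(backup_dir, "trading.db")

        db.write_bytes(b"corrupted")  # simulate loss of the live database
        restored = restore_file(backup_dir, "trading.db", db)
        matches = sha256_of(db) == original_hash

        # If the backup copy itself is damaged, the restore must be refused
        (backup_dir / "trading.db").write_bytes(b"tampered")
        refused = not restore_file(backup_dir, "trading.db", db)
        return {"intact": intact, "restored": restored, "matches": matches, "refused": refused}


if __name__ == "__main__":
    print(demo())
```

The manifest is what turns a copy into a verifiable backup: without a recorded hash, a silently corrupted or modified copy would be restored over the live data and the disaster recovery plan would fail at the moment it is needed.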
Facility Access Controls establish procedures that limit physical access to the electronic information systems and ensure that members are properly authorized. Our company has a Facility Security Plan whose aim is to document the use of physical access controls. It must ensure that only authorized individuals have access to the facilities and equipment that hold electronic protected health information.
Each member of our company has a role in the organization and individual permission to access information. These validation procedures are closely tied to the facility security plan.
If a computer has not been used for some time, for example, a default screensaver appears, and it is very important that it be password protected. The monitor also becomes inactive; when it is idle, it simply switches off.
The Technical Safeguards are the most useful standard for businesses that need to protect electronic information held in a large database. They include unique user identification, encryption, automatic logoff and others. All of these mechanisms are designed to identify and track a user's identity. Automatic logoff shuts down the computer or logs off the account after a specified period of inactivity.
Audit Controls track the activity of users in the information systems that contain EPHI. Most systems provide audit controls through reporting, such as audit reports. If a security violation occurs, these controls are especially useful because they have recorded the system activity.
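The safeguards discussed in the workforce security, termination, automatic logoff and audit controls passages fit together in one small model, shown here as an added example written for this page (not the company's system and not a HIPAA reference implementation). Users, roles, the ten-minute idle threshold and the timestamps are all constructed assumptions. The model enforces unique user IDs, checks each action against the user's role, expires idle sessions, removes a terminated user's access, and appends every decision to an audit log that can be queried afterwards.

```python
"""Unique user IDs, authorization, termination, automatic logoff and an audit trail
(example code added to this page; roles, users and timeout are constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

IDLE_TIMEOUT_SECONDS = 600  # assumed automatic-logoff threshold: 10 minutes

# Role -> permitted actions (constructed sample policy for the auto parts workshop)
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clerk": {"read:orders"},
    "manager": {"read:orders", "write:orders", "read:audit"},
}


@dataclass
class Session:
    user_id: str
    last_activity: float  # seconds since epoch, supplied by the caller


@dataclass
class AccessControl:
    users: Dict[str, str] = field(default_factory=dict)        # user_id -> role
    sessions: Dict[str, Session] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def _record(self, now: float, user_id: str, event: str, detail: str = "") -> None:
        # Audit control: every security-relevant event is appended, never edited
        self.audit_log.append({"time": now, "user": user_id, "event": event, "detail": detail})

    def add_user(self, now: float, user_id: str, role: str) -> None:
        if user_id in self.users:
            raise ValueError("user IDs must be unique")  # unique user identification
        self.users[user_id] = role
        self._record(now, user_id, "user_added", role)

    def login(self, now: float, user_id: str) -> bool:
        if user_id not in self.users:
            self._record(now, user_id, "login_denied", "unknown user")
            return False
        self.sessions[user_id] = Session(user_id, now)
        self._record(now, user_id, "login")
        return True

    def _expire_idle(self, now: float) -> None:
        # Automatic logoff: drop any session idle for longer than the threshold
        for uid, s in list(self.sessions.items()):
            if now - s.last_activity >= IDLE_TIMEOUT_SECONDS:
                del self.sessions[uid]
                self._record(now, uid, "auto_logoff")

    def authorize(self, now: float, user_id: str, action: str) -> bool:
        # Authorization: does this user, with an active session, have the right to act?
        self._expire_idle(now)
        session = self.sessions.get(user_id)
        if session is None:
            self._record(now, user_id, "access_denied", f"{action}: no active session")
            return False
        session.last_activity = now
        allowed = action in ROLE_PERMISSIONS.get(self.users.get(user_id, ""), set())
        self._record(now, user_id, "access_granted" if allowed else "access_denied", action)
        return allowed

    def terminate(self, now: float, user_id: str) -> None:
        # Termination procedure: remove the account and any live session together
        self.users.pop(user_id, None)
        self.sessions.pop(user_id, None)
        self._record(now, user_id, "terminated")

    def events(self, event_type: str) -> List[dict]:
        """Audit report: all recorded events of one type."""
        return [e for e in self.audit_log if e["event"] == event_type]


def demo() -> dict:
    ac = AccessControl()
    t = 1_000_000.0  # constructed starting timestamp
    ac.add_user(t, "anna", "clerk")
    ac.add_user(t, "boris", "manager")
    ac.login(t, "anna")
    results = {
        "clerk_read": ac.authorize(t + 1, "anna", "read:orders"),
        "clerk_write": ac.authorize(t + 2, "anna", "write:orders"),
    }
    # 15 minutes of inactivity: the next request triggers automatic logoff first
    results["after_idle"] = ac.authorize(t + 2 + 900, "anna", "read:orders")
    ac.login(t + 1000, "boris")
    ac.terminate(t + 1001, "boris")
    results["after_termination"] = ac.authorize(t + 1002, "boris", "read:audit")
    results["auto_logoffs"] = len(ac.events("auto_logoff"))
    results["denials"] = len(ac.events("access_denied"))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the idle check runs inside every authorization decision, a stale session can never be used to act after the timeout, and because the audit log records the denial reason, an audit report can later distinguish a policy refusal from an expired session or a terminated account.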
Every standard of the security audit is extremely useful and has its own meaning. Administrative functions such as policies and procedures must be in place for the management and execution of security measures. The Administrative Safeguards thus guarantee security responsibility and documentation of all decisions; the Physical Safeguards protect electronic information systems, buildings and equipment; and the Technical Safeguards protect EPHI and control access to it.
Using our company as an example, we found that every standard plays an important role: together with the appropriate Administrative and Physical standards, the Technical Safeguards ensure the confidentiality, integrity and availability of EPHI.