HITECH Audit: Important Lessons Learned
A CISO Describes Why a Beefy Risk Assessment Is So Important
After helping a hospital to pass an audit that assessed compliance with requirements of the HITECH Act "meaningful use" electronic health record incentive program, CISO Mitch Parker offers this audit prep advice: Beef up your risk assessment.
"You can't skimp on the risk assessment. That's the first and foremost item that they look for," he says. "And it can't be one of those cut-and-dry ones. You have to be very detailed about it. We had about 300 categories in ours."
Temple University Health System in Philadelphia, which recently had one of its four hospitals audited for "meaningful use" compliance, has since expanded its risk assessments to include 423 questions, and it's now making them universal throughout the healthcare system, the CISO says.
Temple's audit took about a month and a half to complete because of the thoroughness of the review by a contractor hired by the Centers for Medicare & Medicaid Services, Parker says. Auditors reviewed every aspect of the 200-page risk assessment, as well as how the organization mitigated the risks it identified, he says in an interview with Information Security Media Group at its recent Healthcare Information Security Summit in Boston, where he was a featured speaker.
Creating a detailed risk assessment and documenting all security measures is good preparation for any federal audit, Parker says: whether a HITECH review, where findings of non-compliance can mean paying back federal incentives, or the upcoming HIPAA compliance audits, which are scheduled to resume soon (see: HIPAA Audits: Getting Ready). He also advises healthcare organizations to assemble a team of experts who are prepared to answer all of the auditors' requests.
"You have to have everything organized, you have to have a strong team," he says. "And you have to make sure you have executive leadership aware of what you're doing."
In this interview, Parker offers other audit-preparation advice, including:
- Prepare thorough documentation of your security training program, including copies of the materials used and proof that all staff members completed the training;
- Keep all necessary evidence of compliance well-organized in one central place so it's easy to retrieve when auditors ask for it;
- Designate a multi-disciplinary team to prepare for the audit, and involve senior management in the planning.
In addition to his role as CISO at Temple University Health System, a four-hospital system with annual revenue of $1.4 billion, Parker, CISSP, is CISO for Temple University's clinical faculty practice plan, Temple University Physicians, and consults to the university's school of medicine. Previously, he was an information security consultant to the Defense Logistics Agency and others.