Israeli biomed companies often ask us about the roles of audit and risk management in their HIPAA security and compliance activities. At the eHealth conference in Israel last week – a lawyer gave a presentation on HIPAA compliance and stated:
If you have to do one thing, make sure everything is documented – your policies and procedures, corrective action you took. Everything. That is your best line of defense.
Security is not an exercise in paperwork.
With all due respect to lawyers – no. Your best line of defense is implementing real security countermeasures in a prioritized way an ensuring that you are doing the right stuff all the time by integrating your HIPAA Security Rule and Compliance activities with your internal audit and risk management teams.
Risk does not walk alone
Risk is not an independent variable that can be managed on its own. It is not an exercise in paper work. Risk is a function of external and internal attackers that exploit weaknesses (vulnerabilities) in people and systems and processes in order to get something of value (assets). The HIPAA Security Rule prescribes in a well-structured way – how to implement the right security countermeasures to protect EPHI – the key assets of your patient customers.
The importance of audit for HIPAA
While audit is not specifically mentioned in the HIPAA Security Rule – security review and risk management are key pieces – audit is crucial for you to stay on track over time.
According to the Institute of Internal Auditors, internal auditing is an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” Internal audits provide assurance and consulting services to management in an independent and objective manner. But what does that mean? It means that internal auditors can go into your business operation and determine if your HIPAA security and compliance is a story on paper or a story being acted out in real life.
Audit – necessary but not sufficient
However, internal audit is not a line of defense and neither is a corporate risk management function a line of defense.
HIPAA Security and Privacy Rule compliance regards investigating plausible threats, valuable assets, vulnerabilities and security countermeasures that mitigate asset vulnerabilities and reduce the risk which is the result of threats exploiting vulnerabilities to damage assets.
When we frame security defenses in terms of mitigating attacks – we immediately see that neither audit nor corporate risk management fall into the category of countermeasures.
So why is audit and risk management important?
Audit is crucial to assuring that the security portfolio is actually implemented at all levels. Yes – all levels – including the CEO office and the last of the cleaning team. Audit strengths are also their weakness – they generally do not understand the technical side of security and therefore audit must work hand in glove with the operational and engineering functions in an organization.
Risk management is key to prioritizing implementation of security countermeasures – because – let’s face it – business and engineering operations functions are not qualified to evaluate asset value.
Your HIPAA and Security Rule compliance is not just about paper-work. It’s about getting it right – day in and day out.