Preparing for a Network Audit: Are You Covered?

Learn how you can conduct internal network audits to ensure your systems are in compliance.

July 30, 2004


Are you ready for a network audit? The first step toward due diligence for major data-privacy regulations, such as the Health Insurance Portability and Accountability Act, is to conduct regular, internal audits.

We use HIPAA compliance as an example here, but the general principles on how to prepare for an audit apply to all government and industry regulations. Rule Number 1: Complying with regulations is an ongoing process. You must know intimately the rules and time frames for compliance, and regularly review where your organization and systems stand in regards to them.

Audit Overview

A wide variety of tools and checklists are available to help you determine your organization's gaps in regulatory compliance. Some products provide baseline security practices and walk you through a series of questions to determine compliance. Alternatively, you can call on consultants familiar with the changing standards and regulations, though their services are often expensive.

To start with, read the standards that apply to your environment--such as whether you're required to encrypt e-mail messages--and conduct internal audits to discover gaps. Then designate plans for how to satisfy regulations in areas where you're noncompliant, such as ensuring that messages with patient and health information are encrypted. Then it's up to management to assign the necessary resources to meet the compliance objectives, such as determining who will be responsible for putting the company's security policy on an employee-accessible intranet.

Make sure you have a solid understanding of the applicable standards and regulations and of the organizations making the rules. HIPAA, for instance, provides standards for processing electronic health transactions and unique identifiers, and provides privacy and security rules to guard health information. The Department of Health and Human Services (HHS) publishes the HIPAA rules, and the Centers for Medicare and Medicaid Services (CMS) and the Office of Civil Rights (OCR) enforce them. There's plenty of information out there on HIPAA to get you up to speed.

Finally, once you've wrapped up your internal audit, hire a third-party auditor to check your work. Your internal audit will have corrected any major problems, so the external audit should be no more than a sanity check.

Are You Covered?

Before committing resources to compliance, find out whether your organization is required to follow the industry-specific regulations. HIPAA provides a series of questions in a flowchart to help you determine if your organization is a "covered entity" required to comply with the act. Basically, if you're a health-care organization that provides health-care billing information in electronic form, a health-care clearinghouse or a health insurer, you are subject to HIPAA. You may also be subject to a CMS audit if you transmit Electronic Protected Health Information (ePHI) as part of your business.

You also should know the time frame for compliance. Once health-care providers and health insurers adopt HIPAA, for instance, they must use the standards within 24 months. (Compliance is usually required 60 days after the final rule is published.) If you're a health-care provider or insurer, you can use a clearinghouse to help you meet these requirements, much in the same way you can hire an accountant to do your taxes. A clearinghouse accepts a wide variety of EDI formats, so you aren't burdened with updating your records and billing systems to become HIPAA-compliant overnight. It produces documents in HIPAA-standard formats that can be understood by everyone in the health-care community.

One of the most difficult aspects of becoming compliant with HIPAA or other data-privacy regulations is figuring out what needs to be done specifically for your organization. The standards are written for an audience that ranges from large government agencies and Fortune 500 insurance companies, with revenues in the billions, to health-care providers in rural areas with more modest budgets. The requirements are written clearly, but knowing how to implement controls and whether they meet the requirements is another story. And your internal security policy should be updated regularly to keep pace with regulatory changes.

Before committing money to consulting services and products aimed at meeting HIPAA compliance, for example, try attending the variety of inexpensive or free workshops and conferences where other companies actively discuss their approaches to compliance. The Information Systems Security Association, for example, examines the security implications of HIPAA. The Information Systems Audit and Control Association is another good resource. Its COBIT (Control Objective for Information-related Technology) framework provides management guidelines, detailed control objectives and guidance on the overall IT audit process for HIPAA and other regulations. Also plan to attend HIPAA workshops offered by CMS.
