HIPAA compliance is not a one-time event. To manage risk, covered entities must remain in compliance and be able to demonstrate that the required policies are actually being followed. Compliance can lapse without anyone realizing it: IT staff add new machines, and users store or publish data on those machines.
Access Control
Computers
Network Security
To monitor activities that could compromise HIPAA compliance, Intersect uses an appliance placed at the client location. The device performs regularly scheduled scans that drive daily or weekly notices. Its purpose is policy and security-policy enforcement, which is the highest priority: it demonstrates that you are not just doing a one-time assessment but are performing ongoing compliance.
Some of the policies are meant to remediate occurrences like what happened at St. Joseph's Health System. For instance, some computers should not have Internet access. The appliance lets you express that restriction as a policy and will detect when the policy is violated. It does not block anything; it detects. Another example is a policy that restricts access to accounting computers to authorized users. A third policy, "Restrict access to computers that have e-PHI to authorized users," lets you specify which computers hold e-PHI and which users may access e-PHI. If a violation occurs and a logon by a user who should not have access is discovered, the client is notified. At St. Joseph's Health System, a policy restricting direct Internet access for computers that were not authorized to have it would have triggered a notification. Machines that hold e-PHI should carry a tag stating "these computers must never have access to the Internet." Each day when the appliance scans the environment, it checks whether every tagged machine can reach the Internet, and if one can, a notice is sent. The same approach applies to internal vulnerabilities: this is about more than external defenses.
All of these forms are packaged for auditing purposes, for Meaningful Use submissions, and for providing the documents you need. The Risk Analysis, which must be completed annually or whenever changes are made, describes the environment and lists the issues found. It also gives a score; this score and the "Risk Meter" provide a measurement of the health of the network. Finally, it contains the list of issues and recommendations for remediating them.
Scoring is needed not for its own sake but because it drives prioritization. You must prioritize, and scoring shows that you have prioritized and organized the work. Once you show that you have completed a Risk Analysis that uncovered issues in your environment, you must show a prioritized list and how you are addressing it. This is where the Management Plan becomes relevant. The Management Plan report lists every issue by criticality, along with the nature of the issue and the recommendation. An example is operating systems that are no longer supported: they violate the requirement to defend against malicious software because they cannot be patched. The report lists which computers fall into that category and which operating systems they run. It also lists employees who have been terminated but still have accounts in Active Directory.
The next report is the most important: the Evidence of Compliance report. Once the Risk Analysis and Management Plan are complete, it is necessary to prove that the information is substantiated. The report proceeds section by section, describing the environment and detailing the generic accounts that were discovered (accounts not associated with a specific individual), accounts belonging to former vendors, and accounts belonging to former employees. It also evaluates "standards." An example is a Termination Standard, which should describe the procedure for terminating access to electronic health information: do former employees or vendors still have enabled accounts that could provide access to e-PHI? Login dates are evaluated as well; accounts that have not logged in during the past 30 days are flagged so that an investigation can be performed. The evidence report continues from there.
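The checks described above (e-PHI machines that can reach the Internet, unsupported operating systems, enabled accounts of former employees and vendors, accounts with no logon in 30 days, generic accounts with no owner) are all simple rules evaluated over an inventory. The following is an added example written for this page, not Intersect's appliance code and not a description of how that appliance is built. It assumes the scan has already collected a host list with a same-day Internet-reachability result and a directory export with an HR status per account; the field names, the unsupported-OS list, the severity weights and the score formula are all assumptions made for the illustration, and the inventory is constructed sample data.

```python
"""Illustrative daily policy evaluation (constructed example, not Intersect's code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set


@dataclass
class Host:
    name: str
    os: str
    tags: Set[str]              # "ephi" marks a machine that holds e-PHI (assumed tag name)
    reaches_internet: bool      # result of today's outbound probe, assumed collected by the scan


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[date]  # None means the account has never logged on
    status: str                 # "active", "terminated" or "former-vendor" (assumed HR feed values)
    owner: Optional[str]        # None means a generic account not tied to an individual


@dataclass
class Finding:
    policy: str
    severity: int               # 3 = critical, 2 = high, 1 = medium (assumed weights)
    subject: str
    recommendation: str


# Assumed for the example; in practice take this from vendor end-of-support dates.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003", "Windows 7"}
STALE_DAYS = 30  # the 30-day logon window the text describes


def check_ephi_internet(hosts: List[Host]) -> List[Finding]:
    """Tagged e-PHI machines must never reach the Internet; detect, do not block."""
    return [Finding("Restrict e-PHI computers from the Internet", 3, h.name,
                    "Remove the outbound route or firewall the host and investigate")
            for h in hosts if "ephi" in h.tags and h.reaches_internet]


def check_unsupported_os(hosts: List[Host]) -> List[Finding]:
    """Unpatchable operating systems violate protection against malicious software."""
    return [Finding("Protect against malicious software (patchable OS)", 3, f"{h.name} ({h.os})",
                    "Upgrade or isolate the host; it receives no security patches")
            for h in hosts if h.os in UNSUPPORTED_OS]


def check_terminated(accounts: List[Account]) -> List[Finding]:
    """Termination Standard: former employees and vendors must not keep enabled accounts."""
    return [Finding("Termination standard: disable access on departure", 3, a.name,
                    "Disable the account and review its recent logons")
            for a in accounts if a.enabled and a.status in ("terminated", "former-vendor")]


def check_stale(accounts: List[Account], today: date) -> List[Finding]:
    """Enabled accounts with no logon in STALE_DAYS (or never) are flagged for investigation."""
    cutoff = today - timedelta(days=STALE_DAYS)
    return [Finding("Review accounts with no logon in 30 days", 2, a.name,
                    "Confirm the account is still needed or disable it")
            for a in accounts if a.enabled and (a.last_logon is None or a.last_logon < cutoff)]


def check_generic(accounts: List[Account]) -> List[Finding]:
    """Enabled accounts with no individual owner cannot be tied to a person's access."""
    return [Finding("Assign each account to an individual", 1, a.name,
                    "Map the account to an owner or replace it with named accounts")
            for a in accounts if a.enabled and a.owner is None]


def evaluate(hosts: List[Host], accounts: List[Account], today: date) -> List[Finding]:
    """One scan pass; output is ordered the way a Management Plan lists it: most critical first."""
    findings = (check_ephi_internet(hosts) + check_unsupported_os(hosts) + check_terminated(accounts)
                + check_stale(accounts, today) + check_generic(accounts))
    return sorted(findings, key=lambda f: (-f.severity, f.policy, f.subject))


def risk_score(findings: List[Finding]) -> int:
    """Assumed 'Risk Meter' formula: sum of severities, 0 when nothing is flagged."""
    return sum(f.severity for f in findings)


# Constructed sample inventory for a scan dated 2024-03-01.
TODAY = date(2024, 3, 1)
SAMPLE_HOSTS = [
    Host("ACCT-01", "Windows 10", {"ephi", "accounting"}, reaches_internet=True),   # violation
    Host("EHR-DB-01", "Windows Server 2019", {"ephi"}, reaches_internet=False),      # compliant
    Host("LAB-XP-03", "Windows XP", set(), reaches_internet=True),                   # unsupported OS
]
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, date(2024, 2, 28), "active", "Jane Doe"),     # clean
    Account("bsmith", True, date(2023, 12, 1), "terminated", "Bob Smith"),  # terminated and stale
    Account("vendor-svc", True, None, "former-vendor", None),           # former vendor, never logged on, generic
    Account("scanner", False, date(2023, 1, 1), "active", None),        # disabled, so not flagged
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_HOSTS, SAMPLE_ACCOUNTS, TODAY)
    for f in results:
        print(f"[{f.severity}] {f.policy}: {f.subject} -> {f.recommendation}")
    print("risk score:", risk_score(results))
```

Each check is a pure function over the inventory, so a single day's notices are reproducible from that day's data, which is what an auditor reading the Evidence of Compliance report wants to see. Disabled accounts are deliberately excluded from the stale and generic checks so that the report reflects live access, not history.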
A sample report was 84 pages long. It details all of the different items and links them back to the CFRs, so that it is possible to show in the "Former View" what an auditor would expect and to demonstrate how it all ties together.
Finally, Risk Profiles combined month over month create the managed service: not just for HIPAA compliance, but also for network security.