

Tuesday, September 4, 2007

Enhancing HIPAA Security Rule Compliance Efforts

Achieving compliance with the U.S. Health Insurance Portability and Accountability Act's Security Rule can be a daunting task. Internal auditors can play an instrumental role during the compliance process by helping organizations gain the most from their HIPAA security audits.

Gary Swindon, CISM, CHS-III
Chief Operating Officer, RiskWatch Inc.

Protecting and securing medical information is a major concern for private, public, and government organizations in the health-care industry. Internal auditors are equally aware of this importance: Ensuring health-care records and other sensitive information do not fall into the wrong hands is of special concern. Auditors must determine whether or not the organization has taken the necessary steps to prevent the inappropriate exposure, damage, or loss of confidential data.

Since 1996, the U.S. Health Insurance Portability and Accountability Act (HIPAA) has provided organizations in the United States with guidance regarding the proper ways to protect personal health information through the act's Privacy and Security rules. While HIPAA's Privacy Rule provides information to help organizations regulate how they use and disclose personal health information, its Security Rule lists 42 standards companies need to implement to ensure the confidentiality, integrity, and availability of digital personally identifiable health information. Although both rules should be used together, the Security Rule is of special importance to IT departments, because it identifies how organizations can protect personal health information from external and internal security threats, such as e-mail attacks and password compromises.

Internal auditors can help organizations prepare for the IT component of the HIPAA security audit by focusing management's attention on key compliance considerations, such as the organization's IT governance structure; helping IT departments identify how the Security Rule's 42 standards will affect the organization's current IT environment; and comparing each of the report's findings to IT guidance provided in the Security Rule. This will enable auditors to help organizations gain the most from their HIPAA security audits.


HIPAA compliance audits should be based on three things:

  • An identification of the organization's governance model. Examples of IT governance models organizations might consider using include the IT Infrastructure Library, ISACA's Control Objectives for Information and related Technology (CobiT), and the International Standards Organization's (ISO's) 17799 or 27001 standards.
  • A traditional screening, sometimes called a checklist, of all controls, countermeasures, and items of interest as defined in the scope of the audit.
  • An identification of the master rules or conditions required by the regulation based on the organization's type (i.e., private, nonprofit, or publicly traded).

In the case of HIPAA's Security Rule, audits should be based on the rule's provisions or standards (i.e., safeguards and outcomes specified in the body of the regulation, as opposed to industry best practices) and be supplemented by the organization's chosen governance model. Understanding the organization's IT governance model is important, because it enables auditors to determine which standards the company views as appropriate and should be used in the conduct of the audit. The IT governance model also helps auditors frame audit findings and recommendations pertaining to IT controls and identify whether these controls are effective based on HIPAA compliance requirements. If the firm has no adopted IT governance model, the use of generally accepted IT industry standards to conduct the audit would be appropriate, such as ISO's 17799 and 27001 standards, CobiT, or the National Institute of Standards and Technology's Security Self-Assessment Guide for Information Technology Systems (PDF, 1.48MB).

The findings of the audit should help to confirm or call into question the governance model chosen. Audit results that indicate a clear pattern of noncompliance with rules and regulations should warn executives that the company's governance model may not be appropriate.

Traditional screenings or checklists identify required compliance elements that will be reviewed during the audit, such as key items to be addressed, personnel to be interviewed, and new or existing policies. These checklists are important, because they enable the auditor to provide a list of the different areas that need to be improved or implemented for compliance to take place.

Finally, an identification of the master rules or conditions required by the regulation based on the organization's type is important, especially in situations where the company chooses to meet other standards as a demonstration of its good intentions. A good example of this is when a private nonprofit organization adopts IT controls outlined in Section 404 of the U.S. Sarbanes-Oxley Act of 2002, even though the company is exempt from Sarbanes-Oxley compliance. HIPAA's Security Rule identifies four minimum requirements or master conditions that all implemented IT measures and controls need to meet (refer to "HIPAA Security Rule Master Conditions" for more information).


The Security Rule allows auditors to construct their audit plans more effectively by expressing desired outcomes under three safeguard categories — administrative, physical, and technical. Each of these safeguards is divided into a number of standards — 42 total — which are then categorized as required or addressable. These outcomes can be found in a matrix that has been incorporated into the final Security Rule and is available on the Centers for Medicare and Medicaid Services Web site. Although required standards must be implemented as outlined in the Security Rule, addressable standards can be structured by the entity to suit its particular needs as long as the outcome conforms to those found in the Security Rule. This process is outlined in Figure 1.

Figure 1: HIPAA Security Rule audit process (graphic not reproduced in this copy)

HIPAA security audits require the auditor to pay attention to the prevailing general conditions or stipulations that may impact the audit plan, as well as how existing controls and methods address each of the 42 security standards. In terms of IT, auditors need to review the organization's use of appropriate controls to ensure the protection of personally identifiable health information. The following list provides useful information auditors should keep in mind during Security Rule audits:

  • The HIPAA Security Rule is tied directly to the HIPAA Privacy Rule and incorporates elements of the Privacy Rule through cross referencing. For instance, the requirement found in paragraph 164.530 of the Privacy Rule deals with policies and procedures, including IT, and is carried forward in the Security Rule in its requirement for appropriate policies and procedures and in the retention period for them.
  • The Security Rule's scope is corporatewide and applies to the implementation of security standards in all relevant business processes, not just IT.
  • The Security Rule represents a minimum set of security standards organizations must have in place for compliance. Many businesses have processes and requirements that are unique to the way they do their work. As a result, appropriate additional IT controls and procedures should be in place.
  • The Privacy and Security rules incorporate the extension of adopted IT and other standards to business partners through the formal Business Associate Agreement process. This is a formal standard stated in both rules. The standards for privacy and security are found in the Privacy Rule and Security Rule, respectively.
  • The standards found in the Security Rule and the company's implementation of corresponding IT and other controls must be based on the results of periodic risk assessments conducted by the company. The results of these risk assessments will help the auditor determine the effectiveness of companywide information security efforts to protect business assets.


    The Security Rule outlines four master conditions or minimum requirements that apply to business controls and processes used to address the rule's 42 standards. These minimum requirements state that all selected controls must be:

    • Cost effective. A company should not spend more for the control's implementation than the probable value of the information or process it is designed to safeguard.
    • Within the technical capability of the firm. The company must be able to maintain and enforce the controls they choose without having to rely on an outside party. For instance, although a company can outsource its IT functions, it must be able to create, maintain, and enforce all IT controls if they are brought back in-house, such as access and authorization controls and audit log evaluations.
    • Within the resource capability of the enterprise. The business should have the necessary IT resources to monitor and manage each control throughout the year.
    • Suitable when weighed against their desired results. General IT, compensating, or alternative controls should correspond directly to the standard in question. For example, the requirement to be able to back up and restore patient data should rely on access controls, data verification and integrity controls, and storage requirements, among others.

    During Security Rule compliance reviews, internal auditors need to identify how companywide IT measures and controls meet each of the four requirements.


Prior to releasing audit findings, internal auditors should be able to answer questions regarding the report's IT recommendations. To do this, auditors can compare each of the report's findings to IT guidance provided in the Security Rule. The following questions can help auditors identify how current IT controls compare to IT guidance provided in the Security Rule, as well as determine whether existing controls meet compliance requirements:

  • Given the IT governance model adopted by the firm, does the chosen IT control match the company's intention? If so, does it fit logically?
  • Does the chosen IT control meet the general and master conditions outlined in the Security Rule? For example, does it meet the cost, capability, resource, and suitability requirement in the rule?
  • Given the apparent investment level in the IT control, is the investment appropriate to accomplish the goal?
  • As with any audit, are the IT controls documented adequately?
  • Do IT controls tie to a stated security standard outlined in the Security Rule or to an identified business need above and beyond the rule's standards?
  • Has the firm identified and documented addressable and required IT controls properly, including its rationale for the choice of action?
  • For any given IT control, is there an obvious impact regarding the viability of the security system employed?
  • Do audit findings represent a material condition or weakness (e.g., not being able to recognize revenue correctly and consistently, or not ensuring that pharmacy prescriptions are filled in a timely manner)? If so, is the finding material in its potential impact on financial systems, patient care safety standards, etc.?
  • Do chosen IT controls support the company's risk posture? Auditors should look to the IT governance model for direction or to accepted industry standards if no governance model has been identified.
  • Do the IT standards and controls make sense in the context of the company's choices as opposed to IT best practices?


Although the information above focuses primarily on the IT aspect of Security Rule compliance, these basic recommendations can be used for overall HIPAA compliance audits. These recommendations also can be applied to other regulations, particularly Sarbanes-Oxley and the U.S. Gramm-Leach-Bliley Act (GLBA) of 1999. For instance, HIPAA, Sarbanes-Oxley, and GLBA share many common requirements, such as the need for companies to conduct regular risk assessments or the need to achieve cost effectiveness and stay within the company's IT capability. Furthermore, the blending of implemented audit compliance requirements from different regulations and the organization's adopted governance model can highlight the potential need for changes in the way the company views IT risks and uses IT resources.

For more information about HIPAA, visit:

Gary Swindon is the chief operating officer for RiskWatch Inc., a security risk assessment company. Prior to RiskWatch, Swindon held senior positions in both public and private organizations, including Orlando Regional Healthcare, where he was the hospital group's chief information security officer; WebMD, where he served as chief security and privacy officer; and the state of Michigan, where he was responsible for consolidating more than 20 data centers. He also has served as a director for the ISACA CISM certification board.

7 Steps to a Highly Effective IT Compliance Program

Documenting internal policies and controls, assigning appropriate compliance management oversight, and ensuring compliance through training are three of the seven steps incorporated into highly effective IT compliance programs.

By Michael Rasmussen, Vice President of Enterprise Risk & Compliance Management, Forrester Research Inc.

Regulatory compliance pressures are plaguing organizations around the world. Unfortunately, because compliance challenges often affect multiple areas of an organization and can span across different industries, there is no silver-bullet technology package that will bring companies into compliance. In addition, recent corporate disasters and growing government regulatory action have heightened the focus on corporate governance and are driving the centralization of compliance oversight within today's organization. Because most IT functions permeate the organization and its processes, IT compliance is also a process that requires continuous oversight and management.

To meet IT compliance obligations, many companies are looking for a structured approach that allows them to identify and prioritize IT controls and establish a compliance record system. But implementing an IT compliance program that is effective and responds to the dynamic business environment can be challenging. Nevertheless, having a structured approach is a major step toward compliance with different standards and legislation, such as the U.S. Sarbanes-Oxley Act of 2002, the International Organization for Standardization (ISO) 27001 standard, and the European Union (EU) Directive on Data Protection of 1995. To ensure their IT infrastructure is compliant year-round, organizations can incorporate a series of seven steps into existing operations. When combined with a formal risk assessment process and IT asset management strategy, these seven steps can bring companies one step closer to compliance.


In 1991, the U.S. Sentencing Commission (USSC) established the Organizational Sentencing Guidelines to assist courts in setting fines for organizations and sentences for executives in criminal regulatory cases. The USSC based its model on seven core elements. In 2001, the original USSC guidelines went into revision to include Sarbanes-Oxley compliance and sentencing information.

Using the USSC guidelines as a basis, Forrester Research — a technology and market research company that advises organizations about technology's impact on businesses and consumers — extended the seven elements by integrating compliance best practices in large organizations. When examined in detail, however, these seven practices or steps are equally useful in small and mid-size enterprises. The extended guidelines provide a framework around which organizations can structure their IT compliance management programs, as well as information that could help organizations in their compliance efforts with non-US regulations, such as ISO 27001 and the EU Directive on Data Protection. Below is a description of each step and key points organizations need to keep in mind when implementing each of these recommendations.

Step No. 1: Document the Policy and Control Environment

To demonstrate IT compliance, firms must start by identifying how they document the compliance process and their IT control architecture. The overall compliance documentation architecture should be implemented through a control framework, such as the Information Systems Audit and Control Association's Control Objectives for Information and related Technology (CobiT), and should document all corporate IT policies, controls, standards, and procedures that align with compliance objectives and requirements.

The policy and control architecture establishes the compliance foundation upon which the remaining steps are built. Without a proper governance model of policies and controls, organizations may have a hard time overseeing, communicating, monitoring, or enforcing controls, or responding to gaps. It is the policy and control architecture for compliance that provides the framework for everything else to work within the IT environment. This architecture is unique to each organization, reflecting its culture of control and industry requirements.

After drafting the necessary IT policy and control documentation, organizations need to communicate any relevant documentation clearly to those expected to comply with established policies, procedures, standards, and supporting controls. In addition, companies need to update and maintain all documentation, as well as use an operational control and compliance platform that helps them to manage the complexity of corporate IT policies and compliance controls. This documentation also should include a framework to manage operational risks, define policies and supporting controls to meet risks, conduct control self-assessments to validate IT control implementation and efficiency, and track existing control gaps and incidents within the IT environment.

Step No. 2: Assign Appropriate Compliance Management Oversight

The second element necessary for effective IT compliance is the establishment of appropriate oversight for compliance. In many organizations, the compliance role is divided among different parts of the firm. This results in substantial technology and effort duplication, as well as lack of compliance visibility across the organization.

Effective IT compliance oversight in an organization must achieve the mission and charter of the compliance program. To this end, companies should define IT compliance as a corporate function that has proper authority and governance, as well as create appropriate lines of communication to convey important compliance efforts to all operational areas. The board and executive management team must develop this structure with care and review it at least once per fiscal year for effectiveness. To be successful, organizations should develop a compliance oversight model that:

* Makes executives and the board accountable for compliance.
* Assigns IT compliance responsibility to an oversight manager. This individual may have the title of chief information officer or chief compliance officer.
* Delegates specific compliance areas to distribute oversight.
* Assigns adequate resources (e.g., staff and budget).
* Ensures that the compliance oversight manager has enforcement authority.
* Establishes lines of communication to the business.
* Defines reports and metrics for operational IT control and compliance.

Step No. 3: Require Personnel Screening and Access Control

Ensuring that the organization is not giving access to information and business processes to an individual likely to exhibit unethical behavior is crucial when establishing an effective IT compliance program. One of the greatest risks that organizations face when trying to enforce compliance with regulations is the internal threat from employees, contractors, and business partners. To ensure that appropriate and authorized access is established across the board, organizations should:

* Conduct a background check on employees, contractors, and business partners before allowing them access to sensitive corporate data.
* Use caution when delegating authority.
* Use identity management and provisioning when giving access to IT systems. Provisioning enables administrators to assign system resources and privileges to users, including employees, contractors, and business partners (e.g., many IT managers use provisioning software to enforce security policies).
* Implement access controls based on the person's job function, role, and responsibility.
* Change access rights when internal changes occur (e.g., an employee changes jobs within the organization).
* Revoke access upon termination.
* Conduct routine reviews to check for unethical behavior in personnel and contractors with access to sensitive resources.
* Publicize disciplinary standards. This allows employees to understand the repercussions of noncompliance with access policies and procedures.
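The access-control points above (role-based entitlements, changing rights when someone moves jobs, revoking access on termination, routine reviews) are usually verified by reconciling the accounts that actually exist on systems against the HR roster. The script below is an added example, not code from the article or from Forrester; the HR fields, the account fields, and the role-to-entitlement matrix are constructed assumptions for the demonstration, and the sample data is made up.

```python
"""Periodic access review: reconcile system accounts against the HR roster.

Added example; the record layouts and ROLE_MATRIX are assumptions, and the
sample roster/accounts in demo() are constructed data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                      # "active" or "terminated" (from HR)
    role: str                        # job function; decides allowed entitlements
    end_date: Optional[date] = None  # contractors: contract end date


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]          # link to the HR record; None = unknown owner
    enabled: bool
    entitlements: FrozenSet[str]


# Assumed role matrix: the maximum entitlements each job role justifies.
ROLE_MATRIX = {
    "nurse":      frozenset({"ehr_read", "ehr_write"}),
    "billing":    frozenset({"ehr_read", "claims_write"}),
    "dba":        frozenset({"db_admin", "ehr_read"}),
    "contractor": frozenset({"ehr_read"}),
}

Finding = Tuple[str, str, str]   # (severity, username, description)


def review_access(roster: List[Person], accounts: List[Account],
                  role_matrix: dict, today: date) -> List[Finding]:
    """Return findings for every enabled account that should not exist as-is."""
    people = {p.person_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is not an exposure for this review
        owner = people.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            findings.append(("high", acct.username, "orphaned: no HR record for owner"))
            continue
        if owner.status == "terminated":
            findings.append(("high", acct.username, "active account for terminated person"))
            continue
        if owner.end_date is not None and owner.end_date < today:
            findings.append(("high", acct.username, "contract ended but access still enabled"))
            continue
        # Role change check: anything beyond what the current role justifies.
        excess = acct.entitlements - role_matrix.get(owner.role, frozenset())
        if excess:
            findings.append(("medium", acct.username,
                             f"entitlements beyond role '{owner.role}': {sorted(excess)}"))
    return findings


def demo() -> List[Finding]:
    """Run the review over constructed sample data."""
    roster = [
        Person("E100", "active", "nurse"),
        Person("E200", "terminated", "billing"),
        Person("E300", "active", "billing"),                      # moved from dba to billing
        Person("C400", "active", "contractor", date(2007, 6, 30)),
    ]
    accounts = [
        Account("jdoe", "E100", True, frozenset({"ehr_read", "ehr_write"})),            # fine
        Account("asmith", "E200", True, frozenset({"ehr_read", "claims_write"})),       # terminated
        Account("bwong", "E300", True, frozenset({"db_admin", "ehr_read", "claims_write"})),  # stale dba right
        Account("ctemp", "C400", True, frozenset({"ehr_read"})),                        # contract over
        Account("svc_backup", None, True, frozenset({"db_admin"})),                     # orphan
        Account("old_admin", "E200", False, frozenset({"db_admin"})),                   # disabled, ignored
    ]
    return review_access(roster, accounts, ROLE_MATRIX, today=date(2007, 9, 4))


if __name__ == "__main__":
    for severity, user, text in demo():
        print(f"[{severity}] {user}: {text}")
```

Each finding maps back to one of the bullets: an orphaned or terminated-but-enabled account is a revocation failure, a contractor past end date is an expired delegation, and entitlements beyond the role show that rights were not adjusted after an internal move. Running this on a schedule and keeping the output is also the evidence an auditor asks for under the "routine reviews" point.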

Step No. 4: Ensure Compliance Through Training and Communications

Forrester Research's fourth recommendation is the establishment of effective compliance awareness through active training and communication to employees, contractors, and business partners. To avoid corporate wrongdoing and fraud, as well as to reduce liability, organizations must implement effective compliance training programs that help to promote compliance with regulations and rules of corporate conduct. Characteristics of an effective compliance communication and training program include:

* The integration of compliance into the corporate ethics program.
* An active policy communication.
* Required compliance training for all employees, contractors, and consultants who have access to regulated information.
* The acknowledgement of training and policy adherence.
* Up-to-date information regarding relevant changes in regulations and case law.

In essence, companies have to ensure that individuals with access to regulated processes and information understand what they need to do to comply with internal and external regulations.

Step No. 5: Implement Regular Monitoring and Auditing of IT Controls

Monitoring and auditing IT controls for efficiency and effectiveness is the fifth step toward establishing an effective IT compliance program. Where the first recommendation focused on documenting controls, this step focuses on the working operation of those controls. The controls that affect IT compliance and need to be monitored vary in type. Some include:

* Policy, operational, and technical controls.
* Contractual controls.
* Detective, preventive, and corrective controls.
* Compensating controls.

Firms should monitor and audit controls regularly through a manual or automated process, which validates that the control is in place and is operating effectively. When monitoring the management of IT system controls, many organizations prefer automated control monitoring and enforcement to ease the burden of control validation. When controls cannot be automated, organizations should conduct control self-assessments that are facilitated through workflows on compliance management systems. Furthermore, control self-assessments should be augmented by independent verification of audit controls.

Documented controls are meaningless and could become a business liability if they are not implemented or functioning properly. As a result, the role of compliance management is to implement a process of monitoring control implementation and effectiveness. The critical factors an organization must have in place for monitoring and auditing IT controls are:

* Ongoing validation of controls by management.
* Independent audit verification of controls.
* The establishment of key risk indicators.
* The reporting of control gaps and audit findings in the environment.
* The monitoring of corporate policy compliance.
* The retention and review of audit trails.

In addition, organizations need to establish a process that helps them incorporate any recommendations accepted by management regarding the control monitoring process, and implement an escalation procedure that details how to proceed when agreed-upon recommendations are not implemented.
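Automated control monitoring, as this step describes it, means a check that runs on its own and reports whether a control is in place and operating. The script below is an added example, not code from the article or from Forrester, applied to one of the factors listed above, the retention and review of audit trails: it verifies that every system expected to log has records covering the required retention window with no gaps larger than a threshold, and reports control gaps plus a simple key risk indicator. The retention window, the gap threshold, the system names, and the log timestamps are all constructed assumptions.

```python
"""Automated validation of one IT control: audit-trail retention and continuity.

Added example; the 90-day window, the 24-hour gap threshold, the system list
and the generated log timestamps in demo() are constructed assumptions.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Record = Tuple[str, datetime]   # (system name, timestamp of one audit record)


def check_audit_trail(records: List[Record], systems: List[str],
                      window_start: datetime, now: datetime,
                      max_gap: timedelta) -> Dict[str, List[str]]:
    """Return system -> list of findings; an empty list means the control is effective."""
    by_system: Dict[str, List[datetime]] = {s: [] for s in systems}
    for system, ts in records:
        by_system.setdefault(system, []).append(ts)
    report: Dict[str, List[str]] = {}
    for system in systems:
        stamps = sorted(by_system[system])
        if not stamps:
            report[system] = ["no audit records at all"]
            continue
        findings: List[str] = []
        # Retention: the trail must reach back to the start of the required window.
        if stamps[0] > window_start + max_gap:
            findings.append(f"retention shortfall: earliest record {stamps[0]:%Y-%m-%d}, "
                            f"required {window_start:%Y-%m-%d}")
        # Liveness: the most recent record must be recent enough.
        if now - stamps[-1] > max_gap:
            findings.append(f"logging stopped: last record {stamps[-1]:%Y-%m-%d %H:%M}")
        # Continuity: no silent period longer than the threshold inside the trail.
        for a, b in zip(stamps, stamps[1:]):
            if b - a > max_gap:
                findings.append(f"gap of {b - a} between {a:%Y-%m-%d %H:%M} and {b:%Y-%m-%d %H:%M}")
        report[system] = findings
    return report


def control_effective_ratio(report: Dict[str, List[str]]) -> float:
    """Key risk indicator: share of in-scope systems with no findings."""
    if not report:
        return 0.0
    return sum(1 for f in report.values() if not f) / len(report)


def series(system: str, start: datetime, end: datetime, step: timedelta) -> List[Record]:
    """Generate one constructed audit record per step from start to end inclusive."""
    out, t = [], start
    while t <= end:
        out.append((system, t))
        t += step
    return out


def demo() -> Dict[str, List[str]]:
    """Run the check over constructed log data for four systems."""
    now = datetime(2007, 9, 4, 12, 0)
    window_start = now - timedelta(days=90)     # assumed 90-day retention requirement
    max_gap = timedelta(hours=24)               # assumed tolerable silence per system
    step = timedelta(hours=6)
    records: List[Record] = []
    records += series("ehr-db", window_start, now, step)                     # continuous
    records += series("vpn-gw", window_start, window_start + timedelta(days=40), step)
    records += series("vpn-gw", window_start + timedelta(days=43), now, step)   # 3-day hole
    records += series("backup-srv", now - timedelta(days=30), now - timedelta(days=5), step)
    systems = ["ehr-db", "vpn-gw", "backup-srv", "pharmacy-app"]             # last one never logged
    return check_audit_trail(records, systems, window_start, now, max_gap)


if __name__ == "__main__":
    report = demo()
    for system, findings in report.items():
        print(system, "OK" if not findings else findings)
    print(f"KRI: {control_effective_ratio(report):.0%} of systems effective")
```

The output is what this step asks for: a per-system list of control gaps that can be routed into the escalation procedure, and a metric that management can track over time. The same shape of check (expected population, evidence gathered, threshold, findings, indicator) carries over to other controls that produce periodic evidence, such as backup completion or patch deployment.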

Step No. 6: Enforce the Control Environment Consistently

The sixth step identifies some of the ways effective compliance programs may promote a consistent enforcement of policies and controls throughout the company. Consistent enforcement of the control environment allows internal controls to be applied appropriately throughout the organization, its business processes, and its relationships, and ensures that specific control violations are not ignored but are dealt with according to policy. The organization’s approach to ensuring consistent enforcement should drive the success of the overall compliance program. It is through consistent enforcement that the organization’s culture of compliance is achieved and that employees understand there will be zero tolerance for unethical and noncompliant behavior.

If management does not consistently enforce controls and discipline unethical and noncompliant behavior, the compliance program will fail. Penalties for noncompliance increase with regulators and the courts when organizations do not exhibit effective governance and enforcement practices. Vital factors for consistent enforcement of the control environment include:

* Establishing appropriate incentives to endorse strong ethical and compliance behavior.
* Adhering to consistent disciplinary actions.
* Providing open communication and reporting.
* Implementing a systematic approach to incident investigation.
* Establishing a post-incident evaluation process that enables organizations to learn from each incident.

Step No. 7: Prevent and Respond to Incidents and Gaps in IT Controls

An effective IT compliance program prevents and responds to compliance violations and gaps in controls and includes a lessons-learned process to prevent further violations. For instance, identified control deficiencies or incidents should be corrected in an efficient and effective manner. To prevent and respond to IT control incidents, organizations must:

* Develop a control deficiency response plan.
* Maintain an incident response team and procedures.
* Implement active detection and monitoring for gaps and violations.
* Build a lessons-learned process, so the company is not a repeat offender.
* Establish active and cooperative lines of communication with authorities, and communicate with authorities according to response procedures.
* Obtain legal counsel from a knowledgeable source when incidents occur.

Disregarding control gaps and compliance violations amounts to negligence. Therefore, it is essential that an effective compliance program actively identifies and closes all control gaps, as well as contains or eliminates potential damage or loss to the organization incurred by any violations.


Following the seven guidelines above will help organizations build effective IT compliance programs that improve confidence in business performance. In addition, the seven steps help companies manage operational risks and compliance efforts, as well as measure compliance consistently. To implement the steps, organizations need to make use of policy, approach compliance as a process as opposed to individual projects, and consider the use of technology to automate compliance management activities.

Furthermore, organizations need to establish a formal risk assessment process so they can take a more comprehensive approach to information security management. This formal risk assessment process will help organizations expand the effectiveness of the seven recommendations above. After conducting an organizationwide information security risk assessment, companies should implement an information asset management strategy, as well as put into practice a business continuity plan that incorporates IT disaster recovery strategies.


Organizations that do not embrace IT compliance management as a defined business process will approach compliance as fragmented projects. Although this mindset may appear to work for a short time, gaps that can push an organization out of compliance may arise quickly. In fact, one of the 11 control areas mentioned in the ISO 27001 standard is compliance with relevant legislation and regulations that affect the organization's activities. Unfortunately, many organizations don't realize what the consequences of noncompliance are until it's too late: When regulators come asking questions, and there is no central person ready to answer them, the organization looks confused and unorganized and receives more scrutiny.

On the other hand, organizations that incorporate the seven steps make effective IT compliance a cost of doing business — not a one-time business event. For these firms, spending money on a compliance program averts far greater expense resulting from losses and penalties. These organizations also establish greater operational control oversight, enabling them to pour more funding into expanding their activities into new areas with confidence. These well-run organizations will contrast sharply with those that remain reactive and tackle compliance problems as isolated and reactionary initiatives. The end game is a culture of IT compliance and controls and a structured approach that demonstrates the business is practicing IT compliance, while managing information security from the most senior level.

Michael Rasmussen is a vice president and analyst in Forrester's IT Management and Services research group. A risk professional with more than 12 years' experience, Rasmussen advises clients around the world on issues pertaining to enterprise risk and compliance management, as well as public policy, legislation, and regulation.
