Educause Security Discussion mailing list archives
Re: HIPAA Security Audits?
From: "Penn, Blake" <pennb () UWW EDU>
Date: Tue, 12 Jul 2005 14:37:13 -0500
We are using NIST 800-66 as our HIPAA Security audit framework. Each section is broken down into elements with key activities, descriptions, and sample questions. These translate well into an audit or assessment scorecard for each element. Examples are also included for those less familiar with some of the material.

I am going to personally assess our campus clinic using assessment procedures that I learned and practiced in the financial sector. Get a good auditor/assessor with experience in a highly regulated sector and you should be fine. If you don't have one on staff, "renting" such an individual and having one or more of your people tag along might be a good idea.

I think that the answers to a lot of your questions are best decided by professional discretion rather than blanket policy initially. The right professional should be able to answer those questions in the context of your particular environment and document these answers. You can then use this work to help create policy addressing these issues.

Just my $0.02

__________________________________
Blake Penn, CISSP
Information Security Officer
University of Wisconsin-Whitewater
(p) 262-472-5513
(f) 262-472-1285
e-mail: pennb () uww edu

________________________________
From: H. Morrow Long [mailto:morrow.long () YALE EDU]
Sent: Tuesday, July 12, 2005 2:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HIPAA Security Audits?

Have any higher ed institutions decided how/if they are going to perform audits of departments and/or systems to assess compliance with the HIPAA Security regulations -- and if so what the audit assessment procedure(s) would be?

I'm also interested in who would be performing these audits, how often they would take place and what criteria would be used to determine who/what would be audited (primary/secondary ePHI data, etc.).

Have you received any advice as to what is considered to be a reasonable policy/procedure from your legal or audit department (e.g. is 'system activity review' of system logs for ePHI systems by the school or department considered sufficient, or is -- in addition -- a random spot check or regular audit of both physical and IT security of such systems to be conducted)?

Respond in public or private -- a summary of the responses will be posted.

- H. Morrow Long, CISSP, CISM, CEH
University Information Security Officer
Director -- Information Security Office
Yale University, ITS