Computerworld’s report of the first known HIPAA audit, now known to have taken place this March, is a warning shot across the bows of anyone who thinks that "business as usual" is an affordable IT plan.
An accompanying list of forty-two points of inquiry, to which the auditors apparently asked for responses within ten days, puts in concrete terms the kinds of knowledge that IT operators must now be prepared to demonstrate and deliver upon request. One wonders whether the typical IT installation is actually prepared to state its policies for
- Regularly reviewing records of information system activity, such as audit logs, access reports and security incident tracking reports
- Creating, documenting and reviewing exception reports or logs. Please provide a list of examples of security violation logging and monitoring.
How quickly, if at all, could an IT hairball of shared databases, desktop and laptop files, and Web-based collaborative documents be combed out in response to a request such as
- Please provide a list of all information systems that house ePHI data, as well as network diagrams, including all hardware and software that are used to collect, store, process or transmit ePHI
- Please provide a list of all users with access to ePHI data. Please identify each user’s access rights and privileges.
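The two kinds of request quoted above, an inventory of who holds which privileges on ePHI systems and an exception report drawn from the audit logs, are the sort of thing an operator should be able to produce mechanically rather than by hand in the ten-day window. The following script is an added illustration, not code from the Computerworld report or from the audit itself; the access-grant table and the log lines are constructed sample data in an assumed key=value format, and the helper names are hypothetical. It parses the log, emits the user/privilege inventory, and flags successful accesses by unknown users, accesses outside a user's granted privileges, and denied attempts, while reporting rather than silently dropping any log line it cannot parse.

```python
import re

# Constructed sample data (not from the article): the access-control inventory,
# mapping each user to the ePHI systems and the privileges granted on each.
ACCESS_GRANTS = {
    "jdoe": {"ehr-db": {"read", "write"}, "billing": {"read"}},
    "asmith": {"ehr-db": {"read"}},
    "svc-backup": {"ehr-db": {"read"}, "billing": {"read"}},
}

# Constructed sample audit log in an assumed one-event-per-line format.
# The last line is deliberately truncated to exercise the malformed-line path.
SAMPLE_LOG = """\
2012-03-05T08:02:11Z ehr-db user=jdoe action=read record=PT-1001 result=ok
2012-03-05T08:05:42Z ehr-db user=asmith action=write record=PT-1001 result=ok
2012-03-05T09:15:00Z billing user=jdoe action=read record=INV-77 result=ok
2012-03-05T23:47:30Z ehr-db user=mallory action=read record=PT-2002 result=ok
2012-03-05T10:01:09Z ehr-db user=asmith action=read record=PT-1003 result=denied
2012-03-05T11:00:00Z ehr-db truncated entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<system>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse audit log lines into dicts. Unparseable lines are returned
    separately so a reviewer sees gaps in the record instead of losing them."""
    events, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            malformed.append(line)
    return events, malformed


def access_inventory(grants):
    """Answer 'list all users with access to ePHI and each user's privileges'
    as (user, system, sorted privileges) rows, sorted for a stable report."""
    return [
        (user, system, sorted(privs))
        for user, systems in sorted(grants.items())
        for system, privs in sorted(systems.items())
    ]


def exception_report(events, grants):
    """Flag events a periodic review must explain: denied attempts, successful
    access by a user with no grant at all, and successful access that exceeds
    the user's granted privileges on that system."""
    exceptions = []
    for e in events:
        if e["result"] == "denied":
            exceptions.append(("denied", e))
        elif e["user"] not in grants:
            exceptions.append(("unknown-user", e))
        elif e["action"] not in grants[e["user"]].get(e["system"], set()):
            exceptions.append(("privilege-mismatch", e))
    return exceptions


if __name__ == "__main__":
    events, malformed = parse_log(SAMPLE_LOG)
    print("Access inventory:")
    for user, system, privs in access_inventory(ACCESS_GRANTS):
        print(f"  {user:<12} {system:<10} {','.join(privs)}")
    print("Exceptions:")
    for kind, e in exception_report(events, ACCESS_GRANTS):
        print(f"  {kind:<20} {e['ts']} {e['system']} {e['user']} {e['action']} {e['record']}")
    print("Malformed log lines:", malformed)
```

The point of keeping the grant table and the log as separate inputs is that the inventory answers the "who has access" question while the exception report cross-checks that inventory against what the systems actually recorded; a privilege-mismatch row means either the grant table or the system's enforcement is wrong, and either finding is what an auditor is asking to see.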
Going forward, it seems clear that "the new normal" should be developing and administering systems through well-defined, on-demand interactions, with system architectures, inventories and control mechanisms documented so that they can be produced on request rather than reconstructed under a ten-day deadline. The alternatives come at far too high a price.