Over 150 On-Site HIPAA Audits Anticipated By End of 2012

by Mary Rose 21. July 2011 11:04

More details about the HIPAA Audit Program emerged when KPMG won the contract to perform the audits, as reported by Howard Anderson, Executive Editor of HealthcareInfoSecurity.com, in his article “HIPAA Audit Program Details Emerge.”

The chances of your healthcare organization being audited by KPMG may sound small, because only about 150 audits are expected to be completed by the end of 2012. But think for a second: what if your organization were one of the 150 selected? Are you prepared to pass the HIPAA Audit Program? If not, are you prepared to face possible fines, or to run the risk of being made an example to other healthcare organizations?

Viewfinity has helped EagleMed, LLC meet HIPAA compliance mandates with its award-winning Privilege Management solution. After locking down PCs and moving to a least-privilege environment, using Viewfinity Privilege Management to manage administrator rights, EagleMed has been able to prevent the sharing of patient data and to reduce the security risks introduced through malware. The deployment of Viewfinity Privilege Management at EagleMed won the 2011 Info Security Products Guide Best Deployment Scenario Award.

Don’t delay: get started now on the path to complying with HIPAA.

Can your Healthcare organization pass a Government audit on online medical records?

by Mary Rose 23. May 2011 12:55

“Security gaps leave patient records exposed,” reported Ricardo Alonso-Zaldivar of Associated Press.

According to the article, the Inspector General of the Department of Health and Human Services released two reports finding that the drive to connect hospitals and doctors so they can share patient data electronically is being layered on a system that already has glaring privacy problems, and that connecting it up could open new pathways for hackers. The reports drew on a government audit of seven hospitals that found 151 security vulnerabilities.

“The list of vulnerabilities read like a road map for hackers,” wrote Ricardo Alonso-Zaldivar. The findings included inadequate password requirements, computers that did not automatically log off inactive users, unencrypted laptops containing patient data, wireless access problems including the inability to detect unauthorized intrusion, a lack of continuous monitoring, and even the absence of a firewall separating wireless networks from other internal networks. A problem common to the seven hospitals was slow patching of software against known security bugs.

The full article can be read at: http://on.msnbc.com/lK4by2

The seriousness of protecting online records has come to light in recent reports such as the two released by the Inspector General of the Department of Health and Human Services. Why would anyone want to get hold of patient data? Like any other record, it contains valuable information: names, dates of birth, addresses and Social Security numbers. That information is enough for an attacker to steal a patient’s identity and to expose sensitive medical information.

Implementing best practices through multiple layers of security protection helps to protect online records. One such practice is a least-privilege environment, in which administrator rights are removed from end users and policies and application-level processes are managed with a privilege management solution. Viewfinity Privilege Management has helped EagleMed LLC manage administrator rights at the endpoint, for both in-house PCs and mobile laptops. EagleMed LLC takes protecting patient data seriously. According to Ryan Kane, Systems Engineer for EagleMed LLC, “The bigger gain was the ability to lock down our PCs and use Viewfinity Privilege Management to manage administrator rights. By locking down the machines, we prevent the sharing of patient data and we’re also mitigating the security risks introduced through malware. This will have a very positive impact with the auditors. From an IT perspective, staff now only has access to do what they’re required to do.”

Read the full EagleMed Case Study.

Is complete desktop lock-down the best way to adhere to corporate compliance policies?

by Alex Shoykhet 30. September 2009 11:36

Since Sarbanes-Oxley there has been a lot of buzz about "compliance" and the hoops IT must jump through to ensure adherence to it. But everybody views it differently. One organization demands that all PCs be locked down completely, another keeps the environment wide open and resets to a golden image when issues occur, and yet another has different policies for laptops and desktops, or different policies depending on the end user’s functional role within the organization. Many argue that there is no such thing as privacy on a company computer; others insist that there are privacy issues to be considered. Regardless, these policies create tension between IT personnel and end users, and since more and more people are telecommuting, it is very difficult to keep everything as restrictive as management would like.

Many enterprise-level organizations have conceded that the corporate PC, while primarily a tool to conduct business, is also the device used for personal computing, and that separating these two uses may not be necessary. This lets employees use their PC for both business and personal needs. With this approach, however, what should be the role of tech support, and how is corporate compliance enforced?

Maintaining "blacklists" or "whitelists" of unauthorized and authorized applications is time-consuming, and the lists change frequently. Flexible application lockdown rules based on group, connectivity status, application and time of day would better serve the needs of the end user, the system administrator and the company. Configurable compliance policies would also cover the critical cases: if a laptop is stolen and is not connected to the corporate network, specified data and applications cannot be accessed; or iTunes and instant messaging can be disabled during business hours.
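The two ideas above, managing application-level privileges instead of handing out administrator accounts (the EagleMed post) and lockdown rules keyed on group, connectivity and time of day (this post), can be modelled as an ordered, first-match rule set with a default deny. The following is an added example written for this page; it is not Viewfinity's code and does not reflect how its product evaluates policy. The `Request`, `Rule`, `evaluate` and `decide` names, the group names, the executable names and the sample `POLICY` are all constructed for illustration.

```python
"""Context-aware application control: ordered rules, first match wins, default deny.

Added example, not vendor code. Effects: "deny" blocks the launch, "allow" runs
the application with the user's own (non-admin) rights, "elevate" runs just that
application with administrator rights without the user holding an admin account.
"""
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One attempt by a user to launch an application (constructed for the example)."""
    user: str
    groups: FrozenSet[str]
    app: str                # executable name, e.g. "itunes.exe"
    on_corp_network: bool   # True when the machine can reach the corporate network
    now: time               # local wall-clock time of the launch


@dataclass(frozen=True)
class Rule:
    """A single policy rule. A condition left as None means 'do not care'."""
    name: str
    effect: str                                   # "allow", "deny" or "elevate"
    apps: Optional[FrozenSet[str]] = None         # executables the rule covers
    groups: Optional[FrozenSet[str]] = None       # membership in any one suffices
    require_corp_network: Optional[bool] = None   # connectivity condition
    window: Optional[Tuple[time, time]] = None    # [start, end) time-of-day window

    def matches(self, req: Request) -> bool:
        if self.apps is not None and req.app.lower() not in self.apps:
            return False
        if self.groups is not None and not (req.groups & self.groups):
            return False
        if (self.require_corp_network is not None
                and req.on_corp_network != self.require_corp_network):
            return False
        if self.window is not None:
            start, end = self.window
            if start <= end:
                in_window = start <= req.now < end
            else:  # window wraps past midnight, e.g. 22:00-06:00
                in_window = req.now >= start or req.now < end
            if not in_window:
                return False
        return True


def evaluate(rules: List[Rule], req: Request) -> Tuple[str, str]:
    """First matching rule decides; if nothing matches, the launch is denied."""
    for rule in rules:
        if rule.matches(req):
            return rule.effect, rule.name
    return "deny", "default-deny"


# Constructed sample policy. Order matters: the specific denies come first.
POLICY = [
    # Stolen or roaming laptop: the EHR client never runs off the corporate network.
    Rule("phi-apps-off-network", "deny",
         apps=frozenset({"ehrclient.exe"}), require_corp_network=False),
    # Media players and IM are blocked during business hours for everyone.
    Rule("no-media-in-business-hours", "deny",
         apps=frozenset({"itunes.exe", "msnmsgr.exe"}),
         window=(time(9, 0), time(17, 0))),
    # Clinical staff may run the EHR client (only on-network, by the rule above).
    Rule("clinical-staff-ehr", "allow",
         apps=frozenset({"ehrclient.exe"}), groups=frozenset({"clinical"})),
    # Help desk may run installers elevated, but only while on the corporate
    # network; the technician never holds an administrator account.
    Rule("helpdesk-installers", "elevate",
         apps=frozenset({"msiexec.exe"}), groups=frozenset({"helpdesk"}),
         require_corp_network=True),
    # Backups may run only in the overnight window (wraps midnight).
    Rule("overnight-backup", "allow",
         apps=frozenset({"backuptool.exe"}), window=(time(22, 0), time(6, 0))),
    # Ordinary productivity and personal applications are allowed for everyone.
    Rule("standard-apps", "allow",
         apps=frozenset({"winword.exe", "outlook.exe", "itunes.exe", "msnmsgr.exe"})),
]


def decide(user: str, groups, app: str, on_corp_network: bool,
           hour: int, minute: int = 0) -> Tuple[str, str]:
    """Convenience wrapper: returns (effect, rule_name) for one launch attempt."""
    req = Request(user, frozenset(groups), app, on_corp_network, time(hour, minute))
    return evaluate(POLICY, req)


if __name__ == "__main__":
    for args in [("dr.smith", {"clinical"}, "ehrclient.exe", False, 10),
                 ("dr.smith", {"clinical"}, "ehrclient.exe", True, 10),
                 ("nurse.jones", {"clinical"}, "itunes.exe", True, 12, 30),
                 ("nurse.jones", {"clinical"}, "itunes.exe", True, 19),
                 ("tech.lee", {"helpdesk"}, "msiexec.exe", True, 14),
                 ("tech.lee", {"helpdesk"}, "msiexec.exe", False, 14)]:
        print(args[2], "->", decide(*args))
```

Two design points carry the weight here. The default is deny, so an executable nobody thought to list (or a renamed copy of one) does not run just because no rule mentions it; and the order of the rules encodes precedence, so the off-network deny for the EHR client is evaluated before the allow that clinical staff would otherwise match. The `elevate` effect is what replaces a standing administrator account: the technician gets administrator rights for `msiexec.exe` and nothing else, and only while on the corporate network. A real product would key rules on signed publisher or file hash rather than the executable's file name, which a user can trivially change.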

So what is the norm today and can an automated method for managing privileges help your company protect itself if complete lockdown is not the ideal approach?


Compliance | Privilege Management

About Viewfinity

Viewfinity provides privilege management and application control for desktops, laptops and servers, empowering enterprises to meet compliance mandates, reduce security risks, and lower IT costs. The Viewfinity solution allows enterprises to control end user and privileged user rights for applications and systems which require elevated permissions. Viewfinity's granular-level control enables companies to establish and enforce consistent policies for least privilege Windows-based environments based on segregation of duties. For more information, visit www.viewfinity.com.