Assessment Description
It is essential as a cybersecurity professional to have a complete understanding of how a compliance audit is conducted and documented because organizational sustainability often depends on the adequate assessment of information security and privacy management. Using the GCU Virtualization Environment, build either a Windows or Linux server. Then, search the web for technical controls related to HIPAA. Break the technical controls down into technical requirements appropriate for your virtual server with Pass/Fail criteria. Audit the virtual server and report if compliant or not. Once compliance testing has been completed, draft a certification letter for your client or organization highlighting the applicable controls tested along with the compliance model used.
Refer to the “HIPAA Security Audit Certification Document,” located within the Topic Resources, as an example.
APA style is not required, but solid academic writing is expected.
Dear GCU Hospital,
This document serves as the basis for the recent HIPAA security review conducted at MS Hospital. Cassandra Lalli analyzed the standards and development of the MS Hospital application between September 1, 2020 and September 2, 2020. Based on the data collected during the HIPAA security review, Cassandra Lalli has concluded that the MS Hospital application has implemented a satisfactory set of security controls to meet the HIPAA requirements. Consequently, a user who accesses Dropbox in conjunction with MS Hospital and follows HIPAA procedures can sustain HIPAA compliance.
Cassandra Lalli attests that the statements made in this document accurately reflect the assessment of MS Hospital's current security as it relates to the requirements defined by the HIPAA standards. This professional evaluation does not include an evaluation of other technical security controls that, while considered industry best practice, are not explicitly defined in the HIPAA technical safeguard requirements. As the MS Hospital application's code base changes and new features and functions are added, the application's security posture will change, and such changes may affect the validity of this document. The conclusion reached from our analysis therefore represents only a snapshot of the present point in time. Cassandra Lalli would like to thank MS Hospital for the opportunity to help the organization evaluate its current security posture, and to advise them that they will fail the review if the rules are disregarded in the future.
Sincerely,
Keisha Magee
Chief Information Officer,
KSMageecompliance@ksm.com
HIPAA Technical Safeguards

| Section | Standard / Implementation Specification | Description | Audit Result |
|---|---|---|---|
| 164.312(a)(1) | Access Controls (standard) | Technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4). | |
| 164.312(a)(2)(i) | Unique User Identification | Assignment of a unique name and/or number for identifying and tracking user identity. | Requirement satisfied. Each user is assigned a unique username (email address) and a password, and every employee has an assigned number. This credential set is used for identifying and tracking user identity. |
| 164.312(a)(2)(ii) | Emergency Access Procedure | Established (and implemented as needed) procedures for obtaining necessary EPHI during an emergency. | Requirement satisfied. An administration "dashboard" gives administrators a way to obtain necessary EPHI in the event of an emergency. |
| 164.312(a)(2)(iii) | Automatic Logoff | Procedures that terminate an electronic session after a predetermined time of inactivity. | Requirement satisfied. All computers have timers: once the work day is over they shut down, and the screen locks and prompts for a password if the user is inactive for too long. |
| 164.312(a)(2)(iv) | Encryption and Decryption | A mechanism to encrypt and decrypt EPHI. | Requirement satisfied. Antelope allows encryption and decryption of electronic protected health information via its PC, Mac and iOS clients as well as via a web browser interface. |
| 164.312(b) | Audit Controls (standard; this standard has no implementation specifications) | Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI. | Requirement satisfied. Antelope provides complete audit trails on all operations associated with encrypted files, with a simple reporting tool. |
| 164.312(c)(1) | Integrity (standard) | Implement policies and procedures to protect EPHI from improper alteration or destruction. | |
| 164.312(c)(2) | Implementation specification | Electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner. | Requirement satisfied. EPHI has not been altered or destroyed in an unauthorized manner. |
| 164.312(d) | Person or Entity Authentication (standard) | Procedures to verify that a person or entity seeking access to EPHI is the one claimed. | Requirement satisfied. Entity authentication procedures are in place to verify that an entity seeking access to EPHI is the one claimed. |
| 164.312(e)(1) | Transmission Security (standard) | Technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network. | |
| 164.312(e)(2)(i) | Implementation specification | Security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of. | Requirement satisfied. Security measures ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of. |
| 164.312(e)(2)(ii) | Implementation specification | A mechanism to encrypt EPHI whenever deemed appropriate. | |
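The assessment description asks for the technical safeguards to be broken down into Pass/Fail requirements for the virtual server, audited, and reported, and the table above records the results without showing what was actually checked. The script below is an added example of that procedure, not part of this submission and not code from any product named in it. It assumes a Linux server with systemd, auditd and OpenSSH; the file paths, the 900-second logoff threshold and the cipher blocklist are this example's own choices (HIPAA itself names no timeout value or cipher list), and the sample server contents are constructed, so the audit runs offline.

```python
"""Added example: auditing a Linux server against HIPAA technical safeguards.

Each requirement pairs a HIPAA citation with a plain-language Pass/Fail
criterion and a check that runs over collected configuration text, so the same
code audits the constructed sample below or a real host via collect_from_host().
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Files = Dict[str, str]  # path (or probe name) -> collected text


@dataclass(frozen=True)
class Requirement:
    citation: str                   # HIPAA section
    name: str                       # standard / implementation specification
    criterion: str                  # Pass/Fail criterion in plain words
    check: Callable[[Files], bool]  # True means Pass


def unique_uids(files: Files) -> bool:
    """164.312(a)(2)(i): no two accounts may share a UID, or activity cannot be traced to one person."""
    uids = [line.split(":")[2] for line in files.get("/etc/passwd", "").splitlines()
            if line.count(":") == 6]  # well-formed passwd lines have 7 fields
    return bool(uids) and len(uids) == len(set(uids))


def auto_logoff(files: Files, max_seconds: int = 900) -> bool:
    """164.312(a)(2)(iii): shell sessions must time out; TMOUT set system-wide and <= max_seconds (example threshold)."""
    found = re.findall(r"^\s*(?:export\s+)?TMOUT=(\d+)",
                       files.get("/etc/profile.d/tmout.sh", ""), re.M)
    return bool(found) and int(found[-1]) <= max_seconds


def audit_logging(files: Files) -> bool:
    """164.312(b): auditd must be active and at least one file-watch (-w) rule must be configured."""
    rules = files.get("/etc/audit/rules.d/audit.rules", "")
    return (files.get("auditd_status", "").strip() == "active"
            and re.search(r"^\s*-w\s", rules, re.M) is not None)


def strong_ssh_ciphers(files: Files) -> bool:
    """164.312(e)(2)(ii): remote sessions must use an explicit cipher list with no weak entries.
    A missing Ciphers line is treated as Fail so the auditor always sees the list in use."""
    weak = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc"}
    m = re.search(r"^\s*Ciphers\s+(\S+)", files.get("/etc/ssh/sshd_config", ""), re.M)
    return m is not None and not (set(m.group(1).lower().split(",")) & weak)


REQUIREMENTS: List[Requirement] = [
    Requirement("164.312(a)(2)(i)", "Unique User Identification",
                "Every account in /etc/passwd has a distinct UID", unique_uids),
    Requirement("164.312(a)(2)(iii)", "Automatic Logoff",
                "TMOUT is set system-wide to 900 seconds or less", auto_logoff),
    Requirement("164.312(b)", "Audit Controls",
                "auditd is active and at least one watch rule is configured", audit_logging),
    Requirement("164.312(e)(2)(ii)", "Encryption (transmission)",
                "sshd Ciphers list is explicit and contains no weak ciphers", strong_ssh_ciphers),
]


def run_audit(files: Files) -> List[Tuple[str, str, str]]:
    """Return (citation, name, 'Pass' or 'Fail') for every requirement."""
    return [(r.citation, r.name, "Pass" if r.check(files) else "Fail") for r in REQUIREMENTS]


def is_compliant(results: List[Tuple[str, str, str]]) -> bool:
    """The server is compliant only when every tested requirement passes."""
    return all(status == "Pass" for _, _, status in results)


def format_report(results: List[Tuple[str, str, str]]) -> str:
    """Render the results in the same table layout the certification document uses."""
    lines = ["| Section | Requirement | Result |", "|---|---|---|"]
    lines += [f"| {c} | {n} | {s} |" for c, n, s in results]
    lines.append("Overall: " + ("COMPLIANT" if is_compliant(results) else "NOT COMPLIANT"))
    return "\n".join(lines)


def collect_from_host() -> Files:
    """Gather the same inputs from a real server (assumes systemd and auditd are installed)."""
    import subprocess
    files: Files = {}
    for path in ("/etc/passwd", "/etc/profile.d/tmout.sh",
                 "/etc/audit/rules.d/audit.rules", "/etc/ssh/sshd_config"):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[path] = fh.read()
        except OSError:
            files[path] = ""  # missing file simply fails the relevant check
    files["auditd_status"] = subprocess.run(["systemctl", "is-active", "auditd"],
                                            capture_output=True, text=True).stdout
    return files


# Constructed sample of a partially compliant server (not captured from any real system).
SAMPLE_SERVER: Files = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "alice:x:1001:1001::/home/alice:/bin/bash\n"
                   "bob:x:1002:1002::/home/bob:/bin/bash\n",
    "/etc/profile.d/tmout.sh": "TMOUT=600\nreadonly TMOUT\nexport TMOUT\n",
    "/etc/audit/rules.d/audit.rules": "-w /var/lib/ephi/ -p rwxa -k ephi_access\n",
    "/etc/ssh/sshd_config": "Ciphers aes256-gcm@openssh.com,3des-cbc\n",  # weak cipher -> Fail
    "auditd_status": "active\n",
}

if __name__ == "__main__":
    print(format_report(run_audit(SAMPLE_SERVER)))
```

Run as-is to audit the constructed sample (three requirements pass, the transmission-encryption check fails on the 3des-cbc entry, so the overall result is NOT COMPLIANT); replace `SAMPLE_SERVER` with `collect_from_host()` to audit the virtual server itself. The point of the structure is that each "Requirement satisfied" entry in the certification table is backed by a criterion that can be re-run after the next configuration change, which is exactly the caveat the letter raises about the assessment being a snapshot in time.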