HIPAA Blog

[ Wednesday, June 29, 2005 ]

 

Ideas from Medical Newswire: I get free emails from Medical Newswire's HIPAA Wire service (along with some others), and they often contain some pretty decent HIPAA tips. Take this one, for example:

"Don't wait for a major breach to uncover your personnel's malicious activity. Use this simple step-by-step guidance to develop an audit control process that will spot illegal behavior before it ruins your compliance effort.

"Step 1. Define Standard Operations: Before you can evaluate your employees' behaviors, you must define what's normal by figuring out exactly how you operate, says Matt Johnson, a HIPAA security consultant for AltaPacific Technology Group in Fresno, CA.

"Step 2. Determine Abnormal Behaviors: You must pin down the types of behavior that you'll consider anomalous. Next: Set up your audit controls to recognize those anomalies and notify you when they occur. "Most practice management applications have the built-in ability to log and record this information," Johnson says. But you must ensure you turn each of these controls on, he stresses.

"Step 3. Consider Random Versus Specific Audits: A policy that warns your personnel that you will audit their activities on a random basis could be the perfect deterrent to malicious behavior, experts note. However, "we prefer to act on suspicions because it allows us to be more specific with our audits," says Greg Young, information security officer for Mammoth Hospital in Mammoth Lake, CA.

"Bottom Line: No matter how you set up your audit process, you must explain to your staff members what you expect from them -- and what sanctions you'll apply if they violate your policies and procedures, Johnson stresses."


Interesting stuff.
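To make the three steps concrete, here is a small audit-control pass over access-log records, written as an added example for this post; it is not code from Medical Newswire, from the consultants quoted, or from any practice management application. The log format (pipe-delimited timestamp, user, role, patient, patient department, action), the role baselines, the thresholds and the sample records are all constructed for the example. Step 1 is the `BASELINE` table of what "normal" looks like per role, step 2 is the rules in `audit()`, and step 3 is served two ways: `summarize()` ranks users for a targeted audit, and `random_audit_sample()` pulls a reproducible random sample for the deterrent-style review.

```python
import random
from collections import Counter, defaultdict
from datetime import datetime

# Step 1: define standard operations. Constructed for this example: each
# role's normal departments and normal working window, as [start, end) hours.
BASELINE = {
    "nurse": {"departments": {"ONC", "MED"}, "hours": (7, 19)},
    "physician": {"departments": {"ONC", "MED", "ER"}, "hours": (6, 22)},
}
# Assumed threshold: more distinct patient records than this in one day
# is treated as anomalous volume.
MAX_DISTINCT_PATIENTS_PER_DAY = 4

# Constructed sample log, pipe-delimited:
# timestamp | user | role | patient_id | patient_department | action
SAMPLE_LOG = """\
2005-06-28T08:12:00|jsmith|nurse|P1001|ONC|view
2005-06-28T08:40:00|jsmith|nurse|P1002|ONC|update
2005-06-28T14:00:00|jsmith|nurse|P4001|PSY|view
2005-06-28T23:15:00|jsmith|nurse|P1003|ONC|view
2005-06-28T12:00:00|rlee|physician|P3001|ER|view
2005-06-28T12:05:00|rlee|physician|P3002|ER|view
2005-06-28T12:10:00|rlee|physician|P3003|ER|view
2005-06-28T12:15:00|rlee|physician|P3004|ER|view
2005-06-28T12:20:00|rlee|physician|P1001|ONC|view
2005-06-28T16:45:00|vendor1|contractor|P1001|ONC|view
"""


def parse_log(text):
    """Parse pipe-delimited lines into dicts; timestamps become datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, dept, action = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "dept": dept,
                        "action": action, "raw": line})
    return records


def audit(records, baseline=BASELINE, max_patients=MAX_DISTINCT_PATIENTS_PER_DAY):
    """Step 2: apply the anomaly rules. Returns a list of (rule, user, detail)."""
    findings = []
    per_user_day = defaultdict(set)  # (user, date) -> distinct patients seen
    for r in records:
        profile = baseline.get(r["role"])
        if profile is None:
            # A role the baseline never defined is anomalous by definition.
            findings.append(("unknown_role", r["user"], r["raw"]))
            continue
        start, end = profile["hours"]
        if not (start <= r["ts"].hour < end):
            findings.append(("outside_hours", r["user"], r["raw"]))
        if r["dept"] not in profile["departments"]:
            findings.append(("outside_department", r["user"], r["raw"]))
        per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) > max_patients:
            findings.append(("high_volume", user,
                             f"{day}: {len(patients)} distinct patients"))
    return findings


def summarize(findings):
    """Step 3 (specific audits): rule counts per user, most findings first."""
    per_user = defaultdict(Counter)
    for rule, user, _ in findings:
        per_user[user][rule] += 1
    return dict(sorted(per_user.items(), key=lambda kv: -sum(kv[1].values())))


def random_audit_sample(records, k, seed=0):
    """Step 3 (random audits): a reproducible random sample of records."""
    return random.Random(seed).sample(records, k)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule, user, detail in audit(recs):
        print(f"{rule:20} {user:10} {detail}")
    print(summarize(audit(recs)))
```

Two things the example makes visible that the tip only implies: the rules can only fire for behaviour you wrote down in advance (the contractor record is caught only because an undefined role is treated as a finding, not because anyone anticipated it), and the "notify you" part in step 2 presumes the application is actually writing these records, which is the "turn each of these controls on" caveat from the quoted text.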

Jeff [1:27 PM]

Comments:
The most interesting part is the wide gap between strategy and practice, even in the most sensitive area.

I worked for the banking industry for a while, and the worst situation I saw was in one of the top 3 U.S. banks - i.e., big, powerful, and trusted.

There was a small department that handled the data management for a particular type of account: that included systems security, analysis and troubleshooting, backup and storage, etc. If an organization is willing to hire someone good, they may get people with all those skills. Unfortunately the organization became ridiculously cheap at that level, and no one knew what they were doing. The manager was all that was left after a series of predecessors had quit: he barely had a grasp on email, much less midrange operations and programming. None of the employees knew what they were doing, either. They had procedures to follow passed down from earlier employees, but various modifications over time had made the procedures obsolete. These daily routines didn't do what they were supposed to do, and they returned bad data. The president of the division was receiving reports every day that were based on bad data. The bank was making decisions based on these fake reports. There were no audits because at that level no one had the skills to perform a basic audit. The whole situation was mind-boggling.

Now it makes me laugh when I see a commercial for some UberCorporation that claims to be on the cutting edge of technology and data security: I have to suspect that 15 layers down they're probably hiring on the cheap - and the incompetence at the bottom snowballs as bad decisions are made on bad data and float upward through the organization.