How to Prepare for a HIPAA Audit


Preparing some documents beforehand will make your HIPAA audit much more pleasant.


By: Brand Barney

The OCR has scheduled you for a HIPAA audit, and you’re panicking. What do you do? How can you prepare?

Believe it or not, HIPAA auditors are not your enemy; they want to help you make your organization more secure for your workforce members and your patients. But if you aren’t prepared for the audit, it can quickly become your worst nightmare.

See Also: HHS HIPAA Audit Requirements

Why did you get audited?

There are a few reasons why your organization may be getting an audit. Here are the primary audit triggers:
  • At random: The OCR conducts random audits on covered entities and business associates to see how the industry is doing with HIPAA compliance.
  • Complaints: A patient, a customer, or even an employee can file a complaint with HHS, which may lead to an investigation or audit.
  • Self-reported breach: If you have reported a breach, you have a much higher chance of being audited.
Here are ways you can prepare for your HIPAA audit:

Have documentation ready

This is probably one of the most important things to prepare for your audit. Having the proper documentation ready will make your audit go much faster and help you avoid costly penalties.
You’ll want to have the following documents available for your audit:
Workforce member training documents
Your workforce members are among the weakest links in your organization, so you should be devoting real time to training, and all of that training should be documented.

Have things like employee manuals, policies, and training sign-in or completion records ready so your auditors can see how your workforce is taught about HIPAA. Auditors may also interview workforce members to see if they actually know that information, so make sure your staff are current on the material in your training documents.

See Also: HIPAA Training Video: Essential Healthcare Compliance Training

Security Policies and Procedures:
Just like your organization needs security policies, you need to have them documented. These may include:
  • Incident response policies
  • Business continuity policy
  • Firewall policies
  • Physical security policy
  • HIPAA Privacy and Security Rule policies
Not only will these policies help your company handle security consistently, they will also show auditors how your organization approaches security.

Risk analysis and Risk management documents
These documents are required by the Security Rule (45 CFR 164.308(a)(1)). A risk analysis identifies the threats and vulnerabilities to the ePHI your organization holds; a risk management plan records how you will reduce those risks to a reasonable and appropriate level.

Having these documents shows your auditor you’re actually fulfilling the HIPAA requirements, you understand what risks may be present in your organization, and how you’re handling potential security issues.

Conduct internal audits

Conducting audits within your organization can help you find and fix problems in your security before the OCR does. It’s best to do these audits periodically to catch new issues as they appear.

I always advise entities to engage a third party security expert to help with conducting a proper security assessment. A security assessor will have experience in HIPAA (and many other security mandates) and will be able to see your organization from an external view (which is what malicious attackers are doing).


Prepare yourself properly

HIPAA audits can be difficult for both the auditors and the organization involved, but taking the proper steps to prepare yourself will help your audit become less of a headache.

Remember, the point of an audit is to help your organization become more secure, protecting you, your workforce members, and ultimately your patients.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

Need help getting ready for a HIPAA audit? Check out the infographic below, 5 Documents to Prepare for an Audit, to see what you can do to make your audit go more smoothly.

Spotting Vulnerabilities – Is Vulnerability Scanning Antiquated?


Just how helpful is vulnerability scanning today?  

This blog was originally featured as an article in Hospitality Upgrade

By: Brand Barney
I often hear, “Isn’t vulnerability scanning outdated?” from my clients. After all, with log monitoring and patch updates readily available, they tend to wonder, “What’s the point?”

However, without ongoing vulnerability assessment (VA), the probability of exploits and compromise for a company rises dramatically.

Move beyond the it-can’t-happen-to-me feeling of security and look at the facts: an average of 19 new vulnerabilities are reported per day, according to the National Vulnerability Database.

Most hackers don’t care who you are. They care about your vulnerabilities.

If you look at recent headlines, it’s easy to see that not all attacks are aimed at a specific business.
For example, the attacks that followed GHOST (a glibc flaw), POODLE (an SSLv3 weakness) and Heartbleed (an OpenSSL bug) went after any system running the affected software; the target was the vulnerability, not the company.

Many large, popular retailers and companies may not have lost as much sensitive data if they and their third party vendors had been practicing regular VA scanning to discover vulnerabilities within their networks and sites.

Did you know the same vulnerability scanning tools that enterprise businesses should be using are the same tools attackers use to discover vulnerabilities? Vulnerability scanning, in fact, is one of the few practical ways for a company to keep up to date on emerging vulnerabilities in its own systems.

In order to systematically shrink a company’s risk window and prevent a data breach, critical vulnerabilities must be continuously identified, prioritized and remediated across a significant portion of the network.

See Also: How Long are Businesses Vulnerable Before a Breach? 

Here are a few examples of vulnerabilities that your organization’s VA tools should catch (and that your IT team should repair immediately):
  • Cross Site Scripting (XSS): An XSS attack injects attacker-controlled script (usually JavaScript) into pages that other users view. Most scanning tools today are quick to point out XSS vulnerabilities (if you have them).
  • SQL Injection: This attack takes place when an application concatenates user input into a database query, letting an attacker read or modify the backend database at will. The fix, parameterized queries, is straightforward, yet the flaw is still widespread. Running scans frequently can help identify it quickly.
  • Heartbleed: While the media sensation of Heartbleed has died down, it was a heavy hitter: a bounds-check bug (CVE-2014-0160) in OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 that let a remote attacker read server memory, private keys included. VA scans would have caught it as soon as a check for it was published.
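To make the SQL injection item concrete, here is an added example (not code from the original article or from SecurityMetrics) showing the insecure query a scanner flags next to its hardened form. It uses Python’s built-in sqlite3 module with a constructed in-memory users table; the table, the users and the payloads are all made up for the demonstration, and the passwords are stored in plain text only to keep the example short (a real application would store salted hashes).

```python
import sqlite3

# Constructed sample data for this example (not from the article): a tiny
# users table standing in for an organization's backend database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "clerk")],
    )
    return conn

def login_vulnerable(conn, username, password):
    """The insecure pattern a scanner flags as SQL injection: user input is
    pasted into the SQL text, so quotes in the input rewrite the query."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    """Hardened form: a parameterized query. The values travel separately
    from the statement, so a quote in the input is just a character."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # Classic tautology payload: WHERE ... AND password = '' OR '1'='1'
    print(login_vulnerable(conn, "x", "' OR '1'='1"))   # both rows: auth bypassed
    print(login_safe(conn, "x", "' OR '1'='1"))         # []: no match
    # Comment payload in the username: the password check is commented out
    print(login_vulnerable(conn, "alice' --", "nope"))  # [('alice', 'admin')]
    print(login_safe(conn, "alice' --", "nope"))        # []
```

The tautology payload works because AND binds tighter than OR, so the condition becomes (username = 'x' AND password = '') OR '1'='1', which is true for every row. The parameterized version never lets the input touch the statement text, which is exactly what a scanner’s injection probes are checking for.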
A correct vulnerability management program takes a wide range of network issues into consideration. It not only identifies weaknesses that need correction, including misconfigurations and policy violations that a patch management system alone cannot address, but also delivers an across-the-board picture of all systems, services and devices that could be used to breach a network.

Why don’t organizations scan more often?

Due to what was once perceived as a complicated, disruptive process to daily business functions, it’s no secret that VA has caused some huge management headaches over the years.

On top of that, most organizations treat vulnerability management as an occasional and isolated spot check, largely focused on addressing immediate issues. When a company treats VA as a random point-in-time exercise, it is not only a detriment to the industry, but also ineffective at minimizing risk.

Industry best practice is to scan quarterly (at the very minimum) and include a system to speedily remediate discovered weaknesses.

Encourage a top-down approach

It can be challenging for IT departments to gain management support when it comes to enforcing security-related policies and procedures. After all, change can be difficult to implement from middle management up through an organization.

But VA activities must have acceptance from the highest executive levels of an organization in order to be effective. It’s critical that management understands the importance of the assessment to the organization as a whole, and give IT the approval to perform scanning activities.

Keep in mind: The time it takes an IT team to repair and recover from vulnerability exploitation usually has far greater impact on a business than the shorter amount of time it takes to get the organization up to speed on a VA solution.

Once a company has buy-in across the board, it’s important to encourage awareness and training among team members. Typical VA awareness training within a company should include:
  • Company-specific goals for utilizing the technology
  • An explanation of how a vulnerability scanning appliance operates
  • Which departments and systems will be in the assessment scope
  • How false positives can be reported to the IT team
  • How reports can be used to show details around vulnerabilities
  • Where patches can be found and details around the severity levels
Some organizations decide to conduct the scanning process independently, especially with the introduction of scanners that do not require advanced security knowledge to install or implement. When it comes to internal scanning, companies are allowed to use their own product, but to comply with the Payment Card Industry Data Security Standard, they must use an approved scanning vendor for all external VA scans.


Long live vulnerability scanning

As long as hackers and their malware are out there, vulnerability scanning will continue to be a necessary part of everyday security operations. With this simple approach, security holes can be repaired before they become problematic, and companies can proactively fend off attacks before they occur and do serious damage.


How to Confront Hospital Ransomware


Don’t let your patients’ medical records be taken hostage.

By David Ellis
Ransomware is one of the fastest growing categories of malware among cybercriminals worldwide (attacks grew 113% in 2014). It has the potential to seriously affect both small and large organizations, and the healthcare industry should be particularly concerned.

In the last year alone, data breaches against the healthcare industry have targeted major providers like Anthem, Premera Blue Cross, and Excellus, and compromised more than 99 million patient records.

How does ransomware work?

In a nutshell, ransomware is digital extortion.
Ransomware starts with malware typically downloaded via a phishing email or malicious site link.

When activated, this ransom malware (ransomware) encrypts the user’s files, typically including:
  • Word documents
  • PDFs
  • Spreadsheets
  • Photos
  • Music
  • Anything reachable on mapped network drives or attached backup disks
Some variants instead lock the user out of the computer entirely, blocking access to files, applications, or even the desktop, without encrypting anything.

The attacker retains the decryption key, so without it the files are effectively unreadable. The malware leaves a ransom note (often a single text or HTML file in each affected folder) explaining that the files have been encrypted and demanding a payment in exchange for the decryption key.

The instructions will include a deadline; if it passes, the attacker threatens to discard the decryption key, leaving the files permanently unrecoverable. According to the FBI, the initial ransom amount is anywhere from $200–$5,000, typically accepted only in Bitcoin.

Although there’s no guarantee the files will be decrypted using the key, it’s rare that an attacker has not decrypted the files after payment. After all, it wouldn’t be a very effective extortion tool if word got around that the hackers didn’t fulfill their end of the bargain.

Why ransom a hospital network?

The psychology behind ransomware is all about how much value the user thinks the computer’s data holds. For someone with a new personal computer that contains only a few files, paying a hacker $500 to restore locked files doesn’t make sense. It would be easier to wipe the computer and start from scratch.

But what if a hacker got a hold of all patient records for an entire hospital and encrypted them? There could be hundreds of thousands of patient files that suddenly become inaccessible.  If the hospital’s data wasn’t properly backed up (outside of the network) and the ransom wasn’t immediately paid, doctors wouldn’t have the vital information needed to treat patients. Records of patient and insurance payments would be lost, patient personal and credit card information would be compromised, and the list goes on.

The ensuing chaos could effectively ruin a hospital’s reputation.

In recent years attacks targeting healthcare organizations have become even more appealing to hackers because of the digitizing of hospital records, motivated by programs like the EHR Incentive Programs that pay providers to move certain hardcopy health records to electronic format. The more data is digitized, the more records an attacker can affect on a given network, and the more lucrative and successful the attack becomes.

Ransomware removal 101

In theory, ransomware is not that sophisticated. In practice, though, neither the average user nor the average IT administrator can remove it and get the files back, because the encryption itself is the damage. That leaves three options: restore from a backup the malware could not reach, wipe the computer and accept the loss, or pay.

At BlackHat USA 2015, Dr. Engin Kirda shared research that 61% of ransomware attacks leave files untouched, and only lock down the computer. In cases like these, a professional may be able to either extract your critical files or remove the malware off your computer without you handing out a ransom.

But where the malware has encrypted every file and no offline backup exists, paying the attacker is likely the only way to get the data back.

However, ransomware survivors have no guarantee that the whole thing won’t happen again at some future date. After all, the hacker still has access to the computer either through the original vulnerability that allowed them to download malware in the first place, or because the attacker installed a covert backdoor for future system access.

Preparing your healthcare environment for ransomware

As shown, ransomware is a very real threat that has the potential to devastate healthcare organizations, and this malware is too effective for attackers to stop using it.

Here are a few things to keep in mind while preparing your networks, computers, and staff for the possibility of ransomware:
  • Keep records in a hosted system rather than on workstations: If your Health Information Exchange (HIE) or EHR is hosted in the cloud, the patient records don’t live on the workstation that gets infected. That is not a guarantee, though: ransomware on an endpoint will encrypt anything in a synced cloud folder or mapped drive, and the sync client will dutifully upload the encrypted copies. Make sure the hosted system keeps file versions or snapshots you can roll back to, and that the workstation’s credentials cannot delete them.
  • Utilize backups: To thwart ransomware, back up files often and make sure that a recent backup is stored offline, so the backup cannot be impacted by ransomware or other digital attack vectors.
  • Train staff on data security: Staff members are the weak link in the ransomware equation. In most cases, malware is downloaded onto healthcare environments because of a workforce member surfing the web or opening a link in a phishing email.
  • Create a ransomware crisis plan: Each member of your staff that uses a company computer needs to understand and practice your organization’s data security plan in order to avoid the devastating effects of a ransomware attack.
Remember, you have a responsibility to protect not only your organization’s reputation, but also your patients’ sensitive and valuable health data.

Improving your data security measures to be able to fend off a ransomware attack may seem arduous, but it is a mere speed bump compared to the sheer roadblock that a successful ransomware attack may pose to your organization.

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.

Top 10 Network Security Audit Fails

PCI DSS assessment issues haven’t changed in years. 

By: Gary Glover
Back in 2011, I gave a presentation on the top 10 security issues I saw during hundreds of PCI DSS network security audits. Guess what? Five years later, all 10 remain top security issues that initiate most of today’s security breaches.

Obviously these concerns merit a discussion.

Let’s delve a little deeper into the top 10 network security audit fails (in no particular order) to help you understand what projects need your attention in your business data environment.

1. Poor or no card data environment (CDE) segmentation

In my experience with PCI DSS assessments, poor segmentation is often a security problem. Here are some of the poor segmentation practices:

Flat network architecture
Flat network architecture is a common problem where the network contains both card data systems and those that have nothing to do with card data (e.g., office systems, email servers). By isolating card data systems from others with network segmentation, you can more easily safeguard zones that need protection (i.e., ones that handle card data), minimize scope, minimize the attack surface, and not waste resources on areas that don’t require fortification.

Misconfigured or non-existent firewalls
A correctly configured firewall makes it harder for criminals to access your network/system and strengthens your segmentation. To reinforce a firewall, tighten your inbound/outbound firewall rules, only allow secure protocols, and frequently check firewall rules against accepted standards. Watch for protocols you say are necessary between a less secure zone and a more secure zone—like Windows file sharing (SMB) or Active Directory traffic. These protocols compromise the security of the zone you’re trying to protect.

Unsecured wireless networks
Unsecured Wi-Fi was the attacker’s point of entry in the well-known TJX (T.J. Maxx) data breach disclosed in 2007, and I expect similar wireless issues continue to assist multitudes of hackers today. Wireless network segments should be protected with WPA2 and a strong passphrase (or WPA2-Enterprise with per-user credentials). For additional security, don’t allow any wireless access into the card data environment, period.

2. Not understanding the flow of card data through the network

To secure payment card data, you must be the expert on everything that happens with card data in your organization. It’s not good enough just to have an idea in your mind; you need to document the flow via a card data diagram or detailed description.

Learning about card data processes by interviewing employees isn’t enough. You must look in places you don’t expect. A data discovery tool like PANscan is the best way to find locations that contain hidden card data.

Once you find caches of card data and understand the data process, you need to decide whether the data in question was collected by accident or for a purpose, and whether you can eliminate the need to keep that data around.

Being an expert on the flows of card data in your network is the only way you’ll be able to understand your PCI DSS requirements and successfully pass a PCI DSS assessment.

3. Insecure remote access into CDE

Cybercriminals love when you use remote access. Why? It’s a method to access card data systems from outside your network perimeter that’s often poorly secured.

Ideas to protect remote access technologies range from log alerting implementation to default username alteration, but the secure solution is to implement two factor authentication.

Many remote access packages only require a user ID and password to gain access, and that’s not good enough. Multiple independent factors of authentication are needed to protect remote access. Instead of two knowledge-based identifiers, a second, different factor is needed like biometric fingerprint or physical token.

It’s important to note that many merchants have external contractors that help administrate their remote access systems. The merchant, not the third party, is responsible for making sure the remote access process and technology is secure.

4. Stored card data

As per PCI DSS Requirement 3, stored primary account numbers (PANs) must be rendered unreadable anywhere they are kept, using strong, industry-accepted cryptography (e.g., AES-256), truncation, tokenization or a keyed hash. No homegrown encryption methods allowed! And sensitive authentication data (the full magnetic stripe, CVV2/CVC2 and PIN blocks) may not be stored at all after authorization, encrypted or not.

Not only must card data be encrypted, the utilized encryption keys must be protected as well. If you don’t protect the location of the encryption key using a solid PCI DSS encryption key management process, it’s like storing your house key pushed into your front door lock.

As mentioned before, an essential part of eliminating stored card data is through the use of a good card data discovery tool and methodology. Begin where you think the data would be, and then look where it shouldn’t be. Remember, payment card data can easily leak due to poor processes or misconfigured software.

To be effective, data discovery must be repeated frequently. I can’t tell you how many times I’ve examined a network after last year’s clean network security audit and found all kinds of data because of process and code changes.

5. Poor application security (web, payment apps, etc.)

Just buying a PA-DSS validated payment application does not automatically make you compliant. You must install it correctly per the vendor’s implementation guide. I often find customers who use a PA-DSS validated payment application but install it incorrectly, resulting in sensitive information being stored in places like error logs.

If you develop payment applications in-house (e.g., ecommerce websites, POS applications) you must use very strict development processes and secure coding guidelines as outlined in the PCI DSS. Don’t forget to develop and test applications in accordance with industry accepted standards like OWASP.

If a web application is used to take payment data, a web application firewall should be installed in front of the application and kept well tuned. This helps avert common attacks like SQL injection.

6. Weak patch management

It always surprises me that businesses don’t regularly install software updates. To maintain security and PCI DSS requirements, you must have a well-documented patch management process and follow it religiously.

Patch all critical components in the card flow pathway. This includes operating system and critical software applications like payment applications, databases, web servers, etc.

7. Access control issues

Access control is required on all computer systems or network gear in the card data network. All systems in the CDE should have a login step that requires a personal user ID and unique password per user (no default usernames or passwords!). Many compromises are caused by something as simple as not changing default system passwords or software permissions (e.g., operating system, network gear, databases).

The best way to assign correct permissions is role-based access control built on least privilege: each role gets only the access its job function requires, and users are granted roles rather than ad hoc permissions. Their access level doesn’t impede their job responsibilities, and one less person has access to card data.

8. Lack of vulnerability scanning

All external IPs (and domains) exposed from the CDE must be scanned by a PCI ASV (Approved Scanning Vendor) at least quarterly. All systems within the CDE must be scanned for vulnerabilities from an internal perspective as well to help prevent hackers moving from system to system exploiting common security holes.

Despite what many businesses believe, scanning is not enough. You can’t just scan and sit on the report. Act quickly on any vulnerabilities discovered to ensure security holes are plugged.

See Also: SecurityMetrics Scanning FAQ for Customers

9. No event log collection or monitoring

Log monitoring systems oversee network activity, inspect system events, and store user actions. The problem is logging features may not be turned on by default on various types of systems within the CDE. Traceable logging must be enabled to ensure useable log data is available. Make sure all log sources are identified (e.g., web server logs, payment application logs, operating system access logs).

Collecting raw log data in a centralized monitoring location is only useful if an alerting notification system is in place. Often, automated filtering software is used to summarize and deliver warnings if patterns of attack are detected. These notifications should be monitored daily and acted upon if necessary.
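As an added illustration of the "automated filtering software" described above (this is example code written for this page, not a SecurityMetrics product), here is a small detector run over constructed authentication log lines. It assumes OpenSSH-style "Failed password"/"Accepted password" messages with an ISO timestamp prefix; the window and threshold values are assumptions you would tune for your environment, and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (OpenSSH-style lines with an ISO timestamp prefix);
# adjust the pattern for the appliances and applications in your CDE.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
WINDOW = timedelta(seconds=60)   # sliding window for counting failures
BRUTE_FORCE_THRESHOLD = 5        # failures from one source within WINDOW
SUSPICIOUS_PRIOR_FAILURES = 3    # a success after this many failures is an alert

def detect(lines):
    """Return alerts as (rule, source_ip, username, timestamp) tuples."""
    alerts = []
    recent_failures = defaultdict(deque)   # source ip -> failure timestamps
    already_flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                        # not an authentication event
        ts = datetime.fromisoformat(m["ts"])
        ip, user = m["ip"], m["user"]
        q = recent_failures[ip]
        while q and ts - q[0] > WINDOW:     # drop failures outside the window
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= BRUTE_FORCE_THRESHOLD and ip not in already_flagged:
                already_flagged.add(ip)     # one alert per burst, not per line
                alerts.append(("BRUTE_FORCE", ip, user, ts))
        else:
            # A success right after a burst of failures is the event that
            # matters most: the guessing may have worked.
            if len(q) >= SUSPICIOUS_PRIOR_FAILURES:
                alerts.append(("SUCCESS_AFTER_FAILURES", ip, user, ts))
            q.clear()
            already_flagged.discard(ip)
    return alerts

# Constructed sample log lines (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = [
    "2016-03-01T02:14:01 pos-srv1 sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2016-03-01T02:14:03 pos-srv1 sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "2016-03-01T02:14:04 pos-srv1 sshd[4023]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2",
    "2016-03-01T02:14:06 pos-srv1 sshd[4023]: Failed password for admin from 203.0.113.7 port 51030 ssh2",
    "2016-03-01T02:14:09 pos-srv1 sshd[4025]: Failed password for admin from 203.0.113.7 port 51041 ssh2",
    "2016-03-01T02:14:30 pos-srv1 sshd[4027]: Accepted password for admin from 203.0.113.7 port 51050 ssh2",
    "2016-03-01T02:20:11 pos-srv1 sshd[4031]: Failed password for jsmith from 198.51.100.2 port 40012 ssh2",
    "2016-03-01T02:20:15 pos-srv1 sshd[4031]: Accepted password for jsmith from 198.51.100.2 port 40012 ssh2",
    "2016-03-01T02:21:00 pos-srv1 sshd[4033]: pam_unix(sshd:session): session opened for user jsmith",
]

if __name__ == "__main__":
    for rule, ip, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} source={ip} user={user}")
```

On the sample, the burst from 203.0.113.7 produces one BRUTE_FORCE alert at the fifth failure and a SUCCESS_AFTER_FAILURES alert when the "admin" login succeeds 21 seconds later; jsmith’s single typo followed by a successful login produces nothing, which is the distinction a daily review needs the tooling to make for it.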

10. Lack of security processes and policies

Documentation and well-developed PCI security policy processes are often labeled "overkill," but I have personally seen that without set security procedures, companies fall right back into old habits of lax security.

Here are some great process tips that secure businesses employ:

Get everyone involved
All parties involved in the security of card data (from cashiers to IT administrators) need to have clearly assigned responsibilities for continual protection of card data. If someone doesn’t know their security responsibilities or isn’t following them, they could be the chink in the armor that leads to the loss of card data.

Get management buy-in
Security never really works from the bottom up. It should be mandated and supported from the top down. I’ve been in many audit situations where the IT technical staff wanted a “failing” audit report so that management would have to notice the issue and get involved. Don’t be that company!

Train employees
Employers hiring new employees with access to card data should have confidence in each employee’s ability to secure that card data. If your state law allows it, conduct background checks. For hired employees, don’t fall into the annual training trap. Train on security as often as possible, and employees will retain more.


Monitor third party PCI compliance
Many merchants rely on outsourcing for IT functions. If using outsourced third-party vendor services with access to your collected card data, you are responsible for making sure they agree to follow PCI DSS requirements. Don’t just take their word for it. Develop reasonable verification checks and only select vendors with your same dedication to security.

Assess risks and re-scope CDE frequently
Processes dealing with card data may change frequently due to the nature of a growing business. Define triggers that will result in a reassessment of any risks to card data (e.g., new software used, new data center location) as well as time-based triggers (e.g., annual assessment). This ensures new technology, processes, and vulnerabilities in the security posture don’t go undiscovered.

See Also: How to Make Your Auditors Happy and Pass Your Next PCI DSS Audit

How to break the fail-cycle

As a security professional I often feel like a broken record. I give the same advice to business after business, year after year. Change your passwords. Update your software. Follow your policies. People have trouble considering security a constant process.
Your compliance does not end with a checked checkbox.
Any change, no matter how small, could inadvertently take you out of compliance and make you vulnerable to attack.

Security isn’t a one-time thing. Security is a business-as-usual practice.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.

What is HIPAA Compliance, and How Long Will It Take?


HIPAA is a process, not a destination . . . but it doesn’t hurt to know your timeframe.

By: Thomas McCrory
HIPAA, the Health Insurance Portability and Accountability Act, is a U.S. federal law passed in 1996. Its implementing rules (the Privacy, Security and Breach Notification Rules) are written by the U.S. Department of Health and Human Services (HHS) and enforced by the HHS Office for Civil Rights (OCR) through complaint investigations and audits. The rules exist to ensure the confidentiality, integrity, and availability of patient information, both on paper and in electronic form.

I’ll try to cover the "what is HIPAA compliance" basics and not overwhelm you. If you want to learn more, you’ll see lots of external links to places that cover certain topics more in depth (like these useful HIPAA FAQ and HIPAA Myths articles).

Which organizations does HIPAA apply to?

HIPAA rules apply to two groups: covered entities and business associates.
  • A covered entity is a health plan, healthcare clearinghouse or healthcare provider that electronically transmits any health information (e.g., doctors, dentists, pharmacies, health insurance companies, company health plans, HIEs).
  • A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of a covered entity (e.g., CPA, attorney, third party IT, billing and coding, laboratories).
Ultimately, anyone who accesses PHI is responsible for upholding HIPAA compliance requirements. Individuals and companies can independently face criminal charges for mishandling patient health information. After all, you have a responsibility to patients.

Learn more in depth who is responsible for HIPAA violations.

What is HIPAA compliance?

In HIPAA, the OCR audit protocols are composed of the Privacy Rule, the Breach Notification Rule, and the Security Rule. Most healthcare organizations are already pretty familiar with the first two, so I generally focus on the Security Rule when discussing HIPAA compliance timeframes.

The HIPAA security challenge for most entities is technology and the fact that PHI is literally everywhere. Since the rise of electronic record implementation, it’s become more difficult to secure patient data from breach exposure. With each new mobile device, networked medical device, and computer come additional unsecured avenues to patient data.

The Security Rule requires certain safeguards for patient data. For example: encrypting email that contains PHI, logging off workstations when leaving them, securing data backups, signing business associate agreements, implementing risk management plans, conducting a risk analysis, enforcing security policies, and training workforce members regularly.

All in all, there are 77 Security Rule requirements that encompass 254 individual validation points.

Learn more about your HIPAA security requirements.

How long does HIPAA compliance take?

During a recent webinar, a rather persistent attendee asked, “I understand I have to do it, but how long does HIPAA compliance take?” Unfortunately for that webinar attendee, the answer to his question isn’t simple.

I can’t accurately determine how long it will take without a full assessment of an individual organization’s systems, workforce, and technology. And even then, the timeframe simply depends on too many variables.

Before I review those variables, let me make one thing very clear: HIPAA is not a destination; it’s a journey.

HIPAA compliance and HIPAA security are never 100% complete. Medical processes are always changing, workforce member turnover happens, technology is updated, and before you know it, the environment is significantly different from its last HIPAA assessment. My point is, HIPAA should be an ongoing ‘business as usual’ practice.

That being said, I know you’re still probably looking for a timeframe. So, let me try to estimate for you.

You may also be interested in: How Much Does HIPAA Compliance Cost?

There are a few things your timeframe will depend on, including but not limited to:
  • Your organization’s type: Are you a hospital, business associate, HIE, healthcare clearinghouse, or another type of healthcare provider? Each has different requirements for safeguarding patients’ information. For example, a third-party IT associate who only works with a single-location doctor’s office will have fewer HIPAA to-dos than an IT organization that oversees an entire hospital’s IT department.
  • Your organization’s size: Typically, the larger the organization, the more vulnerabilities it has. More workforce members, more programs, more processes, more computers, more PHI, and more departments mean you should allot more time to completing HIPAA requirements. Hospitals should expect to spend much longer on the HIPAA compliance process than, say, a single-location doctor’s office.
  • Your organization’s culture: If data security is one of upper management’s top priorities, increasing the time spent on HIPAA compliance probably isn’t a major internal struggle. In other cases, foot-draggers who don’t clearly understand the organization’s HIPAA responsibilities (from workforce members to board members) will make the process take a lot longer than necessary.
  • Your organization’s environment: Because HIPAA requires the most up-to-date and secure technology, outdated medical devices, computer operating systems, firewall types, and backend server models can negatively affect your HIPAA timeframe. Where PHI is stored can make a big difference in time and investment needed to properly secure your data. A virtual environment may be cheaper and easier to upgrade than a physical environment.
  • Your organization’s dedicated HIPAA workforce: Even with a dedicated HIPAA team, organizations usually require outside assistance or consulting to help them meet HIPAA requirements. Hiring an outside HIPAA consultant for a HIPAA audit will significantly reduce your organization’s time spent on items such as a risk analysis and risk management plan.
  • What you’ve already completed: Obviously, if you’ve already worked on HIPAA compliance or security, it will make an impact on how much longer HIPAA will take. (Take a quick HIPAA quiz to see how you’re doing.) For example, if you’ve already conducted a risk analysis, it will significantly decrease the time you must spend on analyzing how PHI is (or isn’t) secured at your organization.

HIPAA compliance timeframes

While accounting for the variables I listed above, here are some specific timeframes you can use to begin a HIPAA plan.

Hospitals and large healthcare organizations:
Expect HIPAA to be a full-time job for an entire team of healthcare risk and compliance professionals. If you’re starting from scratch, HIPAA compliance will likely take you 2-3 years (if not more).

Does that seem like a ridiculous estimate? First, think of how long it’s taken your employees to get up to speed with the HIPAA Privacy Rule. Now double that.

The Security Rule contains 77 requirements (three more than the Privacy Rule). Those 77 requirements have 254 validation points. Each of those validation points requires a big change in technology or process for your organization’s infrastructure. Not to mention the giant list of all business associates you’re required to monitor for HIPAA compliance as well.

The point is that healthcare organizations don’t already have the infrastructure to support HIPAA’s strict requirements for patient data security. It’s not just processes and training that need to happen. HIPAA may require an entire systems overhaul within your organization.

Because each large environment is unique, I highly recommend speaking with a HIPAA consultant who can break down what is expected of your organization and get you on a plan to HIPAA success.

Medium-sized healthcare organizations:
Medium-sized organizations are difficult to estimate, because they vary so much in size. But generally, from beginning to end, HIPAA will likely take you 1-2 years.

Because medium-sized entities usually have multiple locations, start a PHI flow chart to speed up your process. This helps you identify exactly where your PHI is, where it flows, and where it’s stored, so you can decide which patient data safeguards to implement.

Single-location healthcare providers and business associates:
With a full-time staff member devoted to HIPAA, it should take a typical office less than 6 months to become compliant. If a full-time employee isn’t realistic, or if you can only afford a few hours per week, HIPAA compliance will take longer.

Lucky for you, requirements that may take a large organization years to accomplish (e.g., business associate agreements, risk analysis, risk management plans, etc.) can be finished by a small organization in half the time.

Check out this 21-day plan for HIPAA compliance, specifically for small organizations.

Start now or risk spending even more time on HIPAA

What is HIPAA compliance? It’s the best and only government-sanctioned way to secure your patients’ sensitive medical data. It’s a necessary evil…that shouldn’t be considered evil. It’s expected.

HIPAA is not going away. In fact, I estimate that the HHS will release an updated version in the next few years.

For those putting HIPAA on the back burner, you are simply putting off the inevitable.

I don’t mean to depress you with these timeframes. I hope they give you a realistic expectation of what is truly required for HIPAA compliance. If you’re not sure where to start, check out this awesome software designed to track HIPAA progress. Get a free demo here.

Thomas McCrory (CISSP, MCITP, QSA) is a Security Analyst and has been with SecurityMetrics for a little over 2 years. He specializes in Risk Analysis and has a Master of Science in Information Systems from the University of Utah. Previously, Thomas worked as an EMT for 10 years.

Learn about HIPAA through the SecurityMetrics HIPAA Learning Center.