How The Process Works
The first step in performing a valid comprehensive HIPAA assessment is collecting and organizing the vast amount of data from a variety of sources. Our software tools provide a central repository to safely and securely collect the information.
Next, we conduct a “site interview” to obtain the answers to a series of questions about HIPAA-related IT issues such as ePHI. This step ensures we collect the same information a government auditor seeks.
Then we conduct an onsite survey to observe the environment and check on a wide range of security policies. There’s no guesswork here: Our service includes a comprehensive checklist of things to look for.
We use a series of computer-generated worksheets that are automatically cross-correlated with the collected data to ensure there are no anomalies. We also run local HIPAA scanners on each PC in your office to collect even more HIPAA-required data. All the information gathered is then analyzed by our specialists and organized into a set of official HIPAA Compliance reports and documents that we certify and provide to you as part of our service offering.
Issue Remediation
Preparing all of these documents is the most important step in avoiding fines for “willful neglect” of the law. But in order to provide the protection you need from a potential data breach and HIPAA fines, we review, prioritize and recommend fixes for any issues deemed to be potential HIPAA violations.
Action Items
What we need from you:
- Network/PC Administrator Account
We prefer not to have access to the current administrator password if possible. Recommended options: Company administrator types the password into our network discovery tools, or new (individual) administrator account for running the discovery tool.
- Microsoft Active Directory Domain name (if applicable)
- Name of Active Directory server (if applicable)
- Documented corporate policies and procedures that aid in our HIPAA assessment
Stage 1
- Obtain signed IT Assessment Confidentiality Agreement
Gives permission to collect and analyze information about your IT network with results discussed solely with you.
- Visit site and interview CEO/CTO
A brief discovery of your network to capture physical access measures, associated vendors, storage devices, electronic communication processes and so on.
- Connect discovery appliance to network
Network activity and load will increase and may affect performance. Automated scans are scheduled for non-working hours only.
- Scan all workstations/laptops
A small executable is run using local admin privileges.
- Initiate external vulnerability scan
Alert firewall administrators of pending tests to prevent false alarms.
Stage 2
- Additional data collection on unreachable or non-domain joined workstations/laptops
A small executable is run using local admin privileges.
- Visit facility and interview CEO/CTO (after initial automated assessment)
- Obtain accurate, minimal list of administrators and domain administrators
- Share permission review
- Network share and computer identification
Stage 3
- Final review with stakeholders
- Perimeter defense
- Patching to prevent vulnerabilities
- Antivirus/anti-spyware to combat malware
- Administrative access
- Access to sensitive information
- Physical security practices, including handling of removable drives, data center security, and access control
- Internal vulnerabilities
- Group policies
- Local security policies
- Unusual or unauthorized login attempts by employees or attackers
- Defunct or rogue users and computers
- Compliance-level auditing