Fulton County Health Center (FCHC), located in Northwest Ohio, is a full-service, independent, non-profit hospital that has been serving the community since 1973. Over the years the hospital has continued to grow, adding a variety of programs and services including an expanded Emergency Room, a Sleep Disorder Center, modern outpatient surgery suites, and a comprehensive diabetic education program, to name a few. Always looking forward, Fulton County Health Center continues to grow to meet the needs of the community.
Providing quality patient care services and maintaining community relationships are core principles for Fulton County Health Center. Protecting confidential patient information is also a critical concern, necessary to preserve patient trust and FCHC's reputation. For this reason FCHC engaged VioPoint to assess its compliance with the HIPAA Security Rule. VioPoint would perform a suite of HIPAA and policy-related security services to evaluate the HIPAA compliance of many critical applications and to review and address gaps in HIPAA-related policies. Additionally, VioPoint would extract the technical security controls relevant to Meaningful Use reporting for EHR-related applications.
While HIPAA compliance is certainly not new to healthcare organizations nowadays, finding efficient and effective methods to manage this complex process has become increasingly important.
VioPoint’s Approach to HIPAA Compliance
During a risk assessment it is important to understand how information assets are protected, transmitted and stored within the environment. For the first part of this project, the HIPAA compliance assessment, VioPoint assessed the information assets that transmit and store ePHI (electronic protected health information). To manage this work VioPoint used Modulo's Risk Manager, an IT GRC (governance, risk and compliance) application capable of performing security, risk and compliance assessments across many different regulatory and best-practice areas. Risk Manager provides an automated, efficient method for scoping and managing the project as well as for collecting and analyzing the data. It calculates risk using weighted values and develops scores based on the information collected. The results are then presented in both executive and detailed technical reports to help the organization understand its critical risk areas. The detailed recommendations also included a prioritized report listing the most critical controls to be investigated and remediated, in order of importance.
VioPoint's approach to this portion of the project included the following steps:
- Scoping Discussions – working with key stakeholders to validate the scope and to determine which HIPAA controls are global and which need to be assessed individually, asset by asset.
- Collect Data – a combination of manual and survey-based interviews with asset owners and stakeholders. VioPoint uses NIST SP 800-66 to review security controls as they pertain to the HIPAA Security Rule.
- Risk Scoring – a Modulo risk scoring mechanism that takes into account the criticality of each asset along with the probability of a threat exercising a vulnerability. Additionally, VioPoint constructed a HIPAA gap analysis.
- Reporting and Results Review – risk scores, recommendations and mitigation strategies for the identified risks are presented. A high-level strategic recommendation and project cost report is also provided alongside the detailed control-by-control results.
“Modulo Risk Manager allows us to assess a large number of controls in a relatively short time – minimizing the effect on end users. The built-in and customizable risk scoring also helps us turn around reports much quicker than traditional approaches,” commented Brian Clippard, Senior Security Consultant at VioPoint.
Policy Gap Analysis
For the second phase of the project, the Policy Gap Analysis, VioPoint worked with FCHC information security stakeholders to review all of the relevant policies and procedures that had been published and distributed to the appropriate users within the organization. VioPoint reviewed the documents and compared them against best-practice policy documents and the HIPAA Security Rule. The result was an examination of which policies and procedures were missing, from both a technical and an administrative perspective.
For the Policy Gap Analysis VioPoint reviewed the following:
- Organizational policies, information technology specific policies, security strategy documents and any procedures.
- Policy gaps for potential vulnerabilities, to identify theoretical exposures.
- Policy gaps for actual vulnerabilities and exposures that had occurred because of missing policy or procedure items.
- Roles and responsibilities for policy decision makers and any committee members tasked with creating or maintaining policies.
As a result of this examination, VioPoint provided comprehensive reports explaining any substantial gaps in HIPAA compliance. VioPoint also identified policy documents that needed editing as well as additional policies that should be implemented. The final deliverable included draft versions of new policies for FCHC to review, edit and implement.
“We really value the expertise and support VioPoint provided for our HIPAA and Policy Assessment,” commented Larry Hefflinger, Director of Information Systems, who continued, “In the end, we received detailed recommendations and updated policies that helped FCHC navigate the many challenges of maintaining HIPAA compliance.”
As a result of the project, Fulton County Health Center was able to assess its compliance with the HIPAA Security Rule and implement the policy changes and additions in its environment quickly and efficiently.