Compliance audits ensure that IT practices and systems align with healthcare regulations, laws, and internal policies. However, to be effective, auditing must go beyond checking systems and creating policies. To help physician practice groups understand the process and why it matters, John Garcia, Information Security Manager at Pixel Health, shared his team’s best practices for implementing proactive processes that support cybersecurity.
Conduct a yearly audit
The typical audit in a physician practice group takes around two to three months. To start this process, the Pixel Health audit team gathers current documentation, system logs, and cybersecurity training records. With this information, they interview the IT team and staff to understand their current workflows. The team then reviews the systems to check configurations, access logs, and security controls across the organization.
“In our experience working with physician practice groups, an audit will reveal risks and gaps in compliance given that systems and security practices are continually evolving,” said John. “As part of our audit reporting, we create a remediation plan to fix the issues, which may involve upgrading software or purchasing new equipment, developing compensating controls or updating policies to meet specific cybersecurity frameworks.”
Understand the effort and time required
A compliance audit or security assessment involves the entire organization. “Many companies think auditing is ‘just an IT problem,’ but it goes beyond the technical aspects,” explained John. “For example, different departments may handle various types of information, often with multiple data owners across the organization. Defining and managing each owner’s responsibilities is necessary for maintaining compliance and mitigating risk.”
Another part of the effort is creating comprehensive cybersecurity policies. The written information security policy (WISP) is the framework for how an organization handles its data. It is not just a requirement for healthcare practices; it is good practice for any business. The WISP functions as an overarching policy that describes how the security program is run and how the related security policies under that umbrella are operated. Our Cybersecurity Policy Info Sheet provides a high-level overview of the various policies that a WISP can cover.
Engage senior leadership and management
Senior leadership and management play a key role not only in developing policies and procedures but also in operationalizing them.
“It’s important that leaders are engaged in the process to help ensure the policies are incorporated in day-to-day workflows,” said John. “These policies affect multiple departments, if not the entire organization. Management must also be on board to shift behaviors so that their staff understand and follow the new or refined policies.”
Evaluate risk tolerance levels
As part of the auditing and policy development process, new risks may be identified. For example, a physician practice group may allow personal devices to connect to its corporate network, a practice referred to as BYOD (bring your own device). While convenient, this introduces significant risk: if a personal device is compromised and then connects to the corporate network, it can provide a direct pathway to corporate systems, potentially exposing sensitive data. Organizations must determine their risk tolerance and balance it against ease of use.
“Many organizations have decided to no longer allow personal devices to connect to their corporate network,” reported John. “From the IT perspective, technical controls can assist in blocking unauthorized devices, but well-communicated policies also help enforce this culture shift.”
Encourage a culture of compliance
John notes that compliance auditing may not be at the forefront of IT priorities, but it is essential.
“Security isn’t valued until an incident occurs. But as we often say, ‘It’s not if a security incident is going to happen, but when.’ That’s why we want to be as proactive as possible to ensure best practices are in place. This includes security awareness training to help users be more mindful of their day-to-day practices. Ultimately, with robust policies in place and annual auditing and remediation, we aim to develop a culture centered on compliance.”
Learn how Pixel Health works with physician practice groups to perform auditing and ensure the confidentiality, integrity, and availability of sensitive healthcare data.