HIPAA Compliance Pre-Audit
Plan, Skills, Costs and Tools
With over 17 years in healthcare IT and 19 years in cybersecurity, ScienceSoft helps healthcare providers and digital health companies keep PHI safe and stay HIPAA-compliant.
A HIPAA compliance pre-audit can help healthcare providers and business associates, such as IT contractors, billing companies, accounting service providers and others, evaluate PHI protection and get ready for an OCR audit. Healthcare software product companies and medical device manufacturers can benefit from HIPAA compliance assessment to be sure that their products meet HIPAA requirements before they enter the market.
- A HIPAA compliance pre-audit may include: a review of established security policies, procedures and employees’ security awareness; security testing of the software and IT infrastructure involved in storing, processing, transmitting or protecting PHI.
- Steps of a HIPAA compliance pre-audit: planning; resource preparation (assembling an in-house auditing team and preparing the required tools, or choosing a vendor to perform the assessment); launching and executing the audit.
- Auditing team roles: project manager, HIPAA compliance consultant, security testing engineers.
A comprehensive evaluation of HIPAA compliance may require different activities, depending on the type of healthcare services a company provides, the size of the company and its structural complexity, or (for healthcare technology vendors) the nature and complexity of a product. ScienceSoft lists the generally applicable guidelines on how to strategize, prepare resources for and carry out an efficient HIPAA compliance pre-audit.
1. HIPAA compliance pre-audit planning
Duration: 2-3 weeks
- Creating a checklist of the security policies and procedures applicable to your company as required by HIPAA. You may need to consider the following administrative, technical and physical security controls aimed at ensuring PHI protection:
  - Security management: PHI risk assessment, risk mitigation and incident response plans.
  - Security personnel: a security official responsible for developing and implementing security policies and procedures.
  - Information access management: ensuring against unauthorized or unnecessary use and disclosure of PHI.
  - Workforce management and training: appropriate authorization and supervision of employees; promoting their understanding of existing security policies and procedures.
  - Continuous evaluation of how security policies and procedures are implemented.
  - Access control: user authorization, password management, automatic log-off.
  - Transmission security: encryption of transferred sensitive health data.
  - Audit controls: monitoring and logging of all activities involving PHI.
  - Integrity controls: prompt detection of security breaches and protective measures against PHI theft or unauthorized modification.
  - Facility access controls: restricted access to the facilities containing PHI.
  - Workstation and device security measures.
- Identifying applications, databases, and network components that contain, transmit or protect PHI.
- Listing the staff members and business associates who have access to your company’s PHI.
- Estimating financial, time and human resources required for the audit.
- Developing a risk mitigation strategy to deal with unintentional data exposure, downtime or loss of access to the IT infrastructure caused by the audit activities.
2. Resources preparation for HIPAA compliance pre-audit
ScienceSoft’s experts outline common preparation steps for in-house and outsourced auditing projects.
3. Launch and execution of HIPAA compliance pre-audit
Duration: up to 10 weeks
To check if a company’s security policies and procedures meet HIPAA requirements, ScienceSoft’s compliance consultants recommend:
- Scrutinizing documentation on all security controls and activities related to PHI protection: risk analysis, breach notification, incident management, HIPAA training for employees, previous security testing for vulnerabilities, etc.
- Interviewing the staff to understand their security awareness level.
To see if the company’s software and IT infrastructure have security loopholes that can endanger PHI, ScienceSoft recommends:
- Running automated vulnerability scanning to find potential entry points to access sensitive health information.
- Reviewing the software architecture and source code for vulnerabilities that can endanger PHI protection.
- Exploiting vulnerabilities and simulating hackers’ attacks to access PHI.
Best practice: Security testers should try to find out how potential hackers could hide the traces of their unauthorized presence in the IT environment. This will help devise measures to prevent a repeated intrusion.
- Preparing an audit report that covers:
  - The HIPAA compliance assessment scope, for example documents on security policies and procedures aimed at PHI protection, components of the IT environment involved in operations with PHI, and staff members that have access to PHI.
  - Gaps in security policies and procedures or in employees’ knowledge that can lead to PHI exposure.
  - The security testing methodology and tools used during auditing, the detected vulnerabilities in software and IT infrastructure endangering PHI, and their nature, severity and probability of exploitation.
  - Corrective measures for all deviations from HIPAA requirements at the administrative, technical and physical levels.
Consider Professional Services for Your HIPAA Compliance Pre-Audit
ScienceSoft’s HIPAA compliance consultants and cybersecurity specialists offer their expertise to perform or plan a comprehensive HIPAA compliance pre-audit.
HIPAA compliance assessment planning
- Outlining HIPAA requirements applicable for your case.
- Determining the auditing scope (the assets and security controls to check).
- Defining the auditing steps.
- Calculating the HIPAA compliance pre-audit cost.
HIPAA compliance pre-audit
- Defining the assessment scope based on your company’s type, size, structure and IT environment.
- Working out an optimal assessment plan.
- Evaluating security policies and procedures as well as the required controls.
- Security testing of the IT infrastructure and applications to locate and explore vulnerabilities that may endanger PHI security.
- A detailed audit report and a roadmap on corrective measures to achieve HIPAA compliance.
Project manager
- Plans a HIPAA compliance pre-audit, calculates costs and estimates the time and human resources needed.
- Monitors and coordinates the auditing process.
- Ensures smooth communication between the stakeholders and the auditing team.
HIPAA compliance consultant
- Defines HIPAA requirements applicable for a specific company.
- Reviews security policies and procedures related to PHI protection to detect and document deviations from HIPAA regulations, if any.
- Interviews employees to check awareness of HIPAA requirements and IT security measures.
- Recommends a remediation plan for the company to become HIPAA-compliant.
- Helps prepare or improve documentation on security policies and procedures aimed at PHI breach prevention or remediation (incident management plan, risk assessment report, breach notification plan etc.).
Security testing engineers
- Run automated vulnerability scanners on software, networks or devices involved in operations with PHI.
- Review software architecture and source code to find the flaws that can undermine PHI security.
- Perform white box/gray box/black box penetration testing to find out the most probable ways to steal or modify PHI.
- Advise on fixing the detected gaps to protect PHI.
HIPAA compliance self-audit
Pros:
- No need to let third parties access your IT environment and sensitive health data.
- The auditing team is familiar with your healthcare service/product and activities involving the use of PHI.
- Possibility to regularly check HIPAA compliance as your corporate infrastructure grows or changes.
Cons:
- The need to build up a qualified auditing team, including security testing engineers knowledgeable about HIPAA compliance requirements.
- Heavy expenses on salaries and maintenance.
Third-party HIPAA compliance pre-audit
Pros:
- An impartial evaluation.
- Expert understanding of complex HIPAA requirements.
- Availability of all the necessary talents for an all-around HIPAA compliance assessment.
- The vendor takes over responsibility for all stages of the HIPAA compliance pre-audit.
Cons:
- Risks associated with sensitive data exposure.
- The vendor will need time to understand your internal processes and IT infrastructure.
Compliance manager is in-house; security testing team is completely or partially external
Pros:
- You get skilled compliance talents while preserving sufficient control over the auditing process.
Cons:
- Difficulty with finding a knowledgeable in-house compliance manager.
Vulnerability scanning of web applications and websites dealing with PHI
- Detects over 7,000 web application vulnerabilities, such as XSS, XXE, SSRF, SQL injections, host header injections, etc.
- Crawls HTML5 websites and AJAX-heavy client-side SPAs.
- Detects more than 50,000 network vulnerabilities when integrated with the OpenVAS network vulnerability scanner.
- Performs speedy scanning with few false positives.
- Prioritizes and classifies found vulnerabilities.
- Native integrations with CI/CD and issue trackers (Atlassian Jira, GitHub, GitLab, Bugzilla, etc.).
- User-friendly interface and simple setup.
- Out-of-the-box reports, including HIPAA compliance reports.
- Supports Windows, Linux and macOS.
Starting from $6,995/website/year
Burp Suite Professional
Web penetration testing
- Gartner’s Peer Review Customers’ Choice 2020.
- Recognized as G2 Leader Winter 2022.
- Acts as a proxy to intercept traffic and enables man-in-the-middle attacks.
- Includes a wide-coverage vulnerability scanner.
- Uses external servers to detect hidden vulnerabilities that bypass conventional SAST and DAST tools.
- Enables advanced attacks of all types: SQL injections, file path traversal, SSRF, XSS attacks, etc.
- Offers an embedded browser providing immediate access to the full Burp Suite functionality.
- Allows creating custom extensions and reports, and adjusting scanning and attack settings to your particular needs.
- Runs on Linux, Windows and macOS.
Remote web vulnerability scanning
- G2 Leader for Vulnerability Scanner Software.
- Supports macOS, Linux and Windows.
- Detects over 65,000 common vulnerabilities (CVEs), including missing patches, outdated software, misconfigurations, absent passwords, DoS vulnerabilities and more.
- Offers plug-ins for new vulnerabilities within 24 hours after the vulnerabilities become known.
- Provides scanning templates to streamline vulnerability assessment.
- Conducts automated scan analysis for remediation prioritization.
- Provides user-friendly navigation and actionable user guidance.
The cost of a HIPAA compliance pre-audit depends on the following factors:
- The auditing scope: the number of documents on PHI protection, the number of employees having access to PHI, the number and complexity of networks and applications involved in operations with PHI, etc.
- The complexity of the company’s security policies and procedures, software and IT infrastructure related to PHI.
- The diversity and complexity of applied testing types and techniques (automated vulnerability scanning, manual penetration tests, black/gray/white box pentesting, security code review, social engineering, etc.).
- The efficiency of the vendor’s HIPAA compliance team (in case of a third-party assessment).
- The license costs of scanning and pentesting tools (if these activities are performed in-house).
Example: A black box network vulnerability assessment of up to 200 IPs as part of a HIPAA compliance pre-audit may cost $5,000+.
ScienceSoft is a global provider of IT consulting, software development, and cybersecurity services headquartered in McKinney, TX. Since 2005, we have delivered services for the healthcare industry with special attention to PHI protection. ISO 9001 and ISO 13485 certifications prove our ability to build mature quality management systems. Being ISO 27001-certified, we guarantee the security of the customers’ data entrusted to us. If you need help with evaluating your HIPAA compliance, you are welcome to contact our team.