“I Passed My Compliance Audit; Now What?”

It’s that time again—time for your compliance audit. Depending on your business, it might be an annual audit from a government or regulatory entity, or it may be requested by someone with whom you’re about to do business—a prospective vendor, partner or client.

What’s involved in this audit? And if you pass, does that mean you’re good to go? What’s the next step?

What Is a Compliance Audit?

A compliance audit is a set of questions designed to make sure that you are complying with industry or federal regulations. Most often, these are related to security of information. The type of information varies, but the ultimate goal is the same: making sure that your organization is taking the appropriate steps to ensure the safety of the data that has been entrusted to you.

Audits across different industries ask different questions. A healthcare compliance audit will be looking for HIPAA metrics—steps taken to safeguard protected health information (PHI). Brokers are subject to FINRA compliance audits to ensure security in the financial industry, and organizations that contract with the federal government must meet NIST-based cybersecurity requirements (for example, NIST SP 800-171 for contractors that handle controlled unclassified information).

Compliance audits typically run 100 to 200 questions, most of which are highly technical and are best answered by your IT team or resource. It’s not a black-and-white pass/fail scenario, though. Since audits vary not only by industry but even from company to company, not every question will apply to your business. For example, a healthcare organization may send a HIPAA compliance audit to a potential vendor, but if the vendor doesn’t handle any PHI, many of the questions won’t apply. This doesn’t mean that the two can’t do business together; rather, it supports an informed discussion about their partnership.

If I Passed, That Means I’m Secure, Right?

Not exactly. As Anthony, one of our FIT engineers, explains, it’s just a first step. Compliance audits are concerned with specific aspects of your business and environment, not EVERY aspect. Parts of your network fall outside the audit’s scope, yet they can still contain weaknesses an attacker will use.

Plus, most audit questions are not a simple pass/fail; you may have passed, but with the equivalent of a C. Think of your compliance audit as a report card—an assessment of where you’re at, and where you can improve. Once you identify those areas, what do you do about them?

Next Steps

Your compliance audit helps you develop a TBP, or Technology Business Plan, for what adjustments or improvements your IT environment needs over the next 3-24 months. Areas that barely passed or didn’t pass will be the primary areas of focus for your IT team, and can spur projects or other resolutions to help strengthen and streamline your network.

Since the main focus of compliance audits is security, take a good look at the cybersecurity measures you have in place. New threats emerge every day, so it takes a proactive approach and constant vigilance to counter attacks and defend against new vulnerabilities and exploits.

At FIT Solutions, we are your go-to IT resource. We complete compliance audits for you and make recommendations based on the results. We also help prepare your environment to meet and repel cyberattacks. Give us a call today at 888-339-5694 or contact info@fitsolutions.biz to see what elite IT service is like.

6 Things Skilled Nursing Facilities Can’t Overlook in Their IT Setup

How do you protect your data and meet regulatory compliance guidelines with a limited IT staff? This ebook discusses six measures skilled nursing facilities can take to follow best practices for security and business continuity.


Small Businesses: Does the CCPA Affect You?

The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. This law deals with the right of consumers to know or even control how their personal information is used by organizations. For businesses that collect such information from consumers, this represents new burdens.

Do I Have to Comply with CCPA?

The CCPA comes with certain thresholds that may exclude some small or medium businesses from compliance requirements. What are these thresholds? You’re on the hook for compliance if you:

  • Are a for-profit business operating in California
  • Collect personal information from consumers
  • Exceed one or more of the following:
    • Buy, receive, sell or share the personal data of 50,000 or more consumers, households, or devices annually
    • Have gross annual revenues of over $25 million
    • Derive 50% or more of annual revenue from selling California residents’ personal data

I Don’t Meet the Thresholds, So Why Should I Worry About CCPA?

The CCPA is the most extensive state privacy law passed in the US to date. Other states are taking a page from California’s book and are considering or have already passed similar legislation. Plus, the prospect of different standards across multiple states could result in the enactment of a privacy law at the federal level. So even if the CCPA does not currently affect you, a law like it very likely will.

Looking at the legislative climate, given the CCPA and likelihood of more laws like it coming soon, it’s clear that there is an increasing recognition of the need for businesses to handle consumer data responsibly, for consumers to have the right to determine how that data can be used, and for businesses to protect consumer data against theft or loss.

What is “Reasonable Security”?

Part of the CCPA revolves around an organization’s responsibility to protect consumer data against theft or loss, such as through a data breach. If a business fails to implement reasonable security measures and a breach of nonencrypted, nonredacted personal information results, consumers can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater (note that encrypting the data is what keeps a breach outside this private right of action). What counts as “reasonable security” measures? The CCPA does not specify, but some legal experts refer to the state attorney general’s words in the California 2016 Data Breach Report:

“The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

The CIS Controls consist of 20 broad categories of action, each of which contains subcontrols in the form of specific tools and practices. Which subcontrols apply depends on the sensitivity of the data you’re protecting, the size of your organization, and the extent of your IT resources (CIS groups them into implementation groups for this reason). Together, these controls form a defense strategy against breaches and cyberattacks.

We recommend that companies of all sizes take a look at the CIS Controls—especially if you’re at or near a threshold for CCPA compliance. At FIT Solutions, we use CIS Controls and other security frameworks, like NIST, to follow best cybersecurity practices for our clients. Contact us or call 888-339-5694 for help in strengthening your organization’s defenses.

Amazon Alexa & Google Assistant for Senior Care: 4 Considerations

There is tremendous interest in using voice assistants such as Amazon Alexa and Google Assistant in skilled nursing, LTPAC facilities and assisted living settings. The devices that access these technologies — most often an Amazon Echo or Google Home speaker — can be used in conjunction with smart home technologies to control lighting, heating and cooling, home entertainment, communication and various other systems. With simple voice commands, residents can turn the lights on and off, set the thermostat, communicate with loved ones, create a shopping list, turn music on, hear the news and get the latest weather report.

These devices address various concerns around safety, promote feelings of independence, help seniors stay connected, and do a host of other very good things. Especially for those with limited mobility, cognitive issues or other challenges, voice control can be enabling for everyday life and contribute to overall well-being. When they are used in conjunction with sensors and other smart home-enabled technologies, you can appreciate why so many facility designers are beginning to incorporate these into their plans.

Sensors can detect whether the resident is active or inactive, or whether the refrigerator or medicine cabinet has been opened. They sense movement and turn pathway lighting on to prevent falls. Smart water systems monitor consumption to make sure residents are drinking enough water. Medication reminders and pill dispensers assist those with memory issues.

We love the advantages these technologies offer, but allow us to point out a few potential issues for facilities to consider.

Connectivity Requirements

These technologies rely heavily on the cloud for their fundamental operation, including the voice recognition that makes them tick. The various sensors and other smart-enabled devices and technologies are likewise “Internet of Things” (IoT) devices. They’re Internet-reliant — and the more functions they provide, the more residents rely on them for their everyday living. It’s a whole new world when “the lights won’t turn on” triggers an IT trouble ticket. Having highly reliable, regularly monitored and redundant Internet connections with failover capability and sufficient bandwidth is absolutely essential.

HIPAA Considerations

When voice assistants are used for medication reminders, gathering healthcare data or other medical matters, HIPAA regulations come into play. Amazon has recognized the medical applications for its technology, and has entered agreements with some third parties in the healthcare arena to deliver services over Alexa that are “HIPAA compliant.” This means that the specific skill’s data is collected and stored by that third party under a business associate agreement, in a HIPAA-compliant manner; it does not mean that any or every use of Alexa is “HIPAA compliant.” Even seemingly routine discussions about healthcare matters that happen to be picked up while the voice assistant is listening can lead to HIPAA exposure.

Wi-Fi Security Implications

Voice assistants rely on Wi-Fi for connectivity. If they’re going to be used for gathering and transmitting healthcare data that’s subject to HIPAA, they absolutely must be on a protected, facility-managed Wi-Fi network held to the same controls as the network that carries your EHR and other medical systems: encrypted, inventoried, monitored and covered by your risk analysis. Put them on their own segment (a separate SSID/VLAN) rather than directly alongside clinical systems, so that a compromised consumer device cannot reach the EHR; these devices take firmware updates from their vendor on the vendor’s schedule and you cannot patch or install an agent on them. Allow voice assistants on the guest-and-resident network only if they’re resident-owned and -installed, and you can be sure they’re functioning in a way that’s outside the reach of HIPAA.

Remember the Network

In our conversations with senior care facilities, the enthusiasm for voice assistant and smart home technologies is evident, and we share it! But we encourage you to keep the network and security implications in mind to ensure that these assets do not become liabilities.

At FIT Solutions, our managed IT services come with tools and expertise in network design and connectivity, monitoring and troubleshooting. If you have a project like this in mind, give us a call at 888-339-5694.

Windows 7 End-of-Life (EOL): How to Maintain HIPAA Compliance

You may soon be facing a HIPAA compliance headache on the workstations and servers in your healthcare facility. Microsoft support for Windows 7 and Windows Server 2008 (including 2008 R2) ends on January 14, 2020.

No more security patches will be issued after that date. This puts those operating systems at odds with the HIPAA administrative safeguards, which include the specification for “protection from malicious software” (45 CFR 164.308(a)(5)(ii)(B)), specifically “procedures for guarding against, detecting, and reporting malicious software.”

The end of support means that systems running those operating systems will remain unpatched against newly discovered vulnerabilities, leaving them highly exposed and, therefore, out of HIPAA compliance.

If you are still running those older operating systems, you’re not alone. Many companies still have Windows Server 2008 servers and Windows 7 workstations in their environments. While these operating systems are ten years old and newer systems are certainly better, organizations keep using them. They are very stable and continue to do their jobs well. But the longer you hang onto them, the greater the risk to your organization.

First, let’s talk about the risks, and then how to alleviate them without having to purchase all-new systems at once.

Lessons from Past Compliance Audits

After a data breach occurs, history shows that regulators conduct a thorough audit of the affected organization’s entire environment. They look at everything. Even if the breach was caused by an employee walking out with a thumb drive that was then lost or stolen, every other instance of non-compliance that the auditors uncover is subject to a fine, even if it had nothing to do with the breach. Organizations that have been found using Windows products that were past their end-of-life — such as Windows XP — have been fined for that in the past. Undoubtedly, Windows 7 and Server 2008 will be no exception.

Considering the Alternatives

Under the language of the HIPAA Security Rule, implementation specifications are listed as either required or addressable. “Protection from malicious software” is an addressable specification. That gives organizations a bit of wiggle room, but addressable does not mean optional. Complying with an addressable specification involves evaluating the risk, considering the measures that would mitigate it, implementing a reasonable and equivalent alternative where the specification itself isn’t feasible, and documenting the decision. (That’s the short version; HHS publishes official guidance on how to meet an addressable specification.)

Let’s say you find it impossible, or at least extremely cost-prohibitive, to replace all of your out-of-compliance operating systems by January 14. You could address the HIPAA specification by updating a set number of systems every month between now and the end of 2020, until all have been updated. In the meantime, you implement an Endpoint Detection and Response (EDR) monitoring system to keep an eye on the unpatchable systems, use full-disk encryption on the systems that hold protected health information (PHI), and, where a system must stay on the old OS for longer, consider Microsoft’s paid Extended Security Updates (ESU) program, which continues to deliver security patches for Windows 7 and Server 2008/2008 R2 for a limited period after the end-of-life date. Document each of these compensating controls against the systems they cover.

Hopefully, you have already performed this sort of analysis across all of the HIPAA specifications as part of your overall compliance effort. HIPAA requires you to perform a risk analysis, have a risk management plan, and document them both. Those are the first documents an examiner will want to see.
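The first thing the risk analysis needs is an accurate list of which systems are still on the out-of-support operating systems, whether they are still in use, and whether the compensating controls above (here, disk encryption) are actually in place on each one. The PowerShell script below is an added example, not a FIT Solutions tool and not from the original post. It assumes a domain-joined administrative workstation with the ActiveDirectory RSAT module installed, WinRM enabled on the legacy hosts, and that BitLocker status can be read through the Win32_EncryptableVolume WMI class (present on Windows 7 Enterprise/Ultimate and Windows Server 2008 R2 with the BitLocker feature installed; Windows 7 Professional has no BitLocker, and the script records that as an error rather than silently treating it as protected). The output file name and the 90-day staleness window are assumptions.

```powershell
# Added example (not the original post's code): inventory Active Directory for
# hosts still on Windows 7 / Windows Server 2008 (R2), record whether the OS
# volume is BitLocker-protected, and flag machines that have not logged on in
# 90 days so decommissioned accounts can be verified and removed rather than
# counted as live risk. Assumptions: ActiveDirectory module, WinRM on targets,
# Win32_EncryptableVolume WMI class available on the targets.
Import-Module ActiveDirectory

# AD filter syntax: OperatingSystem is the attribute populated by the OS itself.
$legacyFilter = 'OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows Server 2008*"'

$legacyHosts = Get-ADComputer -Filter $legacyFilter `
    -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
    Where-Object { $_.Enabled }

$staleCutoff = (Get-Date).AddDays(-90)   # assumed staleness window

$report = foreach ($h in $legacyHosts) {
    $status = 'Unreachable'

    # Only attempt remoting where WinRM answers; avoids long timeouts on dead hosts.
    if (Test-WSMan -ComputerName $h.DNSHostName -ErrorAction SilentlyContinue) {
        try {
            $vol = Invoke-Command -ComputerName $h.DNSHostName -ErrorAction Stop -ScriptBlock {
                # Get-WmiObject is used (not Get-CimInstance) because the targets
                # run PowerShell 2.0; the BitLocker cmdlets do not exist there.
                Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                    -Class Win32_EncryptableVolume -Filter "DriveLetter='C:'"
            }
            # ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown
            if ($null -eq $vol)                  { $status = 'NoVolumeData' }
            elseif ($vol.ProtectionStatus -eq 1) { $status = 'Protected' }
            elseif ($vol.ProtectionStatus -eq 0) { $status = 'Unprotected' }
            else                                 { $status = 'Unknown' }
        }
        catch {
            # e.g. "Invalid namespace" on editions without BitLocker, or access denied
            $status = "Error: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Host       = $h.Name
        OS         = $h.OperatingSystem
        OSVersion  = $h.OperatingSystemVersion
        LastLogon  = $h.LastLogonDate
        BitLockerC = $status
        Stale90d   = ($null -eq $h.LastLogonDate -or $h.LastLogonDate -lt $staleCutoff)
    }
}

$report | Sort-Object OS, Host | Format-Table -AutoSize
# Keep the CSV with the risk analysis; re-run monthly to show the migration progress.
$report | Export-Csv -Path .\legacy-os-inventory.csv -NoTypeInformation
```

Anything that comes back as Unprotected, Unreachable or an error on a machine that is not stale is a gap in the compensating controls you are documenting, and the dated CSVs from each monthly run are the evidence an examiner will ask for that the phased migration is actually happening.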

At FIT Solutions, we can advise you on all of the aspects of IT that impact your ability to comply with HIPAA. That includes helping you with your risk management and risk assessment plans and documentation, as well as assisting with your Windows 7 and Windows Server 2008 end-of-life planning.

Call us today at 888-339-5694.
