Does your organization perform routine HIPAA Security Risk Analyses?  If so, are those analyses “good enough”?  With the 2016 Office for Civil Rights (OCR) audits currently underway, and more audits looming for 2017, healthcare organizations would be wise to shore up their security regimens to ensure compliance with the HIPAA Security Rule.

OCR’s 2016 Audit protocol encompasses 180 requirements and implementation specifications from HIPAA Privacy, Security and Breach Notification Rules. While the primary audit objective is to assess compliance of the HIPAA regulated industry, a secondary objective is to discover industry-common vulnerabilities that have remained undetected during routine OCR complaint investigations and compliance reviews. Based on the broad scope of potential audit topics and on OCR’s stanch audit objectives, indications point to substantial failure rates.

Will your organization face a HIPAA audit in 2016?  If you are a Covered Entity or Business Associate, now is the time to test, analyze and remediate any vulnerabilities in your HIPAA Security, Privacy and Breach compliance. The Office for Civil Rights (OCR) has recently announced a new 2016 audit program targeting selected Covered Entities and Business Associates, with protocol that could likely result in significant enforcement actions.

HIPAA law requires covered entities to safeguard against “reasonably anticipated” threats to protected health information.  With healthcare security breaches making all too frequent headlines, the threat of malicious hacking can certainly be reasonably anticipated.  In fact, according to a May 2015 Ponemon Institute study, criminal attacks on healthcare data are up 125% compared to five years ago.  In this cyber-war landscape, healthcare organizations have a legal and ethical responsibility to identify and mitigate the likelihood of real-world threats to IT assets and physical security. Penetration testing can strategically position your organization to repel cyber-attacks.