We recently completed another Security Assessment and remediation plan development for a client that maintains HIPAA data. In this instance, the organization’s maturity was relatively low in areas of data access rights and controls around data access. For this client, there was an Information Access and Controls policy that had been developed, but the procedures for how the policy was to be implemented were incomplete, and there were no controls in place to prove that the policy was being adhered to.
When we presented our findings to the leadership team, the presentation turned into a productive conversation. It became clear to HR that they had a key role in maintaining HIPAA compliance by needing to notify IT when a person had been terminated to ensure that their systems access was revoked. They realized that not notifying IT about the termination was putting the company at risk. The leadership team then talked openly for the next 10 minutes about ways to notify IT about the termination. After talking through that example, we walked through the remaining remediation plan for the other areas of focus and it was clear that the leadership team “Got It”. Different members of the leadership team took on the areas of the remediation plan that affected their organization. When we met a few days later, we were quickly able to finalize and prioritize a remediation plan that had full buy-in by the leadership team.