Israeli companies often ask us about the roles of audit and risk management in their HIPAA security and compliance activities. At the eHealth conference in Israel last week – a lawyer gave a presentation on compliance and stated:
If you have to do one thing, make sure everything is documented – your policies and procedures, corrective action you took. Everything. That is your best line of defense.
Risk is not an independent variable that can be managed on its own, and it is not an exercise in paperwork. Risk is a function of external and internal threats that exploit weaknesses (vulnerabilities) in people, systems and processes in order to get at something of value (assets). The HIPAA Security Rule prescribes, in a well-structured way, how to implement the right security countermeasures to protect EPHI, the key asset your patients entrust to you.
While internal audit is not specifically mentioned in the HIPAA Security Rule (security review and risk management are, and they are key pieces of it), audit is crucial for staying on track over time.
According to the Institute of Internal Auditors, internal auditing is an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” Internal audits provide assurance and consulting services to management in an independent and objective manner. But what does that mean? It means that internal auditors can go into your business operation and determine if your HIPAA security and compliance is a story on paper or a story being acted out in real life.
However, neither internal audit nor a corporate risk management function is a line of defense.
Security and Privacy Rule compliance means investigating plausible threats, valuable assets, the vulnerabilities those threats could exploit, and the security countermeasures that mitigate those vulnerabilities and so reduce the risk, where risk is the result of threats exploiting vulnerabilities to damage assets.
When we frame security defenses in terms of mitigating attacks, we immediately see that neither audit nor corporate risk management falls into the category of countermeasures: they tell you whether your countermeasures exist and work, but they do not themselves stop an attack.