Healthcare Information Security

AHIMA issues privacy, security audit tips for providers

By Patrick Ouellette

The American Health Information Management Association (AHIMA) recently published its “Privacy and Security Audits of Electronic Health Information” guide, which lays out healthcare security audit best practices. Balancing the need to keep data useful and available for users against the need to keep it secure, AHIMA provided reminders and tips for security audits that use audit trails and audit logs to peer into back-end systems.

In addition to changing an organization’s culture and reducing risk, intermittent reviews of audit logs may be useful for detecting unauthorized access to patient information as well as providing forensic evidence during security investigations. Furthermore, auditing helps organizations track disclosures of PHI, learn of new threats and intrusion attempts, and determine the overall effectiveness of the organization’s policy and user education.

After going through healthcare federal regulatory requirements such as HIPAA, PCI and Meaningful Use, AHIMA detailed how organizations should establish a security audit strategy, decide what and how often to audit, and the best practices for implementing audit tools. Starting with a diagram of how ePHI flows within the organization, the organization must learn what its applications and systems are capable of logging in order to understand what is auditable and how frequently audits will occur. Organizations should also get the right people, such as users, human resources, and board members, involved in the audits. Additionally, according to AHIMA, organizations would be smart to develop a standard set of documents used to investigate and record potential violations and breaches. These were some examples of the types of instances where organizations should audit internal user viewing:

- The record of a patient with the same last name or address as the employee

- VIP patient records (i.e., board members, celebrities, governmental or community figures, physician providers, management staff, or other highly publicized individuals)

- The records of those involved in high-profile events in the community (i.e., motor vehicle accident or attempted homicide)

- Patient files with isolated activity after no activity for 120 days

- Other employee files across departments and within departments (Note: Organizations should set parameters to omit legitimate caregiver access)

- Records with sensitive health information, such as those involving psychiatric disorders, drug and alcohol records, domestic abuse reports, and HIV/AIDS

- Files of minors who are being treated for pregnancy or sexually transmitted diseases

- Records of patients the employee had no involvement in treating (i.e., nurses viewing patient records from other units)

- Records of terminated employees (Note: Organizations should verify that access has been rescinded)

- Portions of a record that an individual would not ordinarily have a need to access based on his or her discipline (i.e., a speech therapist accessing a pathology report)

Finally, specialized, third-party audit tools use prewritten queries and reports and automatically analyze data and quickly generate audit reports based on search criteria that match an organization’s audit “triggers”. This allows an organization to collect and analyze information as soon as the following day in some cases.
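To make the trigger list and the “prewritten queries” concrete, here is an added example (not AHIMA’s guidance text or any vendor’s audit tool) that replays a constructed EHR access log against several of the triggers above: same last name or address as the employee, VIP records, employee records viewed by non-caregivers, records of patients the user had no treatment relationship with, record sections outside the user’s discipline, activity on a record dormant for more than 120 days, and any access by a terminated account. The employees, patients, log entries, roles and the permitted-section table are all assumptions made up for the example; a real deployment would read the application’s audit trail and the HR and care-team directories instead.

```python
"""Constructed illustration of reviewing EHR access logs against the AHIMA
audit triggers listed above. Added example; not AHIMA's or any vendor's code,
and every employee, patient and event below is made up."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

DORMANT_DAYS = 120  # trigger: isolated activity after no activity for 120 days


@dataclass
class Employee:
    user_id: str
    last_name: str
    address: str
    role: str           # discipline, e.g. "nurse" (assumed role names)
    unit: str
    terminated: bool = False


@dataclass
class Patient:
    mrn: str
    last_name: str
    address: str
    unit: str
    vip: bool = False
    employee_user_id: Optional[str] = None      # set when the patient is also staff
    care_team: set = field(default_factory=set)  # user_ids with a treatment relationship


@dataclass
class AccessEvent:
    when: date
    user_id: str
    mrn: str
    section: str        # record section viewed, e.g. "notes", "pathology"


# Sections a discipline would ordinarily need (assumption for this example)
ALLOWED_SECTIONS = {
    "nurse": {"notes", "meds", "labs"},
    "speech_therapist": {"notes", "therapy"},
}


def review_event(ev, employees, patients, history):
    """Return the names of every trigger an access event matches.
    `history` maps mrn -> list of earlier access dates (ascending)."""
    emp, pt = employees[ev.user_id], patients[ev.mrn]
    treating = ev.user_id in pt.care_team   # legitimate caregiver access is exempt
    hits = []
    if emp.terminated:
        hits.append("terminated_employee_access")
    if emp.last_name.lower() == pt.last_name.lower() or emp.address == pt.address:
        hits.append("same_name_or_address")
    if pt.vip:
        hits.append("vip_record")
    if pt.employee_user_id and pt.employee_user_id != ev.user_id and not treating:
        hits.append("employee_record_non_caregiver")
    if not treating and emp.unit != pt.unit:
        hits.append("no_treatment_relationship")
    if ev.section not in ALLOWED_SECTIONS.get(emp.role, set()):
        hits.append("section_outside_discipline")
    prior = history.get(ev.mrn, [])
    if prior and (ev.when - prior[-1]).days > DORMANT_DAYS:
        hits.append("dormant_record_activity")
    return hits


def run_review(events, employees, patients):
    """Replay events in date order; return {(date, user, mrn): [triggers]} for hits only."""
    history, findings = {}, {}
    for ev in sorted(events, key=lambda e: e.when):
        hits = review_event(ev, employees, patients, history)
        if hits:
            findings[(ev.when.isoformat(), ev.user_id, ev.mrn)] = hits
        history.setdefault(ev.mrn, []).append(ev.when)
    return findings


# Constructed staff directory, patient index and access log (all made up)
EMPLOYEES = {e.user_id: e for e in [
    Employee("u100", "Garcia", "1 Elm St", "nurse", "ICU"),
    Employee("u200", "Lee", "9 Oak Ave", "speech_therapist", "Rehab"),
    Employee("u300", "Patel", "5 Pine Rd", "nurse", "ICU", terminated=True),
]}
PATIENTS = {p.mrn: p for p in [
    Patient("p1", "Garcia", "22 Main St", "ICU", care_team={"u100"}),
    Patient("p2", "Smith", "7 Birch Ln", "ICU", vip=True, care_team={"u100"}),
    Patient("p3", "Patel", "5 Pine Rd", "Rehab", employee_user_id="u300"),
    Patient("p4", "Nguyen", "3 Cedar Ct", "Rehab", care_team={"u200"}),
]}
EVENTS = [
    AccessEvent(date(2024, 1, 10), "u100", "p2", "notes"),
    AccessEvent(date(2024, 1, 11), "u100", "p1", "meds"),
    AccessEvent(date(2024, 1, 12), "u200", "p4", "therapy"),
    AccessEvent(date(2024, 6, 1), "u200", "p4", "pathology"),
    AccessEvent(date(2024, 6, 2), "u100", "p3", "notes"),
    AccessEvent(date(2024, 6, 3), "u300", "p2", "notes"),
]

if __name__ == "__main__":
    for key, hits in run_review(EVENTS, EMPLOYEES, PATIENTS).items():
        print(*key, ", ".join(hits))
```

Each finding carries every trigger it matched, so a reviewer sees, for instance, that the terminated account’s view of the VIP record also broke a 120-day quiet period. The care-team exemption is what keeps legitimate caregiver access out of the report, as the note on employee files above recommends; the unit-mismatch rule is a deliberately coarse stand-in for “no involvement in treating” and would be tuned per organization.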

Read through the rest of AHIMA’s advice here.
