Data Audit for Health Informatics
- ali@fuzzywireless.com
- Mar 4, 2022
- 2 min read
Yeagley (2015) defines audits as periodic validation of an enterprise's IT security implementation by a certification authority. Security audits should be performed to compare the current security posture against the security policy (Rhodes-Ousley, 2013). Audits can be performed by internal departments as well as outside agencies (2013). Audits by an unbiased third-party agency help to highlight weaknesses in the security policy and its enforcement. They can be performed at annual, quarterly, monthly or any other regular interval; however, an annual audit ensures the operational compliance of IT security and policy (2013). Audits are usually performed to comply with federal, state or industry regulations (Yeagley, 2015).
From the health industry perspective, Chouffani (2010) highlighted several key areas for audit and assessment:
1. Evaluate the HIPAA compliance of electronic medical records
2. Evaluate the wired and wireless network access points and backhaul
3. Evaluate the encryption state of data storage
4. Review the access and security of systems, which include laptops, tablets, computers etc.
5. Evaluate the business continuity plan and disaster recovery plan
6. Review the entities who have access to health care data outside the organization
7. Review metrics such as availability, security, confidentiality, fault tolerance and integrity (2010)
Jones, Ross and Ruusalepp (2009) break the data audit framework down into four key steps: planning, identifying and classifying data assets, assessing the management of data assets, and the final report. In the planning phase, the scope of the audit is defined, followed by identification of the assets to be audited. The management of those assets is then audited in detail from the perspective of access, operations, management, security, compliance, ownership and so on, followed by a formal report (2009).
For audit purposes, a network monitoring control entity in a given health care organization can help in tracking security incidents, traffic, invalid access attempts, compliance records, high-access accounts, the encryption rate across all storage media and so on. On the other hand, a network security entity will offer insights into assets (desktops, laptops, smartphones etc.), installed applications, firewalls, anti-virus and the like.
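To make the evidence described above concrete, here is an added example (not code from the post or any of the cited authors) that turns a small, constructed asset inventory and access log into the audit figures a monitoring function would hand to an auditor: the encryption rate across storage media, devices holding health data without encryption, invalid login attempts per account, and accounts whose successful access volume is far above their peers. The asset fields, log line layout, and the median-based threshold for "high-access" are assumptions made for the example.

```python
"""Data-audit metrics over a constructed asset inventory and access log.

Added example, not from the original post. All inventory rows and log
lines below are constructed for illustration; the field names and the
"high-access" rule (more than `factor` times the median number of
successful accesses) are assumptions of this example.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Asset:
    asset_id: str
    kind: str        # laptop, desktop, smartphone, usb, nas (assumed categories)
    media: str       # storage media type the encryption question applies to
    encrypted: bool  # is the storage encrypted at rest?
    holds_phi: bool  # does the device hold protected health information?


# Constructed inventory: five devices, three of them encrypted.
ASSETS = [
    Asset("LT-01", "laptop", "ssd", True, True),
    Asset("LT-02", "laptop", "ssd", False, True),   # PHI on an unencrypted disk
    Asset("DT-01", "desktop", "hdd", True, False),
    Asset("USB-01", "usb", "usb", False, True),     # PHI on an unencrypted stick
    Asset("NAS-01", "nas", "nas", True, True),
]

# Constructed access log: "<timestamp> <account> <OK|FAIL> <resource>".
ACCESS_LOG = """\
2022-03-01T08:00:01 nurse01 OK ehr
2022-03-01T08:02:10 nurse01 OK ehr
2022-03-01T08:05:44 doc02 OK imaging
2022-03-01T08:06:02 doc02 FAIL imaging
2022-03-01T09:00:00 admin OK ehr
2022-03-01T09:00:05 admin OK ehr
2022-03-01T09:00:09 admin OK billing
2022-03-01T09:00:12 admin OK imaging
2022-03-01T09:00:20 admin OK ehr
2022-03-01T09:00:31 admin OK billing
2022-03-01T10:15:00 intern FAIL ehr
2022-03-01T10:15:07 intern FAIL ehr
2022-03-01T10:15:15 intern FAIL ehr
"""


def parse_log(text):
    """Return a list of (timestamp, account, result, resource) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, result, resource = line.split()
        events.append((ts, account, result, resource))
    return events


def encryption_rate(assets, media=None):
    """Fraction of assets (optionally only one media type) encrypted at rest."""
    pool = [a for a in assets if media is None or a.media == media]
    if not pool:
        return 0.0
    return sum(1 for a in pool if a.encrypted) / len(pool)


def unencrypted_phi_assets(assets):
    """Devices that hold PHI but are not encrypted: the auditor's first finding."""
    return sorted(a.asset_id for a in assets if a.holds_phi and not a.encrypted)


def failed_attempts(events):
    """Invalid access attempts per account."""
    return dict(Counter(acct for _, acct, result, _ in events if result == "FAIL"))


def high_access_accounts(events, factor=2.0):
    """Accounts with more than `factor` x the median number of successful accesses."""
    ok = Counter(acct for _, acct, result, _ in events if result == "OK")
    if not ok:
        return []
    threshold = factor * median(ok.values())
    return sorted(acct for acct, n in ok.items() if n > threshold)


def audit_report(assets, log_text):
    """Bundle the metrics into one record suitable for the formal audit report."""
    events = parse_log(log_text)
    return {
        "encryption_rate_all": encryption_rate(assets),
        "encryption_rate_by_media": {
            m: encryption_rate(assets, m) for m in sorted({a.media for a in assets})
        },
        "unencrypted_phi_assets": unencrypted_phi_assets(assets),
        "failed_attempts": failed_attempts(events),
        "high_access_accounts": high_access_accounts(events),
    }


if __name__ == "__main__":
    for key, value in audit_report(ASSETS, ACCESS_LOG).items():
        print(f"{key}: {value}")
```

Run as a script it prints each metric; on the constructed data the encryption rate is 0.6 overall, two PHI-bearing devices (LT-02, USB-01) are unencrypted, the intern account shows three failed attempts, and admin is flagged as a high-access account. In a real organization the inventory and log would come from the asset-management and authentication systems, and the thresholds would be set by the audit scope agreed in the planning phase.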
References:
Jones, S., Ross, S. & Ruusalepp, R. (2009). Data Audit Framework Methodology. Retrieved from https://www.data-audit.eu/DAF_Methodology.pdf
Chouffani, R. (2010). Medical IT Audit and Technology Assessment. Retrieved from https://searchhealthit.techtarget.com/healthitexchange/meaningfulhealthcareinformaticsblog/medical-it-audit-and-technology-assessment/
Rhodes-Ousley, M. (2013). Information Security: The Complete Reference. New York, NY: McGraw-Hill.
Yeagley, G. (2015). IT Auditing and IT Risk Assessment: What’s the difference? Retrieved from https://www.compassitc.com/blog/it-auditing-and-it-risk-assessment-whats-the-difference