Resources for Health Insurance Portability and Accountability Act (HIPAA)
Changing a mindset: Audits are no longer one-off events
www.scmagazineus.com

Not long ago, audits were a sporadic occurrence for an IT department. While most regulatory mandates included sections that addressed IT controls, these portions of the regulations were not the initial focus of auditors, so they were largely ignored.
Therefore, even though validating IT security controls was part of the law, the laws failed to provide any evidence that appropriate security measures had actually been implemented until years after the laws were initially enacted, when auditors changed their enforcement focus.
This initial enforcement gap left executives with a false sense of confidence that, in some cases, provided the opportunity to manipulate financial and personal information. As regulatory audits began to shift their focus to an organization's IT controls, there was little advance preparation and almost no automated technology capable of providing appropriate validation of controls. This led to lengthy audit preparation, usually requiring tremendous manual efforts involving significant outsourcing.
Unfortunately, many organizations are still following this short-sighted approach. While no one relishes the audit process, when approached correctly, the end result can provide additional value through improved business processes and reduced risk of exposure. After all, the intent of compliance laws is to prove that organizations are properly protecting sensitive information.