A healthcare organization's most valuable information is, naturally, kept in its IT systems. It is therefore imperative for the organization to keep a complete tab on its IT security. The method by which this is done is called an information security audit.
Patient records and the organization's finances are just two of the many documents of crucial importance that a healthcare organization's IT systems hold. If these systems are vulnerable, the business suffers: security lapses that lead to leaks of important data not only undermine the healthcare organization's reputation; they can also invite class action lawsuits.
Information security audits are gaining importance in business circles to the extent that many financial institutions, investors and even customers insist on one before entering into financial dealings with a healthcare organization.
What are the ways in which an information security audit is to be carried out?
An information security audit is carried out through a well laid out, thorough process. It consists of the following steps:
Planning and preparation with the auditor: All the details relating to the information security audit should be discussed with the auditor. Most organizations engage external, independent auditors for the information security audit. Since an information security audit covers all aspects of information security, the healthcare organization should make clear to the auditor every aspect of its IT, such as the organization's IT policy and the details of its operating systems and software applications.
Having clear audit objectives: This is a major step that decides what exactly the organization wants audited in order to mitigate risk. It helps the auditor determine whether proper controls and security measures are in place.
Carrying out the audit review: The auditor usually does this by physically visiting the data center and gaining a complete understanding of how the organization processes information and carries out its set procedures.
Review: This is done after the information security audit has been carried out. During this review, the client and the auditor discuss the entire exercise of the information security audit.
What should be audited?
An information security audit has to look at all the areas that matter to the IT security of the healthcare organization. It should look specifically at the following:
- Network vulnerabilities, since it is through networks that data is transmitted
- Structural security
- Specific tools used in network security, such as anti-virus software, logical security and access controls, firewalls and proxy servers, and auditing systems such as log management
- Encryption and IT