United States

Beyond HIPAA compliance

Aligning IT audit and information security to manage information risks


Download Paper

Health Information Portability and Accountability Act (HIPAA) requirements are not new to information security and privacy professionals. A well-managed information security function must be in place to protect a health care organization’s technology and processes, and also protect sensitive data such as electronic protected health information (ePHI). However, emerging technologies and the depth and quality of regulatory audits and reviews require organizations to be agile--addressing emerging areas such as medical device security, vendor management and business associate security.

Mature health care organizations can also leverage the IT audit function to fully understand and manage their risk posture. Unfortunately, in many cases IT audit, IT security and health care privacy operate in silos. However, optimal results are realized when these groups have a robust partnership and work in concert.

Recent rule changes and more aggressive regulatory enforcement have led to significant fines for noncompliance and increased pressure to implement effective security measures. In most cases, it is costlier to react to a security issue than to proactively invest in a mature security framework. A data breach can lead to severe financial sanctions, costs to respond to the breach, reputational damage and potentially jeopardizing sensitive patient information.

However, even amid a rapidly changing information security environment, health care organizations can employ several strategies to better secure their environment. Implementing an existing, formalized framework can increase security measures and align with HIPAA compliance demands. In addition, collaboration and alignment between IT security and IT audit can bring consistency to risk management efforts and can allow the organization to manage HIPAA compliance risks and general controls, and allow management to take a broader view of enterprise-wide risks.       


How can we help you?

Contact us by phone 800.274.3978 or
submit your questions, comments, or proposal requests.

Rapid Assessment®

Complete our Rapid Assessment form to be contacted about receiving our "quick-hit" diagnostic of your critical areas of operations.




AML and regulatory compliance webcast series: Winter 2018

  • February 13, 2018


Cybersecurity risks for employee benefit plans

  • January 11, 2018


Understanding cybersecurity and operational risks of cryptocurrency

  • November 09, 2017


Cybersecurity best practices and considerations for the public sector

  • October 26, 2017


Learn the real cost of a data breach

  • October 17, 2017