424
A Practical Guide to Security Assessments
purpose as the other questionnaires in this book. Although the questions are basically
from the regulations themselves, there is guidance with each of the sections to help
you understand why a given question is important. This questionnaire can facilitate
a conversation to do much of the initial fact-finding. You obviously must still test
and verify based on the client.
There are many software packages now on the market that automate much
of what is being asked here. This questionnaire complements those software
packages, and each has its place. As you talk with senior or managerial-level
individuals at health care organizations, you should be armed with knowledge
about the importance of a given regulation, the difference between a “required”
specification and an “addressable” specification (discussed in a subsequent
section), and how the HIPAA security requirement maps to information security
best practices. This questionnaire will help you to become knowledgeable about
the HIPAA security regulations and help facilitate the information gathering
process for the assessment. Once you have the initial information, software
packages might be appropriate for collecting information in larger environments
or to generate reports that are customized for HIPAA security. Tools can save
significant time and produce standard reports that are useful for your client.
QUESTIONNAIRE STRUCTURE
The specific sections of the HIPAA security questionnaire are as follows:
• Is the entity subject to the HIPAA security regulations?
• What is the extent of the electronic protected health information?
• HIPAA security requirements
– Administrative security regulations
– Physical security regulations
– Technical security regulations
This HIPAA security questionnaire follows the regulations from the Federal
Register. Unlike the other questionnaires, the questions contain some guidance
information but no risks. One reason for this is that many of these questions have
been covered in other questionnaires where the risks have already been identified.
In addition, because HIPAA is something that is mandated, companies subject to
the regulation must comply.
For the questions in the HIPAA requirements section, the structure contains the
following:
• Specification directly from the HIPAA security regulation (as stated in
the Federal Register).
• For each requirement there is a set of questions to help determine whether
a client is in compliance with the requirement. These questions are an
initial list and, as with the other questionnaires, you should modify them
to fit the requirements of your client. These questions are there to help
you determine whether the company is in compliance with the specific
HIPAA regulation, so you can use them at your discretion.