Risk: Lack of audit control mechanisms to record and examine activity in information systems that contain or use ePHI
Explanation: Information systems must be equipped with audit controls that track and record system activity; this matters especially for detecting security violations. Most audit controls also produce audit reports of the recorded system activity.
- Evaluate and understand the current technical infrastructure, hardware and software security capabilities.
- Perform a risk analysis, determine the risks and possible mitigation/avoidance strategies.
- Decide on the audit controls that work for information systems in the physician’s practice containing ePHI.
Secondary Mitigation: The organization must have more than one person conduct the audit process and report the results. It may also be a good idea to have IT vendors explain how audits are conducted, and to have the process documented.
Success Criteria: Data gathered from audit controls, reviewed periodically, can help verify whether the audit control mechanisms are actually tracking activity in information systems. Having an outside third-party organization audit the audit control system itself can verify that the organization's audit controls are working properly.
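The following is an added example, not part of the original risk entry, showing the two halves this entry calls for: an audit control that records each access to ePHI in a tamper-evident (hash-chained) trail, and the periodic review of that data that the success criteria describe. The sample events, the 07:00-18:59 business-hours window, and the "more than five distinct patient records per review" threshold are constructed assumptions for the demonstration; a real practice would set them from its own risk analysis.

```python
"""Added example (not from the original entry): a minimal hash-chained audit
trail for an ePHI system plus a periodic review that reports on it.
Sample events, business hours and the volume threshold are constructed assumptions."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime

GENESIS = "0" * 64             # prev-hash used by the very first record
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 counts as normal working time (assumption)
VOLUME_THRESHOLD = 5           # more distinct patient records than this is flagged (assumption)


def _digest(entry):
    """Hash every field except the record's own hash, in a canonical order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only list of ePHI access events, each chained to its predecessor."""

    def __init__(self):
        self.records = []

    def record(self, ts, user, action, record_id):
        """Append one event; its hash covers its fields and the previous hash."""
        prev = self.records[-1]["hash"] if self.records else GENESIS
        entry = {"ts": ts, "user": user, "action": action,
                 "record_id": record_id, "prev": prev}
        entry["hash"] = _digest(entry)
        self.records.append(entry)
        return entry["hash"]

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad record.
        An edited, deleted or reordered record breaks the chain from that point on."""
        prev = GENESIS
        for i, e in enumerate(self.records):
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def review(trail):
    """Periodic review: after-hours access, users touching many records, chain integrity."""
    after_hours = []
    distinct = defaultdict(set)
    for e in trail.records:
        # Timestamps are ISO-8601 UTC; "Z" is rewritten so older Pythons can parse it.
        hour = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).hour
        if hour not in BUSINESS_HOURS:
            after_hours.append((e["ts"], e["user"], e["action"], e["record_id"]))
        distinct[e["user"]].add(e["record_id"])
    high_volume = {u: len(s) for u, s in distinct.items() if len(s) > VOLUME_THRESHOLD}
    return {"after_hours": after_hours,
            "high_volume_users": high_volume,
            "chain_ok": trail.verify() == -1}


# Constructed sample activity for one day (not real data).
SAMPLE_EVENTS = [
    ("2024-03-04T09:15:00Z", "dr.alice", "view", "pt-1001"),
    ("2024-03-04T09:20:00Z", "dr.alice", "update", "pt-1001"),
    ("2024-03-04T14:05:00Z", "nurse.bob", "view", "pt-1002"),
    ("2024-03-04T23:40:00Z", "billing.carol", "view", "pt-1001"),
    ("2024-03-04T23:41:00Z", "billing.carol", "view", "pt-1002"),
    ("2024-03-04T23:42:00Z", "billing.carol", "view", "pt-1003"),
    ("2024-03-04T23:43:00Z", "billing.carol", "view", "pt-1004"),
    ("2024-03-04T23:44:00Z", "billing.carol", "view", "pt-1005"),
    ("2024-03-04T23:45:00Z", "billing.carol", "export", "pt-1006"),
]


def build_sample_trail():
    trail = AuditTrail()
    for ev in SAMPLE_EVENTS:
        trail.record(*ev)
    return trail


def tamper_demo():
    """Alter one stored record in place; verify() should point at its index."""
    trail = build_sample_trail()
    trail.records[3]["user"] = "nurse.bob"  # rewrite who accessed pt-1001
    return trail.verify()


if __name__ == "__main__":
    t = build_sample_trail()
    print(json.dumps(review(t), indent=2))
    print("first bad record after tampering:", tamper_demo())
```

Two design points matter for the entry's success criteria. The review function reads only what the audit control recorded, so an empty or stale report is itself evidence that the control has stopped tracking activity. And because each record carries the hash of its predecessor, a second reviewer (or an outside auditor) can re-run `verify()` on a copy of the trail and confirm that nothing was removed or rewritten after the fact, which is what makes a separately reviewed trail more trustworthy than a plain log file.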