
OCR Phase II Audit Has Launched - Time To Get Access Under Control

By Fouad Khalil on March 31, 2016
Fouad Khalil

VP of Compliance with extensive experience in the technology space with more than 25 years spanning disciplines in software development, IT support, program and project management and most recently IT Security and Compliance management. Key areas of focus include: Information Technology, Internal Controls over financial reporting, Sarbanes-Oxley, PCI DSS, and HIPAA/HITECH compliance. Experienced in security training and awareness as part of corporate governance and regulatory compliance. ISACA Member & CISA Certified

I recently attended the 24th National HIPAA summit in Washington, DC and had the opportunity to mingle and catch up with my compliance peers. I walked away realizing that the HIPAA/HITECH compliance tidal wave is not letting up any time soon. Listening to healthcare industry leaders and members of the private and government sectors led me to believe that we have a long and tough path to compliance ahead of us.

It was clear to many that the healthcare industry must start considering Cybersecurity and what reasonable and appropriate controls are required to ensure continued protection of electronic Protected Health Information (ePHI).

Given the complexity of the law and what individuals’ rights to access PHI are, HHS has released new FAQs on Access Guidance to assist health organizations with adherence to the rule.  Considering the criticality of access controls to ePHI and the level of scrutiny by HHS/OCR, health organizations need to ensure all access is accounted for.

Given that SSH keys represent 80-90% of all access to production (also known as the “hidden plumbing”) and that SSH comes with all Linux, Unix, Mainframe, Apple and soon Windows platforms, organizations must address all vulnerabilities and mitigate all risks associated with poor or missing management of SSH keys.

I continue to emphasize in my presentations that organizations across all markets must consider SSH keys as part of their access lifecycle management process.  Please consider this formula:


I am a firm believer that every security professional's goal is to work themselves out of a job. If all is compliant and secure, what is left to do? OK, that was a nice quick dream, but now let us jump right back to reality:

  • The healthcare industry had 41 million people breached by 3/1/2015.
  • 35 million were added in the past 12 months alone.
  • Hackers’ attacks are no longer opportunistic – the trend reflects that they are now becoming more targeted. ePHI constitutes 21% of all breached records and it is anticipated to continue to rise.
  • With 113 Million records breached in 2015 covering 266 reported breaches – what will 2016 bring?

Healthcare industry security breach and ransomware incidents continue to flood the news. A recent story involved a hospital in Kentucky that had its records scrambled by ransomware. These attacks are purely for financial gain, and organizations have been paying the attackers off in order to get back to normal operations faster than waiting for the legal process would allow.

HHS and OCR are conducting a cross-walk with NIST’s Cybersecurity framework. They also announced the launch of the “Phase II” audit. ePHI value is going up in the dark markets. Hackers are conducting more targeted attacks than ever before. Organizations must be prepared and start mitigating all risks and adhering to the latest security best practices to protect ePHI.

We all need to be diligent and strive for continuous compliance. Security controls must be part of our daily operations, must be effective, must be auditor ready and, most of all, hacker ready.
