The HIPAA Security Rule (the Evaluation standard at 45 CFR §164.308(a)(8)) requires all covered entities “to periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity’s security policy and the requirements of this subpart.” On the frequency of evaluation, the regulations state that “covered entities must assess the need for a new evaluation based on changes to their security environment since their last evaluation, for example, new technology adopted or responses to newly recognized risks to the security of their information.” In other words, a new system, a new integration, or a newly disclosed vulnerability class is itself a trigger for re-evaluation, not just the calendar. The regulations also point out: “it is important to recognize that security is not a product, but is an ongoing, dynamic process.”
To assess how well the entity’s security policy is actually applied, one option is a systematic, measurable technical assessment: a computer security audit. Security audits are part of the ongoing cycle of defining, maintaining and improving effective security throughout the organization. To reach and stay in HIPAA network security compliance, the organization needs an established vulnerability assessment and remediation process, and that process starts with asset identification: identifying and understanding every device and digital asset on the network, including unmanaged and forgotten ones, since a host that is missing from the inventory is a host that never gets assessed.
Thus the most critical phase of the vulnerability assessment and remediation process is auditing the entire network for vulnerabilities, properly and completely. The audit can be no more complete than the inventory it is based on, so incomplete asset identification directly becomes unaudited, and therefore unremediated, exposure.