How to Perform a Quick Self-Audit


Performing a security audit of your facility or organization is vitally important if you work in healthcare. So important, in fact, that HHS requires a risk assessment under the Final Rule. While formal security audits and assessments are best left to technical professionals who can accurately test for proper safeguards and create the appropriate documentation, everyday users hold a great deal of power over the outcome. Performing your own self-assessment, both professionally and personally, can make a positive impact, and you don't have to be a "techie" to do a basic audit!

The basic audit we highlight in this post doesn't need a technical degree, and it doesn't involve any special programs or knowledge; it is aimed at the average user. The key is to be completely honest in your answers, which can be difficult when we are only answering to ourselves. After identifying shortcomings, committing to improve or correct them is just as important as noting what may not be correct or ideal.

For this audit, ask yourself the following questions:

  • If I step away from my computer for a few minutes, will the screensaver lock the computer automatically (requiring my password to log back in)? Do I know how to lock it manually, and do I do so every time I get up, even just to stretch?
  • Do I have reminders on the computer about a software update that I keep dismissing? Leaving software unpatched leaves known security vulnerabilities on the computer for as long as the update waits.
  • Does my anti-virus program work, and does it update regularly on its own? Do I know how to check this?
  • If this computer stores or comes in contact with electronic Protected Health Information (ePHI), is it encrypted (for example, full-disk encryption, so the data is unreadable if the machine is lost or stolen)?
  • Do I have strong passwords that include numbers, letters and symbols, and that are long enough not to be cracked quickly? Are any of them easily guessed (a pet's name, a birthday, a dictionary word with a digit on the end)? **
  • Do I have a different password for each system I log into, or each website? Or do I have only a few (or just one) password that, if guessed or compromised, would let someone into everything I access? **
  • If I have lots of different passwords (which is great!), how and where do I store them all? Is it somewhere secure like a password manager, or are they written down in a notebook or on a sticky note? **
  • To my knowledge, does anyone else have my passwords, or have I shared them with anyone? If you are not the only person who knows each of your passwords, non-repudiation is an issue: actions taken under your account can no longer be reliably attributed to you.
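If you (or your I.T. team) would rather let the computer answer the first four questions than rely on memory, the following PowerShell script is an added example and not part of the original post. It assumes a Windows 10 or 11 workstation with Microsoft Defender and BitLocker, reads the same settings the questions ask about, and changes nothing. The 15-minute lock timeout and the 3-day signature age it checks against are assumed thresholds, not figures from the post; adjust them to your organization's policy.

```powershell
# Added example (not from the original post): a read-only self-check of the
# first four questions on a Windows 10/11 workstation with Microsoft Defender
# and BitLocker. The timeout and signature-age limits below are assumptions,
# not values from the post; adjust them to your organization's policy.
$MaxLockTimeoutSeconds = 900   # assumed: lock within 15 minutes
$MaxSignatureAgeDays   = 3     # assumed: definitions no older than 3 days

function Get-ScreenLockStatus {
    # Group Policy settings (Policies key) override the user's own settings,
    # so read that key first and fall back to the personal one.
    $paths = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if ($null -ne $v -and $null -ne $v.ScreenSaveActive) {
            return [pscustomobject]@{
                Source         = $p
                Active         = ($v.ScreenSaveActive -eq '1')
                RequiresLogon  = ($v.ScreenSaverIsSecure -eq '1')
                TimeoutSeconds = [int]$v.ScreenSaveTimeOut
            }
        }
    }
    return $null
}

function Get-PendingUpdateCount {
    # Windows Update Agent COM API. The search only reads, but it contacts
    # Microsoft Update or your WSUS server and can take a minute.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    return $result.Updates.Count
}

function Get-AntivirusStatus {
    # Defender only; a third-party product needs its own cmdlet or console.
    $s = Get-MpComputerStatus
    return [pscustomobject]@{
        Enabled          = $s.AntivirusEnabled
        RealTime         = $s.RealTimeProtectionEnabled
        SignatureAgeDays = $s.AntivirusSignatureAge
    }
}

function Get-DiskEncryptionStatus {
    # Get-BitLockerVolume needs an elevated (Run as administrator) prompt.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            Drive      = $_.MountPoint
            Protection = $_.ProtectionStatus   # On / Off
            Volume     = $_.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
        }
    }
}

function Write-Finding([bool]$ok, [string]$text) {
    $tag = if ($ok) { 'PASS ' } else { 'CHECK' }
    Write-Output "$tag  $text"
}

# Question 1: automatic, password-protected screen lock
$lock = Get-ScreenLockStatus
if ($null -eq $lock) {
    Write-Finding $false 'screen saver lock is not configured at all'
} else {
    $ok = $lock.Active -and $lock.RequiresLogon -and
          $lock.TimeoutSeconds -gt 0 -and $lock.TimeoutSeconds -le $MaxLockTimeoutSeconds
    Write-Finding $ok "screen lock: active=$($lock.Active) password=$($lock.RequiresLogon) after $($lock.TimeoutSeconds)s ($($lock.Source))"
}

# Question 2: dismissed update reminders
try {
    $pending = Get-PendingUpdateCount
    Write-Finding ($pending -eq 0) "$pending update(s) waiting to be installed"
} catch {
    Write-Finding $false "could not query Windows Update: $($_.Exception.Message)"
}

# Question 3: anti-virus running and updating itself
try {
    $av = Get-AntivirusStatus
    Write-Finding ($av.Enabled -and $av.RealTime -and $av.SignatureAgeDays -le $MaxSignatureAgeDays) `
        "Defender enabled=$($av.Enabled) real-time=$($av.RealTime) signatures $($av.SignatureAgeDays) day(s) old"
} catch {
    Write-Finding $false "could not read Defender status: $($_.Exception.Message)"
}

# Question 4: encryption on a machine that may hold ePHI
try {
    foreach ($vol in Get-DiskEncryptionStatus) {
        Write-Finding ($vol.Protection -eq 'On') "BitLocker on $($vol.Drive): protection $($vol.Protection), volume $($vol.Volume)"
    }
} catch {
    Write-Finding $false "could not read BitLocker status (run elevated?): $($_.Exception.Message)"
}
```

Run it from a PowerShell window (an elevated one if you want the BitLocker line). Every line that starts with CHECK is a question you answered "no" to, whether you realized it or not; treat it exactly as the post suggests and ask your I.T. team how it gets fixed. The password questions are deliberately not included here, since they depend on what you know and where you keep it rather than on any setting the computer can report.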

The questions above should give you a good idea of how secure your immediate working environment is, and of how well you understand it. The list isn't exhaustive, and isn't meant to be. Questions like these do, however, appear on almost all risk assessments performed by Covered Entities, Business Associates, and any subcontractors that work with ePHI.

If any of your answers were negative, it's important to mitigate or correct that particular issue. It's also important to understand how it is fixed. If you are unclear, reach out to your I.T. team and find out. Doing so helps both you and them, because your understanding of security strengthens the overall security of your facility or organization.

To that end, the three questions marked with “**” will be the topic of the next security post. Be sure to stay tuned!