Are you ready for a network audit? The first step toward due diligence for major data-privacy regulations, such as the Health Insurance Portability and Accountability Act, is to conduct regular, internal audits.
We use HIPAA compliance as an example here, but the general principles on how to prepare for an audit apply to all government and industry regulations. Rule Number 1: Complying with regulations is an ongoing process. You must know intimately the rules and time frames for compliance, and regularly review where your organization and systems stand with regard to them.
A wide variety of tools and checklists are available to help you determine your organization's gaps in regulatory compliance. Some products provide baseline security practices and walk you through a series of questions to determine compliance. Alternatively, you can call on consultants familiar with the changing standards and regulations, though their services are often expensive.
To start with, read the standards that apply to your environment--such as whether you're required to encrypt e-mail messages--and conduct internal audits to discover gaps. Next, draw up plans for how to satisfy regulations in areas where you're noncompliant, such as ensuring that messages with patient and health information are encrypted. Then it's up to management to assign the necessary resources to meet the compliance objectives, such as determining who will be responsible for putting the company's security policy on an employee-accessible intranet.
Make sure you have a solid understanding of the applicable standards and regulations and of the organizations making the rules. HIPAA, for instance, provides standards for processing electronic health transactions and unique identifiers, and provides privacy and security rules to guard health information. The Department of Health and Human Services (HHS) publishes the HIPAA rules, and the Centers for Medicare and Medicaid Services (CMS) and the Office of Civil Rights (OCR) enforce them. There's plenty of information out there on HIPAA to get you up to speed.