Assessment Description It is essential as a cybersecurity professional to have a complete understanding of how a compliance audit is conducted and documented because organizational sustainability ofte

April 1, 2019

Dear GCU hospital

This document summarizes the recent HIPAA security review conducted at MS Hospital. Cassandra Lalli analyzed the standards and development of the MS Hospital application between September 1, 2020 and September 2, 2020. Based on the data collected during the HIPAA security review, Cassandra Lalli has concluded that the MS Hospital application has implemented a satisfactory set of security controls to satisfy the HIPAA technical safeguard requirements. Consequently, a user who accesses Dropbox in conjunction with MS Hospital and follows HIPAA procedures can sustain HIPAA compliance.

Cassandra Lalli attests that the statements made in this document accurately describe the assessment of MS Hospital's current security as it relates to the requirements defined by the HIPAA standards. This professional evaluation does not include an evaluation of other technical security controls that, while considered industry best practice, are not explicitly defined in the HIPAA technical safeguard requirements. As the MS Hospital application's code base changes, and new features and functions are added, the MS Hospital application's security posture will change. Such changes may affect the validity of this document. Therefore, the conclusion reached from our analysis represents only a point-in-time snapshot. Cassandra Lalli would like to thank MS Hospital for this opportunity to help the organization evaluate its current security posture, and notes that compliance will not be sustained if the rules are disregarded in the future.

Sincerely,

Keisha Magee

Chief Information Officer,

[email protected]

HIPAA Technical Safeguards

164.312(a)(1)

Access Controls

Technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).

164.312(a)(2)(i)

Unique User Identification. Assignment of a unique name and/or number for identifying and tracking user identity

Requirement satisfied. Each user is assigned a unique username (their email address) and a password; employees also have an assigned identification number. This credential set is used for identifying and tracking user identity.

164.312(a)(2)(ii)

Emergency Access Procedure. Established (and implemented as needed) procedures for obtaining necessary EPHI during an emergency

Requirement satisfied. An administration "dashboard" gives administrators a means of obtaining necessary EPHI in the event of an emergency.

164.312(a)(2)(iii)

Automatic Logoff. Procedures that terminate an electronic session after a predetermined time of inactivity

Requirement satisfied. All workstations are configured with inactivity timers: after a predetermined period of inactivity the screen locks and prompts for the user's password, and the machines shut down at the end of the workday.

164.312(a)(2)(iv)

Encryption and Decryption. A mechanism to encrypt and decrypt EPHI

Requirement satisfied. Antelope allows encryption and decryption of electronic protected health information via its PC, Mac and iOS clients as well as via a web browser interface.

164.312(b)

Audit Controls

Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI

Implementation specifications: not applicable. This standard has no implementation specifications.

Requirement satisfied. Antelope provides complete audit trails of all operations associated with encrypted files, together with a simple reporting tool.

164.312(c)(1)

Integrity

Implement policies and procedures to protect EPHI from improper alteration or destruction.

164.312(c)(2)

Mechanism to Authenticate EPHI. Electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner

Requirement satisfied. Electronic mechanisms are in place to corroborate that EPHI has not been altered or destroyed in an unauthorized manner.

164.312(d)

Person or Entity Authentication. Procedures to verify that a person or entity seeking access to EPHI is the one claimed

Requirement satisfied. Person or entity authentication procedures are in place to verify that a person or entity seeking access to EPHI is the one claimed.

164.312(e)(1)

Transmission Security

Technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network

164.312(e)(2)(i)

Integrity Controls. Security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of

Requirement satisfied. Security measures are in place to ensure that electronically transmitted EPHI is not improperly modified without detection until it is disposed of.

164.312(e)(2)(ii)

Encryption. A mechanism to encrypt EPHI whenever deemed appropriate

Requirement satisfied. A mechanism is in place to encrypt EPHI in transit.