Acme Health Group
Assessment Date:
Assessor: XyberIQ
Focus the next 30–90 days on BAAs, access controls (MFA), and audit logging. Close high-severity gaps first; batch low-effort wins to build momentum and evidence.

| Safeguard | Gap | Severity | Action |
|---|---|---|---|
| Business Associate Agreements (BAAs) | No executed BAAs for two key vendors handling ePHI. | High | Execute BAAs; centralize repository and renewal cadence. |
| Access Control (MFA) | MFA not enforced for EHR remote access; shared accounts exist. | High | Mandate MFA; eliminate shared accounts; enable SSO policy. |
| Audit Controls | Insufficient log retention and review for ePHI systems. | Medium | Expand retention to 12–18 months; weekly review workflow. |
| Security Awareness Training | Annual training completed, but phishing simulations absent. | Medium | Quarterly simulations; targeted refreshers after failures. |
| Device & Media Controls | No formal wipe/chain-of-custody for retired laptops. | Low | Adopt standardized wipe, certificate of destruction, log. |

| HIPAA § | Control | Status | Notes / Evidence Needed |
|---|---|---|---|
| 164.308(a)(1) | Risk Analysis | Partial | Last full RA > 18 months; schedule updated assessment. |
| 164.308(a)(3) | Workforce Security | Partial | Offboarding checklist exists; needs automated access revocation. |
| 164.312(a)(2)(i) | Unique User ID | Partial | Two shared service accounts remain; replace with scoped roles. |
| 164.312(d) | Person/Entity Authentication | Gap | MFA not enforced for remote EHR; enforce across all ePHI apps. |
| 164.312(b) | Audit Controls | Gap | Enable immutable logging + alerting for anomalous access. |
| 164.310(d)(2)(i) | Disposal | Partial | Formal wipe/cert process needed for retired devices. |