Auditors - how to handle them?

By gmmoon
I'm fielding a question for our privacy officer and CIO, and they don't trust my opinion enough - they want consensus.
We have auditors who regularly come by (we're a hospital) and managers in different areas aren't willing to let an employee run reports and guide them around the systems. These managers want us to create accounts for the auditors, and that way they can get what they need without intervention or interrupting the employees from patient care or daily duties. I don't think the auditors should be allowed to have access to our systems. What do you all think? How do you handle auditors' access to your files, systems, accounts?

All Answers

What I think

by jck In reply to Auditors - how to handle ...

They should have restricted access to only the data they need.

Giving them access to raw data does them no good. They simply need information that gives them what they need, not a total system dump or the ability to do so.

Generally it depends on their level of authority ...

by OldER Mycroft In reply to Auditors - how to handle ...

It may seem like a simple way to explain it but that is the hard truth.

If you have insufficient understanding of the level of authority they have, and in so doing tend to generate a self-induced form of panic, you are on to a loser.

Either you KNOW that you have a higher authority than they do, or you have to step aside. Any other stance could endanger your professional position. Make no mistake about that.


by cmiller5400 In reply to Auditors - how to handle ...

What kind of auditor are they? I assume that they are external auditors? If so, then are the appropriate NDAs, confidentiality documents, etc. in place in case they see something private/privileged? Since you are medical, HIPAA is a very tough beast. Consult with a lawyer on this.

But on to your question. They should be given only the access that they need to do their audit. Your internal auditors should be there to help them get whatever information they need. The management that is refusing to supply persons should realize that the quicker they get the information, the faster the audit will be over. Once the auditors have left, their access should be terminated.

My Considered Opinion is

by OH Smeg Moderator In reply to Auditors - how to handle ...

Do as you are told to by management. They know what is required by their system, and they are the ones responsible for what happens.

If someone was to gain access to patient records and do as they like, it's not your concern unless you are the Security Officer, and even then all that would be required is the direction in writing on what it is required that you do under instruction of management.

End of story: it's not your hardware or system, and it's not your responsibility if it gets hacked, provided you are doing exactly as you are told.

Your name isn't Childs, perchance, is it?


That's a clever comment!!

by OldER Mycroft In reply to My Considered Opinion is


What are they auditing?

by Bizzo In reply to Auditors - how to handle ...

If they're quality auditors, then they shouldn't need access to patient data or systems, just your quality systems. And they need to know if employees can find their way around the quality system, so giving them that kind of access with no employee interaction wouldn't be enough.

If they're security auditors, then giving them access may be a fail anyway!

So what will they be auditing?

Get it in writing

by Menace65 In reply to Auditors - how to handle ...

We go through a couple of audits per year (we are a utility company), and the requests for access to our systems come from a manager, in writing. We give the auditors "display only" access, and then only to the data that they are required to see (again, all this is in writing so there is no confusion).

This does not mean they are then let off the leash; we do have one person who keeps an eye on them while they are here, and the auditors will always need to confer with the relevant individuals of the system areas to clarify anything they see which may be in question. Especially because you are a medical facility, you will need to be able to document everything, and if possible set an end date on which their accounts will lock automatically. Unless this is planned very carefully and there is at least one person babysitting the auditors at all times, I would not recommend this approach.

You may want to suggest that your privacy officer and CIO reach out to their counterparts in other hospitals and ask them how they handle audits.
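The controls described in the two replies above (written manager approval, display-only access scoped to named data, an end date after which the account locks, access terminated once the auditors leave) can be checked as policy-as-code before an account is created. This is an added example, not code from the thread; the request layout, the role name "display-only" and the 30-day ceiling are assumptions.

```python
"""Policy checks for temporary auditor accounts (added example, assumptions:
record layout, the "display-only" role name and MAX_AUDIT_DAYS)."""
from dataclasses import dataclass
from datetime import date

MAX_AUDIT_DAYS = 30  # assumed upper bound on one audit engagement


@dataclass(frozen=True)
class AccessRequest:
    auditor: str            # account name to be created
    requested_by: str       # manager who put the request in writing
    written_approval: bool  # signed request is on file
    role: str               # only "display-only" is acceptable
    scope: tuple            # data sets the auditor may view
    start: date
    end: date               # account locks automatically after this date


def validate_request(req: AccessRequest) -> list:
    """Return the list of policy violations; an empty list means provision."""
    problems = []
    if not req.written_approval or not req.requested_by:
        problems.append("no written manager approval on file")
    if req.role != "display-only":
        problems.append(f"role {req.role!r} is not display-only")
    if not req.scope:
        problems.append("no data scope named in the request")
    if req.end <= req.start:
        problems.append("end date must be after start date")
    elif (req.end - req.start).days > MAX_AUDIT_DAYS:
        problems.append(f"access window exceeds {MAX_AUDIT_DAYS} days")
    return problems


def accounts_to_disable(requests, today: date) -> list:
    """Auditor accounts whose end date has passed and must be locked."""
    return [r.auditor for r in requests if r.end < today]


# Constructed sample requests (not real data)
GOOD_REQUEST = AccessRequest("ext-auditor-1", "J. Manager", True, "display-only",
                             ("billing-summary",), date(2024, 3, 1), date(2024, 3, 15))
BAD_REQUEST = AccessRequest("ext-auditor-2", "", False, "full-access",
                            (), date(2024, 3, 1), date(2024, 6, 1))
REVIEW_DATE = date(2024, 4, 1)

if __name__ == "__main__":
    print(validate_request(GOOD_REQUEST))      # []
    print(validate_request(BAD_REQUEST))       # four violations
    print(accounts_to_disable([GOOD_REQUEST, BAD_REQUEST], REVIEW_DATE))
```

Run the deprovisioning check on a schedule so that an account whose end date has passed is locked even if nobody remembers the auditors have left.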