Question: We recently hired a new law firm to handle our privacy practices and they told us to conform our practices so we could survive a "health IT audit." What is that?

Codify Subscriber Answer: Health information technology audits allow the OIG to determine whether a health care entity is keeping patient information safe and to ensure that criminals can't hack into your health IT system. Health records are very valuable to thieves and can often fetch more money than credit card data. To ensure that this information is under lock and key, the OIG investigates how carefully practices, hospitals, insurers, and other entities are protecting those medical records.

One method the government uses is to attempt to access the records, much like a hacker would. The OIG performs what's called "penetration testing," in which its staff members try to exploit a health care entity's vulnerabilities to see if they can gain access to the network. While performing penetration testing, OIG auditors review specific items such as whether the entity changed the out-of-the-box usernames and passwords that the manufacturer created. If those default usernames and passwords are still in effect, the system is vulnerable to hackers. Practices that have out-of-the-box software in their offices should be sure to check whether these passwords have been changed and, if not, change them immediately.

Resource: To read more about the OIG's work on IT audits, visit https://oig.hhs.gov/.
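The default-credential check described above is one a practice can run on its own inventory before an auditor does. The following is an added self-audit example, not code from Codify or the OIG: it compares each device's administrative account against a list of vendor defaults and reports whether the default username, the default password, or both are still in effect. The vendor names, default credentials, and the device inventory are all constructed placeholders, and comparing a SHA-256 digest stands in for what a real audit would do, namely call the system's own login check.

```python
"""Self-audit for vendor default credentials (added example; constructed data).

Flags devices whose administrative account still uses the username and/or
password the manufacturer shipped, which is exactly the item the text says
OIG penetration testers look for.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed vendor-default list. These are placeholder products and values,
# not real vendor credentials; a real audit would load the list from a
# maintained inventory of the products actually deployed.
VENDOR_DEFAULTS: Dict[str, List[Tuple[str, str]]] = {
    "ExampleEHR": [("admin", "admin"), ("support", "support123")],
    "ExampleImaging": [("service", "service")],
}


@dataclass
class Device:
    name: str
    vendor: str
    username: str          # the current administrative account name
    password_sha256: str   # digest of the current password; plaintext is never stored


def sha256_hex(text: str) -> str:
    """Hex SHA-256 of a string (placeholder for the system's own password check)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_device(device: Device) -> List[str]:
    """Return human-readable findings for one device; empty list means clean."""
    findings: List[str] = []
    for default_user, default_pw in VENDOR_DEFAULTS.get(device.vendor, []):
        if device.username != default_user:
            continue
        findings.append(
            f"{device.name}: administrative account still uses default username "
            f"'{default_user}' (rename or disable it)"
        )
        # Password is only checked against the default paired with that username.
        if device.password_sha256 == sha256_hex(default_pw):
            findings.append(
                f"{device.name}: default password for '{default_user}' is still in "
                f"effect (change it immediately)"
            )
    return findings


def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Audit every device and keep only those with at least one finding."""
    report: Dict[str, List[str]] = {}
    for device in devices:
        findings = audit_device(device)
        if findings:
            report[device.name] = findings
    return report


# Constructed sample inventory: one device never hardened, one with the default
# username but a changed password, one fully renamed, one from an unlisted vendor.
SAMPLE_INVENTORY: List[Device] = [
    Device("front-desk-ehr", "ExampleEHR", "admin", sha256_hex("admin")),
    Device("xray-console", "ExampleImaging", "service", sha256_hex("Xr4y!2024-changed")),
    Device("billing-server", "ExampleEHR", "jsmith", sha256_hex("L0ng-unique-passphrase")),
    Device("vpn-appliance", "OtherVendor", "admin", sha256_hex("admin")),
]


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed inventory; used by the usage below."""
    return audit_inventory(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for name, findings in run_sample().items():
        for line in findings:
            print(line)
```

Note that the device from the unlisted vendor produces no finding even though its account is `admin`/`admin`: the check is only as good as the vendor-default list it is given, so keeping that list complete for every product in the office is part of the control.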