There are a few things clients should do that will help with their audit:
- Document data management, security, training and notification plans
- Enforce a password policy for their access
- Encrypt PHI data whether it is in a database or in files on the server
- Do not use public FTP; use another method to move files
- Only allow remote access over a VPN
- Implement login retry protection in their application
- Document a disaster recovery plan.
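The "login retry protection" item above is the one in this list that is usually implemented in application code rather than in a policy document. The following is an added example, not code from the original page or from any project it describes: a per-account failed-login counter that temporarily locks the account after a number of consecutive failures, with a constant-time password check against a constructed credential store. The class, function and parameter names (`LoginThrottle`, `make_verifier`, `max_failures`, `lockout_seconds`) are assumptions chosen for this illustration; the clock is injectable so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass


@dataclass
class _AttemptRecord:
    """Failure count and lockout deadline for one account (hypothetical helper)."""
    failures: int = 0
    locked_until: float = 0.0   # 0.0 means "not locked"


class LoginThrottle:
    """Per-account retry protection (hypothetical helper, not from the page).

    After `max_failures` consecutive failed logins the account is locked for
    `lockout_seconds`; a successful login clears the counter. `clock` is
    injectable so the expiry logic can be tested deterministically.
    """

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        self._records = {}

    def _record(self, username):
        return self._records.setdefault(username, _AttemptRecord())

    def is_locked(self, username):
        rec = self._record(username)
        now = self._clock()
        if rec.locked_until and now < rec.locked_until:
            return True
        if rec.locked_until and now >= rec.locked_until:
            # Lockout window has passed: start counting afresh.
            rec.failures = 0
            rec.locked_until = 0.0
        return False

    def record_failure(self, username):
        rec = self._record(username)
        rec.failures += 1
        if rec.failures >= self.max_failures:
            rec.locked_until = self._clock() + self.lockout_seconds
        return rec.failures

    def record_success(self, username):
        self._records.pop(username, None)

    def attempt_login(self, username, password, verify):
        """Return "locked", "denied" or "ok"; never reveal which one applies
        to a non-existent account (verify() returns False for unknown users)."""
        if self.is_locked(username):
            return "locked"
        if verify(username, password):
            self.record_success(username)
            return "ok"
        self.record_failure(username)
        return "locked" if self.is_locked(username) else "denied"


def make_verifier(credentials):
    """Build a verify(username, password) callable from a constructed store of
    {username: (salt, pbkdf2_sha256_hash)} entries, using a constant-time compare."""
    def verify(username, password):
        entry = credentials.get(username)
        if entry is None:
            # Unknown user: return False without leaking existence via timing.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 100_000)
            return False
        salt, expected = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, expected)
    return verify


def build_sample_store():
    """Constructed sample store: one user 'alice' with password 'correct horse'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000)
    return {"alice": (salt, digest)}


class FakeClock:
    """Manual clock so tests can advance past the lockout window."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    verify = make_verifier(build_sample_store())
    for pw in ["x", "y", "z", "correct horse"]:
        print(pw, "->", throttle.attempt_login("alice", pw, verify))
```

Two design points worth noting for an audit: the lockout is temporary and scoped to consecutive failures, so a typo by a legitimate user does not permanently disable the account, and every "locked" or "denied" result is a natural place to emit an audit log event so repeated failures are visible to whoever reviews access logs. In production the counters would live in shared storage (for example a database or cache) rather than in-process memory, so that the limit holds across multiple application servers.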