Within the scope of the HIPAA Security Rule's Risk Analysis implementation specification is the requirement for vulnerability assessment.
The HIPAA Academy's network vulnerability testing process is divided into internal and external assessments. The external assessment determines the security posture of your organization's electronic perimeter, consisting of the routers, hosts, firewalls, modems and other devices (and software) that connect your networks to non-corporate networks. These network components generally present the greatest exposure to outside intruders.
HIPAA Academy's methods closely approximate what an external hacker would face when trying to break in. HIPAA Academy will use a suite of sophisticated tools, ranging from freeware (which is available to the hacker community at large) to tools that are proprietary to HIPAA Academy.
The internal assessment is conducted from inside the corporate perimeter security devices (e.g., a firewall) via an internal LAN connection. The internal assessment provides your organization with data on what an informed hacker or disgruntled employee might be able to accomplish, should he or she bypass the firewalls or other network-access safeguards.
Within the scope of the internal assessment is an evaluation of your organization's wireless vulnerabilities. This includes a review of the configuration of your access points as well as of wireless end systems.
The internal portion of the assessment is particularly important because the internal network is most often overlooked in network security management. Many businesses have strong external defenses but almost nonexistent internal defenses. The internal assessment will show to what extent an internal user could cause damage, and allows HIPAA Academy to identify the most efficient means of securing the network.
The HIPAA Academy uses a number of tools in assessing the vulnerability of an organization's systems and networks. Examples of tools that may be used for risk analysis and vulnerability assessment include (but are not limited to) SamSpade Tools, Nmap, Nessus Vulnerability Scanner, and Microsoft Baseline Security Analyzer. Detailed reports are published by the HIPAA Academy based on analysis of the data collected from the various tools deployed both internally and as part of external penetration testing.
An assessment checklist is created to document information about all critical systems and applications that process or store ePHI. The risk analysis team then specifically identifies:
- Key information technology systems and components for each critical asset
- Technology weaknesses and vulnerabilities in those key systems and components that could be exploited
Vulnerability Assessment Report and Recommendations
The final HIPAA Academy Risk Analysis report will present a realistic impression of your organization's security posture against the most likely attacks. It will provide an analysis of results, reveal samples of data discovered (e.g., screenshots), and furnish recommendations for effective long-term security measures.
The HIPAA Risk Analysis report will detail the vulnerabilities and compliance issues found and the corrective actions required to secure networked systems and mitigate identified risks. The report is delivered in soft copy on compact disc (CD) in PDF format.
For more information about HIPAA Academy's consulting services, please contact Lorna Waggoner at (877) 899-9974 x17 or Lorna.Waggoner@ecfirst.com.