HIPAA & HITECH Require Technical Vulnerability Assessment

A key requirement of the HIPAA and HITECH regulations is that covered entities and business associates must conduct a comprehensive and thorough assessment of the potentials risks and vulnerabilities to the confidentiality, integrity, and availability (CIA) of all electronic Protected Health Information (EPHI). These HIPAA and HITECH mandates require that organizations must complete a comprehensive and thorough vulnerability assessment on a regular schedule.

bizSHIELD  – An ecfirst Technical Vulnerability Assessment Service

ecfirst developed the bizSHIELD^tm program to assist Covered Entities, Business Associates, and vendors of Electronic Health Records (EHRs) and Personal Health Records (PHRs) in meeting the requirements of the HIPAA Privacy and Security Rule, The HITECH Act, and all subsequent guidance documentation and settlement agreements.

As a part of the bizSHIELD^tm program, ecfirst will list every requirement of the HIPAA Security Rule including every Safeguard, Standard, and Implementation Specification in a risk analysis format that identifies an organization’s state of compliance with the requirement, recommended remediation activity, and associated risk priority. All remediation activities will be listed according to recommended implementation time bands in the bizSHIELD^tm Corrective Action Plan (CAP) table. The bizSHIELD^tm report is an actionable, documented risk analysis that provides both in depth and executive summary level findings appropriate to all audiences from administrators to the Board of Directors.

Technical Vulnerability Assessment Service

The Office of Civil Rights (OCR) wants to ensure that organizations have identified all of the risks and vulnerabilities to the EPHI that they collect, store, process, or transmit. The ecfirst bizSHIELD^tm risk analysis program includes a technical vulnerability assessment to address HIPAA and HITECH mandates with the objective of establishing and prioritizing compliance and security gaps.

The ecfirst bizSHIELD^tm Technical Vulnerability Assessment Service supports several distinct components, including:

• External Assessment
• Internal Assessment
• Firewall Assessment
• Wireless Assessment
• Social Engineering

When is the last time your organization conducted a risk analysis activity that included a technical vulnerability assessment?

External Network Vulnerability Assessment

ecfirst will identify, analyze, and document vulnerabilities within an organization’s Internet-facing infrastructure and attached systems. ecfirst follows a pragmatic approach when conducting a vulnerability assessment of external systems.

Internal Network Vulnerability Assessment

ecfirst’s internal network vulnerability assessment will verify that the security controls implemented on an organization’s hosts provide an adequate level of protection against network attacks. The ecfirst security team will scan and validate the security of the network and perform a comprehensive assessment against selected hosts. ecfirst can include many valuable components in its reporting including:

• Active Directory assessment
• Open File Shares scan and report
• SNMP scan
• Promiscuous NICs scan and report
• Database Security Analysis including MS SQL or Oracle

Firewall Assessment

ecfirst will review the organization’s Internet-facing firewall to identify the current security posture in three critical areas:

• Rulebase configuration
• Current IOS (or other operating system) and patch revision release level
• Vulnerability assessment of configuration file

Rulebase configuration is critical to the integrity and operating security of a firewall. The rulebase should be tied to business requirements. Every rule that is configured on a firewall is essentially a permissible security hole into the company’s network infrastructure. Each of these rules should have a well defined business need for existing. However, many corporations open rules for testing and never close them when the test has completed. Additionally, many rules are opened up because of then-current business needs, but never closed or repaired once that need, or the corresponding business contract, has ended. This results in legacy access and a vulnerability providing a pathway into the internal network.

Wireless Assessment

Wireless networks are particularly vulnerable to attacks because it is extremely difficult to prevent physical access to them. Wireless networks are subject to both passive and active attacks. A passive attack is one in which an attacker just captures signals flowing from authorized devices, such as a corporate laptop to an authorized Access Point (AP). An active attack is one in which an attacker send signals to the authorized AP in order to solicit specific responses and intrude upon the corporate network, typically, in a very short timeframe.

During the wireless assessment, ecfirst addresses the following areas:

• Discover the Wireless Access Points and wireless systems.
• Investigate rogue devices installed without IT department consent.
• Assess Wi-Fi RF coverage from adjacent buildings and public locations.
• Determine the existing Wi-Fi security infrastructure.
• Attempt to compromise the wireless security.
• Determine encryption type and compromise the security.

Social Engineering Assessment

Organizations with excellent security programs often spend large amounts of money on capital purchases to implement technical security controls. However, employees or contractors of the entity often prove to be the weak link in the security chain. Employee and contractor education is a key component to any information security program. Authorized members of the workforce have both authenticated access to information systems as well as physical access to facilities and secured areas.

During the social engineering assessment, ecfirst will attempt to gain unauthorized or inappropriate access to facilities, secured areas, documents, credentials, or confidential data. ecfirst security personnel will attempt to bypass security controls that are in-place in order to gain access to various assets. ecfirst will attempt to bypass electronic, personnel, and procedural controls during this assessment. ecfirst will document and present a very detailed record of successes, failures, controls bypassed, access achieved and information obtained during the assessment.

HITECH Data Breach Service

Under the HITECH Data Breach Rule, organizations are required to take steps to prevent, identify, report, and remediate data breaches of unsecured information. The ecfirst Data Breach solution will document the ability of the organization to detect a breach, review the incident management policy and procedures, and make recommendations. In addition, organizations will receive a HITECH Data Breach policy and several Data Breach procedures to ensure compliance, should a breach happen.

About ecfirst, Home of The HIPAA Academy

Devoted To Our Clients. Delivering with Passion.
ecfirst, Home of The HIPAA Academy™, is a leader with rich hands-on experience delivering world-class services in the areas of:

• Security regulatory compliance solutions (HIPAA, HITECH Act, PCI DSS, NIST and ISO 27000 Standards, State Regulations)
• Compliance training and certification
• HITECH data breach and incident response management
• End-to-end Meaningful Use EHR Stage 1 objective driven services including gap assessment, risk analysis, reporting and more
• Health Information Technology (IT) services including On-Demand Consulting (starting @ 40 hours), Management Compliance Services Proposal (MCSP), IT professional staffing and project management, customized portal development and security technology implementation

Compliance and Training Certification

ecfirst, home of the HIPAA Academy™, offers the gold standard in compliance training and certification. The HIPAA CHA^TM and CHP certifications are the only certifications recognized in the Industry. The ecfirst Certified Security Compliance Specialist^TM (CSCS^TM) Program is the first and only information security program that addresses all major compliance regulations from a security perspective.

ecfirst delivers world-class information security and regulatory compliance solutions. With over 2,000+ clients, ecfirst was recognized as an Inc. 500 business – America’s Top 500 Fastest Growing Privately Held Business in 2004 – our first year of eligibility. ecfirst serves a Who’s Who client list that includes technology firms, numerous hospitals, state and county governments, and hundreds of businesses across the United States and abroad. A partial list of clients includes Microsoft, Symantec, HP, McKesson, EMC, IBM, Principal Financial, U.S. Army, U.S. Dept. of Homeland Security, U.S. Dept. of Veterans Affairs and many others.

Regulatory Compliance Practice

The ecfirst Regulatory Compliance Practice delivers deep expertise with its full suite of services that include; HIPAA Privacy Gap Analysis, Meaningful Use Risk Analysis, HITECH Data Breach, Technical Vulnerability Assessment, Policy and Procedure Development, Disaster Recovery Planning, On-Demand Consulting, as well as managed security and IT infrastructure solutions.

ecfirst Differentiators

ecfirst combines state of the art tools, the highest credentialed staff, and reporting that maximizes value, efficiency, and information for our clients to deliver the industry’s best technical vulnerability assessments.

Critical ecfirst differentiators include:

• Home of The HIPAA Academy™ – First in the healthcare industry with the Certified HIPAA Professional (CHP) and Certified Security Compliance Specialist™ (CSCS™) programs
• Highly credentialed professional consulting team with expertise in HL7, ICD-9/10, HIPAA, HITECH, Meaningful Use
• Deep experience in the healthcare industry
• Compliance based vulnerability assessments
• Executive dashboards that may be tailored for senior management to highlight critical findings

Talk to ecfirst and you will find an organization that is passionate about the services we deliver and exceptionally devoted to its clients. We deliver value with intensity and are paranoid about our performance for your organization.