Within the scope of the HIPAA Security Rule’s Risk Analysis implementation specification is the requirement for vulnerability assessment.
The HIPAA Academy’s Network Vulnerability testing process is divided into internal and external assessments. The external assessment determines the security posture of your organization’s electronic perimeter, consisting of the routers, hosts, firewalls, modems and other devices (and software) that connect your networks to non-corporate networks. These network components generally provide the maximum exposure to outside intruders.
HIPAA Academy’s methods approximate closely to what an external hacker would face trying to break in. HIPAA Academy™ will use a suite of sophisticated tools, ranging from freeware (which is available to the hacker community at large) to tools that are proprietary to HIPAA Academy.
The internal assessment is conducted from inside the corporate perimeter security devices (e.g., a firewall) via an internal LAN connection. The internal assessment provides your organization with data on what an informed hacker or disgruntled employee might be able to accomplish, should he or she bypass the firewalls or other network-access safeguards. Within the scope of the internal assessment is an evaluation of your organization’s wireless vulnerabilities. This includes a review of configuration of your access points as well as wireless end systems.
The internal portion of the assessment is particularly important because the internal network is most often overlooked in network security management. Many businesses have strong external defenses but almost nonexistent internal defenses. The internal assessment will show to what extent an internal user could create damage, and allow HIPAA Academy™ to identify the most efficient means of securing the network.
The HIPAA Academy™ uses a number of tools in assessing the vulnerability of an organization’s systems and networks. Examples of tools that may be used for risk analysis and vulnerability assessment include (but are not limited to) SamSpade Tools, Nmap, Nessus Vulnerability Scanner, and Microsoft Baseline Security Analyzer. Detailed reports are published by the HIPAA Academy™ based on analysis of the data collected from the various tools deployed both internally and as part of external penetration testing.
An assessment checklist is created to document information about all critical systems and applications that process or store EPHI. The risk analysis team then specifically identifies:
- Key information technology systems and components for each critical asset
- Key systems and components for technology weaknesses/vulnerabilities that may be exploited
- Vulnerability Assessment Report and Recommendations
The final HIPAA Academy™ Risk Analysis report will present a realistic impression of your organization’s security posture against the most likely attacks. It will provide an analysis of results, reveal samples of data discovered (i.e. screen shots), and furnish recommendations for effective long-term security measures.
The HIPAA Risk Analysis report will detail the vulnerabilities and compliance issues found and the corrective actions required to secure networked systems and mitigate identified risks. The report is conveyed in soft copy on compact disc (CD) and in a PDF format.
For more information about HIPAA Academy’s consulting services, please contact John Schelewitz at +1.480.633.3225 or John.Schelewitz@ecfrist.com.