Vulnerability Assessment and HIPAA Compliance Scans for Healthcare

Vulnerability Assessment and compliance laws aren’t something new if you’re coming from the financial or retail industry. For example, PCI Compliance was introduced in the late ’90s to help protect your personal and credit card information from criminals. Now, with the advent of the Patient Protection and Affordable Care Act (PPACA) in 2010, the healthcare industry has seriously begun recognizing the importance of protecting its electronic Protected Health Information (ePHI). However, many healthcare practices chose to ignore compliance and paid dearly for it in the form of fines and penalties. By and large, PPACA, Meaningful Use, MIPS, MACRA, and the HITECH Act are here to stay, and compliance isn’t optional anymore.
Don’t assume protection of patient information.
When a patient visits your office, what personal information are they giving you? Usually, it’s their demographics, insurance, clinical and family history. The staff inputs their information, it gets recorded in your medical database, and they move on to the next patient. So what happens with all this sensitive data? Is your data being protected from cyber criminals? The answer to these questions may shock you.
ePHI is precious on the black market. As a matter of fact, it’s 10x more valuable than a credit card number. If a credit card number is stolen, you simply call your bank to report the theft; the bank reverses all fraudulent charges, and you move on with a new card number. Patient information stolen from a medical practice, however, can wreak havoc on your patients for many years to come. The exposed data reveals their social security number, home address, clinical history, phone numbers, and insurance information. As a result, stolen ePHI can cause irreversible harm to their personal identity.
How can you protect your patient data?
We advise all of our medical clients on how important vulnerability assessment scans are for their practice. They’re essential tools for minimizing the risk of ePHI being compromised by intruders or ransomware attacks. Patients trust their doctor’s medical expertise. In turn, it’s our job to safeguard your data and provide a higher level of trust back to your patients.
Each Security Risk Analysis we conduct has two components. The first is a Vulnerability Assessment. The second is a HIPAA Compliance scan. Practices often confuse these as being the same, but they are very different. A vulnerability assessment identifies potential risks that may exist on a network, workstation, firewall, or server. A HIPAA compliance scan verifies that the practice conforms to the HIPAA rules enacted by the government in 1996 and the HITECH Act of 2009.
Vulnerability Assessment Scans
Vulnerability Assessment scans are a crucial part of every healthcare practice’s network security toolkit. However, they’re not an “end-all” solution for compliance. Keep in mind that a vulnerability can be exploited even with scans in place. That said, an exposed vulnerability demonstrates a lack of security, or of effort to safeguard patient data against unauthorized access. That’s why it’s important to remember that a vulnerability shown on a report still needs to be verified as actually present.
In all compliant networks, including the practices we support, there are security devices in place that help reduce these risks on a daily basis. All of these networks have a business-class firewall to prevent outside access to internal resources. Web filtering helps mitigate internet-borne virus risks and inappropriate access to internet resources. E-mail scanning provides anti-spam filtering and blocks virus-laden attachments. Antivirus software provides protection at the server and desktop level. Hard drive encryption is also crucial for laptops and desktops in case they’re lost or stolen.
HIPAA Compliance Scans
As we all know, medical practices must follow specific HIPAA provisions. Among them, HIPAA and the HITECH Act require that we audit logon events, meet password complexity rules, terminate sessions after a predetermined time, and much more. In the past, there was no quick and reliable way of measuring these policies. Frankly, some practices attest that they’re compliant without a full understanding of what they’re stating. One of the benefits of periodic HIPAA compliance scans is that they accurately report whether a medical practice’s infrastructure reflects the policies instituted by the practice. Our clients find that adding these monthly or quarterly reports to their Meaningful Use binder is worth every penny, especially when they receive a daunting audit letter from CMS!
Understanding Risk – CVSS Scores by Severity
Our scanning software uses the Common Vulnerability Scoring System (CVSS) to report the severity of vulnerabilities found in an organization. CVSS is an open industry standard for assessing the severity of network vulnerabilities; it attempts to establish a measure of how much concern a vulnerability warrants compared to others, which helps IT prioritize remediation efforts. The scores range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are critical and are the highest priority. Those in the range 4.0-6.9 are major. Those in the range 0.0-3.9 are minor. The CVSS scores correspond to the software’s severity levels as follows: 10.0 = Critical severity (Red), 7.0-9.9 = High (Orange), 4.0-6.9 = Medium (Yellow), and 0.0-3.9 = Low (Green). Each severity level displays its vulnerability count. Here’s a sample chart:
Our software also provides valuable insight for a Managed IT Services Provider (MSP), who in turn helps you understand which devices on a network may need more attention. It also gives an MSP the information required to remediate discovered vulnerabilities quickly. These software tools make it easy to identify these metrics, so medical practices know how vulnerable they really are. Remediation could be as simple as applying software or firmware updates. If a device or software is obsolete, replacing it may be warranted. For example, if your SonicWall firewall is end-of-life, a replacement will help you minimize security risks and prevent unauthorized intrusions.
Understanding Risk – Details by Severity
The level of severity measures each device vulnerability. Here’s an example:
What do Vulnerability Assessment Scans mean to you, as the healthcare provider?
Each scan provides insight into the actual vulnerabilities that may exist on a particular device. In the above example, “Symantec Antivirus Detection (Corporate Edition)” is labeled as a “Critical” severity. You might be asking yourself, “How can my antivirus software put my patient information at risk?” Simply put, vulnerability scans check the version of the software against the scanner’s database to ensure you have up-to-date antivirus definitions. It’s well known that outdated desktop antivirus is not effective at removing new viruses from the internet. This finding may also raise a flag as to when you last renewed your antivirus subscription. Perhaps it was never renewed, and your virus definitions are five years out of date? To summarize, outdated antivirus definitions leave you exposed to viruses that start at the desktop level and can spread like wildfire to all of your desktops and servers.
The biggest virus or intrusion threat to any network typically comes from either the internet or email. For example, running old versions of Adobe Flash and Java on your desktop can leave you exposed. Opening PDF, Zip, Word, or Excel attachments in an email can also wreak havoc on your network.
Are there exceptions to this rule?
Yes, but only to a certain extent, so proceed with caution.
As an illustration, in the example above the scan reported this PC as “Microsoft Windows XP Unsupported Installation Detection” and marked it “Critical.” That’s because Microsoft no longer supports Windows XP, so there will be no further security patches or support. However, an exception could be an older but useful medical diagnostic device with highly specialized software that only works on Windows XP. In that case, the manufacturer should have contacted you to offer an upgraded unit that’s compatible with a newer operating system. It’s likely that they also quoted a price tag in the tens of thousands for the upgrade, an expense that’s not in your budget right now. In this case, we recommend that you write an exception into your IT security policy acknowledging the potential risk. We also recommend you immediately disconnect this device from your local network.
Another example (also shown above) is “Microsoft .NET Framework Unsupported,” marked “Critical.” This message tells us that Microsoft no longer supports this version. We already know that Windows XP is obsolete. Therefore, our recommendation would be to install an updated version if one exists. In summary, the only way to resolve this message is to upgrade the workstation operating system.
Are there any other exceptions to this rule?
The other caveat here is if your medical practice uses Electronic Health Records (EHR). Occasionally, an EHR may require this particular version to run its software. In this case, we recommend writing an exception into your security policy stating that we have identified this risk and that it’s in the remediation process.
The vulnerability severity may also be re-categorized to “Low” by IT, simply because the vulnerability presented in this case is mandatory for EHR to function properly. Ordinarily, other security mechanisms are already present on the network to mitigate any risk that could arise.
Understanding Compliance Checks
After every vulnerability assessment, we’ll perform a final compliance check. We test every device connected to your network using a baseline of preset rules and parameters. Furthermore, each practice’s compliance set may vary slightly depending on their size, but they all follow the same fundamental rules:
The above snippet provides a summary view of a particular network’s compliance; “PASSED,” “FAILED,” or “WARNING” are the three possible values. Typically we want all of the tested values to pass. In many instances, that’s not the case. Here’s what each value indicates:
A “PASSED” value means all of the devices tested on that date passed compliance for that particular test. The parameters were within range of that check.
A “FAILED” value indicates a device tested on that date failed compliance. The parameters are out of range of that check. For example, a firewall with outdated firmware will trigger this result.
A “WARNING” value indicates a device could not be accessed. For example, a disconnected or powered down wireless access point could have triggered this warning.
In the summary view shown on the sample report below, you’ll see in-depth details of the scanned network devices. Furthermore, the report provides a thorough analysis of which network devices passed, failed, or presented a warning. You’ll also see low-level detail of how the scanning software determined the status it reported.
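The following Python script is an added example, not the scanning software’s own code, and every device name, finding title, score and check result in it is constructed for illustration. It shows the two pieces of report logic described above: mapping CVSS base scores to the four colour bands (10.0 Critical, 7.0-9.9 High, 4.0-6.9 Medium, 0.0-3.9 Low), applying the documented policy exceptions that re-categorize a finding to “Low” while keeping its original severity on the report, and rolling per-device compliance results up into the “PASSED,” “FAILED,” or “WARNING” values. Where a check has both a failed device and one that could not be accessed, the page does not say which value wins; the script assumes a failure outranks a warning.

```python
"""Summarise vulnerability-scan findings and compliance-check results the way
the report described on the page does.  Added example, not the scanning
software's own code; every device, finding, score and result below is
constructed for illustration."""
from collections import Counter
from dataclasses import dataclass


def severity(cvss: float) -> str:
    """Map a CVSS base score to the page's four colour bands
    (10.0 Critical, 7.0-9.9 High, 4.0-6.9 Medium, 0.0-3.9 Low)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss == 10.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    device: str
    title: str
    cvss: float


# Constructed sample findings; titles modelled on the ones the page quotes.
FINDINGS = [
    Finding("RECEPTION-PC1", "Symantec Antivirus Detection (Corporate Edition)", 10.0),
    Finding("OCT-SCANNER", "Microsoft Windows XP Unsupported Installation Detection", 10.0),
    Finding("OCT-SCANNER", "Microsoft .NET Framework Unsupported", 10.0),
    Finding("EHR-SRV01", "Microsoft .NET Framework Unsupported", 10.0),
    Finding("FIREWALL", "Outdated firmware", 7.5),
    Finding("EXAM-PC3", "Adobe Flash Player Unsupported", 8.8),
    Finding("EXAM-PC3", "SMB signing not required", 5.3),
    Finding("WAP-02", "Banner discloses version", 2.6),
]

# Documented policy exceptions, keyed by (device, finding title).  The page's
# cases: an XP-only diagnostic device taken off the LAN, and a .NET version
# the EHR vendor requires.  An excepted finding is re-categorised to Low,
# but its original severity stays on the report (constructed reasons).
EXCEPTIONS = {
    ("OCT-SCANNER", "Microsoft Windows XP Unsupported Installation Detection"):
        "Diagnostic device, vendor software is XP-only; isolated from LAN",
    ("EHR-SRV01", "Microsoft .NET Framework Unsupported"):
        "Required by EHR vendor; remediation in progress",
}


def assess(findings, exceptions):
    """Return (counts per effective severity, findings in remediation order)."""
    rank = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
    rows = []
    for f in findings:
        original = severity(f.cvss)
        reason = exceptions.get((f.device, f.title))
        rows.append({
            "device": f.device, "title": f.title, "cvss": f.cvss,
            "original": original,
            "effective": "Low" if reason else original,
            "exception": reason,
        })
    # Highest effective severity first, then highest score, then device name.
    rows.sort(key=lambda r: (rank[r["effective"]], -r["cvss"], r["device"]))
    return Counter(r["effective"] for r in rows), rows


# Compliance checks: per test, the result for each device that should have
# been tested.  "unreachable" models a device that could not be accessed
# (the page's powered-down access point).  Constructed sample data.
COMPLIANCE = {
    "Firewall firmware current": {"FIREWALL": "fail"},
    "Password complexity enforced": {"EHR-SRV01": "pass", "RECEPTION-PC1": "pass"},
    "Logon events audited": {"EHR-SRV01": "pass", "WAP-02": "unreachable"},
}


def compliance_status(results: dict) -> str:
    """Roll per-device results up into the report's PASSED/FAILED/WARNING.
    PASSED: every device passed.  FAILED: any device failed.  WARNING: a
    device could not be accessed.  Assumption (the page does not say): a
    failure outranks a warning, since it is the more actionable result."""
    if not results:
        raise ValueError("no devices recorded for this check")
    unknown = set(results.values()) - {"pass", "fail", "unreachable"}
    if unknown:
        raise ValueError(f"unknown result value(s): {sorted(unknown)}")
    if "fail" in results.values():
        return "FAILED"
    if "unreachable" in results.values():
        return "WARNING"
    return "PASSED"


def compliance_summary(checks: dict) -> dict:
    return {name: compliance_status(res) for name, res in checks.items()}


if __name__ == "__main__":
    counts, rows = assess(FINDINGS, EXCEPTIONS)
    print("Vulnerabilities by severity:", dict(counts))
    for r in rows:
        note = f"  (exception: {r['exception']})" if r["exception"] else ""
        print(f"{r['effective']:<8} {r['cvss']:>4}  {r['device']:<14} {r['title']}{note}")
    print("Compliance checks:")
    for name, status in compliance_summary(COMPLIANCE).items():
        print(f"  {status:<8} {name}")
```

Keeping both the original and the effective severity on each row is deliberate: an auditor reading the report can see that the “Low” rating on an XP device is a documented exception rather than a scanner result, and the exception text points at the policy entry that justifies it.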
Conclusion
As you can see, performing periodic vulnerability and compliance scans will help protect your business and mission-critical data. Safeguarding your business data is more important than ever with the constant threat of new malware, viruses, and ransomware flooding the internet.
About Innovative Computer Systems
Innovative Computer Systems is a Managed Services Provider specializing in Healthcare Information Technology (HIT) and Corporate Business Technology. We work closely with our clients to understand their daily workflow requirements. Some of our clients include leaders in Ophthalmology, Facility Maintenance, Pediatrics, Law, Urology, Dermatology, Commercial Real Estate, Internal Medicine and Ambulatory Surgery.