As breaches continue to occur in healthcare IT, protecting against them has become a top priority. A vulnerability analysis is a proven method for identifying weaknesses on your network, both at the perimeter and in the interior. Performed regularly, it helps prevent data breaches, supports compliance, and can improve network efficiency by surfacing misconfigured or obsolete systems. The HIPAA Security Rule requires a periodic technical and non-technical evaluation, and leaves it to the covered entity or business associate to determine the type of evaluation that is appropriate.
A technical vulnerability analysis is one widely used form of evaluation, and many security frameworks explicitly call for one; for example, PCI DSS requires internal and external vulnerability scans at least quarterly and after any significant change. Eagle is a Qualys partner and uses the QualysGuard Cloud Platform for this analysis.
The process begins with a review of your network diagram to understand your network configuration and major applications. Depending on the scope of the evaluation, one or more scans are performed. External scans evaluate every internet-facing IP address for vulnerabilities, showing what an outside attacker can reach. A scanning appliance is then attached inside the network to scan some or all assets; depending on network topology, multiple scanners may be deployed. Internal scans can be run in unauthenticated mode, which sees only what an unauthenticated user on the network sees (open ports, service banners, exposed shares). For a more comprehensive and accurate result, the scanner is given logon credentials so it can examine each device, or a representative sample of devices, from the inside: installed software, patch level and configuration settings, with far fewer false positives.
The QualysGuard Vulnerability Management tool we use contains a database of over 20,000 vulnerability checks, with new checks added daily. Findings may include insecure configurations, unpatched software, end-of-life software that no longer receives vendor patches, default passwords, inappropriate placement of firewalls, and missing encryption.
Healthcare IT Vulnerability Solution Deliverables:
Eagle Consulting Partners analyzes the results and provides:
- A thorough written report on the vulnerabilities found
- Prioritized recommendations for risk remediation
- Reports for both executive management and the technical staff who require details for remediation
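A worked illustration of the prioritization step, added here as an example (it is not Eagle's or Qualys's code): each scanner finding is weighted by whether the host is internet-facing and whether it holds PHI, and the result is rendered as the two views listed above, a per-tier count for management and an ordered action list for technical staff. The host names, the weighting factors, the tier thresholds and the findings themselves are constructed assumptions for the illustration.

```python
"""Prioritizing scan findings for remediation.

Added example; not Eagle Consulting's or Qualys's own code. The rows
imitate the columns of a typical scanner export (host, finding title,
scanner severity, CVSS base score, whether a vendor fix exists) plus two
asset attributes gathered during the network-diagram review: whether the
host is internet-facing and whether it stores or processes PHI. The
weighting factors and tier thresholds are assumptions chosen for this
illustration, and every row is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: int          # scanner severity, 1 (low) .. 5 (urgent)
    cvss: float            # CVSS base score, 0.0 .. 10.0
    patch_available: bool  # vendor patch exists (False for end-of-life software)
    external: bool         # reachable from the internet (perimeter asset)
    phi: bool              # stores or processes patient data


def risk_score(f: Finding) -> float:
    """Weight technical severity by business exposure.

    Assumed weighting (not from the page): internet exposure and PHI each
    multiply the CVSS base score by 1.5, so a medium-severity flaw on an
    internet-facing PHI system outranks a high-severity flaw on an isolated
    workstation. The maximum possible score is 10 * 1.5 * 1.5 = 22.5.
    """
    score = f.cvss
    if f.external:
        score *= 1.5
    if f.phi:
        score *= 1.5
    return round(score, 2)


def tier(score: float) -> str:
    """Map a weighted score onto four report tiers (assumed thresholds)."""
    if score >= 14.0:
        return "Critical"
    if score >= 9.0:
        return "High"
    if score >= 5.0:
        return "Medium"
    return "Low"


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Highest weighted score first; among equal scores, patchable items
    first (a patch is a quick win), then by host name for a stable order."""
    return sorted(findings,
                  key=lambda f: (-risk_score(f), 0 if f.patch_available else 1, f.host))


def executive_summary(findings: Iterable[Finding]) -> Dict[str, int]:
    """Counts per tier: the view management needs."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for f in findings:
        counts[tier(risk_score(f))] += 1
    return counts


def technical_report(findings: Iterable[Finding]) -> List[str]:
    """One line per finding, in remediation order, with the recommended action."""
    lines = []
    for f in prioritize(findings):
        s = risk_score(f)
        action = "apply vendor patch" if f.patch_available else "no patch: isolate, mitigate or replace"
        lines.append(f"{tier(s):<8} {s:5.2f}  sev{f.severity}  {f.host:<16} {f.title}  [{action}]")
    return lines


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("mail.example.org", "Mail server running unpatched OpenSSL", 4, 7.5, True, True, False),
    Finding("ehr-db01", "Database accepts default administrative password", 5, 9.8, True, False, True),
    Finding("ehr-app01", "Patient portal backend does not enforce TLS", 3, 6.0, True, True, True),
    Finding("lab-pc07", "End-of-life operating system, no vendor patches", 5, 9.0, False, False, False),
    Finding("print-srv", "SNMP responds to default 'public' community string", 2, 5.3, True, False, False),
]

if __name__ == "__main__":
    print("Executive summary:", executive_summary(SAMPLE_FINDINGS))
    print("\n".join(technical_report(SAMPLE_FINDINGS)))
```

Note how the weighting changes the order: the CVSS 6.0 TLS finding on the internet-facing portal that handles PHI lands above the CVSS 7.5 OpenSSL finding on the mail relay, and the end-of-life lab PC, which the scanner alone rates as urgent, drops to the bottom of the High tier because it is isolated and holds no PHI. In a real engagement the exposure attributes come from the network-diagram review, not from the scanner.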
Because networks change constantly, and because new software vulnerabilities and patches are released daily, Eagle also offers an ongoing vulnerability management program with scans on an annual, quarterly, monthly or continuous basis. Customized reporting can be created for different audiences.
[Chart: Number of HIPAA compliance cases with corrective action from HHS (source: HHS.gov)]
Experienced Eagle Analysis & Solutions:
1) Identify all computer hardware, software and patient data (PHI). This involves documenting where patient data is located, in what form, and how much of it there is.
2) Evaluate the technical security capabilities in place, such as passwords, encryption, firewalls and audit logging, usually based on interviews with computer support personnel. For larger practices and networks, a vulnerability scan is performed to verify what the interviews report.
3) Review the administrative processes in place, such as employee background checks, employee termination procedures and employee discipline.
4) Prepare the risk analysis report, which includes commentary on all 42 HIPAA Security Rule implementation specifications, a risk level for each based on the security measures in place, and prioritized recommendations for corrective action.