Vulnerability assessments, also known as security audits, are the process of identifying and quantifying vulnerabilities in your application or network using automated scanning and testing tools. Vulnerability assessments are initially undertaken as part of your risk assessment, and they are often conducted prior to a penetration test. A vulnerability assessment can help you determine your current security posture at a high level. It will not, however, validate whether a potential risk is actually exploitable; that is what a penetration test does. It’s a great first step toward determining what you need to do to improve your security posture.
A thorough risk assessment/analysis (45 CFR §164.308(a)(1)(ii)(A)) for the Security Rule includes a comprehensive assessment of the internal and external networks, whether wired, wireless, or cloud-hosted. In addition, the report must include a technical vulnerability assessment of all IT assets, all electronic protected health information (ePHI), the physical and environmental controls, and the operational policies and procedures of the underlying IT infrastructure.
The following items are considered ePHI under HIPAA:
- Geographic information
- Dates (birth dates, service dates, etc.)
- Telephone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers & serial numbers, including license plates
- Device identifiers & serial numbers
- Web URLs
- IP addresses
- Biometric identifiers (palm scans, fingerprints, retina, etc.)
- Full face photos & medical images
- Any unique ID number
Our technical vulnerability assessments evaluate whether sensitive information may be disclosed to unauthorized parties. All of the above are considered sensitive to a HIPAA covered entity, and leakage of any data in the above list can have detrimental consequences for the covered entity. HIPAA violations can carry significant financial penalties. An information disclosure issue that would normally be rated Low Risk is a High Risk issue for a HIPAA covered entity.
The PCI compliance checklist for merchants and other businesses that handle payment card data consists of 12 requirements mandated by the PCI DSS:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Our technical vulnerability assessments address the following areas:
- External – an examination of the public infrastructure from the outside to identify vulnerabilities. The external assessment typically consists of scanning firewalls, routers and any other devices protecting the public network.
- Internal – a thorough review of your critical servers in the office and data center, as well as workstations; this typically requires someone onsite for a few business days.
- Firewall – an examination of the rulesets, blocklists and whitelists associated with traffic through your firewall.
- Wireless – a check of access points and other wireless devices, together with an analysis of the encryption and authentication capabilities implemented for wireless transmission.
The results of a technical vulnerability assessment are then analyzed to establish the risks to your vital assets and sensitive information such as ePHI. This provides the foundation for further testing and verification through a full penetration test. The results of a vulnerability assessment are often used as the first phase of a plan that lets the organization prioritize its security risks and make appropriate mitigation decisions to maintain PCI and/or HIPAA compliance.
Our vulnerability assessment packages are similar to our penetration testing packages. Pricing is based on the hours needed to complete the task; the larger the network or application, the more hours it requires. For more details or a free consultation on getting a vulnerability assessment, please contact us.