Vulnerability assessment is a vital part of ensuring networks comply with HIPAA, says Gerhard Eschelbeck

Regular network audits are at the heart of new security requirements by HIPAA. The Department of Health and Human Services says all entities subject to HIPAA "must assess potential risks and vulnerabilities to the individual health care data in its possession and develop, implement, and maintain appropriate security measures. These measures must be documented and kept current...."

In this environment, continuous auditing and managing of vulnerabilities within corporate networks to prevent exploitation by hackers, viruses or worms isn't just important, it's mandated. As a result, vulnerability assessment is becoming a critical element in HIPAA compliance.

Where other security measures traditionally detect attacks during or after their occurrence, vulnerability assessment proactively protects data by identifying and resolving security exposures before they can be exploited.

Compliance with specific security rules

Ensuring regular security audits through the use of vulnerability assessment is a practical requirement for HIPAA security. It streamlines a variety of complex testing procedures such as identifying devices, finding vulnerabilities and assisting in the repair process. And it also quickly meets most of the key administrative procedures within HIPAA's security regulations.

Security testing includes hands-on functional testing, penetration testing and verification. Today's vulnerability assessment solutions give organizations the ability not only to systematically scan their networks for vulnerabilities and report on their weaknesses, but also provide verified fixes.

Security configuration management includes hardware and software installation and maintenance review and testing for security features. Running vulnerability assessment scans before and after installation and maintenance of PCs, routers, etc. ensures proper security settings on infrastructure such as firewalls and intrusion detection.

Inventory management is the formal documented identification of hardware and software assets throughout your network. Network discovery, an integral part of vulnerability assessment, enables organizations to identify systems and provide a documented map of all systems on the network.

Certification involves a technical evaluation performed as part of and in support of the accreditation process that establishes the extent to which a particular computer system or network design and implementation meets a pre-specified set of security requirements. Regular vulnerability audits test network security policies and identify fixes to meet HIPAA compliance.

A contingency plan is an entity's formal assessment of the sensitivity, vulnerabilities, and security of its programs and information it receives, manipulates, stores and/or transmits in the course of health care business practice. Vulnerability assessment solutions provide full documentation of all network security testing.

Security management process is the creation, administration and oversight of policies to ensure the prevention, detection, containment and correction of security breaches. Data and insight gleaned from vulnerability audits enables optimum risk analysis and management policies.

Personnel security assures supervision of maintenance personnel by an authorized, knowledgeable person. With systematic security audits and reports, all supervisory levels can clearly understand network security status, system access integrity and repair paths.

The education requirement is to inform managers about vulnerabilities to the health information in an entity's possession and how to protect it. This requirement also includes awareness training for all personnel about security issues. Security data revealed by vulnerability audits and reports cut out the guesswork in teaching staff and management about the real-world protection of their network.

Some other considerations

In addition to meeting HIPAA security requirements, vulnerability assessment provides an effective means to better network security. Many security breaches result from weaker network perimeters due to multiple new entry points such as wireless and virtual private networks. Auditing the network for security vulnerabilities quickly identifies the weaknesses and also helps counterbalance the rising complexity of managing numerous security patches and configuration updates.

A systematic approach to network security audits will enable organizations to meet new HIPAA security regulations and provide a stronger digital defense for individual health care data stored online. n

Gerhard Eschelbeck is CTO and vice president of engineering for Qualys, Inc. (www.qualys.com)


Vulnerability assessment and HIPAA

Vulnerability assessment is the systematic auditing of networks for security weaknesses. It can be deployed as a traditional software-based solution or as an automated web-based service. Key elements include:

  • Identify network topology and points of entry
  • Identify services, operating systems, applications
  • Identify and prioritize critical vulnerabilities
  • Remedy vulnerabilities and verify fixes