Technical Vulnerability Assessment
The HIPAA Security Rule’s Risk Analysis implementation specification requires that organizations conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (EPHI). This is the #1 implementation specification in the HIPAA Security Rule and indeed is a critical activity that identifies gaps – both compliance gaps and security gaps – that need to be reviewed closely and addressed.
A technical vulnerability assessment is a key component of a comprehensive risk analysis exercise. Vulnerability assessments typically address the following areas:
- External Assessment
- Internal Assessment
- Firewall Assessment
- Wireless Assessment
The external assessment is an examination of the Internet-facing infrastructure from the outside to identify vulnerabilities. It typically consists of attempting to access or bypass the external firewalls, routers and other perimeter (DMZ) devices protecting the network. The internal assessment involves a thorough review of your critical servers, whether in the data center or elsewhere, and of end-user systems.
Firewall assessment involves a close review of the architecture, rulebase configuration, and current operating system or patch release levels. Finally, the wireless assessment identifies vulnerabilities with access points and other wireless devices, as well as an analysis of encryption and authentication capabilities implemented for wireless transmission.
The results of a technical vulnerability assessment are then analyzed to clearly establish the risks to vital assets and sensitive information. This analysis provides the foundation of a corrective action plan (remediation) that the organization can use to prioritize its security activities.
When did your organization last conduct a comprehensive and thorough technical vulnerability assessment?
Contact John Schelewitz at ecfirst at +1.480.663.3225 or at John.Schelewitz@ecfirst.com to discuss compliance with State regulations as well as the HITECH Act and HIPAA. Talk to ecfirst about their exclusive Managed Compliance Services Program (MCSP) to address HITECH, HIPAA and State mandates.
Webcast: Applying ISO 27000 To Address HIPAA, HITECH & State Mandates, July 9
Organizations are increasingly considering applying the ISO 27000 international security standards to comply with various U.S. federal regulations, such as HIPAA and the HITECH Act, as well as state requirements such as those of California or Massachusetts. To learn more about this global information security standard, including ISO 27001 and ISO 27002, join cyber security and compliance expert Ali Pabrai for a first-of-its-kind 60-minute webcast, Applying ISO 27000 to Address HIPAA, HITECH & State Mandates, on July 9. To register, please visit www.ecfirst.com.