HIPAA Compliance and Vulnerability Scans
By Jodie Cannon, BS
This article provides useful tips for HIPAA security officers. As a HIPAA security officer, you can divide your list of tasks into two categories: “ad-hoc” tasks and maintenance tasks. Examples of dealing with “ad-hoc” tasks include remediating gaps
identified on a Risk Assessment and dealing with a security incident. There are also maintenance tasks that must be performed on a regular basis. One example is tracking Employee Training. Another maintenance task example is a vulnerability scan.
What is a Vulnerability Scan?
Vulnerabilities are flaws in software that can be exploited by hackers to gain access to your network or sensitive data including protected health information (PHI). Vulnerabilities can be in computer operating systems such as Microsoft Windows XP, 7, 8, 10 or Windows Server. They can be in commonly used software such as Microsoft Office, Adobe Acrobat, Google Chrome or any other software that may be installed on your servers, desktops, laptops and mobile devices.
Vulnerabilities can also exist on hardware devices including network firewalls, switches, routers, printers, or any other device that is on the network. Software and hardware vendors constantly release security patches that will remediate or eliminate vulnerabilities found in their products. Identifying vulnerabilities or flaws in a network gives you the opportunity to apply patches to the network that will eliminate security weaknesses. Your IT department or IT support vendor will use a vulnerability scan as a guide that explains which systems and software need to be patched or upgraded.
A vulnerability can also be an incorrectly applied setting that unintentionally allows access to software or a network. As an example, RDP (Remote Desktop Protocol) could be unknowingly enabled which would allow hackers to gain access to your network. We have seen several security incidents related to this issue. So, in other words, a vulnerability scan and its associated remediation go a long way to keep hackers out of your network and can significantly increase the security of sensitive data and PHI. Many HIPAA data breaches have occurred when hackers exploited unpatched systems. For example, Anchorage Community Mental Health Services paid a fine and entered into a settlement agreement with HHS/OCR because it did not patch its computers. You can read more about this here. All organizations, whether in healthcare or not, should perform vulnerability scans, especially in this day of increased cybersecurity risk.
What is the relationship between a Vulnerability Scan and the HIPAA Security Rule?
As part of the HIPAA Security Rule, HHS/OCR states that “organizations must identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI.” Also, “Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of ePHI.” Here is yet another example of where compliance with the HIPAA Security Rule is consistent with what your organization should already be doing to reduce cybersecurity risk.
Who can perform a Vulnerability Scan?
Your IT vendor should be able to take care of this for you if they have not done so already. If this service is not available, please contact our office and we can make appropriate recommendations.
How often should we receive a Vulnerability Scan?
Vulnerability scans are performed at least annually, but in some situations more frequently. Work with your IT vendor to determine which frequency is best for you.
What is the difference between a Vulnerability Scan and a Penetration Test?
As indicated above, a Vulnerability Scan helps discover which vulnerabilities are present in your network and in your software. A Penetration Test attempts to actively exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible. Both are useful IT security tools.
Stay up to date and in compliance with HIPAA. Contact Modern Practice Solutions, LLC today by calling us at (931) 232-7738.