As a Manager, you can divide your list of tasks into two categories: "ad-hoc" tasks and maintenance tasks. Examples of dealing with “ad-hoc” tasks include remediating gaps identified on a Risk Assessment and dealing with a security incident. There are also maintenance tasks that must be performed regularly. One example is tracking Employee Training. Another is a vulnerability scan.
What is a Vulnerability Scan?
Vulnerabilities are flaws in software that can be exploited by hackers to gain access to your network or sensitive data including protected health information (PHI). Vulnerabilities can be in computer operating systems such as Microsoft Windows XP, 7, 8, 10 or Windows Server. They can be in commonly used software such as Microsoft Office, Adobe Acrobat, Google Chrome or any other software that may be installed on your servers, desktops, laptops and mobile devices. Vulnerabilities can also exist on hardware devices including network firewalls, switches, routers, printers, or any other device that is on the network.
Software and hardware vendors constantly release security patches that will remediate or eliminate vulnerabilities found in their products. Identifying vulnerabilities or flaws in a network gives you the opportunity to apply patches to the network that will eliminate security weaknesses. Your IT department or IT support vendor will use a vulnerability scan as a guide that explains which systems and software need to be patched or upgraded.
A vulnerability can also be an incorrectly applied setting that unintentionally allows access to software or a network. As an example, RDP (Remote Desktop Protocol) could be unknowingly enabled which would allow hackers to gain access to your network. We have seen several security incidents related to this issue.
So, in other words, a vulnerability scan and its associated remediation go a long way to keep hackers out of your network and can significantly increase the security of sensitive data and PHI. Many HIPAA data breaches have occurred when hackers exploited unpatched systems. For example, Anchorage Community Mental Health Services paid a fine and entered into a settlement agreement with HHS\/OCR because it did not patch its computers. You can read more about this here. All organizations, whether in healthcare or not, should perform vulnerability scans, especially in this day of increased cybersecurity risk.
What is the relationship between a Vulnerability Scan and the HIPAA Security Rule?
As part of the HIPAA Security Rule, HHS\/OCR states that “organizations must identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI.” Also, “Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of ePHI.” Here is yet another example of where compliance with the HIPAA Security Rule is consistent with what your organization should already be doing to reduce cybersecurity risk.
Who can perform a Vulnerability Scan?
Your IT vendor or your internal IT department should be able to take care of this for you, if they have not done so already.
How often should we receive a Vulnerability Scan?
At least annually, but in some situations more frequently. Work with your IT vendor/department to see which frequency is best for you.
What is the difference between a Vulnerability Scan and a Penetration Test?
As indicated above, a Vulnerability Scan helps discover which vulnerabilities are present in your network and in your software. A Penetration Test attempts to actively exploit the vulnerabilities in a system to determine whether unauthorized access or other malicious activity is possible. Both are useful IT security tools.
*Reminder*: It's never too early to complete your Annual HIPAA Risk Assessment! Completing now/earlier ensures that more time can be devoted to your remediation plan and you'll avoid missing the end of year deadline. Reach out to us at firstname.lastname@example.org if you have any questions on getting your Risk Assessment completed for this year.