By Gil Vidals, HIPAA Blog

Malicious actors want your data, and will actively scan networks in order to discover vulnerabilities.

Once they know your network’s weaknesses, they attempt to penetrate the network and gain unauthorized access in order to abuse the system in some way. Abuse may include stealing your data or using the compromised system as part of their botnet.

HIPAA regulations do not explicitly require vulnerability assessment scans (VAS); however, information security best practices dictate that networks containing sensitive information, including electronic health records (EHR), be scanned on a regular basis.

Scanning is therefore a proactive measure that exposes any vulnerabilities and scores them in terms of criticality. Some vulnerabilities are considered to be highly critical while others are only mild in nature.

Before delving into the topic too deeply, let’s define what is meant by a network scan. Scanning is the process of searching a network for open ports, which are in turn queried to discover what services are running on them. In case this concept seems vague, here is an analogy that everyone will understand:

If you want your home protected, you’ll install a burglar alarm and shut all your windows and doors before setting the alarm each day before leaving for work. A more paranoid person may walk around their home and examine the windows and doors from the inside and outside and, perhaps, even test each doorknob to see if they can get in.

Now imagine that during the walk-around of the house, they found out that simply twisting a locked doorknob forcefully allowed them to gain access through the garage door! Obviously, this wouldn’t be good. Installing a new door lock would definitely be in order.

A network, much like a house, requires close examination to see if there are any weaknesses that might be exploited by a malicious user. Just like our paranoid homeowner that walks around the house inspecting it for possible ways to get in, a security expert will “walk around the network” by using a networking security tool or scanner that traverses the various systems (computers) on the network and tests them for holes.

The network scanner also searches for IP addresses. Each IP address is simply the address for a network device. Once a network device is discovered, the next step is to see what ports are available. Think of ports like windows in your home. Each window, or port, is examined to see what is on the other side.

Continuing our analogy, the homeowner could make a list that shows there is an old, rusted lock on the master bedroom and a garage doorknob that needs to be replaced. In the same way, the network scanner makes a list of what the port may lead to. Some ports may lead to email services, others to web services, database services, etc.

Once the malicious user has a list of network devices along with their respective ports, he can begin to attempt to penetrate the system. A network scan performed by a malicious user or an information security expert is thus the same for all intents and purposes. The difference is that a hacker will exploit the system to his benefit, while a security expert will proceed to patch the holes in the system to tighten security.

Be sure to check if your HIPAA-compliant web host does a regular scan. The scans come in two “flavors”: an exterior scan and an interior scan. Again, to use our homeowner analogy, the exterior scan would be checking everything from outside the house such as the doors and windows.

In contrast, an interior inspection would require checking windows and doors from the inside. (Imagine finding that there is a latch on the inside of the house with a screw that is loose and almost ready to fall out. One would immediately grab a screwdriver and tighten the screw to prevent the latch from falling off.) Similarly, a network scanner should be run from inside each network device, because the vulnerabilities discovered from within are usually different from those discovered from the outside.

Is your HIPAA-compliant hosting provider scanning on a regular basis? Are they running the scan from the outside and from the inside of the network? Ask them for a report generated from their last scan. Was the scan last performed within the past 30 days? Was the scan an inside scan or an outside scan? These are good questions to ask in order to ensure your systems are being scanned thoroughly and regularly.
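The questions above can be turned into a simple check over a provider's scan history. The following is an added example, not code from the original post or from HIPAA Vault: it takes a constructed list of scan records (hosts, dates and findings are made up), and for each host reports whether an exterior and an interior scan both exist and are no older than 30 days, and lists any high or critical findings that still need patching.

```python
from datetime import date, timedelta

# Constructed sample scan history; hosts, dates and findings are invented.
SAMPLE_SCANS = [
    {"host": "10.0.0.5", "type": "external", "date": "2024-05-01",
     "findings": [{"port": 443, "severity": "low"}]},
    {"host": "10.0.0.5", "type": "internal", "date": "2024-03-20",
     "findings": [{"port": 3306, "severity": "critical"}]},
    {"host": "10.0.0.6", "type": "external", "date": "2024-05-03",
     "findings": []},
]

MAX_AGE = timedelta(days=30)          # the "within the past 30 days" question
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
SCAN_TYPES = ("external", "internal")  # exterior and interior scans


def scan_gaps(scans, today, max_age=MAX_AGE):
    """Return {host: [problem, ...]}; an empty list means the host passes."""
    # Keep only the most recent scan of each type per host.
    latest = {}
    for s in scans:
        key = (s["host"], s["type"])
        scanned = date.fromisoformat(s["date"])
        if key not in latest or scanned > latest[key][0]:
            latest[key] = (scanned, s["findings"])

    report = {}
    for host in sorted({h for h, _ in latest}):
        problems = []
        for kind in SCAN_TYPES:
            entry = latest.get((host, kind))
            if entry is None:
                problems.append(f"no {kind} scan on record")
                continue
            scanned, findings = entry
            age = today - scanned
            if age > max_age:
                problems.append(f"{kind} scan is {age.days} days old")
            # Surface findings scored high or above; low ones are informational.
            for f in findings:
                if SEVERITY_RANK.get(f["severity"], 0) >= SEVERITY_RANK["high"]:
                    problems.append(
                        f"{f['severity']} finding on port {f['port']} ({kind})")
        report[host] = problems
    return report


if __name__ == "__main__":
    for host, problems in scan_gaps(SAMPLE_SCANS, date(2024, 5, 10)).items():
        print(host, "OK" if not problems else "; ".join(problems))
```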

If you would like HIPAA Vault to perform a free vulnerability scan on your website, please fill out this form.