Vulnerability Scans Should be Required for HIPAA Hosting

By HIPAA Vault

Malicious users scan networks in order to discover vulnerabilities. Once they know a network’s weaknesses, they attempt to penetrate it and gain unauthorized access in order to abuse the system in some way. The abuse is typically stealing data or enlisting the compromised system in a botnet.

HIPAA regulations do not explicitly require vulnerability assessment scans (VAS); however, information security best practices dictate that networks containing sensitive information, including electronic health records (EHR), be scanned on a regular basis. Scanning is a proactive measure that exposes vulnerabilities and scores them in terms of criticality. Some vulnerabilities are considered highly critical while others are only mild in nature.

Before delving into the topic too deeply, let’s define what is meant by a network scan. Scanning the network is the process of searching for networks and their ports. The ports are in turn queried to discover what services are running on them. This is, obviously, a technical process, and before I completely lose the non-techies, let me use an analogy that everyone will understand.

If you want your home protected, you would install a burglar alarm and you would also shut all your windows and doors before setting the alarm each day and leaving for work. A more paranoid person may walk around their home from time-to-time and examine the windows and doors from the inside and outside and, perhaps, even test each door knob by twisting it to see if they can get in. Imagine if during the walk-around the house, they found out that simply twisting the locked door knob forcefully allowed them to gain access through the garage door! This wouldn’t be good. Installing a better or new door lock would be in order!

A network, much like a house, requires close examination to see if there are any weaknesses that might be exploited by a malicious user. Just like our paranoid homeowner who walks around the house inspecting it for possible ways in, a security expert walks around the network using a network security tool, or scanner, that traverses the various systems (computers) on the network and tests them for holes.

The network scanner searches for IP addresses. Each IP address is simply the address of a network device. Once a network device is discovered, the next step is to see what ports are available. Think of ports like windows in your home. Each window, or port, is examined to see what is on the other side. Continuing our analogy, the homeowner could make a list showing that there is an old rusted lock on the master bedroom window and a garage door knob that needs to be replaced. In the same way, the network scanner makes a list of what each port may lead to. Some ports may lead to an email service, other ports lead to web services, and yet others to database services, etc.

Once the malicious user has a list of network devices and their respective ports, he can begin to attempt to penetrate the system. A network scan performed by a malicious user or by an information security expert is the same for all intents and purposes. The difference is that a hacker will exploit the system to his benefit, while a security expert will patch the holes in the system to tighten security.

Check to ensure that your HIPAA compliant web host does a regular scan. The scans come in two flavors. One is an exterior scan and the second is an interior scan. Again using our homeowner analogy, the exterior scan would be checking everything from outside the house such as the doors and windows. An interior inspection would require checking windows and doors from the inside. Imagine finding that there is a latch on the inside of the house with a screw that is loose and almost ready to fall out. One would immediately grab a screwdriver and tighten the screw to prevent the latch from falling off.

The network scanner, in the same way, can be run from inside each network device. The vulnerabilities discovered from within are usually different than those discovered from the outside. Is your HIPAA compliant hosting provider scanning on a regular basis? Are they running the scan from the outside and from the inside of the network? Ask them for a report generated from their last scan. Was the scan last performed within the past 30 days? Was the scan an inside scan or outside scan? These are good questions to ask in order to ensure your systems are being scanned thoroughly and regularly.
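To make the questions above concrete, here is an added Python example (not HIPAA Vault’s own code) that reviews a set of constructed scan records against that checklist: was the latest scan within 30 days, were both an outside (external) and an inside (internal) scan run, and how many findings remain at each criticality level. The record layout, the scope names and the severity labels are assumptions for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample data: scan records as a hosting provider might report them.
# The field names, scope names and severity labels are assumptions for this example.
@dataclass
class ScanReport:
    performed_on: date
    scope: str                                    # "external" (from outside) or "internal" (from inside)
    findings: dict = field(default_factory=dict)  # severity label -> number of open findings

MAX_SCAN_AGE = timedelta(days=30)   # the "within the past 30 days" question from the article

def review_scan_reports(reports, today):
    """Answer the checklist: recent external scan? recent internal scan? what is still open?"""
    result = {"recent_external": False, "recent_internal": False, "issues": [], "open_by_severity": {}}
    cutoff = today - MAX_SCAN_AGE
    latest = {}                                   # scope -> most recent report for that scope
    for r in reports:
        if r.scope not in ("external", "internal"):
            result["issues"].append(f"unknown scope {r.scope!r}")
            continue
        if r.scope not in latest or r.performed_on > latest[r.scope].performed_on:
            latest[r.scope] = r
    for scope in ("external", "internal"):
        r = latest.get(scope)
        if r is None:
            result["issues"].append(f"no {scope} scan on record")
            continue
        if r.performed_on >= cutoff:
            result[f"recent_{scope}"] = True
        else:
            age = (today - r.performed_on).days
            result["issues"].append(f"latest {scope} scan is {age} days old")
        # Only the most recent scan of each scope counts toward open findings.
        for severity, count in r.findings.items():
            result["open_by_severity"][severity] = result["open_by_severity"].get(severity, 0) + count
    if result["open_by_severity"].get("critical", 0):
        result["issues"].append(f"{result['open_by_severity']['critical']} critical finding(s) unresolved")
    return result

# Constructed sample: a fresh external scan, but the internal scan is stale and still has criticals.
SAMPLE_REPORTS = [
    ScanReport(date(2024, 5, 2), "external", {"critical": 0, "high": 1, "medium": 3}),
    ScanReport(date(2024, 3, 10), "internal", {"critical": 2, "high": 4, "medium": 7}),
]
DEMO_TODAY = date(2024, 5, 20)   # constructed "today" so the example is reproducible

if __name__ == "__main__":
    print(review_scan_reports(SAMPLE_REPORTS, DEMO_TODAY))
```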

If you would like HIPAA Vault to perform a free vulnerability scan on your website, please fill out this form.
