Are you worried about the safety of your data and the potential security risks to your organization? In this episode, we talk with Jen Stone of SecurityMetrics to explore the importance of performing technical and nontechnical evaluations of your security program. Jen helps to explain the benefits of thorough evaluations and how they can safeguard your organization against potential vulnerabilities.
In this episode:
The Value in Evaluation – Ep 420
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
The Value in Evaluation
[01:07] Jen Stone joins David today to discuss the value in evaluating your security program. Jen is a Principal Security Analyst with SecurityMetrics. She evaluates an organization's systems, looks at reports, talks to people and reviews current processes. Then she provides a report that gives a baseline of how the organization is doing and where improvements can be made. Jen typically evaluates an organization's security program in the healthcare environment for HIPAA, or evaluates a company's PCI security. And like us, Jen hosts a long-running podcast for SecurityMetrics where she talks with security professionals about current data security and compliance trends and offers tips and security best practices.
Evaluation is a term we see in the administrative safeguards of the HIPAA Security Rule. These safeguards have nine standards, which are really just topics:
- Security management process
- Assigned security responsibility
- Workforce security
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency plan
- Evaluation
- Business associate contracts and other arrangements
It's important to understand that IT teams and MSPs often look only at the technical safeguards under HIPAA and treat those as "the security requirements." Technical safeguards are just one of the three safeguard categories in the Security Rule. The administrative safeguards and physical safeguards still have to be accounted for in your security program.
Periodic Evaluation
[10:44] The evaluation standard in the HIPAA Security Rule starts off by requiring a "periodic" technical and nontechnical evaluation. So, what does periodic mean? "Periodic" can mean different things to every organization, but it should be based on risk. If your risk of a cyber attack is high, you will want to evaluate your program, or specific safeguards, more often, or even continuously.
It's like saying that you go to the dentist periodically versus taking a shower periodically. You are using the same word, but in the context of the dentist it might mean once or twice a year, while in the context of a shower it would likely mean once a day, or maybe even twice a day. You wouldn't go to the dentist every day, and you certainly wouldn't take a shower only once a year.
A lot of the HIPAA requirements are like that. Look at your risk analysis and the decisions you made about the likelihood of something happening, like a ransomware or phishing attack, and the impact it would have on the organization if it did occur. Together, those determine your risk. The higher the risk, the more often you should evaluate that area. And the important thing is to document your decisions and your evaluation frequency.
Creating robust documentation the first time can be hard and time consuming. Typically it takes two years to do it. That's why you see OCR impose a two-year corrective action plan (CAP) on organizations that don't have a program in place. But once you have it, updating that documentation when systems change, the business changes, or security requirements or compliance laws change is much easier. Periodic evaluation and documentation updates are key to maintaining a healthy security program.
Technical and Nontechnical Evaluation
[18:02] Nontechnical evaluations can consist of looking at the policies and procedures. How do you do things? What is your standard flow of work, and how does it relate to what you're supposed to be doing? Are you actually following the procedures you have documented? You don't have to look at system configurations or technical system reports to do a nontechnical evaluation.
Technical evaluations include reviewing reports of penetration tests, internal and external vulnerability scans, and the security safeguards that are in place. Having reports from your IT team that tell you what vulnerabilities you have and what issues they are seeing can be really valuable in helping protect your network from cyber attacks. It's worth having a third party run these technical scans periodically just to make sure things aren't being missed by IT. It can also be very valuable to share the results of these scans not only with IT but also with the decision makers of the organization, so they can decide how to spend money or direct efforts to best protect the business.
It's important to include external vulnerability scans of the organization and to fix things as you go. The bad guys are using tools to automatically scan networks all over the internet, all of the time. You want to find your vulnerabilities before they do. Then rescan to confirm that you actually fixed the issues. What's the point of scanning if you don't fix and rescan?
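The "fix and rescan" loop above is only useful if you can show what changed between the two scans. The script below is an added example, not something from the episode or from SecurityMetrics: it takes a baseline scan export and a rescan export in a constructed CSV layout (host, port, protocol, plugin_id, severity, name; the column names, plugin IDs and findings are all made up for illustration) and reports which findings were fixed, which are still open, which are new, and which of the open ones are at or above a severity threshold and therefore need attention before the next cycle.

```python
"""Compare a baseline vulnerability scan with a rescan to verify remediation.

Added example. The CSV column layout, hosts, plugin IDs and finding names
below are constructed for illustration and are not real scanner output.
"""
import csv
import io

# Constructed baseline export (not real scan data).
BASELINE_CSV = """host,port,protocol,plugin_id,severity,name
10.0.0.5,443,tcp,10001,High,TLS 1.0 enabled
10.0.0.5,22,tcp,10002,Medium,SSH weak MAC algorithms
10.0.0.7,3389,tcp,10003,Critical,RDP exposed to internet
10.0.0.9,80,tcp,10004,Low,Server header discloses version
"""

# Constructed rescan export: two findings fixed, two unchanged, one new.
RESCAN_CSV = """host,port,protocol,plugin_id,severity,name
10.0.0.5,22,tcp,10002,Medium,SSH weak MAC algorithms
10.0.0.9,80,tcp,10004,Low,Server header discloses version
10.0.0.9,8080,tcp,10005,High,Admin console without authentication
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def parse_findings(csv_text):
    """Key each finding by (host, port, protocol, plugin_id).

    Keying on the service and the check, rather than the row order or the
    finding title, lets the same weakness match across scans even when the
    scanner reorders rows or rewords the name.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (
            row["host"].strip(),
            int(row["port"]),
            row["protocol"].strip().lower(),
            row["plugin_id"].strip(),
        )
        findings[key] = row
    return findings


def remediation_report(baseline_text, rescan_text, min_severity="High"):
    """Classify findings as fixed / still_open / new and flag the ones at or
    above min_severity that remain after the rescan."""
    base = parse_findings(baseline_text)
    rescan = parse_findings(rescan_text)

    fixed = sorted(k for k in base if k not in rescan)
    still_open = sorted(k for k in base if k in rescan)
    new = sorted(k for k in rescan if k not in base)

    threshold = SEVERITY_RANK[min_severity]
    must_fix = []
    for key in still_open + new:
        row = rescan[key]
        if SEVERITY_RANK.get(row["severity"], 0) >= threshold:
            must_fix.append((key, row["severity"], row["name"]))

    return {"fixed": fixed, "still_open": still_open, "new": new, "must_fix": must_fix}


if __name__ == "__main__":
    report = remediation_report(BASELINE_CSV, RESCAN_CSV)
    for bucket in ("fixed", "still_open", "new"):
        print(f"{bucket}: {len(report[bucket])}")
        for host, port, proto, plugin in report[bucket]:
            print(f"  {host}:{port}/{proto} plugin {plugin}")
    print("must fix before next cycle:")
    for (host, port, proto, plugin), sev, name in report["must_fix"]:
        print(f"  [{sev}] {host}:{port}/{proto} {name}")
```

The "new" bucket is the one people forget: a rescan that shows fewer total findings can still have introduced a new high-severity exposure (here, an admin console on a port that was not listening during the baseline), which is why the comparison is done per finding rather than by count.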
[31:34] Penetration testing (pen testing) is not the same as vulnerability scanning. Often vulnerability scanning is the first step in a pen test. Pen testing goes deeper to see whether a vulnerability that was found can actually be exploited: using manual pen testing tools, can I get into the network and reach the critical apps and data? These tests are often expensive, so you probably won't do them as often as vulnerability scanning. There are also a number of different kinds of pen testing, such as network pen testing, web application pen testing, social engineering pen testing, client-side pen testing, etc. Not all penetration tests are created equal. You'll want to know what you are trying to prove or disprove, and select a reputable vendor to perform the appropriate penetration tests for your environment.
Having documentation that you are doing these scans and tests periodically is crucial in proving you are doing what you can to protect your networks and data. And the historical record of scans can help you show that you have an organized, mature security process.
[44:09] If you do technical and nontechnical evaluations but don't look at the results and act on the findings to improve things, then what's the point? These technical evaluations are an important part of the broader idea of a vulnerability management program.
Another important evaluation for organizations to do is to identify the most critical apps and data in the organization, where they reside, and whether they are being backed up. Even more important is to make sure you have tested the recovery of those backups. As David likes to say, you aren't buying backup services; you are buying the ability to recover your data. Backup reports are useless. What you want to see is recovery reports.
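A "recovery report" in the sense above is the result of actually restoring a backup somewhere and checking what came back. The drill below is an added example, not the show's or anyone's production tooling: it writes a few constructed sample files, takes a tar.gz backup of them, records a SHA-256 manifest, restores the archive into a scratch directory, and then reports how many files were recovered intact, which are missing, and which are corrupted. The optional tamper argument damages one restored file so you can see that a backup which succeeded still produces a failing recovery report.

```python
"""Backup recovery drill: back up, restore, and verify every file by hash.

Added example. The sample files are constructed; the functions and
parameter names are this example's own, not from any product.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for "critical apps and data".
SAMPLE_FILES = {
    "records/patient.csv": b"id,name\n1,test\n",
    "config/app.ini": b"[db]\nhost=localhost\n",
    "notes.txt": b"constructed sample file",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source_dir, archive_path):
    """Archive source_dir and return the manifest captured at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return build_manifest(source_dir)


def restore_backup(archive_path, restore_dir):
    """Extract the archive, refusing any member that would land outside
    restore_dir (a tampered archive must not be able to overwrite other paths)."""
    restore_dir = Path(restore_dir).resolve()
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            target = (restore_dir / member.name).resolve()
            if target != restore_dir and restore_dir not in target.parents:
                raise ValueError(f"refusing to extract {member.name!r} outside restore dir")
        tar.extractall(restore_dir)


def recovery_report(manifest, restore_dir):
    """Compare what was restored against the manifest taken at backup time."""
    restored = build_manifest(restore_dir)
    return {
        "expected": len(manifest),
        "recovered": sum(1 for p, h in manifest.items() if restored.get(p) == h),
        "missing": sorted(p for p in manifest if p not in restored),
        "corrupted": sorted(p for p, h in manifest.items() if p in restored and restored[p] != h),
    }


def recovery_drill(files, tamper=None):
    """End to end: write files, back up, restore, verify. Returns the report.

    tamper: optional relative path to overwrite after restore, simulating a
    damaged restore so the report demonstrably fails instead of passing.
    """
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "source"
        for rel, data in files.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)

        archive = Path(work) / "backup.tar.gz"
        manifest = take_backup(source, archive)

        restore = Path(work) / "restore"
        restore.mkdir()
        restore_backup(archive, restore)
        if tamper:
            (restore / tamper).write_bytes(b"garbage")

        return recovery_report(manifest, restore)


if __name__ == "__main__":
    print("clean restore:", recovery_drill(SAMPLE_FILES))
    print("damaged restore:", recovery_drill(SAMPLE_FILES, tamper="records/patient.csv"))
```

The manifest is taken from the live source at backup time rather than from the archive listing, so the report answers the question that matters (did the data I had come back?) rather than the one a backup job answers (did the job finish?). In a real drill the restore target would be a separate host or cloud account, and the report, dated and signed off, is what goes in the evaluation file.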
Performing both technical and nontechnical evaluations of a security program is crucial. Technical assessments uncover vulnerabilities in systems and applications, while nontechnical evaluations focus on the human and process side of security. This dual approach gives a comprehensive picture of both weaknesses and strengths, allowing organizations to proactively address gaps in technology and in people and process alike.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it's about patient care.™
Special thanks to our sponsors Security First IT and Kardon.