Penetration Testing mailing list archives
RE: HIPPA Industry Average ranking?
From: "MacEwen, Jeffrey B." <JMacEwen () umcaz edu>
Date: Mon, 8 Nov 2010 09:25:41 -0700
Hooray! I can finally be useful to the list!

HIPAA is a strange animal. Even the Technical Safeguards standard of the Security Rule is not really something that directly lends itself to testing by technical means. The HIPAA law is really more meant to force Covered Entities to implement business-centric policies and administrative procedures to protect health information.

That said, you can certainly infer from some of the requirements in the Security Rule like "Protection from Malicious Software" and "Workstation Security" that a prudent organization has a patching and antivirus program that could certainly be easily tested. I would take it a step further and argue that Covered Entities should also be looking at standard workstation loads and removing unnecessary services, etc., etc. However, I doubt that the government would be prepared to go that far in an audit of the organization, so you would really need to see how much value testing such things adds for your client.

Taking all of that into account, you may understand why there really isn't an official set of "benchmarks" or "scores" for organizations related to their HIPAA readiness, especially technical ones. There's certainly no average that I'm aware of that you could use to give them a score, for example. Instead, you could look at recent enforcement activities by the government and also those where they have done an audit and released a report. These might give you some clues as to what they may be looking for and how ready your client is. (Example: the last major Security Rule audit done seemed to have a lot of focus on wireless and other transmission security.)

I hope that helps shed some light...

Regards,

Jeff MacEwen
Information Assurance Officer
University of Arizona Healthcare

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Christopher A. Jarosz
Sent: Sunday, November 07, 2010 12:23 AM
To: pen-test () securityfocus com
Subject: HIPPA Industry Average ranking?

Good day Everyone!!!

I have a quick question for you. I'm preparing to perform a pen test for a HIPAA compliance requirement. The client had asked if there is a way for me to compare my findings against a HIPAA industry average (i.e. the client is compared to other health care providers and is either better or worse than the average in the industry). Is there such a thing?

Thank you in advance!!!

Chrisj

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- HIPPA Industry Average ranking? Christopher A. Jarosz (Nov 08)
- RE: HIPPA Industry Average ranking? MacEwen, Jeffrey B. (Nov 08)
- RE: HIPPA Industry Average ranking? Gene Shapiro (Nov 12)
- RE: HIPPA Industry Average ranking? MacEwen, Jeffrey B. (Nov 08)