Penetration Testing mailing list archives

RE: HIPPA Industry Average ranking?


From: "MacEwen, Jeffrey B." <JMacEwen () umcaz edu>
Date: Mon, 8 Nov 2010 09:25:41 -0700

Hooray! I can finally be useful to the list!

HIPAA is a strange animal. Even the Technical Safeguards standard of the Security Rule is not really something that 
directly lends itself to testing by technical means. The HIPAA law is really more meant to force Covered Entities to 
implement business-centric policies and administrative procedures to protect health information. 

That said, you can certainly infer from some of the requirements in the Security Rule like "Protection from Malicious 
Software" and "Workstation Security" that a prudent organization has a patching and antivirus program that could 
certainly be easily tested. I would take it a step further and argue that Covered Entities should also be looking at 
standard workstation loads and removing unnecessary services, etc, etc. However, I doubt that the government would be 
prepared to go that far in an audit of the organization so you would really need to see how much value testing such 
things adds for your client. 

Taking all of that into account, you may understand why there really isn't an official set of "benchmarks" or "scores" 
for organizations related to their HIPAA readiness, especially technical ones. There's certainly no average that I'm 
aware of that you could use to give them a score, for example. Instead, you could look at recent enforcement activities 
by the government and also those where they have done an audit and released a report. These might give you some clues 
as to what they may be looking for and how ready your client is (Example: the last major Security Rule audit done 
seemed to have a lot of focus on wireless and other transmission security.)

I hope that helps shed some light...

Regards,

Jeff MacEwen
Information Assurance Officer
University of Arizona Healthcare



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Christopher A. Jarosz
Sent: Sunday, November 07, 2010 12:23 AM
To: pen-test () securityfocus com
Subject: HIPPA Industry Average ranking?

Good day Everyone!!!

I have a quick question for you.  I'm preparing to perform a pen test for a
HIPAA compliance requirement.  The client has asked if there is a way for me
to compare my findings against a HIPAA industry average (i.e. the client
is compared to other health care providers and is either better or worse
than the average in the industry).

Is there such a thing?

Thank you in advance!!!

Chrisj



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

