Penetration Testing mailing list archives
RE: HIPPA Industry Average ranking?
From: Gene Shapiro <gshapiro () kemi com>
Date: Tue, 9 Nov 2010 07:53:58 -0500
I think that a better way to do this is to ensure that there are controls in place to meet the requirements (of course, some of this is subjective, based on interpretation), and then audit the controls and determine how well they are meeting what they say that they are doing. When they asked for this comparison, what are they comparing to? What others interpret as the requirement? What others are doing based on what they interpret as the requirement? Better to benchmark yourself against the requirements and what you say you are doing than against what others are being rated on.

Just my 2 cents.

Thank you,
Gene Shapiro CISSP IAM IEM
Kentucky Employers' Mutual Insurance
IT Security Administrator
Phone: 859-389-1133
FAX: 859-389-3933

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of MacEwen, Jeffrey B.
Sent: Monday, November 08, 2010 11:26 AM
To: 'Christopher A. Jarosz'; pen-test () securityfocus com
Subject: RE: HIPPA Industry Average ranking?

Hooray! I can finally be useful to the list!

HIPAA is a strange animal. Even the Technical Safeguards standard of the Security Rule is not really something that directly lends itself to testing by technical means. The HIPAA law is really more meant to force Covered Entities to implement business-centric policies and administrative procedures to protect health information.

That said, you can certainly infer from some of the requirements in the Security Rule, like "Protection from Malicious Software" and "Workstation Security", that a prudent organization has a patching and antivirus program that could certainly be easily tested. I would take it a step further and argue that Covered Entities should also be looking at standard workstation loads and removing unnecessary services, etc., etc.

However, I doubt that the government would be prepared to go that far in an audit of the organization, so you would really need to see how much value testing such things adds for your client.

Taking all of that into account, you may understand why there really isn't an official set of "benchmarks" or "scores" for organizations related to their HIPAA readiness, especially technical ones. There's certainly no average that I'm aware of that you could use to give them a score, for example. Instead, you could look at recent enforcement activities by the government and also those where they have done an audit and released a report. These might give you some clues as to what they may be looking for and how ready your client is. (Example: the last major Security Rule audit done seemed to have a lot of focus on wireless and other transmission security.)

I hope that helps shed some light...

Regards,
Jeff MacEwen
Information Assurance Officer
University of Arizona Healthcare

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Christopher A. Jarosz
Sent: Sunday, November 07, 2010 12:23 AM
To: pen-test () securityfocus com
Subject: HIPPA Industry Average ranking?

Good day Everyone!!!

I have a quick question for you. I'm preparing to perform a pen test for a HIPAA compliance requirement. The client has asked if there is a way for me to compare my findings against a HIPAA industry average (i.e. the client is compared to other health care providers and is either better or worse than the average in the industry). Is there such a thing?

Thank you in advance!!!

Chrisj

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
Current thread:
- HIPPA Industry Average ranking? Christopher A. Jarosz (Nov 08)
- RE: HIPPA Industry Average ranking? MacEwen, Jeffrey B. (Nov 08)
- RE: HIPPA Industry Average ranking? Gene Shapiro (Nov 12)
- RE: HIPPA Industry Average ranking? MacEwen, Jeffrey B. (Nov 08)