Penetration Testing mailing list archives

RE: HIPPA Industry Average ranking?


From: Gene Shapiro <gshapiro () kemi com>
Date: Tue, 9 Nov 2010 07:53:58 -0500

I think that a better way to do this is to ensure that there are controls in place to meet the requirements (of course, 
some of this is subjective, based on interpretation), and then audit the controls and determine how well they are meeting 
what they say that they are doing.

When they asked for this comparison, what are they comparing to? What others interpret as the requirement? What 
others are doing based on what they interpret as the requirement? Better to benchmark yourself against the 
requirements and what you say you are doing than against what others are being rated on.
 
Just my 2 cents.

Thank you,
 
Gene Shapiro  CISSP IAM IEM   
 
Kentucky Employers' Mutual Insurance
IT Security Administrator
Phone: 859-389-1133
FAX:    859-389-3933

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of MacEwen, Jeffrey B.
Sent: Monday, November 08, 2010 11:26 AM
To: 'Christopher A. Jarosz'; pen-test () securityfocus com
Subject: RE: HIPPA Industry Average ranking?

Hooray! I can finally be useful to the list!

HIPAA is a strange animal. Even the Technical Safeguards standard of the Security Rule is not really something that 
directly lends itself to testing by technical means. The HIPAA law is really more meant to force Covered Entities to 
implement business-centric policies and administrative procedures to protect health information. 

That said, you can certainly infer from some of the requirements in the Security Rule like "Protection from Malicious 
Software" and "Workstation Security" that a prudent organization has a patching and antivirus program that could 
certainly be easily tested. I would take it a step further and argue that Covered Entities should also be looking at 
standard workstation loads and removing unnecessary services, etc., etc. However, I doubt that the government would be 
prepared to go that far in an audit of the organization, so you would really need to see how much value testing such 
things adds for your client.

Taking all of that into account, you may understand why there really isn't an official set of "benchmarks" or "scores" 
for organizations related to their HIPAA readiness, especially technical ones. There's certainly no average that I'm 
aware of that you could use to give them a score, for example. Instead, you could look at recent enforcement activities 
by the government and also those where they have done an audit and released a report. These might give you some clues 
as to what they may be looking for and how ready your client is (Example: the last major Security Rule audit done 
seemed to have a lot of focus on wireless and other transmission security.)

I hope that helps shed some light...

Regards,

Jeff MacEwen
Information Assurance Officer
University of Arizona Healthcare



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Christopher A. Jarosz
Sent: Sunday, November 07, 2010 12:23 AM
To: pen-test () securityfocus com
Subject: HIPPA Industry Average ranking?

Good day Everyone!!!

I have a quick question for you. I'm preparing to perform a pen test for a
HIPAA compliance requirement. The client has asked if there is a way for me
to compare my findings against a HIPAA industry average (i.e., the client
is compared to other health care providers and is either better or worse
than the average in the industry).

Is there such a thing?

Thank you in advance!!!

Chrisj



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

Notice: The information contained in this email is confidential and may be privileged and is intended only for the use 
of the individual or entity it is addressed to.  If you are not the addressee, note that any disclosure, copying, 
distribution or use of the contents of this message is prohibited.  If you have received this communication in error, 
please immediately notify us by return e-mail or telephone at (859)425-7800.  

Thank You.