Under the HIPAA Security Rule, covered entities must implement safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. To this end, the HIPAA Security Rule requires covered entities to perform a security risk analysis (also known as security risk assessment), which the Security Rule defines as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” Scans known as vulnerability scans may be performed to identify known vulnerabilities in applications, networks, and firewalls.
What are Vulnerability Scans?
Vulnerabilities are weaknesses which, if triggered or exploited by a threat, create a risk of improper access to or disclosure of ePHI. Vulnerability scans are scans designed to identify vulnerabilities, or weaknesses, that have the potential to cause a security incident.
Under the HIPAA Security Rule, a security incident is defined as:
- The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information in an information system; or
- The attempted or successful unauthorized access, use, disclosure, modification or interference with system operations in an information system.
In plain English, a HIPAA security incident is an attempt (which can be successful or not) to do something unauthorized. The “something” that is unauthorized, is an unauthorized access, use, disclosure, modification, destruction, or interference.
A HIPAA security incident may occur when:
- The unauthorized attempt to access, use, disclose, modify, destroy, or interfere, targets an organization’s information system.
- The unauthorized attempt is made to access, use, disclose, modify, or interfere with that information system’s system operations.
What are Examples of HIPAA Security Incidents?
Examples of a HIPAA security incidents include:
- Theft of passwords that are used to access electronic protected health information (ePHI).
- Viruses, malware, or hacking attacks that interfere with the operations of information systems with ePHI.
- Failure to terminate the account of a former employee that is then used by an unauthorized user to access information systems with ePHI.
- Providing media with ePHI, such as a PC hard drive or laptop, to another user who is not authorized to access the ePHI prior to removing the ePHI stored on the media.
How Do Vulnerability Scans Identify Weaknesses?
HIPAA vulnerability scans test for holes and flaws in information systems, and for incorrect system implementation and configuration.
Common flaws that can be revealed through a vulnerability scan include:
- Flaws in software. Such flaws can be found in computer operating systems, such as Microsoft 7. Such flaws can also be found in software programs, such as Microsoft Office, Google Chrome, or Internet Explorer.
- Flaws in hardware. Vulnerability scans can reveal vulnerabilities that exist on hardware devices. Hardware devices include network firewalls, printers, or routers.
If a vulnerability scan identifies a vulnerability, the vulnerability may be remediated if the software or network vendor at issue has released a security patch. Installation of the patch may eliminate the security weakness.
