RE: HIPAA Industry Average ranking?



I think that a better way to do this is to ensure that there are controls in place to meet the requirements (of course, some of this is subjective, based on interpretation), and then audit the controls and determine how well they are meeting what they say they are doing.

When they asked for this comparison, what are they comparing to? What others interpret as the requirement? What others are doing based on what they interpret as the requirement? Better to benchmark yourself against the requirements and what you say you are doing than against what others are being rated on.

Just my 2 cents.

Thank you,

Gene Shapiro CISSP IAM IEM

Kentucky Employers' Mutual Insurance
IT Security Administrator
Phone: 859-389-1133
FAX: 859-389-3933

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of MacEwen, Jeffrey B.
Sent: Monday, November 08, 2010 11:26 AM
To: 'Christopher A. Jarosz'; pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: HIPAA Industry Average ranking?

Hooray! I can finally be useful to the list!

HIPAA is a strange animal. Even the Technical Safeguards standard of the Security Rule is not really something that directly lends itself to testing by technical means. The HIPAA law is really more meant to force Covered Entities to implement business-centric policies and administrative procedures to protect health information.

That said, you can certainly infer from some of the requirements in the Security Rule, like "Protection from Malicious Software" and "Workstation Security", that a prudent organization has a patching and antivirus program that could certainly be easily tested. I would take it a step further and argue that Covered Entities should also be looking at standard workstation loads and removing unnecessary services, etc., etc. However, I doubt that the government would be prepared to go that far in an audit of the organization, so you would really need to see how much value testing such things adds for your client.

Taking all of that into account, you may understand why there really isn't an official set of "benchmarks" or "scores" for organizations related to their HIPAA readiness, especially technical ones. There's certainly no average that I'm aware of that you could use to give them a score, for example. Instead, you could look at recent enforcement activities by the government and also those where they have done an audit and released a report. These might give you some clues as to what they may be looking for and how ready your client is. (Example: the last major Security Rule audit done seemed to have a lot of focus on wireless and other transmission security.)

I hope that helps shed some light...

Regards,

Jeff MacEwen
Information Assurance Officer
University of Arizona Healthcare



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Christopher A. Jarosz
Sent: Sunday, November 07, 2010 12:23 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: HIPAA Industry Average ranking?

Good day Everyone!!!

I have a quick question for you. I'm preparing to perform a pen test for a HIPAA compliance requirement. The client had asked if there is a way for me to compare my findings against a HIPAA industry average (i.e., the client is compared to other health care providers and is either better or worse than the average in the industry).

Is there such a thing?

Thank you in advance!!!

Chrisj



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


Notice: The information contained in this email is confidential and may be privileged and is intended only for the use of the individual or entity it is addressed to. If you are not the addressee, note that any disclosure, copying, distribution or use of the contents of this message is prohibited. If you have received this communication in error, please immediately notify us by return e-mail or telephone at (859)425-7800.

Thank You.
