454 A Practical Guide to Security Assessments
4. Do users know what to do in the event that they encounter malicious software?
Guidance: This question speaks to incident handling, which is a related HIPAA requirement. There should be a documented incident handling process complete with escalation guidelines, contact names, etc. (see the Incident Handling questionnaire for further details).
Client Response:
5. Do the security risks of the entity justify any type of network- or host-based intrusion management system? If not, what mitigating controls are in place to protect systems with electronic protected health information against malicious software or intrusions? How would the company know if someone was trying to gain unauthorized access to electronic protected health information?
Guidance: Depending on the complexity of the environment, how it is managed, and the associated risk, intrusion management might be a viable option for the entity. Within a security assessment, key factors, including monitoring capabilities, risks, and cost, must be considered when recommending intrusion management. Besides formal intrusion management systems, there are specific logs already on a system which, if reviewed, can also help mitigate some of the associated risk.
Client Response:
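The guidance above notes that logs already on a system can answer the question "how would the company know if someone was trying to gain unauthorized access?" when they are actually reviewed. The following is an added example, not from the book or its questionnaire, of the kind of review a script can do: it parses a handful of constructed sshd authentication lines (the hostnames, usernames and addresses are made up) and flags any source that produced several failed logons in a short window, noting whether a successful logon from that source followed. Log format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog-style sshd lines; no real host or address is represented.
SAMPLE_LOG = """\
Aug 17 11:00:01 ehr-db sshd[812]: Failed password for invalid user admin from 10.0.5.23 port 51022 ssh2
Aug 17 11:00:03 ehr-db sshd[812]: Failed password for invalid user admin from 10.0.5.23 port 51024 ssh2
Aug 17 11:00:05 ehr-db sshd[812]: Failed password for root from 10.0.5.23 port 51026 ssh2
Aug 17 11:00:07 ehr-db sshd[812]: Failed password for root from 10.0.5.23 port 51028 ssh2
Aug 17 11:00:09 ehr-db sshd[812]: Failed password for oracle from 10.0.5.23 port 51030 ssh2
Aug 17 11:00:11 ehr-db sshd[812]: Accepted password for oracle from 10.0.5.23 port 51032 ssh2
Aug 17 11:02:30 ehr-db sshd[901]: Failed password for jsmith from 10.0.7.14 port 40211 ssh2
Aug 17 11:02:45 ehr-db sshd[901]: Accepted publickey for jsmith from 10.0.7.14 port 40212 ssh2
"""

# Matches the classic OpenSSH "Failed/Accepted ... for <user> from <ip>" message shape.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_events(text, year=2004):
    """Turn raw log text into a list of auth events; syslog lacks the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd authentication event; ignored for this review
        hour, minute, second = map(int, m["time"].split(":"))
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), hour, minute, second)
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def find_brute_force(events, threshold=4, window=timedelta(minutes=5)):
    """Report (source, host) pairs with at least `threshold` failed logons inside `window`.

    Each finding also records whether the same source later logged on successfully,
    which is the case a reviewer most wants to escalate."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        key = (e["src"], e["host"])
        (failures if e["result"] == "Failed" else successes)[key].append(e["ts"])

    findings = []
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until the span fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                followed = any(t > times[end] for t in successes.get(key, []))
                findings.append({"src": key[0], "host": key[1],
                                 "failures": len(times),
                                 "first_alert": times[end],
                                 "success_after": followed})
                break  # one finding per source/host pair is enough for a report
    return findings


if __name__ == "__main__":
    for f in find_brute_force(parse_events(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['host']}: {f['failures']} failures, "
              f"success afterwards: {f['success_after']}")
```

Run against the constructed lines, the script reports 10.0.5.23 against ehr-db (five failures followed by a success) and stays silent on the single failure from 10.0.7.14. In an assessment the same logic can be pointed at an exported log file, with the threshold and window tuned to what the entity considers normal.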
6. On the systems where electronic protected health information resides, are the following measures taken to reduce the risk of malicious software?
• Application of appropriate security and other patches
• Systems hardened to the extent possible
Guidance: Earlier in this book, one of the points emphasized was the idea of layered security. System hardening and the application of security patches are two of these layers. During a security assessment, as critical systems are identified, the application of patches and system security settings should be tested using tools as well as manual procedures. Depending on the system, there are best practice guidelines which can be used as a benchmark to evaluate how secure it is.