Achieving compliance with CMS regulations can be difficult. One of the requirements is a risk assessment of the EMR system and network, together with confirmation that proper policies and procedures are in place governing computer and network use, access, and security. A proper risk assessment includes policy and procedure review, a site survey, an interview process, a network vulnerability assessment with penetration testing where applicable, and social engineering testing where applicable.
This entire process, from start to finish, can take months to complete due to logistics, time constraints, and other factors. Even a risk assessment with a small scope will produce hundreds of pages of data to be analyzed and a report to be created from the data acquired. This is a very time-intensive process. Trying to rush an assessment will likely lead to an incomplete or inadequate report, so it is advisable to begin the process with the mindset that it is not going to be done in a week or two.
HHS SRA Tool
At present, we recommend the Department of Health and Human Services Security Risk Analysis tool (HHS SRA tool for Windows or HHS SRA tool for iOS) to help assess policy and procedure. This tool is free and made available through healthit.gov. Once downloaded, you simply run the file, create an account for the tool to remember you by, and begin answering the questions it asks. We are available to help explain the questions if needed, and once the questionnaire is completed we are available to help rectify any issues the tool identifies. It is advisable to be honest when answering the questions, and if the answer to any of them is “no,” give a description and plan of action along with the reason for the “no” answer. Once completed, this tool can be invaluable in building up your policies and procedures to meet meaningful use expectations as well as improving your overall security posture.
We will visit your site for a physical assessment and inventory. During this visit, we will note certain items of interest and meet with the person identified by your organization as being responsible for the assessment. During this meeting, we will ask some questions pertaining to what we have noted during our physical assessment, as well as any other pertinent questions that may help us properly complete the assessment. While we are there, we typically place a computer on your network that we can remotely access for the internal network assessment and any penetration testing that will be performed later. This is also the time that typically works best for collecting data to be used in the inventory section of the final report.
Identify Publicly Available Information
We will identify publicly accessible information about your organization and its past and present employees. This information will be noted for your reference and also used in our penetration testing and social engineering procedures. Publicly available information typically includes details about email servers, online accounts, email addresses, website hosting, and anything else we can obtain. Once the assessment is complete, we will include this information in our final report.
We will perform an assessment of your external IP address. This means identifying ports that expose internal services to the Internet, and then attempting to exploit those services, whether to gain access to your internal systems or to demonstrate that a denial-of-service condition is possible. We will make every effort to avoid interrupting daily activities while still correctly identifying issues. The final report will contain all of our findings and suggestions for mitigation.
Internal Vulnerability Assessment
A large amount of time is spent assessing internal systems and networks. We will identify live devices on the network, the ports they are listening on, their IP addresses, MAC addresses, and host names, and known vulnerabilities in the software they run. The vulnerability assessment is not only included in the final report, but is also used as part of the information gathering process for penetration testing.
If there is a Wi-Fi system, we must also assess it to confirm that it is secure and that any guest Wi-Fi network is isolated from the internal network and cannot eavesdrop on its traffic.
We must assess each on-site server. This includes identifying software, ports, how they are accessed, and any other pertinent information about them. When you host EMR software on your own server, we also have to assess that particular application or set of applications more closely than a normal file server, domain controller, or similar system, to confirm that data is protected in every state: in use, at rest, and in transit. We will go through backup procedures, confirm that they are adequate for your needs and secure, and suggest any appropriate changes that could improve your situation.
We will attempt to break into your systems from the outside, and where warranted we will test the possible vulnerabilities identified during the internal network assessment. If we find an operating system considered outdated, Windows XP for example, we will make every attempt to “hack” into that machine; when we find user shares, FTP services, web services, and similar services running on end-user workstations, we will attempt to gain access to those services. The purpose of penetration testing is to prove or disprove whether an identified possible vulnerability is actually an issue for you. All penetration testing results will be included in the final report.
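The internal assessment above produces the per-device inventory and open-port list that ends up in the report, and the penetration testing step picks its targets (outdated operating systems, shares, FTP and web services on workstations) from that same data. The script below is an added example, not part of this page or of any assessment tool: it parses an nmap XML scan (the format nmap writes with -oX) into an inventory of IP, MAC, host name, OS guess and open ports, and flags the follow-up items. The embedded scan is a constructed sample in nmap's real XML layout, the service names and end-of-life markers are assumed lists, and whether a flagged service is expected on a given host (for example SMB on a domain controller) is still a judgement for the assessor.

```python
"""Turn an nmap -oX scan of the internal network into the per-device inventory
and open-port list used in the report, and flag follow-up items for testing.

Added example. SAMPLE_SCAN is a constructed scan in nmap's real XML layout,
not output from any actual client network."""
import xml.etree.ElementTree as ET

# Services the assessment follows up on when found on end-user workstations
# (assumed list; the assessor decides whether they are expected on a server).
FOLLOW_UP_SERVICES = {"ftp", "microsoft-ds", "netbios-ssn", "http", "https",
                      "telnet", "ms-wbt-server", "vnc"}
# Substrings in an nmap OS match that indicate an unsupported OS (assumed list).
EOL_OS_MARKERS = ("Windows XP", "Windows 2003", "Windows 7", "Windows 2008")

SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.168.10.0/24" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="192.168.10.5" addrtype="ipv4"/>
<address addr="00:50:56:AB:CD:01" addrtype="mac" vendor="VMware"/>
<hostnames><hostname name="dc01.clinic.local" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
<port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
</ports>
<os><osmatch name="Microsoft Windows Server 2019" accuracy="95"/></os>
</host>
<host><status state="up" reason="arp-response"/>
<address addr="192.168.10.42" addrtype="ipv4"/>
<address addr="00:1A:2B:3C:4D:5E" addrtype="mac" vendor="Dell"/>
<hostnames><hostname name="frontdesk-pc" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="Microsoft ftpd"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
</ports>
<os><osmatch name="Microsoft Windows XP SP3" accuracy="98"/></os>
</host>
</nmaprun>"""


def parse_inventory(xml_text):
    """Return one dict per live host: ip, mac, vendor, hostname, os guess and
    the list of (port, protocol, service) tuples nmap reported as open."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # only live devices belong in the inventory
        entry = {"ip": None, "mac": None, "vendor": None, "hostname": None,
                 "os": None, "open_ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "mac":
                entry["mac"], entry["vendor"] = addr.get("addr"), addr.get("vendor")
            else:
                entry["ip"] = addr.get("addr")
        hn = host.find("hostnames/hostname")
        if hn is not None:
            entry["hostname"] = hn.get("name")
        osm = host.find("os/osmatch")  # nmap lists its best OS match first
        if osm is not None:
            entry["os"] = osm.get("name")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not listening services
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            entry["open_ports"].append((int(port.get("portid")), port.get("protocol"), name))
        hosts.append(entry)
    return hosts


def findings(hosts):
    """Map each host IP to the items the penetration test should follow up:
    an end-of-life OS guess and any follow-up service left listening."""
    result = {}
    for h in hosts:
        items = []
        if h["os"] and any(marker in h["os"] for marker in EOL_OS_MARKERS):
            items.append(f"unsupported OS: {h['os']}")
        for port, proto, name in h["open_ports"]:
            if name in FOLLOW_UP_SERVICES:
                items.append(f"{name} listening on {port}/{proto}")
        if items:
            result[h["ip"]] = items
    return result


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_SCAN)
    for h in inventory:
        ports = ", ".join(f"{p}/{pr} {n}" for p, pr, n in h["open_ports"]) or "none"
        print(f"{h['ip']:<15} {h['mac'] or '-':<18} {h['hostname'] or '-':<20} {h['os'] or 'unknown'}")
        print(f"    open: {ports}")
    for ip, items in findings(inventory).items():
        print(f"FOLLOW UP {ip}: " + "; ".join(items))
```

Run against a real scan, the same two functions take the XML written by nmap -oX; the filtered RDP port in the sample is deliberately left out of the inventory because a filtered port is not a service anyone can reach.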
We can also create a social engineering campaign as part of the process. There are multiple strategies that can be implemented, but we suggest at least using a phishing campaign to test your employees. This is not a “gotcha” ploy, but rather a test to find out whether more training is needed. Employees are the largest threat to any organization, and you need to know that they are not unintentionally handing over the keys to your network. All social engineering ploys will be preapproved before implementation.
Once we compile all of the required data, we will analyze it and create a final report. This report will likely be several hundred pages, including the executive summary; a plan of action and milestones; a copy of your HHS SRA tool report, if applicable; details of the physical, external, and internal assessments; any publicly accessible details; our analysis of the vulnerability scanner report; the actual vulnerability scanner report; a list of open ports for each device; and an inventory report. We will print the report and deliver it, along with a PDF version, at our final meeting, where we present the findings and answer questions.
Report Summary Meeting
In our final meeting we will present the report and answer any questions about the findings and mitigation suggestions. Because we must remain objective about all findings, we do not correct issues along the way unless they pose an immediate risk and you authorize the action, so the issues identified in the report can be addressed as you see fit.