Cybersecurity Health Check At A Glance

Transcription

1 This cybersecurity health check provides a quick view of compliance gaps and is not intended to replace a professional HIPAA Security Risk Analysis. Failing to have more than five security measures not currently in place may constitute an out-of-compliance condition. Workstations 1. Hardware Inventory & Tracking All IT equipment tagged; recorded; records kept current 2. Software Inventory & Tracking List of all software on all machines, including versions; kept current 3. Commercial-grade Antivirus Commercial-grade antivirus protection installed properly 4. Spam Filtering Software scans s and attachments for spam, spam-borne malware 5. Monthly Software Patching All security patches applied monthly; logged and kept current 6. Workstation Firewall Software firewall protection installed on every workstation 7. Admin Privileges to Install Software Ability of staff to install software is restricted to system administrator 8. Security Profiles Security settings for all equipment documented; ed; kept current 9. Disabled USB Drives USB drives disabled to prevent unauthorized downloads/uploads by staff

2 Networking 1. Commercial-grade Firewall Commercial-grade Firewall recommended; installed properly 2. Intrusion Detection & Prevention Software in firewall to defend against known attacks 3. Penetration Reporting Regular review of external penetration attempts logged by firewall/idps 4. Unified Threat Management Security device installed to block malware and other threats 5. Domain Controller Special server used to control security settings on workstations Unique User Names Complex Passwords Regular Password Changes Each user name is unique and traceable to its sole user Minimum 8 characters long; at least 2 numbers; at least 1 special character All passwords are required to be changed every 90 days 6. File Integrity Tools Special tools used to verify files have not been altered or removed 7. Network Monitoring Network inbound/outbound activity monitored; real-time preferable 8. Quarterly Security Reviews Security measures reviewed to detect and prevent erosion

3 Workforce 1. Training Security Rule training yearly; regularly refreshed; included in new hire training 2. Credential Disablement Access immediately disabled upon termination of any employee Internet Access 1. Web Content Filtering Software installed to block access to unauthorized web content 2. Blacklist / Whitelist Software set to restrict or grant access to specified websites Data Backup 1. On-Site and Off-site Backups Performed routinely for on-site AND off-site backups 2. Reviews of Data Backups Data backups are tested to verify completeness of copies 3. Data Restoration Plan Key staff members know how to restore systems as needed

4 1. Audit Log Monitoring Server Firewall EMR Information Systems Access 2. Access Controls User access by role/need to know; administrative accounts limited 3. Two Factor Authentication Access requires two factors to identify user or admin

5 Encryption 1. Servers Software or other tools used to lock files or encrypt data or devices 2. Workstations Software or other tools used to lock files or encrypt data or devices 3. Mobile Devices Software or other tools used to lock files or encrypt data or devices 4. Backup Data Software or other tools used to lock files or encrypt data or devices 5. All Data at Rest Software or other tools used to lock files or encrypt data or devices 6. s, Texts, Attachments Software or other tools used to lock files or encrypt data or devices

6 Annual Network Security Testing 1. Vulnerability Scanning Internal scans conducted to identify unknown vulnerabilities 2. Penetration Testing External scans performed to identify risks from external access 3. Security Remediation System changes resulting from vulnerability and penetration scans 4. Verification Rescans conducted to verify updates in place and working