Network Detective. HIPAA Compliance Module. 2015 RapidFire Tools, Inc. All rights reserved V20150201




Contents

Purpose of this Guide
About Network Detective
Overview
Creating a Site
Starting a HIPAA Assessment
Using the Assessment Check List
Initiating an External Vulnerability Scan
Complete the Site Interview
Complete the On-site Survey
Planning the On-site Data Collection
Run the HIPAA Data Collector Network Scan
Run the HIPAA Data Collector Computer Scan
Complete the User Identification Worksheet
Complete the Computer Identification Worksheet
Complete the Network Share Identification Worksheet
Complete the Security Exception Worksheet
Generating Reports
Using the Reports
  HIPAA Policy and Procedure Document
  HIPAA Risk Analysis
  HIPAA Risk Profile
  HIPAA Management Plan
  Evidence of HIPAA Compliance
  HIPAA Site Interview
  HIPAA On-site Survey
  Disk Encryption Report
  File Scan Report
  User Identification Worksheet
  Computer Identification Worksheet
  Network Share Identification Worksheet
  Login History by Computer Report
  Share Permission Report
  External Vulnerability Scan Detail Report
Appendix I Group Policy Reference
  Foreword and Introduction
  Policies for Windows Firewall
  Policies for Windows Services
  3rd party Firewalls and Group Policy Considerations

Purpose of this Guide

This document is intended for users of the Network Detective HIPAA Compliance module. It guides you through the initial use of the software as well as its more advanced features.

About Network Detective

HIPAA is a risk-based compliance framework, with a Risk Assessment being the first requirement in the HIPAA Security Rule. The Risk Assessment must identify the vulnerabilities to the security of electronic Protected Health Information (ePHI), the threats that can act on those vulnerabilities, and the likelihood and the impact if that occurs. Network Detective's HIPAA Compliance module is the first professional tool to combine and integrate automated data collection with a structured framework for collecting the supplemental assessment information that is not available through automated tools. It is the first solution to allow for the automatic generation of the key documents that are necessary to demonstrate compliance with the Security Rule. It includes comprehensive checklists that cover the Administrative, Physical, and Technical safeguards defined in the HIPAA Security Rule. More than just documents to satisfy a compliance requirement, Network Detective provides factual evidence, expert advice, and direction to minimize or eliminate the risk of a data breach.

You can compare Network Detective's HIPAA Compliance module to getting a medical exam: Network Detective automates the lab tests for the technology environment, includes interview questionnaires to gather information manually, and provides a recommended treatment plan.

Overview

Network Detective is composed of the HIPAA Data Collector, the Network Detective application, Surveys, and Worksheets. The process to create a HIPAA assessment involves three major steps: a) collecting data, b) gathering secondary information, and finally c) documenting exceptions.

There are two types of HIPAA assessments that can be performed:
1) HIPAA Risk Assessment
2) HIPAA Risk Profile

The Risk Assessment is a complete assessment that includes all worksheets and surveys. You should plan on a day to complete a full assessment on a typical 15-user network. The Risk Profile requires selecting a prior Risk Assessment and reduces the time to complete the assessment by reusing the worksheets and surveys from that Risk Assessment.

Creating a Site

The first step in the assessment is creating a Site. Before making a selection you must decide on your assessment strategy. See the Network Detective User Guide for information on sites.
a. For a single location you will create one site.
b. For organizations with multiple locations you must decide if you want one set of reports, or separate reports for each location.

Select New Site and enter the site name. For sites with multiple locations, enter a more detailed description.

Starting a HIPAA Assessment

From the Home screen, select the site you wish to start and click the Start button. Select either a HIPAA Risk Assessment for an annual or quarterly assessment, or a HIPAA Risk Profile for a monthly update.

A HIPAA Risk Assessment is required prior to running a monthly assessment.

HIPAA Risk Assessment
- Required at least annually
- Recommended quarterly as part of a Quarterly Compliance Review
- Requires that all manual WORKSHEETS be completed
- Example: 15-user network in 6-8 hours

HIPAA Risk Profile
- Monthly review
- Does NOT require WORKSHEETS
- Requires selecting a prior RISK ASSESSMENT (will use existing worksheets)
- MUCH faster with little manual input
- Example: 15-user network in less than one hour

Enter a label to identify the assessment, and comments to help further identify it. Select Show Checklist to create a document to track your activities throughout the assessment. As you progress through the assessment process, additional items will be added to the Checklist.

Using the Assessment Check List

The checklist guides you through the assessment process and ensures you have gathered enough data to produce the best assessment possible. As you import scans, the checklist is automatically revised, adding suggestions and indicating where additional information may help produce richer results. The Assessment Check List is always available on the assessment screen and is updated continuously as you complete your Site Assessment.

Initiating an External Vulnerability Scan

Select Initiate External Scan.

Enter the range of IP addresses you would like to scan. You may enter up to 16 addresses. Select Add to add a range of external IP addresses to the scan. If you do not know the external range, you can use websites such as whatismyip.com to determine the customer's external IP address.

Enter the IP range for the scan. For just one address, enter the same value for the Starting and Ending IP Address. You can initiate the External Vulnerability Scan before visiting the client site to perform the data collection; this way the External Scan data should be available when you are ready to generate the client's reports. Enter an email address to be notified when the scan is completed. Click Next to send the request to the servers that will perform the scan. Scans can take several hours to complete; you will receive an e-mail when the scan is complete.

Complete the On-Site Survey

The On-Site Survey provides information that cannot be gathered automatically. It is best to conduct the survey at the client site, so that you can validate answers, observe facilities and work areas, take photographs, and review documentation. Enter the responses (text responses) or select the proper response (multiple choice) in the Response section.

Topics and descriptions:

Security Officer: HIPAA requires a named Security Officer as a central point of contact. Enter information for the Security Officer in this section.
  Name: Enter the name of the Security Officer for the covered entity.
  Contact Information: Enter contact information for the Security Officer. You can use multiple lines if needed.

Wireless: Wireless networks are often overlooked as a security vulnerability. While a hacker or former employee may not be able to enter a facility to plug into the network, they may be able to park outside or come close enough to get wireless access.
  Days since Wireless Key Changed: Enter the number of days since the wireless key was last changed.
  High Risk Employee Terminations since Last Wireless Key Change: High Risk Employees should include anyone with administrative access, such as an IT person. Enter 'yes' in the notes if there have been employee terminations since the last wireless key change; if not, enter 'no'.
  Wireless SSID: List all published SSIDs (one per line).

Pre-assessment Check: Prior to performing the assessment you should protect yourself and your client by signing a HIPAA Business Associate Agreement and having your client sign a letter authorizing the assessment, including the external vulnerability test.
  Business Associate Agreement Signed: If you are a 3rd party performing this assessment, do you have a signed Business Associate Agreement? If 'no', do not proceed with the assessment.
  Authorization: If you are a 3rd party performing this assessment, do you have a signed authorization to perform the assessment? If 'no', do not proceed with the assessment.

Existing Security Measures Related to Access Controls
  Access Control Procedure: Does the company have a written policy and procedure for granting access to ePHI? Include a copy of the policy and procedure with the assessment.
  Employee Training: Do all company employees receive training on how to avoid becoming a victim of technology threats? Validate that records of the training for all employees are available before answering Yes.
  Biometric or Multi-Factor Authentication: Does your company use biometric authentication, security cards, or codes for logon?

Data Center Hosted Servers: Does your company have servers that could have or could possibly transmit ePHI in a hosted facility or external data center?
  Business Associate Agreement: If yes to the above, do you have a Business Associate Agreement with the Data Center?

External Firewall: Does your company employ an external firewall to protect your network from external attacks? List the model numbers of all firewalls in use in the Notes area (one per line).
  Intrusion Prevention System: Does the firewall have an Intrusion Prevention System (IPS)?
  Intrusion Prevention System Turned On: Is the Intrusion Prevention System (IPS) turned on?
  Malware Filtering: Does the external firewall have Malware Filtering?
  Malware Filtering Subscription Current: Is the Malware Filtering subscription current?

Office Walkthrough
  Not Secured Computers: During a physical walkthrough of the office, were any computers not secured against theft? Methods can include physical security cabling, door locks, electronic access control systems, security officers, or video monitoring. Enter findings in the Notes area if you select Yes.
  Not Secured Data Storage Devices: During a physical walkthrough of the office, were any data storage devices not secured against theft? Methods can include locked cabinets, door locks, electronic access control systems, security officers, or video monitoring. Enter findings in the Notes area if you select Yes.
  Screens with ePHI Viewable by Co-Workers or Visitors: Are there any workstation screens that potentially have ePHI viewable by the public or co-workers? Enter findings in the Notes area if you select Yes.
  Retired/Decommissioned/Failed Systems or Storage Devices: Are there any retired, decommissioned, or failed systems or storage devices present? Enter findings in the Notes area if you select Yes.
  Copiers and Multi-function Printers: Does your company use any copiers or multi-function printers? List all model numbers in the Notes area.

Wireless Guest
  Wireless Guest: Does your company provide guest wireless to visitors or patients?
  Guest Wireless same Network as ePHI: Is your guest wireless access on the same network as ePHI, such as the same network used by doctors and nurses? If you do not have guest wireless, answer 'N/A'.

Fax
  How do you send Fax?
  Business Associate Agreement: If Electronic Fax Service above, do you have a Business Associate Agreement with the Electronic Fax Service?
  How do you Receive Fax?
  Business Associate Agreement: If Electronic Fax Service above, do you have a Business Associate Agreement with the Electronic Fax Service? If you do not have the service, answer 'N/A'.

Email
  Use Free Email Service: Do your employees ever send email containing PHI to free email accounts, including Gmail, Hotmail, Yahoo, or free accounts from Internet Service Providers? List the providers in the Notes area, one per line.
  Business Associate Agreement: If yes to the above, do you have a Business Associate Agreement with all of the above free providers? If you do not use a free provider, answer 'no'.

Electronic Health Record System
  Local EHR Server: Does your company use a local EHR system (not cloud-based)?
  Is EHR Server Secured?: Is the server in a locked room, locked cabinet, or locked down? If no, enter the reason you feel the server does not need to be secured in the Notes area.
  Cloud-based EHR System: Does your company use a cloud-based EHR system? Enter the name of the cloud-based provider in the Notes field.
  Business Associate Agreement: If yes to the above, do you have a Business Associate Agreement with the cloud-based EHR system?

Planning the On-site Data Collection

There are various ways to collect data for a Risk Assessment. These vary based on time, cost, client expectation, the level of detail needed to identify remediation needs, etc.

Initial Assessment Types of collections:

Risk Assessment
- Quick Audit: External Scan + Network Scan + Computer Scan on 1-3 computers + All worksheets
- Full Audit: External Scan + Network Scan + Computer Scan on all computers + All worksheets

Risk Profile
- Quick Audit: External Scan + Network Scan + Computer Scan on 1-3 computers + NO worksheets
- Full Audit: External Scan + Network Scan + Computer Scan on all computers + NO worksheets

Run the HIPAA Data Collector Network Scan

The HIPAA Data Collector is a self-extracting ZIP file that runs an .exe and is completely noninvasive: it is not installed on the domain controller or any other machine on the client's network, and it does not make any changes to the system. The Data Collector uses multiple technologies and approaches for collecting information on the client network, including:
- Network Scan
- Active Directory
- WMI
- Remote Registry
- ICMP
- File System Scanning
- Windows Registry
- Windows Shares and Permissions
- Security Center

Download and run the HIPAA Data Collector. It is a self-extracting ZIP file that does not install on the client computer. Use the unzip option to unzip the files into a temporary location and start the collector.

If you are running on a computer in the network, such as the domain controller, be sure to also select Local Computer Data Collector.
1. Enter the type of network you are scanning.
2. Enter a username and password with administrative rights to connect to the local Domain Controller and Active Directory. If in a domain, clicking the Next button will test a connection to the local Domain Controller and Active Directory to verify your credentials. If you are scanning a Workgroup environment, enter credentials that can access the individual workstations as a local administrator.

Enter the name(s) of the organization's external domains. A Whois query and MX (mail) record detection will be performed. Enter the starting and ending IP addresses for the range(s) you want to scan. Scans may affect network performance; select Perform minimal impact scan if this is an issue.

Enter any additional SNMP community strings used on the network. If needed, follow the instructions to install Microsoft Baseline Security Analyzer (MBSA). Select MBSA and Patch Analysis for the most informative scan. Select Next.

You may change the output location and name for the scan data. Enter any comments, then select Start. The Collection Progress window provides information about the scan status.

MBSA is an external program written by Microsoft. It can take 1-5 minutes per node to run; more than one node is checked at a time, and 256 nodes usually take about 30 minutes. Patch analysis can take more than 8 minutes per computer. At any time you can Cancel Data Collection, which will not save any data. By selecting Wrap It Up you can terminate the scan and generate reports using the incomplete data collected.

Run the HIPAA Data Collector Computer Scan

A full HIPAA assessment requires running the Local Computer Data Collector on all computers. Download and run the HIPAA Data Collector. It is a self-extracting ZIP file that does not install on the client computer. Use the unzip option to unzip the files into a temporary location and start the collector. The Computer Scan augments data collection when remote protocols are not available from a computer. Select HIPAA Local Computer Data Collector.

(Optional) Change the output location for the scan data, change the name of the file, and add comments. Track the scan through the Collection Progress window. At any time you may Cancel Data Collection without saving any data. You may select Wrap It Up to stop a scan and use the incomplete data that was collected.

Complete the User Identification Worksheet

Identify each user and note whether they are authorized to access electronic Protected Health Information. From the Network Detective desktop, visit the User Identification Worksheet. To save time you may select a default value to pre-populate each user record; select a default if a majority of the responses are expected to be similar. For each user you can select Response and change the default. Save your work periodically, and Save and Close when done.

Complete the Computer Identification Worksheet

Identify each computer that stores ePHI, does not store ePHI, or accesses ePHI. From the Network Detective desktop, visit the Computer Identification Worksheet. To save time you may select a default value to pre-populate each computer record; select a default if a majority of the responses are expected to be similar. For each computer you can select Response and change the default.

Complete the Network Share Identification Worksheet

Identify each network share as containing ePHI, not containing ePHI, or unknown. From the Network Detective desktop, visit the Network Share Identification Worksheet. To save time you may select a default value to pre-populate each network share record; select a default if a majority of the responses are expected to be similar. For each network share you can select Response and change the default.

Complete the Security Exception Worksheet

The Security Exception Worksheet compiles the issues discovered by the HIPAA Data Collector, Site Interview, and On-Site Survey.

1. Exceptions are grouped by category.
2. Enter the person providing the information.
3. You may exclude any item from the reports.
4. Instructions include guidance that will not appear in your reports.
5. Enter the appropriate response.
6. Select the SWOT category (see inset).
7. Enter a Bullet Point comment.
8. Select Key Point to prioritize the item in the SWOT report.

For each exception you wish to respond to, click on the red item. Continue through the exception worksheet, populating all entries where exceptions are applicable. NOTE: You do not need to complete every entry in this worksheet.

Responded by: Enter the name of the person providing the information. The Instructions describe the nature of the exception. Enter your Response if applicable; otherwise, leave the entry blank. Click Save or Save and Close when you are done.

Generating Reports

At the bottom of the Network Detective desktop, the reports displayed in black can be generated. HIPAA Assessment reports are found in the HIPAA table. If you own other modules of Network Detective, additional reports may be available to you.

HIPAA Reports: Select your reports and click Next.

Customize Your Reports: Reports can be customized with logos, design themes, and cover images. Enter your information, upload your logo, choose a theme, and select or upload cover images. Then select Generate.

Using the Reports HIPAA Policy and Procedure Document The Network Detective HIPAA Security Rule Policy and Procedures guide includes suggested HIPAA policies and procedures required for compliance. Policies are rules that an organization adopts stating that they will do something. The guide includes both suggested policies and references the specific HIPAA requirements. Also provided are suggestions for procedures to implement to comply with the policies. Policies, procedures, and end-user training are effective tools to protect against data breaches. They are required for compliance but are important lines of defense against data breaches. HIPAA Risk Analysis HIPAA is a risk-based security framework and the Risk Analysis is the first requirement of the HIPAA Security Rule. A Risk Analysis is the foundation for the entire security program. It identifies the locations of electronic Protected Health Information (ephi,) vulnerabilities to the security of the data, threats that might act on the vulnerabilities, and estimates both the likelihood and the impact of a threat acting on a vulnerability. The Risk Analysis helps HIPAA Covered Entities and Business Associates identify the locations of their protected data, how the data moves within, and in and out of, the organization. It identifies what protections are in place and where there is a need for more. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of ephi. The value of a Risk Analysis cannot be overstated. Every major data breach enforcement of HIPAA, some with penalties over $ 1 million, have cited the absence of, or an ineffective, Risk Analysis as the underlying cause of the data breach. The Risk Analysis should be reviewed or updated at least annually, more often if anything significant changes that could affect ephi. HIPAA Risk Profile A Risk Analysis is a snapshot in time, while compliance is an ongoing effort. 
The Network Detective HIPAA Risk Profile updates a Risk Analysis to show progress in avoiding and mitigating risks. Whether performed monthly or quarterly, the Risk Profile updates the Risk Analysis and documents progress in addressing previously identified risks, and finds new ones that may have otherwise been missed and resulted in a data breach. HIPAA Management Plan Based on the findings in the Risk Analysis, the organization must create a Risk Management plan with tasks required to minimize, avoid, or respond to risks. Beyond gathering information, Network Detective 33

provides a risk scoring matrix that an organization can use to prioritize risks and appropriately allocate money and resources. The Risk Management Plan defines the strategies and tactics the organization will use to address its risks.

Evidence of HIPAA Compliance

Just performing HIPAA-compliant tasks is not enough. Audits and investigations require evidence that compliant tasks have been followed, and that evidence must be kept for six years after an event or incident occurs. Documentation can be in different forms and stored in various systems. The keys to proper documentation are that it can be accessed and that it contains enough detail to satisfy an auditor or investigator.

HIPAA Site Interview

The Site Interview contains questions that cannot be answered by collecting data from the network. Information is gathered about the organization's Security Officer and about the security of the wireless network.

HIPAA On-site Survey

The On-site Survey is an extensive list of questions about physical and technical security that cannot be gathered automatically. The survey includes questions ranging from how facility doors are locked, firewall information, and how faxes are managed, to whether servers are on-site, in a data center, or in the cloud.

Disk Encryption Report

Encryption is such an effective tool for protecting data that if an encrypted device is lost, the loss does not have to be reported as a data breach. The Disk Encryption Report identifies each drive and volume across the network, whether it is fixed or removable, and whether encryption is active.

File Scan Report

The underlying cause identified for many data breaches is that the organization did not know that protected data was stored on a device that was lost or stolen. After a breach of 4 million patient records, a hospital executive said, "Based on our policies that data should not have been on those systems." The File Scan Report identifies data files stored on computers, servers, and storage devices. It does not read or access the files; it only looks at the file name and file type. This report is useful for identifying local data files that may not be protected. Based on this information, the risk of a breach can be avoided by moving the data to a more secure location, or mitigated by encrypting the device to protect the data and avoid a data breach investigation.

User Identification Worksheet

The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether each one is an employee or a vendor. Users who should have been terminated, and should have had their access terminated, can also be identified. This is an effective tool for determining whether unauthorized users have access to protected information. It is also a good indicator of the effort the organization makes to ensure that terminated employees and vendors have their access quickly disabled. Another benefit is that you can review the user list to identify generic logons, such as Nurse, Billing Office, etc., which are not allowed by HIPAA since each user is required to be uniquely identified. To save time, the system allows you to enter default settings for all users and change only those that need it.

Computer Identification Worksheet

The Computer Identification Worksheet takes the list of computers gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool for developing data management strategies, including secure storage and encryption. To save time, the system allows you to enter default settings for all computers and change only those that need it.

Network Share Identification Worksheet

The Network Share Identification Worksheet takes the list of network shares gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool for developing data management strategies, including secure storage and encryption. To save time, the system allows you to enter default settings for all network shares and change only those that need it.

Login History by Computer Report

The Login History by Computer Report shows login audit history. The report is cross-referenced with the ePHI worksheets to look for unauthorized logins.

Share Permission Report

The Share Permission Report shows all network shares together with the associated network share permissions and file system permissions.

External Vulnerability Scan Detail Report

The External Vulnerability Scan Detail Report shows the result of a vulnerability scan performed against the external (Internet-facing) IP addresses.
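The File Scan and Disk Encryption reports above work from file names, file types and the encryption state of the volume, never from file contents. The PowerShell script below is an added example written for this guide and is not RapidFire Tools code or the Data Collector's own logic: it inventories files under a set of folders by extension without opening them and records whether the volume holding each file is BitLocker-protected. The search roots, the extension list and the output path are assumptions to adapt to the environment; because classification is by extension only, a data file saved under an unusual extension is not found, which is the same limitation a name-and-type scan carries.

```powershell
# Added example, not RapidFire Tools code. Lists candidate data files by name
# and extension only (the files are never opened) and records whether the
# volume holding each one is BitLocker-protected. The search roots and the
# extension list below are assumptions; adjust them to the environment.

$searchRoots    = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Desktop", 'C:\Shares')
$dataExtensions = @('.xls', '.xlsx', '.csv', '.mdb', '.accdb', '.pdf', '.doc', '.docx', '.bak')

# BitLocker protection state per drive letter, or an empty map where the
# BitLocker cmdlets are not installed (those drives are reported as Unknown).
function Get-VolumeProtectionMap {
    $map = @{}
    try {
        foreach ($vol in Get-BitLockerVolume -ErrorAction Stop) {
            $map[$vol.MountPoint.TrimEnd('\').ToUpper()] = ($vol.ProtectionStatus -eq 'On')
        }
    } catch {
        Write-Warning 'BitLocker cmdlets unavailable; volume protection reported as Unknown'
    }
    $map
}

function Find-LocalDataFiles {
    param([string[]]$Roots = $searchRoots, [string[]]$Extensions = $dataExtensions)
    $protection = Get-VolumeProtectionMap
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $drive     = ($_.PSDrive.Name + ':').ToUpper()
                $encrypted = 'Unknown'
                if ($protection.ContainsKey($drive)) { $encrypted = $protection[$drive] }
                [pscustomobject]@{
                    Computer        = $env:COMPUTERNAME
                    Path            = $_.FullName        # name only; content is not read
                    Type            = $_.Extension
                    SizeKB          = [math]::Round($_.Length / 1KB, 1)
                    LastWrite       = $_.LastWriteTime
                    VolumeEncrypted = $encrypted
                }
            }
    }
}

# Keep the full inventory as evidence; show the rows the report exists to
# surface, i.e. candidate files on volumes that are not known to be encrypted.
$files = @(Find-LocalDataFiles)
$files | Export-Csv -NoTypeInformation -Path "$env:TEMP\filescan-$env:COMPUTERNAME.csv"
$files | Where-Object { $_.VolumeEncrypted -ne $true } |
    Format-Table Path, Type, SizeKB, VolumeEncrypted -AutoSize
```

Get-BitLockerVolume needs an elevated session; without one, or on an edition without the BitLocker module, every row reads Unknown rather than silently passing, so an Unknown column is a prompt to re-run with rights, not a clean result.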
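The worksheets and the Login History by Computer Report are meant to be read together: terminated users, generic logons, and logins to ePHI systems by people not identified for them only become visible when the login history is checked against the user and computer worksheets. The script below is an added PowerShell example, not part of this guide or of the Network Detective product. The worksheet column names (UserName, Type, Status; Computer, StoresEPHI, AuthorizedUsers), the user and computer names, the login events and the list of generic account names are all constructed sample data for the example.

```powershell
# Added example, not RapidFire Tools code. Cross-references constructed
# worksheet data with constructed login events to surface the cases the
# worksheets exist to catch. All names, columns and events are sample data.

$usersCsv = @'
UserName,Type,Status
jsmith,Employee,Active
rjones,Employee,Terminated
acmebilling,Vendor,Active
nurse,Employee,Active
'@

$computersCsv = @'
Computer,StoresEPHI,AuthorizedUsers
WS-EXAM01,Yes,jsmith;nurse
WS-FRONT02,No,jsmith;acmebilling
SRV-EHR01,Yes,jsmith
'@

$loginsCsv = @'
Time,Computer,UserName,Result
2015-02-01 08:02,WS-EXAM01,jsmith,Success
2015-02-01 08:15,WS-EXAM01,nurse,Success
2015-02-01 09:40,SRV-EHR01,rjones,Success
2015-02-01 10:05,SRV-EHR01,acmebilling,Success
2015-02-01 11:30,WS-FRONT02,tmp_contractor,Success
'@

# Shared account names seen in practice (assumed list); HIPAA requires unique user IDs
$genericNames = @('nurse', 'billing', 'billingoffice', 'frontdesk', 'reception', 'admin')

function Find-LoginFindings {
    param([string]$UsersCsv, [string]$ComputersCsv, [string]$LoginsCsv)

    $users = @{}
    foreach ($u in ($UsersCsv | ConvertFrom-Csv)) { $users[$u.UserName.ToLower()] = $u }

    $computers = @{}
    foreach ($c in ($ComputersCsv | ConvertFrom-Csv)) {
        $computers[$c.Computer.ToUpper()] = [pscustomobject]@{
            StoresEPHI = ($c.StoresEPHI -eq 'Yes')
            Authorized = @($c.AuthorizedUsers -split ';' | ForEach-Object { $_.Trim().ToLower() })
        }
    }

    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($e in ($LoginsCsv | ConvertFrom-Csv)) {
        if ($e.Result -ne 'Success') { continue }      # only successful logins prove access
        $name    = $e.UserName.ToLower()
        $machine = $e.Computer.ToUpper()
        $reasons = @()

        if ($genericNames -contains $name) {
            $reasons += 'generic (shared) logon; HIPAA requires each user to be uniquely identified'
        }
        if (-not $users.ContainsKey($name)) {
            $reasons += 'user not on the User Identification Worksheet'
        } elseif ($users[$name].Status -eq 'Terminated') {
            $reasons += 'terminated user; access should already have been disabled'
        }
        if ($computers.ContainsKey($machine) -and $computers[$machine].StoresEPHI -and
            ($computers[$machine].Authorized -notcontains $name)) {
            $reasons += 'login to an ePHI system by a user not identified as authorized for it'
        }
        foreach ($r in $reasons) {
            $findings.Add([pscustomobject]@{ Time = $e.Time; Computer = $machine; User = $e.UserName; Finding = $r })
        }
    }
    $findings
}

Find-LoginFindings $usersCsv $computersCsv $loginsCsv | Format-Table -AutoSize
```

On the sample data this reports the shared "nurse" logon, the terminated user rjones on SRV-EHR01 (two findings: terminated, and not authorized for that ePHI system), the vendor account on SRV-EHR01, and tmp_contractor, which appears in the login history but on no worksheet. Each of those is a row an auditor will ask about, so the output is worth keeping with the rest of the evidence described under Evidence of HIPAA Compliance.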

Appendix I: Group Policy Reference

Foreword and Introduction

Some networks are more restrictive than others, and in some cases the Network Detective Data Collector may query a device and have the request blocked or return less information than is required. To obtain more information, Group Policies can be modified, or a Local Data Collection can be performed to fill in the blanks. This document is a reference for modifying Group Policies and indicates which Group Policies are needed to ensure a full data collection.

This document is for reference only; RapidFire Tools is in no way responsible for, or able to assist with, any modifications to Group Policies made via this document. If you choose to make changes, perform a backup first, only make changes once you've assessed the overall impact, and of course, exercise caution.

Policies for Windows Firewall

Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

    Windows Firewall: Allow ICMP exceptions
        Enabled; Allow inbound echo request
    Windows Firewall: Allow file and printer sharing exception
        Enabled; Allow unsolicited incoming messages from: local subnet
    Windows Firewall: Allow remote administration exception
        Enabled; Allow unsolicited incoming messages from: local subnet
    Windows Firewall: Allow local port exceptions
        Enabled
    Windows Firewall: Define inbound port exceptions
        TCP: 135, 139, 445
        UDP: 137, 138
    Windows Firewall: Allow Remote Desktop exception
        Enabled; Allow unsolicited incoming messages from: local subnet

Policies for Windows Services

Computer Configuration > Windows Settings > Security Settings > System Services

    Windows Management Instrumentation (WMI)
        Startup Type: Automatic
    Remote Registry
        Startup Type: Automatic
    Remote Procedure Call (RPC)
        Startup Type: Automatic
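A read-only way to confirm that the policies above have actually reached a machine before a collection is attempted, and that the exceptions stayed scoped to the local subnet as the policies specify. This is an added PowerShell example, not a RapidFire Tools script; it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later) and uses the standard service short names Winmgmt, RemoteRegistry and RpcSs for the three services listed. It changes nothing; it only reports.

```powershell
# Added example, not RapidFire Tools code. Read-only verification that the
# Appendix I firewall exceptions and service startup types are in effect on
# this machine (run after the policy refresh). Assumes the NetSecurity module
# and the standard short names of the three services listed in Appendix I.

$requiredServices = @{            # service short name -> expected StartMode
    'Winmgmt'        = 'Auto'     # Windows Management Instrumentation (WMI)
    'RemoteRegistry' = 'Auto'     # Remote Registry
    'RpcSs'          = 'Auto'     # Remote Procedure Call (RPC)
}

$requiredPorts = @(               # inbound port exceptions from Appendix I
    @{ Protocol = 'TCP'; Port = '135' }, @{ Protocol = 'TCP'; Port = '139' },
    @{ Protocol = 'TCP'; Port = '445' }, @{ Protocol = 'UDP'; Port = '137' },
    @{ Protocol = 'UDP'; Port = '138' }
)

function Test-RequiredServices {
    foreach ($name in $requiredServices.Keys) {
        $svc    = Get-CimInstance Win32_Service -Filter "Name='$name'"
        $actual = 'not installed'
        if ($svc) { $actual = $svc.StartMode }          # Auto / Manual / Disabled
        [pscustomobject]@{
            Check    = "Service $name startup type"
            Expected = $requiredServices[$name]
            Actual   = $actual
            Scope    = 'n/a'
            Pass     = ($actual -eq $requiredServices[$name])
        }
    }
}

# Enabled inbound allow rules that apply to the Domain profile, joined with the
# port filter and the remote-address filter the Appendix I policies control.
function Get-DomainInboundAllowRules {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { "$($_.Profile)" -match 'Domain|Any' } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Protocol   = $port.Protocol
                LocalPort  = @($port.LocalPort)          # port strings, 'Any', or names like 'RPC'
                IcmpType   = $port.IcmpType
                RemoteAddr = @($addr.RemoteAddress)      # 'LocalSubnet', 'Any', or addresses
            }
        }
}

# One row per check. Scope shows whether the matching rules stay limited to
# LocalSubnet as the policies specify or were widened to Any; a rule open to
# Any still lets the collector through but is not what Appendix I asks for.
function New-CheckResult([string]$Check, [object[]]$Hits) {
    $remote = @($Hits | ForEach-Object { $_.RemoteAddr } | Sort-Object -Unique)
    $scope  = 'n/a'
    if ($remote -contains 'Any') { $scope = 'Any (wider than local subnet)' }
    elseif ($remote.Count -gt 0) { $scope = $remote -join ',' }
    $actual = 'no enabled rule'
    if ($Hits.Count -gt 0) { $actual = @($Hits.Rule | Sort-Object -Unique) -join '; ' }
    [pscustomobject]@{
        Check    = $Check
        Expected = 'enabled, local subnet only'
        Actual   = $actual
        Scope    = $scope
        Pass     = ($Hits.Count -gt 0 -and $remote -notcontains 'Any')
    }
}

function Test-RequiredFirewallExceptions {
    $rules = @(Get-DomainInboundAllowRules)
    foreach ($req in $requiredPorts) {
        # Exact port or 'Any'; port ranges such as 135-139 are not expanded here
        $hits = @($rules | Where-Object {
            $_.Protocol -eq $req.Protocol -and
            ($_.LocalPort -contains $req.Port -or $_.LocalPort -contains 'Any')
        })
        New-CheckResult "Inbound $($req.Protocol)/$($req.Port)" $hits
    }
    $echo = @($rules | Where-Object {
        $_.Protocol -eq 'ICMPv4' -and ($_.IcmpType -eq 'Any' -or $_.IcmpType -match '^8(:|$)')
    })
    New-CheckResult 'Inbound ICMPv4 echo request' $echo
}

@(Test-RequiredServices) + @(Test-RequiredFirewallExceptions) |
    Format-Table Check, Expected, Actual, Scope, Pass -AutoSize
```

A Pass of False with Scope "Any" means the port is reachable but the exception was widened beyond what the policy above specifies; that is worth correcting in the GPO rather than accepting, since ports 135, 139 and 445 and the Remote Registry service are exactly the surface the backup-and-assess-first warning in the introduction is about. Running the check again after the collection is finished confirms that any temporary exceptions were withdrawn.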

3rd Party Firewalls and Group Policy Considerations

3rd party firewalls should be disabled or configured similarly to Windows Firewall.

Machines automatically refresh policies every 60-120 minutes, but rebooting a machine or manually running gpupdate /force will update policies sooner.