Preparing for a Network Audit

Make sure you have a solid understanding of the applicable standards and regulations and of the organizations making the rules. HIPAA, for instance, provides standards for processing electronic health transactions and unique identifiers, and provides privacy and security rules to guard health information. The Department of Health and Human Services (HHS) publishes the HIPAA rules, and the Centers for Medicare and Medicaid Services (CMS) and the Office of Civil Rights (OCR) enforce them. There's plenty of information out there on HIPAA to get you up to speed (see Sites to See, page 74).

Finally, once you've wrapped up your internal audit, hire a third-party auditor to check your work. Your internal audit will have corrected any major problems, so the external audit should be no more than a sanity check.

Are You Covered?

Before committing resources to compliance, find out whether your organization is required to follow the industry-specific regulations. HIPAA provides a series of questions in a flowchart to help you determine if your organization is a "covered entity" required to comply with the act. Basically, if you're a health-care organization that provides health-care billing information in electronic form, a health-care clearinghouse or a health insurer, you are subject to HIPAA. You may also be subject to a CMS audit if you transmit Electronic Protected Health Information (ePHI) as part of your business.

You also should know the time frame for compliance. Once health-care providers and health insurers adopt HIPAA, for instance, they must use the standards within 24 months. (Compliance is usually required 60 days after the final rule is published.) If you're a health-care provider or insurer, you can use a clearinghouse to help you meet these requirements, much in the same way you can hire an accountant to do your taxes. A clearinghouse accepts a wide variety of EDI formats, so you aren't burdened with updating your records and billing systems to become HIPAA-compliant overnight. It produces documents in HIPAA-standard formats that can be understood by everyone in the health-care community.One of the most difficult aspects of becoming compliant with HIPAA or other data-privacy regulations is figuring out what needs to be done specifically for your organization. The standards are written for an audience that ranges from large government agencies and Fortune 500 insurance companies, with revenues in the billions, to health-care providers in rural areas with more modest budgets. The requirements are written clearly, but knowing how to implement controls and whether they meet the requirements is another story. And your internal security policy should be updated regularly to keep pace with regulatory changes.

Before committing money to consulting services and products aimed at meeting HIPAA compliance, for example, try attending the variety of inexpensive or free workshops and conferences where other companies actively discuss their approaches to compliance. The Information Systems Security Association, for example, examines the security implications of HIPAA. The Information Systems Audit and Control Association is another good resource. Its COBIT (Control Objective for Information-related Technology) framework provides management guidelines, detailed control objectives and guidance on the overall IT audit process for HIPAA and other regulations. Also plan to attend HIPAA workshops offered by CMS.

Among the security requirements for HIPAA are so-called technical controls, such as reducing the number of unnecessary ports on a server to minimize the risk of a breach. If your server doesn't require FTP to move files, why keep it installed? Use only the minimum services and ports required for your applications and turn off what you don't need.

Another technical control is mandating standard server configurations with hardened operating-system images in your organization. Consistent server configs make testing and deploying patches easier. Otherwise, you need configuration-management tools to discover which servers aren't compliant.

It's a lot easier to start with this standard approach and then use a product like ConfigureSoft's Enterprise Configuration Manager (ECM) to ensure compliance and check for any shift or drift deviations from the standard and automatically correct them.The Center for Internet Security, meanwhile, provides configurations for Microsoft Windows 2000 servers and Group Policy Objects (GPO) you can use to set policy centrally. But remember, these are just tools. Compliance takes a combination of tools, standards know-how and ongoing checks and balances. So a process must be in place to ensure ongoing compliance.

The Big Guns

For an effective internal or external audit, senior management must endorse the process and authorize any changes required by the audit's findings. A company executive's memo to the entire company asking for full cooperation and participation during the audit helps pave the way.

Now you're ready to begin gathering information about your network and whether it meets the regulations. A checklist is a great way to see which tasks must be reviewed against the standard to determine your compliance (for a look at a checklist we adapted from SANS, go to ID# 1515rd3.)

You can send questionnaires to key personnel or interview them. Ask questions that drill down to the level of implementation for each control, for example: If your company purchased an IDS (intrusion detection system), make sure the questionnaire or interview includes the hardware make and model, operating system level and level of implementation. That means determining if the IDS has been tested and is in production or whether it's still sitting shrink-wrapped on a shelf somewhere.Testing 1-2-3

Once you have documented your security architecture and controls, begin testing the effectiveness of your administrative, physical and technical controls. Administrative controls or safeguards are human actions that govern and control your organization's security and are derived from the human resources and security policies. Physical safeguards range from card-key access to the data center to any steps to protect data and systems from natural disaster or environmental hazards. Technical controls, of course, are the IDS systems, firewalls, encryption and other security technologies you deploy.

Testing your technical controls may bring out the hacker in you. For example, you may be required to conduct a penetration test, which examines the network from the outside-in, on your network perimeter. A penetration test typically starts with border routers and firewalls, and then moves to the core of the network where sensitive data is kept. Once inside, you can check if hosts are vulnerable. For instance, if you want to fingerprint a system inside the network, run a tool like Sourceforge.net's Winfingerprint to see which ports are listening in the target host operating systems. Plenty of open-source tools, too, like nmap and Nessus, are available for mapping and vulnerability assessment.

Your mainframes and distributed network of servers, meanwhile, typically contain the PHI databases that are restricted to users who must access this data as part of their jobs. Work with your local database administrator when testing access controls to make sure he or she is aware of the testing. Ensure that a restricted account can't obtain escalated privileges beyond what is required for the business function, and make sure the default system administrator accounts aren't left blank. That's still a big hole in some organizations: If the default sys admin password is left blank, the system is open to exploits, such as SQL Slammer worm.

Once you've finished testing and gathering information, provide senior management with a report of your internal audit findings. Make it clear and concise with specific actions and dates for meeting compliance. Then you can act on these findings by ensuring your security policy incorporates and reflects the regulatory requirements. This also helps management secure the funding for necessary training and awareness to meet the HIPAA security requirements or any other regulations. Plus your organization can use compliance as a marketing asset to demonstrate security due diligence to customers.There's no excuse for getting caught unawares when an external audit occurs. Start by conducting your own audit, and the external one will be a mere formality.

Michael Dalton is an information protection specialist responsible for application security reviews and network vulnerability assessments at a Fortune 100 insurance company located in North America. Write to him at michael [email protected].

Sites to See

Center for Internet Security's Windows 2000 site

HIPAA's final security rule on Centers for Medicare and Medicaid ServicesHHS guide on HIPAA

Information Systems Audit and Control Association (ISACA)

Information Systems Security Association

ISO 17799 standard checklist

NIST's guide to implementing the HIPAA Security Rule1. Know which standards your organization will be measured against, and get senior management on board. Identify a member of the senior management team that will support efforts to comply with the audit and has the authority to allocate resources for remediation.

2. Keep the minimum regulatory requirements in mind at all times to avoid "scope creep." Focus on whether you've met the requirements. Best practices can be captured in the portion of the report recommending tactical and strategic recommendations.

3. Identify any gaps. Compare the information you gathered and assess the difference between where you stand and the standards. Determine how to correct any shortcomings and construct a time line for doing so.

4. Check the obvious. When assessing your security controls, first make sure you've closed the unnecessary ports on your servers, and aim for standard server configurations with hardened operating-system images across the organization.

5. Put your technical controls to the test. Run a penetration- or vulnerability-assessment tool to pinpoint weaknesses in your network and systems.6. Report your findings to senior management. Communicate a plan of action to remediate problems.

7. Establish a schedule of ongoing compliance assessment. Keep tabs on your status, what technology changes have occurred and where the regulations are going.

8. Invite objective and certified external auditors to assess your current state of compliance. Use regulatory auditors recognized by CMS for an official HIPAA audit, for example.

When in doubt, you can always refer to a checklist. Here's one generated from the SANS audit checklist for the ISO 17799 standard (www.sans.org/score/checklists/ISO_17799_checklist.pdf):

Security PolicyDoes a written security policy exist?

Does the security policy tie into HR policy?

Organizational Security

Has the risk of access from third parties been identified?

Are security requirement included in outsourcing contracts?Asset Classification and Control

Has an inventory of assets been conducted so theft would be noticed?

Do data-classification procedures exist to identify and protect ePHI?

Personnel Security

Is information-security training and education provided for employees?Are there enforcement procedures, including disciplinary action from HR, for security violations?

Physical Security

How is the perimeter secured? Is there a gated entrance? Is there a reception at the front desk to ensure visitors are escorted by an employee while on-site? How many entrances are there into the building(s) where sensitive data is kept, and how is access provided (swipe card, key lock, etc.)?

Are documents that are not classified as "Public" stored in locked file cabinets or desks that can be locked securely?

Is any there any removable/portable media in sight that is not in locked storage?Communications and Operations Management

Are operational procedures in place to ensure that all programs running in production are subject to strict change control moveup authorization?

Is there an established Computer Security Incident Response Team (CSIRT) in place to report violations?

Is there adequate separation of duties?

Protection Against Malicious SoftwareIs antivirus software installed and in use on workstations and servers?

Is antivirus software checking in place to intercept e-mail containing spam and potentially unsafe attachments?

Electronic Commerce Security

Is electronic commerce well-protected, and have controls been implemented to guard against fraud and manipulation? Does this protection include authentication and authorization controls?

User Password ManagementAre strong passwords in use that are not easily guessable or would provide more resistance to a dictionary attack?

Audit, Logging and Monitoring

Is access control monitored and logged? If so, who actually examines the logs, and how often? Are the logs kept on a central syslog server when they may be less susceptible to tampering?

Mobile Computing

Is there a standard for mobile devices, such as laptops and personal digital assistants? Are the data files on each PDA encrypted to minimize the possibility of data disclosure by an authorized person if the PDA is lost? Is there a technical control to format the data if the number of unsuccessful logon attempts for a PDA is exceeded?0