Automated management tools

HIPAA Weekly Advisor, June 12, 2003

Q: Are there any automated management tools that contain questions, checklists, etc., for conducting a HIPAA security risk analysis?

A: There are several automated tools you can purchase that will allow you to better manage your HIPAA security risk analysis. Some of these even tailor your analysis towards the standards. There are solutions that range from basic Microsoft Excel applications to high-end, stand-alone programs. These programs can provide you with questions and checklists to help take the pain out of performing a risk analysis. Some well-known generic programs include Insight Consulting's CRAMM and C&A Systems Security's COBRA.

I would suggest performing an Internet search to find one that fits your specific needs. Keep in mind that everything cannot be automated. You'll still need to factor in some manual risk analysis time when planning your efforts.

There is also a myriad of vendor-supplied, open-source, freeware, and commercial applications you can use as part of your risk analysis. You will use these tools mostly to perform penetration tests and vulnerability assessments on your information systems infrastructure. There is no all-in-one tool to use, nor one best tool to use. You'll most likely have to use a conglomeration of tools, ranging from Microsoft's Baseline Security Analyzer to the popular open source Nessus tool to typically more "feature rich" commercial tools such as GFI LANguard Network Security Scanner, QualysGuard, and WebInspect from SPI Dynamics.

Keep the following key issues in mind:

1. Don't get bogged down trying to figure out which tool to use
There are so many great products out there, some free and some fairly expensive. A lot will depend on your budget. You should consider the vendor's reputation as well. Before buying, downloading, or using any product, I recommend researching technical commercial product reviews from some reputable magazines such as "InfoWorld" and "Information Security Magazine" to get an unbiased perspective. For freeware and open source products, you can usually just perform an Internet search (search engines like Google work well) to see what others are saying.

2. Don't rely on only one tool to get the job done
Some risk analysis tools perform simple port scans only. Other more comprehensive tools perform port scans initially, but take that a few steps further by actually looking for known and unknown vulnerabilities on those ports as well as trying to penetrate those ports. Others can even perform password cracking and denial of service attacks. The bottom line is there is no one best product that will do everything you need. Browse around and find the tools you believe will serve you best based on your information systems infrastructure.

3. You cannot rely on these risk analysis tools alone
Certain things, such as security policies and operational/technical procedures, and even information systems infrastructure issues, such as placement of your perimeter security devices (firewalls, IDS, etc.) and the type of authentication or encryption being used, will require manual analysis by a good old-fashioned human being.

Editor's note: Answered by Kevin Beaver, CISSP, founder and president of Atlanta-based information security consulting firm Principle Logic, LLC, and excerpted from the June 2003 issue of Healthcare Information Security.