VULNERABILITY SCAN

The Security Rule requires organizations to take into account the probability of potential risks to e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Rule requires protection against because they are “reasonably anticipated.”

Vulnerability scanning uses a software application that helps identify these risks by assessing all of your devices, applications and network for Common Vulnerabilities and Exploits. Besides performing the scan, the scanner produces a report of the results so you can see what and where any weaknesses or potential exposures are in your system. It is an automated process of proactively identifying security vulnerabilities of computing systems in a network, such as open ports, insecure software configuration, and susceptibility to malware, in order to determine if and where a system can be exploited and/or threatened.

Vulnerability scanning typically refers to the scanning of systems that are connected to the Internet (external scans) but can also refer to system audits on internal networks that are not connected to the Internet (internal scans) in order to assess the threat of rogue software or malicious employees in an enterprise.

It’s recommended that you schedule periodic vulnerability scans to ensure nothing has been missed and to keep you in compliance with all of the HIPAA requirements. Typically, vulnerability scanning is run quarterly or semi-annually, but it’s a good idea to run this scan every time you add new equipment or install new applications.

Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), or educating users about social engineering.

Carosh will conduct your vulnerability scan, review the results with management, and coordinate the remediation of any identified vulnerabilities with your IT staff or service provider.