
Advantech Guild HIPAA Compliance: A Retina Network Security Scanner Case Study

IT Consulting Firm Uses Vulnerability Assessments to Help Customers Achieve HIPAA Certification

Advantech Guild uses Retina Network Security Scanner to successfully meet HIPAA regulations for secure computing.

Situation
Advantech Guild is a security-consulting provider that focuses on improving data and network security for the healthcare industry. In the past 10 years, Advantech has consulted with numerous leading enterprises within the field, including healthcare conglomerates, university hospital systems, healthcare information system providers, and support facilities.

Advantech founder Karl Reid uses vulnerability assessment technology to test and document the penetrability of clients' networks, ensuring Health Insurance Portability and Accountability Act (HIPAA) compliance. Based on its findings, Advantech helps remediate issues and suggests policy changes to fortify a facility's network. Additionally, Reid's team provides the client with the written documentation needed to support its HIPAA IT security compliance.

Challenge
According to Reid, a considerable number of Advantech's clients are unaware of the network dangers that firewalls, intrusion detection systems, and anti-virus applications do not protect against. "Many companies assume just having a firewall is good enough. They don't realize that bad traffic can easily get through the firewall. They have a false sense of security about their network and think everything is protected. However, having just one weak password or a single unaddressed vulnerability is enough to exploit the entire network and create big problems," says Reid.

After educating its clients about the need for layered security and regular vulnerability testing, Advantech must conduct full-scale penetration tests and provide its clients with detailed reports outlining issues, remediation actions, and trends over time. This process was often very cumbersome for Advantech: Reid and his team relied on first- and second-generation scanning tools and customized testing routines, and had to manually create and consolidate all vulnerability reports.

With the onset of HIPAA, Advantech needed to formalize and simplify the vulnerability assessment and remediation process without sacrificing ease of use, scanning speed, or accuracy. In order to achieve compliance for its customers, Advantech had to substantially augment its reporting by referencing previous scan results and showing both improvements and the elimination of vulnerabilities. Per HIPAA requirements, Advantech needed to provide its customers with tangible proof that they were on top of security practices and regularly performing vulnerability assessments on their networks. Under HIPAA, firms not meeting network security compliance requirements are subject to severe penalties. For example, penalties for violating patient confidentiality standards are substantial, including monetary fines and in some cases imprisonment. Federal criminal penalties can also be imposed on health plans, providers, and health care clearinghouses that improperly disclose information.

Response
Advantech began looking into vulnerability assessment solutions that would satisfy its technical and reporting needs. "I didn't want to have to spend a majority of my time consolidating and typing up vulnerability reports for our clients. I wanted a detailed report that got to the point, looked good, and unquestionably satisfied HIPAA requirements," said Reid.

Reid learned of Retina Network Security Scanner when he began working with a colleague who was using Retina to test a rogue server for vulnerabilities and collect information. After seeing the speed and advanced reporting capabilities Retina offered, Reid downloaded the trial version of Retina, began probing for open shares on a test server, and found that it had been unwittingly spreading the Nimda virus. "Retina was extremely instrumental in providing us with all of the data that we needed to find out about that problematic server. After identifying the vulnerability, Retina guided us through the quick process of fixing it so that we could control it from spreading. The whole process was so easy and so well documented, I realized that Retina was the tool Advantech needed," said Reid. "The reporting in Retina is one of the best features. I like the ability to see the high-level reports and also view issues on the granular level," states Reid.

Reid also evaluated other leading vulnerability scanners and found the products to be too costly, too slow, or too technically intrusive. Additionally, these products were not very consultant-friendly and often made it more difficult for Advantech to provide customized reports to its clients. "I liked how eEye was open to creating a solution that was tailored towards the consulting marketplace. They really wanted to help me and get me using the product in our industry niche. The eEye team has really worked with me," states Reid. "eEye bent over backwards for Advantech and quickly helped us become educated on Retina, allowing us to better guide our customers through the HIPAA process. I truly appreciate that level of support and will continue to buy Retina consulting licenses."

Results
Advantech now uses Retina on a daily basis. Retina provides the detailed assessments and associated reports Advantech needs for its clients. Besides typical vulnerability assessments, Advantech uses Retina to evaluate its clients' common operating environments (COE) and their compatibility with application deployment. "We run Retina up against the image to be distributed and quickly find any issues that may affect its deployment and remediate issues in advance. This confidently ensures a chain of trust agreement is in place when distributing such applications internally," states Reid.

One of the most reassuring factors Advantech has found in using Retina is that eEye engineers are constantly updating and improving the product based on eEye research. eEye has identified more vulnerabilities than any other vulnerability assessment solution provider, and builds its products to stay a step ahead of intruders. "I think eEye puts out very timely updates and that is extremely important for Advantech and our customers. New vulnerabilities are almost a daily occurrence and eEye is on top of the situation with regular updates to Retina," said Reid. "With the backing of eEye research, I'm confident that we can protect our clients and ensure the CIA data triad of confidentiality, integrity, and availability."
