Best Practices

Vulnerability Scanning and Penetration Testing Time-frame Suggestions
Regardless of the size of the organization, we suggest vulnerability scans be performed at least quarterly and after major changes to the systems.  Penetration testing should be performed annually and after significant changes.  Possible significant or major changes may include:
  • Installation of a new firewall
  • New installation or upgrades for the operating system
  • Utilization of a new malware or virus protection software
  • Large additions to the network
  • A malicious attack
  • Anything that may be deemed by the organization as a risk
While HIPAA does not specify how often these should be performed, completing vulnerability scans and penetration testing more frequently allows the organization to protect assets by proactively identifying risks due to continuously evolving trends in cybersecurity.

Firewall Best Practices
Initially, best practices suggest the organization complete an evaluation of the business uses of their network and systems. This should include a list of the types of traffic required by the organization and a categorization of how said traffic should be secured.  Once the evaluation is completed, the organization should create a policy surrounding firewall usage and configuration. The firewall policy should be updated frequently, at least annually, as classes of new attacks or vulnerabilities arise, or as the organization’s needs regarding network applications change.

Hardware Firewall
We recommend implementing a hardware firewall, placed between your office network and the Internet. This will enable the organization to better protect systems and networks.  The hardware firewall has the capability of blocking incoming and outgoing traffic.  The organization should determine what outbound traffic should be allowed and only allow that traffic.

Software Firewall
A software firewall is useful for protecting specific systems. It can be used in addition to the hardware firewall, though the organization may experience issues from the overlap.  The software firewall detects browser, email, network, and other programs that attempt to connect to remote servers.  If using software firewalls, we suggest setting the default to deny all traffic, and then determining which exceptions will be allowed.
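To make the difference between the two postures concrete, the following added example (not MainNerve's code, and not a real firewall) models the advice in both firewall sections: list the outbound traffic the organization actually needs, allow only that, and let everything else fall through to the default. The rule set, the address ranges and the sample connection attempts are all constructed for this illustration; the same allowlist is evaluated once with a default-allow policy and once with a default-deny policy so the effect of the default on unlisted traffic is visible.

```python
"""Constructed illustration of a default-deny egress policy versus default-allow.

The rules and sample connections below are made up for this example; they do
not correspond to any vendor's product or any real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    dst_net: str            # destination network in CIDR notation
    dst_port: Optional[int] # None matches any destination port


@dataclass(frozen=True)
class Connection:
    proto: str
    dst_ip: str
    dst_port: int


def rule_matches(rule: Rule, conn: Connection) -> bool:
    """A rule matches when protocol, destination port and destination network all agree."""
    if rule.proto != "any" and rule.proto != conn.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != conn.dst_port:
        return False
    return ip_address(conn.dst_ip) in ip_network(rule.dst_net)


def evaluate(rules: List[Rule], default: str, conn: Connection) -> str:
    """First matching rule wins; with no match, the default policy decides."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule.action
    return default


# Constructed allowlist: the only outbound traffic this hypothetical office needs.
# DNS must go to the internal resolver, mail must go through the internal relay,
# and HTTPS may go anywhere.
ALLOWLIST: List[Rule] = [
    Rule("allow", "udp", "10.0.0.53/32", 53),
    Rule("allow", "tcp", "10.0.0.53/32", 53),
    Rule("allow", "tcp", "0.0.0.0/0", 443),
    Rule("allow", "tcp", "10.0.0.25/32", 25),
]

# Constructed sample of outbound connection attempts (documentation address ranges).
SAMPLE: Dict[str, Connection] = {
    "https_to_internet": Connection("tcp", "203.0.113.10", 443),
    "dns_to_resolver":   Connection("udp", "10.0.0.53", 53),
    "dns_to_external":   Connection("udp", "203.0.113.53", 53),   # bypasses the resolver
    "smtp_direct":       Connection("tcp", "203.0.113.25", 25),   # bypasses the mail relay
    "rdp_outbound":      Connection("tcp", "198.51.100.7", 3389), # never needed by this office
}


def decisions(default: str) -> Dict[str, str]:
    """Evaluate every sample connection against the allowlist under one default policy."""
    return {name: evaluate(ALLOWLIST, default, conn) for name, conn in SAMPLE.items()}


def compare_policies() -> Dict[str, Dict[str, str]]:
    """Same allowlist, two defaults: only the default decides the unlisted traffic."""
    return {"default_allow": decisions("allow"), "default_deny": decisions("deny")}


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(policy)
        for name, action in result.items():
            print(f"  {name:20s} {action}")
```

Under the default-allow policy every sample connection is permitted, because nobody wrote a deny rule for the traffic the organization never thought about (external DNS, direct SMTP, outbound RDP). Under the default-deny policy only the four listed flows pass and the rest are blocked; a new business need then becomes an explicit, reviewable exception rather than something that was silently allowed all along. The exception list itself is the part that should be revisited at the policy review cadence described above.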

Utilizing these suggestions will allow the organization to protect assets by proactively mitigating risks from continuously evolving trends in cybersecurity.

Workforce Training Time-frame Suggestions
HIPAA states that training should be performed for all workforce members; however, the HIPAA standards do not provide a specific timeframe. We suggest new hire training be performed within the first 30 days of hire.  After that, training should be performed annually, in most cases, in order to mitigate the organizational risk.  Additionally, if changes are made to the organization, or to HIPAA standards, retraining should be provided for all workforce members affected by the changes.  Completing training more frequently allows the organization to protect assets by proactively identifying risks, and training on them, due to continuously evolving trends in cybersecurity.

Evaluation and Risk Assessment Time-frame Suggestions
Organization size   Number of employees   Suggested timeframe for risk assessments and evaluations
Large               100 or more           Annually AND when major changes are made that require new policies and procedures.
Medium              25-99                 Annually OR when major changes are made that require new policies and procedures.
Small               24 or fewer           Every two years OR when major changes are made that require new policies and procedures.
Note: The suggestions above should apply unless a majority of the organizational resources are outsourced. These resources may include IT services, shredding services, etc.  In that case, MainNerve recommends performing risk assessments annually, regardless of the size of the organization.  These organizations should check with their Business Associates to ensure that they are performing their own risk assessments, as well as evaluate if the Business Associate relationship should be maintained.

While HIPAA states that, after the initial risk assessment, evaluations should be done periodically, we suggest risk assessments be performed annually, in most cases, in order to mitigate the organizational risk. As these evaluations and assessments are done more frequently, they will become less daunting to complete.  Completing risk assessments more frequently allows the organization to protect assets by proactively identifying risks due to continuously evolving trends in cybersecurity.