Phase 1 Assessment: Outside View

Video Transcription
So welcome back, Cybrarians, to the art of auditing and assessments. This is lesson 3.3 of Implementing a HIPAA Compliance Program for Leadership. And now, after eight months of work, we're finally ready to let the outside judges make us cry and make us feel bad about our security program. Actually, not quite that bad yet, because we're having an assessment and not an audit. And we're gonna talk to you about the differences between the two, and actually go to work with our security consulting partner, whom we have hired to test and assess our security program. So if you're ready, let's go.

So in today's lecture, we will answer three big questions. Well, four really, because we need to know where I picked up that awful suit and tie, and answer the three questions. What's involved in the third party security assessment? What are the differences between what we've already done in our self assessments and what this new outside third party assessor is going to do for us? And why? Why all this extra effort, what are we gaining by paying for this outside view of our security program? And how are we finally preparing for a HIPAA readiness assessment? So let's loosen our ties and take our shoes off and get comfortable. Well, maybe not that, because... anyway, well, get comfortable, because the assessor is gonna be here. Well, it's sometimes weeks for their team to perform the work.
So if asked what I'm passionate about, it's the items in the slides. It's a professional security assessment: what it does, how it's performed, what we learn and the value it brings. I want to start by sharing that there is a huge difference between an audit and auditor and an assessor and assessment. So let me explain. An auditor is gonna come into your program, sit down, break out a bunch of work papers with a list of items to review for compliance. So recall that list of controls we got from HHS with the required and addressable controls broken down, those administrative, physical and technical controls. When an auditor's going to sit down and work those check boxes: Do you have the control? Prove it. Okay, check, next. An assessment with an assessor is instead a real partnership between you and the consulting party. Do you have the control? Yes. No. Kind of. Okay, let's talk through it and make some recommendations on what's involved to get you to that check box, because that's what an auditor is going to be looking for. You see the magic, the partnership. You're still not ready for a true audit to occur. You're still fine tuning your program. In fact, there's still very likely straggling remediation work that's still occurring over the next couple of months. But we have documentation now, and we can explain our case and how we will meet the standard when we execute our planned remediation activities.
And for those of you watching this video, the same slide will be duplicated several times because we have a lot to talk about. So, you listeners out there, imagine a slide deck with the same slide repeated, like, three times or something. Either it must be so important, or there's so much to cover, or the instructor is just plain out of imagination and creativity. I'm thinking the latter. That guy is quite the idiot.

Our third party agency will now use much more expensive and robust scanning tools than we used on ourselves. Now, these very expensive tools, they're gonna use all kinds of scanning methods and use all the various national and international databases to check for vulnerabilities much deeper and wider than we ever did on ourselves. So think of scanning on steroids. And then we find a vulnerability, like a weakness in the authentication on the Web server. Well, the consultants are now going to try to exploit that vulnerability. This is called penetration testing. They'll actually try all the methods and use all the same tools hackers would use to try to get into our network and steal our information and do damage. Now, this is where the ethical hacker comes in, the CEH. The consultants will use the same methods hackers will use to try to get into our network and do damage and cause chaos, but actually not create chaos and actually not do damage. They will see how far they could go, how far they can get in, but not actually steal our information or install a CryptoLocker on our data. They will scan your Active Directory environment and not crack your user passwords, because AD actually doesn't store your passwords in clear text but encrypts them in this thing called a hash. Well, your consultants have access to literally dozens of password crackers, and these things have so much processing and computational power that they will actually decrypt the hashes and then try to crack the passwords. And this is the scary stuff, folks. I see literally every day these password crackers are so good that, on average, 40 to 50% of an organization's passwords are cracked in just a matter of hours. And a lot of these crackers are free and open source, like the three password crackers included with the free, downloadable hacking suite called Metasploit. Really scary but really critical stuff.
So for you listeners out there, I give the viewers a break and actually change the slide around. This time you're seeing a screenshot of the cover page of NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. So, viewers, sorry to waste your time telling all the listeners out there what you're seeing. But remember, seeing is believing, and the listening audience hasn't believed a word I've said this whole lecture series, so sure they still want their CPEs for completing the course at 1.5 times speed, but don't actually believe a thing I'm selling. So what would you do if you were me? Anyway, our assessment team, well, they're gonna be really digging into a much wider pool of standards and guidelines for the documentation, and not just HIPAA. How is our network documentation? How about our RPOs and RTOs? What documentation do we have for policy on the destruction of old hardware and software, stuff that maybe our internal team hadn't thought of? And the assessment team will go much deeper and much wider into controls. The NIST Cybersecurity Framework, for example, reviews about 100 controls, but NIST 800-53, a much bigger guideline, reviews more than 300. And the International Standards Organization's ISO 27001 and 27002 are just as wide as NIST 800-53 but internationally recognized, not just for the United States. So what if our health care organization, which is US based, has health care facilities in Canada and is now GDPR compliant? We need to pay attention, and they will now go deeper into risk and deeper into all our programs as well. So get ready, because we're rolling up our sleeves. This one is, this is the real deal.
And our assessment team will perform rugged and very targeted social engineering testing. They'll run phishing attacks, calling our employees pretending to be IT management or trying to get information from us over the phone. They will send phishing attacks to our email addresses, using clickbait and other methods to try to get information from our user community by sending them to fake websites and filling out forms with their personal information to qualify for their free Amazon gift card. And you know what, folks? This stuff is very successful. It works. And they will walk into our lobby and pretend to be the new employees, or wear service uniforms by pretending to be the HVAC guy who requires access to the locked data center to check out how hot the computers are making the room. This is called pretexting, or pretending to be somebody else to gain confidential information. And they're gonna be screen watching our employees' monitors facing common areas that could be seen through windows, where bad guys can take pictures and take video to capture our patient records and credit card information. So let's hope, for our sake, that our employees have their monitors behind walls and cubicles so they can't be seen by prying eyes. As you can see, our outside assessment team is really running the gamut of tests against us that they have in their compliance arsenal to test our program. And we're gonna be so much better and stronger going through this process.
So this time, when we get our report card, our Gap and Remediation report from our third party assessment, it's really good news if we get a pass. Passing on this one is a good enough grade that we get to keep our jobs for another six months or until the real audit happens. Our report card's gonna be based on high, medium and low risk: the criticality of the finding, how expensive it is, and an estimate for us from a labor perspective to perform the remediation on the control. And the control is low risk to us because we only have a few users with the risky software and the chance of exposing critical data is very low, compared to, like, our passwords. Well, they were substantially cracked, and cracked easily. So now we need to buy a multi factor authentication solution because we can't trust our users to maintain good password policy. And you know what? Unfortunately, an MFA is expensive and labor intensive to implement. So now, from this report, we have to make a whole new remediation list and go back to the table and ask for more resources and more budget and more time to get our security program in order. All right, so we're dizzy and blurry from the third party assessment. So we have to go to the eye doctor to make sure we're not just getting old and having a stroke. So can you name a couple of deeper and wider security standards that our assessment team will use to review and assess our controls?
So that's right. There's a lot of them out there. There's no way I could list them all. But just to name a few, there's NIST 800-53 with its 300 controls, the International Standards Organization's 27001 and 27002, and we like that one because it's internationally recognized, uh, there's 800-30 by NIST, which is a risk management guide. And then there's NIST 800-66, which is really a walk-through of being a HIPAA-compliant program. And there's a lot of other new ones, like CIS, Center for Internet Security. They've got standards and reviews as well, so a lot of these can be used. You'll grab one or two, and the organization will use that to go deeper and wider so that you're not just HIPAA compliant, but you're doing the best you can and have the best network and hardened network out there to protect the privacy and security of your patients and your PHI. All really great stuff.
So in this lesson, we took a deep dive into all that's included in a third party assessment, from deeper reviews, wider standards, to the use of higher quality tools to search for vulnerabilities and exploit them via penetration testing using ethical hacking methods. And our users are just plain exhausted by all the telephone phishing attacks, email phishing attacks and pretend new hire pretexting social engineering testing. We have a bunch of new remediation work to go do now and some new tools that we have to run through the budget process. But we're getting closer to the finish line. So great job, everyone.

So here in Texas, where I live, you know when the assessor walks in the room because he's got a suit and ugly tie and wears a cowboy hat and cowboy boots. The rest of us in the network room were wearing jeans and sports shirts and tennis shoes. We've got coffee stains and food spots all over us because we just pulled an all nighter cutting over the new content filter so we can show the auditor how many times the nursing staff went to Facebook. So on behalf of all of us here at Cybrary, the instructors, the course creators, teaching assistants, thanks so much for joining us. In our next lecture, it's the HIPAA readiness assessment. And so, until then, take care and happy journeys.