Another Nessus thread… HIPAA/HITECH audits
My client had an audit done by a HIPAA security consultancy, and they used Nessus, as I assume a HIPAA auditor will do. Nessus flagged the firewall as a high risk, saying that the "OS was outdated and unsupported by the vendor, therefore likely to have vulnerabilities…blah...". At the time, it was running pfSense2.0.3/FBSD8.1-RELEASE-p13. (It has since been updated to 2.1.)
I'm hoping that 2.1, being based on FBSD 8.4, will make a better 'scanner' impression, but with HIPAA Omnibus in effect Sep 23, 2013, we're subject to massive fines if the government auditors don't want to hear "but it's all patched and up to date" from me.
Is there ANY way to have pfsense score better on the Nessus scan? I like pfSense, but I cannot afford multi-thousand dollar fines because the feds might be stubborn button-pushers who have already budgeted fine/penalty dollars. It'd be way cheaper to buy Sonicwall than get fined.
pfSense 2.1 uses FreeBSD 8.3 and is at 8.3-p11
FreeBSD 8.3 has security patches coming out up to April 2014 (I think that is accurate?), so I would hope that an automated security assessment bot will be happy with that.
That's good. I did update it to 2.1, so that covers it through April. Thanks for that.
The results obtained from any vulnerability scanner are open to interpretation. The fact is that Nessus, run from the inside, will find vulnerabilities. My own healthcare clients are using a couple of different Unix/Linux firewalls and fare poorly against a Nessus scan - typically DNS vulnerabilities. Nessus is a good starting point for a risk assessment, but its verdict on your vulnerabilities is not a verdict on your HIPAA compliance. The best fit for Nessus and HIPAA is when it is used for regular monitoring and inventory - what's different about your network from yesterday or last year? Nessus scans could have a place in your HIPAA policies, but its scans need to be considered within the overall culture and policy of your organization.
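The "what's different from yesterday" use of Nessus in the reply above can be automated by diffing two .nessus (v2 XML) exports, reporting findings that appeared, findings that were resolved, and hosts seen for the first time. This is an added example, not code from the thread or from Tenable; the two embedded exports, their hostnames and their plugin IDs are constructed.

```python
"""Diff two Nessus .nessus (v2) exports: what changed since the last scan?"""
import xml.etree.ElementTree as ET

# Constructed sample exports (not real scan output); plugin IDs are made up.
BASELINE = """<NessusClientData_v2><Report name="baseline">
<ReportHost name="fw.example.internal">
 <ReportItem port="0" protocol="tcp" svc_name="general" pluginID="900001"
   pluginName="Unix OS unsupported version" severity="3"/>
 <ReportItem port="53" protocol="udp" svc_name="dns" pluginID="900002"
   pluginName="DNS server detection" severity="0"/>
</ReportHost></Report></NessusClientData_v2>"""

TODAY = """<NessusClientData_v2><Report name="today">
<ReportHost name="fw.example.internal">
 <ReportItem port="53" protocol="udp" svc_name="dns" pluginID="900002"
   pluginName="DNS server detection" severity="0"/>
 <ReportItem port="53" protocol="udp" svc_name="dns" pluginID="900003"
   pluginName="DNS recursion enabled" severity="2"/>
</ReportHost>
<ReportHost name="new-host.example.internal">
 <ReportItem port="22" protocol="tcp" svc_name="ssh" pluginID="900004"
   pluginName="SSH service detection" severity="0"/>
</ReportHost></Report></NessusClientData_v2>"""


def parse_nessus(xml_text):
    """Return {(host, port, protocol, pluginID): (pluginName, severity)}."""
    findings = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            key = (host.get("name"), item.get("port"), item.get("protocol"), item.get("pluginID"))
            findings[key] = (item.get("pluginName"), int(item.get("severity", "0")))
    return findings


def diff_scans(old_xml, new_xml, min_severity=0):
    """Return (appeared, resolved, new_hosts). min_severity filters informational
    noise (severity 0) from the finding lists; new hosts are always reported."""
    old, new = parse_nessus(old_xml), parse_nessus(new_xml)
    appeared = {k: v for k, v in new.items() if k not in old and v[1] >= min_severity}
    resolved = {k: v for k, v in old.items() if k not in new and v[1] >= min_severity}
    new_hosts = {k[0] for k in new} - {k[0] for k in old}
    return appeared, resolved, new_hosts


if __name__ == "__main__":
    appeared, resolved, hosts = diff_scans(BASELINE, TODAY, min_severity=1)
    for k, v in appeared.items(): print("NEW     ", k[0], k[1] + "/" + k[2], v)
    for k, v in resolved.items(): print("RESOLVED", k[0], k[1] + "/" + k[2], v)
    for h in hosts: print("NEW HOST", h)
```

Keeping each dated export and running this diff between them gives the kind of change record an auditor can read, which is a different artifact from a one-off scan report.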
HIPAA security assessments typically center on gap analysis - what are your security policies and are you adhering to them? Do those policies meet or exceed the standards set by the government? Have you documented all locations that contain ePHI, either at active or at rest? Do you have a complete inventory of your information assets? Do you have backup policies? Are you adhering to your backup policies? The law typically tells us what to do, but not how to do it, that's for each organization to define through their policies. See http://scap.nist.gov/hipaa/ for a good assessment toolkit.
Government HIPAA auditors usually are involved after the fact. The real HIPAA police are the patients and the healthcare organizations themselves. Fines await those who expose patient health or financial information. The fines are not issued because you failed a Nessus scan but instead because you may not have done everything in your power to prevent the exposure of protected health or financial information.