
HIPAA Vulnerability Scanning 101


Best practices to secure against a data breach

This post contains the text from the White Paper: HIPAA Vulnerability Scanning 101. Download the PDF below.

White Paper: HIPAA Vulnerability Scanning 101

Download Here


Based on data collected by SecurityMetrics Forensic Investigators from last year’s breaches, it took an average of 166 days from the time an organization was vulnerable for an attacker to compromise the system. Once compromised, attackers had access to sensitive data for an average of 127 days. 

These system compromises can and often do lead to patient data theft and expensive data breach fines. 

Many of these compromises could have been avoided if organizations had tested their environment (e.g., vulnerability scans). Vulnerability scanning is a great way to identify vulnerabilities that attackers may exploit to gain access to your sensitive networks.

But vulnerability scanning isn’t just about locating vulnerabilities in your environment; it’s about remediating and changing your processes to ensure vulnerabilities are addressed on a prioritized basis. 

In this white paper, you will learn the basics about vulnerability scanning, how vulnerability scanners work, how you can best perform vulnerability scanning, and tips to manage your network vulnerabilities.



Due to inherent security weaknesses in systems or technology, attackers could potentially exploit some organizations’ network vulnerabilities starting on the day they set up their IT environments. 

In other cases, an organization becomes vulnerable because it fails to regularly apply security patches, or because it makes system modifications without properly updating the related security protocols. 

To reduce your risk and prevent a data breach, make vulnerability scanning part of your annual Risk Assessment process. Critical vulnerabilities must be continuously identified, prioritized, and remediated (e.g., your Risk Management Plan). 

Without regular vulnerability scanning, your probability of being exploited and compromised increases considerably. This is because there are an average of 19 new vulnerabilities reported daily that can then be exploited if discovered in your networks and systems (e.g., Heartbleed, WannaCry, Petya). 

For example, here are the top five failed vulnerabilities from last year that SecurityMetrics’ customers discovered after they performed their vulnerability scans: 

  • TLS version 1.0 protocol detection: Exists if the remote service accepts connections using TLS 1.0 encryption 

  • SSL certificate with wrong hostname: Happens when an SSL certificate for the tested service is issued for a different host 

  • Web application potentially vulnerable to clickjacking: Occurs if a remote web server does not set an X-Frame-Options response header in all content responses 
  • SSL RC4 Cipher Suites Supported (i.e., Bar Mitzvah Attack): Exists when the RC4 encryption algorithm is used in SSL/TLS transmission 

  • SSL Self-Signed Certificate: Occurs when organizations use an identity certificate that they create, sign, and certify themselves rather than one issued by a trusted certificate authority (CA) 
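As an added example (not code from the white paper or from SecurityMetrics), here is the kind of check a scanner runs for the clickjacking finding above: it parses constructed HTTP responses and reports every URL whose response carries neither a valid X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive. The URLs and responses are invented for the demonstration.

```python
from typing import Dict, List, Optional

def parse_headers(raw_response: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP/1.1 response, keys lower-cased."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def framing_protection(headers: Dict[str, str]) -> Optional[str]:
    """Name the mechanism that stops framing, or None if the page can be framed.

    ALLOW-FROM is treated as no protection because current browsers ignore it.
    """
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "X-Frame-Options"
    csp = headers.get("content-security-policy", "")
    if any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";")):
        return "CSP frame-ancestors"
    return None

def clickjacking_findings(responses: Dict[str, str]) -> List[str]:
    """URLs whose response lacks a usable anti-framing header (the scan finding)."""
    return [url for url, raw in responses.items()
            if framing_protection(parse_headers(raw)) is None]

# Constructed sample responses; not captured from any real site.
SAMPLE_RESPONSES = {
    "https://portal.example/login":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "https://portal.example/records":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n<html>",
    "https://portal.example/help":
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "https://portal.example/legacy":
        "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n<html>",
}
```

Running `clickjacking_findings(SAMPLE_RESPONSES)` flags the help page (no header at all) and the legacy page (an ALLOW-FROM value that browsers no longer honour).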

Often, attackers use vulnerability scanning tools to discover network vulnerabilities. 

To stay ahead of attackers, you need to keep up to date on emerging vulnerabilities by running internal and external vulnerability scans. 



A vulnerability scan is an automated, high-level test that looks for and reports potential known vulnerabilities. For example, some vulnerability scans are able to identify over 50,000 unique external and internal weaknesses (i.e., different ways or methods that hackers can exploit your network). 

It’s highly recommended that you perform two independent methods of vulnerability scanning: internal and external scanning. An external vulnerability scan is performed from outside your network (e.g., at your network perimeter), and it identifies known weaknesses in network structures. An internal vulnerability scan is performed from within your network, and it looks at other hosts on the same network to identify internal vulnerabilities. 

Think of your environment as a house. External vulnerability scanning is like checking to see if outside doors and windows are locked, while internal vulnerability scanning is like testing if bedroom and bathroom doors are locked.

Typically, vulnerability scans generate an extensive report of discovered vulnerabilities and provide references for further research on them. Some scanning tools even offer directions for remediation. 

Despite what some healthcare organizations believe, scanning isn’t enough. You shouldn’t just scan and sit on the report. Act quickly on any discovered vulnerabilities to ensure security holes are fixed, and then re-scan to validate that vulnerabilities have been successfully addressed. 

Vulnerability scanning identifies potentially harmful vulnerabilities, so that you can remediate them and adjust your processes to ensure network security.



Pros of vulnerability scanning:

  • Quick, high-level look at possible vulnerabilities
  • Very affordable compared to penetration testing
  • Automatic (can be automated to run weekly, monthly, quarterly)

Cons of vulnerability scanning:

  • False positives
  • Businesses must manually check each vulnerability before testing again
  • Doesn’t confirm if a vulnerability is exploitable


Some mistakenly believe vulnerability scanning is the same thing as a professional penetration test. 

Here’s the difference: A vulnerability scan is automated, while a penetration test includes a live person actually digging into your network and application complexities. 

A vulnerability scan only identifies vulnerabilities, while a penetration tester digs deeper to identify the root cause of the vulnerability that allows unauthorized access into networks and secure systems where PHI is stored. 

Vulnerability scans are designed to be nonintrusive, similar to a security professional checking if your front door is unlocked and then letting you know (while not entering your environment). Vulnerability scans search your network and provide a logged summary of alerts for you to act on. Unlike penetration testing, a vulnerability scan doesn’t manually test and verify vulnerabilities in your network. 

Vulnerability scans and penetration tests work together to improve network security. Vulnerability scans offer great monthly or quarterly insight into your network security, while penetration tests offer a more thorough examination of your network security. 



Unlike antivirus software, a vulnerability scanner doesn’t check every network file. Your scanner must be configured to scan specific interfaces, such as internal or external IP addresses (e.g., ports and services), for vulnerabilities. 

Vulnerability scanning technology includes different tools and scripts designed to check for vulnerabilities. These tools can include: command line scripts, GUI interfaces, open source technologies, and other scanning tools (e.g., Nessus). 

Scanning tools run a series of if-then scenarios on your systems (i.e., a vulnerability scan), which typically take less than 24 hours for most scanned interfaces (not including re-scans). 

These if-then scenarios should identify system settings or actions that could lead to system exploitation. For example, if your scan checks for outdated operating system versions and discovers a Windows XP operating system on a workstation, it will flag the operating system as vulnerable. 

As you review your scan results, you may notice Common Vulnerabilities and Exposures (CVE) identifiers in your alerts or report; these provide the common names for known cyber security issues and point to how to address them. If you have questions about these CVE records, and your product vendor doesn’t provide this information for you, visit the National Vulnerability Database to help you identify and prioritize your risks. 


A vulnerability management plan is vital for your organization’s security and compliance efforts. Follow these 7 tips to best discover existing and potential weaknesses in your network. 


To protect your network, you need to run vulnerability scans on networks, processes, and systems that create, receive, transmit, or maintain patient data. 

Start by creating and documenting a protected health information (PHI) flow chart. A PHI flow chart shows where PHI comes into your organization, where it’s stored, and where it leaves. 

Here are common areas where patient data is stored (intentionally and unintentionally):

  • Database
  • Security appliances
  • Email system (in-office and doctor-to-doctor emails)
  • Data warehouse
  • File shares
  • Ticketing systems
  • Tablets/smart phones/mobile devices

When defining your environment, you should consult with a HIPAA security professional.

If you don’t properly understand your environment, your scans might overlook important networks and what needs to be scanned. 

Most healthcare organizations typically set up a flat network (i.e., where everything inside a network can connect to everything else). When organizations have flat networks, their entire network must be scanned. 

Complex networks using network segmentation should pay attention to how and if their environment changes throughout the year, then conduct vulnerability scans after changes are made. 


External scans should be performed by a qualified scanning vendor to test and validate your network’s security.

Because cybercriminals discover new and creative ways to hack healthcare organizations daily, make sure your scanning vendor regularly updates their vulnerability scanner (e.g., monthly, weekly, or even daily). 

But just because a qualified scanning vendor runs your external vulnerability scan, this doesn’t mean your organization is secure. After receiving your scan report, you’re responsible for fixing discovered vulnerabilities and then rescanning until vulnerabilities have been properly addressed. 

If patient data is not properly secured, healthcare organizations are placing themselves and their patients at serious risk.


If your third-party provider currently performs your external quarterly scans, understand they might not handle your internal quarterly vulnerability scanning. 

You may have an internal vulnerability scanning tool or appliance (e.g., SecurityMetrics Vision) set up inside your network by your scanning vendor, but chances are they’re not personally handling or monitoring your internal vulnerability scans. Make sure that your internal vulnerability scans are actually running routinely, and that you are addressing discovered vulnerabilities. 

There are a variety of tools to help you with your internal vulnerability scans. For example, you can: 

  • Download an open-source internal vulnerability scanning tool
  • Purchase an internal vulnerability scanning tool from a third-party provider 

Keep in mind that the tool you use still needs to be configured by a security expert after you purchase or download it. If you purchase a vulnerability scanning tool/appliance, IT support service is typically included. If you download scanning tools, take time to research and implement configuration best practices. 

Remember, your organization is in charge of internal vulnerability scanning from initial download/purchase and configuration, to the actual scanning, alert analysis, and vulnerability management. 


Only a qualified individual—independent of the scanned target (e.g., device, component, network)—should run vulnerability scans and address vulnerabilities. Independence is necessary to make sure vulnerability results are properly addressed and not dismissed.

Basically, the person managing your vulnerability scanner should be separate from the person managing or remediating any discovered vulnerabilities. 

For example, if you run an internal scan on your firewalls, you can either choose a qualified security professional or a qualified employee who’s not in charge of firewall administration. If an employee is not independent of the scanned system, they should not be running the scans. 

It doesn’t matter if you only have one IT employee in charge of your entire environment. If they’re not independent from managing the system, they shouldn’t run the scans. 



Organizations should run quarterly internal and external scans. If you only have a single target, that would be eight total scans per year (i.e., one internal and one external scan per quarter). 

Many organizations routinely run quarterly external vulnerability scans, but they often overlook running internal vulnerability scans. Others think vulnerability scanning is an occasional spot check process, meant to address immediate issues (e.g., WannaCry ransomware). 

You should run at least four external vulnerability scans per year (i.e., one per quarter), and four internal vulnerability scans per year (i.e., one per quarter), and all of your scans should achieve a passing status. 

Many vendors allow unlimited vulnerability scanning for a single target, so if you fail your first scan, make sure to remediate your network’s vulnerabilities and then re-scan until passing. You’ll likely need to run additional scans beyond your quarterly vulnerability scans. 

On average, it took SecurityMetrics customers 1.68 scans and 11 days to achieve a passing scan.


In addition to running your vulnerability scans quarterly, you should run scans after any significant change. 

What defines a significant change? A significant change depends on how your environment is configured. But a significant change is typically an upgrade or modification that could allow access to patient records or affect the security of your environment. 

Scanning after significant changes means it should happen within a reasonable timeframe. If you make significant changes to your system the day after your quarterly internal or external scan, test your changes and scan that week. 

Here are some examples of significant changes: 

  • Adding new servers or system components 
  • Modifying firewall rules 
  • Altering interfaces 
  • Upgrading products 
  • Changing network structures 
  • Adding encryption applications 
  • Changing your firewall product 
  • Adding middleware (e.g., JBOSS) 
  • Removing/instituting new systems that store patient data 

Here are some examples of non-significant changes: 

  • Switching file integrity monitoring products
  • Changing antivirus products
  • Removing terminated administrative employees from configurations 



When it comes to gaining executive support, IT departments often have trouble enforcing security-related policies and procedures. 

Your IT team needs to have executive approval and support to perform regular vulnerability scanning and make necessary organizational changes when vulnerabilities are found. 

Remember, your IT team would need a significant amount of time to repair and recover from vulnerability exploitation (i.e., a data breach), which would have a far greater impact on your organization than the amount of time it takes to regularly find and fix vulnerabilities.



Remember, scanning isn’t just about locating and reporting vulnerabilities. It’s also about establishing a repeatable and reliable process for fixing problems. 

After a vulnerability scan finishes, it’s crucial to fix any located vulnerabilities on a prioritized basis. Start by prioritizing vulnerabilities based on risk and required effort; then, run scans until results are clean. 
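To make the "if-then scenario" description of how scanners work and the prioritize-remediate-rescan cycle concrete, here is an added example (not code from the white paper or from any SecurityMetrics product): a miniature rule-based scanner over a constructed two-host inventory, with findings ranked by risk and then by effort, and a re-scan after the top fixes. The severity scores, effort estimates, hostnames and the 4.0 pass threshold are assumptions chosen for the illustration, not values from the paper.

```python
from typing import Any, Callable, Dict, List, Tuple

Asset = Dict[str, Any]
# Each "if-then" rule: (name, condition, assumed severity, assumed effort in hours, fix).
# Severities and efforts are constructed for illustration, not real scanner output.
RULES: List[Tuple[str, Callable, float, int, Callable]] = [
    ("Unsupported operating system (Windows XP)",
     lambda a: a["os"] == "Windows XP", 9.8, 16,
     lambda a: a.update(os="Windows 11")),
    ("TLS version 1.0 protocol detection",
     lambda a: "TLSv1.0" in a["tls_versions"], 6.5, 2,
     lambda a: a["tls_versions"].remove("TLSv1.0")),
    ("SSL self-signed certificate",
     lambda a: bool(a["cert_subject"]) and a["cert_issuer"] == a["cert_subject"], 6.5, 4,
     lambda a: a.update(cert_issuer="CN=Example Trusted CA")),
    ("SSL RC4 cipher suites supported",
     lambda a: any("RC4" in c for c in a["ciphers"]), 5.9, 1,
     lambda a: a.update(ciphers=[c for c in a["ciphers"] if "RC4" not in c])),
]
PASS_THRESHOLD = 4.0  # assumption: any finding at or above this score fails the scan

def scan(inventory: List[Asset]) -> List[dict]:
    """Run every rule against every asset; each match becomes a finding."""
    return [{"host": a["host"], "rule": name, "severity": sev, "effort": eff}
            for a in inventory for name, cond, sev, eff, _fix in RULES if cond(a)]

def prioritise(findings: List[dict]) -> List[dict]:
    """Highest risk first; among equal risk, the cheapest fix first."""
    return sorted(findings, key=lambda f: (-f["severity"], f["effort"]))

def passing(findings: List[dict]) -> bool:
    return all(f["severity"] < PASS_THRESHOLD for f in findings)

def remediate_and_rescan(inventory: List[Asset], max_fixes: int) -> List[dict]:
    """Apply fixes for the top-priority findings, then re-scan to validate them."""
    fixes = {name: fix for name, _c, _s, _e, fix in RULES}
    hosts = {a["host"]: a for a in inventory}
    for f in prioritise(scan(inventory))[:max_fixes]:
        fixes[f["rule"]](hosts[f["host"]])
    return scan(inventory)

def fresh_inventory() -> List[Asset]:
    """Constructed inventory: a patient-portal web server and a front-desk PC."""
    return [
        {"host": "ehr-web", "os": "Windows Server 2019", "tls_versions": ["TLSv1.0", "TLSv1.2"],
         "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
         "cert_issuer": "CN=ehr-web", "cert_subject": "CN=ehr-web"},
        {"host": "frontdesk-pc", "os": "Windows XP", "tls_versions": [], "ciphers": [],
         "cert_issuer": "", "cert_subject": ""},
    ]
```

The first scan of `fresh_inventory()` yields four findings and fails; fixing the top two (the XP workstation and TLS 1.0) still leaves two findings above the threshold, and only a second remediation round produces a clean re-scan, which is the "scan until passing" loop the paper describes.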


We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security. 

