Vulnerability Assessment & Risk Analysis

The Vulnerability Assessment & Risk Analysis (VARA) looks at an organization’s information security and risk management program in a collaborative, standards-based, and compliance-aware approach. Our VARA service includes strategic, operational, and tactical assessments in order to achieve comprehensive risk mitigation.

Security Vulnerability Issues We Address

Our cyber security professionals have deep expertise and are armed with the latest scanning tools and techniques. This gives us the most meaningful and accurate vulnerability intelligence for risk analysis and remediation planning.

Progressive healthcare organizations perform a Vulnerability Assessment on an annual basis, often in conjunction with a Risk Analysis, resulting in the creation of a remediation plan.

Our approach to vulnerability assessments and risk analysis provides the structure, detail and clarity that clients need to:

  • Evaluate HIPAA/HITECH compliance
  • Document current state of security controls
  • Meet the requirements associated with Meaningful Use
  • Identify gaps that pose true business risk
  • Create a practical remediation roadmap
  • Establish a sustainable operating model for information security and privacy
  • Strengthen relationships of trust and confidence with their clients and business partners

During the course of a VARA engagement, we will:

  • Review the information security program, including documented policies, procedures, previous analysis results, audit and compliance plans, and related documentation
  • Conduct site surveys to evaluate administrative, physical, and technical controls
  • Review gaps in control areas
  • Identify vulnerabilities and risks, ranked using the CVSS (Common Vulnerability Scoring System) matrix of likelihood and impact
  • Map the identified vulnerabilities to HIPAA (as amended by HITECH and the Omnibus 2013 Final Rule), the NIST Cybersecurity Framework, and the HITRUST CSF
  • Draft a comprehensive Report of Findings incorporating practical, real-world remediation recommendations
  • Present findings and recommendations in stakeholders’ briefing session(s)
  • Provide subject matter expertise for senior management decisions regarding risk
  • Assist with alignment of strategy, business objectives, and information assurance

Penetration Testing vs. VARA

Vulnerability Assessments and Penetration Testing (“Pen Test”) are often mistaken for one another; however, they have very different implications for healthcare organizations and the security posture of their IT infrastructure.

A Vulnerability Assessment works to improve security posture and develop a more mature, integrated security program. A Pen Test is a point-in-time snapshot of a security program's effectiveness or “hardening.”

We suggest starting with a Vulnerability Assessment because it yields more information and data points. Learn when Penetration Testing Services are appropriate.