QUICK START GUIDE
Compliance Manager for HIPAA
Instructions to Perform a HIPAA Compliance Assessment
6/30/2021 12:26 PM



© 2021 RapidFire Tools, Inc. All rights reserved.


    Contents

    Performing a HIPAA Compliance Assessment 4
    Compliance Manager for HIPAA Assessment Overview 4
    Using the Security Exception Worksheet to Address Compliance Lapses and False Positives 4
    Network Prerequisites for Assessment Scans 5
    Pre-scan Network Configuration Checklist 6
    Checklist for Domain Environments 6
    Checklist for Workgroup Environments 8
    Step 1 — Create a New Site 10
    Step 2 — Use the To Do List to Complete Tasks 16
    Re-run or Modify To Do Items 16
    Assessment Progress Bar 18
    Step 3 — Set Up the HIPAA Assessment Project 19
    Step 4 — Install and Configure the Compliance Manager Appliance 26
    Configure Scan Settings for Active Directory Domain 26
    Configure Scan Settings for Workgroup 34
    Step 5 — Start Assessment and Perform Pre-Scan Analysis 41
    Step 6 — Collect HIPAA Compliance Assessment Data 52
    Obtain HIPAA Policies and Procedures Document 56
    Step 7 — Collect Secondary Assessment Data 59
    Step 8 — Document Security Exceptions 63
    Step 9 — Generate HIPAA Compliance Assessment Reports 65
    Optional Task: Export Issues to Kaseya BMS 66
    Step 1 — Gather Credentials and Set Up Kaseya BMS 66
    Step 2 — Set Up a Connection to your Kaseya BMS 67
    Step 3 — Map your Compliance Manager's Site to a Kaseya BMS 72
    Step 4 — Export Issues to Kaseya BMS 73
    Step 10 — Complete and Archive your HIPAA Assessment 75
    Archiving Assessments 75
    Step 11 — Start a New HIPAA Assessment after Completing a Previous Assessment 76
    HIPAA Assessment Reports 77
    Compliance Reports 77
    Supporting Documentation 81
    Appendices 84
    Pre-Scan Network Configuration Checklist 85
    Checklist for Domain Environments 85
    Checklist for Workgroup Environments 87
    Compliance Manager Cyber Insurance Add On 90
    HIPAA To Do Task Complete List 96


    Performing a HIPAA Compliance Assessment

    Compliance Manager for HIPAA Assessment Overview

    Compliance Manager for HIPAA combines 1) automated data collection with 2) a structured framework for collecting supplemental assessment information through surveys and worksheets. To perform a HIPAA Compliance Assessment, you will:

    • Access and log in to the RapidFire Tools Portal
    • Create a site and set up a project
    • Install the Compliance Manager Appliance on the target network
    • Collect data from the target network using the Portal's guided To Do List
    • Generate HIPAA Compliance Assessment reports and documentation

    Using the Security Exception Worksheet to Address Compliance Lapses and False Positives

    Sometimes you may get stuck in an assessment. This might happen for several reasons:

    • You cannot resolve every single compliance issue identified in the assessment
    • Your scan results differ from what you know is the reality on the target network
    • You do not have enough information to enter accurate responses for every form question

    If you encounter any of the above, you can always move ahead and complete your assessment using the Security Exception Worksheet. This worksheet becomes available near the end of your To Do list. It allows you to document explanations on suspect items. Your explanation can include why various discovered items are not true issues and indicate possible false positives. Additionally, you can explain why a certain compliance requirement should not apply to you – or an alternative way in which you have met the requirement.

    These exceptions can be documented on an item-by-item level (for example, at the granularity of individual users, ports, applications, etc.). The Security Exception Worksheet does not remove the need for safeguards, but it allows you to describe alternative means of mitigating the identified security risk.


    Network Prerequisites for Assessment Scans

    For a successful network scan:

    1. ENSURE ALL NETWORK ENDPOINTS ARE TURNED ON THROUGHOUT THE DURATION OF THE SCAN. This includes PCs and servers. The scan can last several hours.

    2. CONFIGURE THE TARGET NETWORK TO ALLOW FOR SUCCESSFUL SCANS ON ALL NETWORK ENDPOINTS. See "Pre-scan Network Configuration Checklist" on the facing page for configuration guidance for both Windows Active Directory and Workgroup environments.

    3. GATHER THE INFORMATION BELOW TO CONFIGURE YOUR SCANS FOR THE CLIENT SITE. Work with the project Technician and/or your IT admin on site to collect the following:

    • Admin network credentials that have rights to use WMI, ADMIN$, and File and Printer Sharing on the target network.

    • Internal IP range information to be used when performing internal scans.

    Note: Compliance Manager will automatically suggest an IP range to scan on the network. However, you may wish to override this or exclude certain IP addresses.

    • External IP addresses for the organisation to be used when setting up External Vulnerability Scans.

    • RapidFire Tools Portal User Credentials

    • For Windows Active Directory environments, you will need admin credentials to connect to the Domain Controller, as well as the name/IP address of the domain controller.

    • For Windows Workgroup network environments, a list of the Computers to be included in the Assessment and the Local Admin Credentials for each computer.


    Pre-scan Network Configuration Checklist

    RapidFire Tools products can gather a great deal of information from the target network with little advance preparation – and with very little footprint! However, if you are having trouble with scans, or you have the ability to configure the target network in advance, we recommend the settings below.

    These checklists detail the recommended network configurations for both Windows Domain and Workgroup environments.

    Note: You must have .NET 3.5 installed on machines in order to use all data collector and appliance tools.

    Checklist for Domain Environments

    Share this checklist with your IT Administrator and ask them to configure your network's Domain Controller as follows:

    Domain Configuration (mark each item Complete once it is done)

    GPO Configuration for Windows Firewall (Inbound Rules)

    Allow the Windows Management Instrumentation (WMI) service to operate through Windows Firewall

    This includes the following rules:

    • Windows Management Instrumentation (ASync-In)
    • Windows Management Instrumentation (WMI-In)
    • Windows Management Instrumentation (DCOM-In)

    Allow File and Printer Sharing to operate through Windows Firewall

    This includes the following rules:

    • File and Printer Sharing (NB-Name-In)
    • File and Printer Sharing (SMB-In)
    • File and Printer Sharing (NB-Session-In)

    Enable Remote Registry "read only" access on computers targeted for scanning.


    Note: Remote Registry access should be restricted to the user account credentials that will be used during the network and local computer scans.

    Enable the Internet Control Message Protocol (ICMP) to allow authorized ICMP echo request messages and ICMP echo reply messages to be sent and received by Windows computers and network devices.

    Windows Firewall rules on Windows computers may need to be created/enabled to allow a computer:

    • operating a Kaseya-RapidFire Tools product network data collector to issue ICMP echo request messages to Windows computers and network devices
    • to send ICMP echo reply messages in response to an ICMP echo request

    Note: ICMP requests are used to detect active Windows computers and network devices to scan.

    GPO Configuration for Windows Services

    • Windows Management Instrumentation (WMI): Startup Type Automatic
    • Windows Update Service: Startup Type Automatic
    • Remote Registry: Startup Type Automatic
    • Remote Procedure Call: Startup Type Automatic

    Network Shares

    • Admin$ must be present and accessible using the supplied credentials (usually a local admin or a user in the local computer's Administrators security group)


    3rd Party Firewalls

    • Ensure that 3rd party firewalls are configured similarly to the Windows Firewall rules described within this checklist.

    Note: This is a requirement for both Active Directory and Workgroup networks.

    Checklist for Workgroup Environments

    Before you perform a workgroup assessment, run the following PowerShell commands (from an elevated prompt) on the target network computers and on the machine that will perform the scan. These three configurations should help you avoid most issues in a workgroup environment. Each command is followed by an explanation and a link to Microsoft documentation.

    1. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

    By default, UAC only allows remote administration tasks to be performed by the built-in Administrator account. To work around this, this command sets the LocalAccountTokenFilterPolicy registry value to 1. This allows any local admin to perform remote administrative tasks (i.e. access to the system shares C$, Admin$, etc.).

    https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows

    2. netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

    This command enables the inbound firewall rules that allow access to the WMI service and namespaces.

    https://docs.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista

    3. netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes


    This command enables the inbound firewall rules for File and Printer Sharing on the machine. File and printer sharing is required in order to access the Admin$ share on remote machines.

    https://answers.microsoft.com/en-us/windows/forum/all/turning-on-file-and-printer-sharing-windows-10/bb3066eb-f589-4021-8f71-617e70854354

    You can also share this checklist with your IT Administrator and ask them to configure each computer in your workgroup as follows:

    Workgroup Configuration (mark each item Complete once it is done)

    Network Settings

    • Admin$ must be present on the computers you wish to scan, and be accessible with the login credentials you provide for the scan

    • File and printer sharing must be enabled on the computers you wish to scan

    • Ensure the Windows Services below are running and allowed to communicate through Windows Firewall:
      • Windows Management Instrumentation (WMI)
      • Windows Update Service
      • Remote Registry
      • Remote Desktop
      • Remote Procedure Call

    • Workgroup computer administrator user account credentials.

    Note: Before configuring scan settings for workgroups, prepare a list of the workgroup computer(s) administrator user account credentials for entry into the scan settings wizard.

    Enable the Internet Control Message Protocol (ICMP) to allow authorized ICMP echo request messages and ICMP echo reply messages to be sent and received by Windows computers and network devices.

    Windows Firewall rules on Windows computers may need to be created/enabled to allow a computer:


    • operating a Kaseya-RapidFire Tools product network data collector to issue ICMP echo request messages to Windows computers and network devices
    • to send ICMP echo reply messages in response to an ICMP echo request

    Note: ICMP requests are used to detect active Windows computers and network devices to scan.
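    The following is an added example, not part of the RapidFire Tools guide: a read-only PowerShell audit that checks one Windows host against both the Domain checklist (the named inbound firewall rules, service startup types, the Admin$ share, ICMP echo, .NET 3.5) and the three Workgroup commands above (LocalAccountTokenFilterPolicy and the two firewall rule groups). The function name Test-PreScanChecklist and the result layout are assumptions of this example; the rule display names are the built-in Windows Firewall rules the checklist lists.

```powershell
#Requires -Version 5.1
# Added example (not RapidFire Tools code). Read-only audit of one Windows host against
# the Domain and Workgroup pre-scan checklists. Run it in an elevated PowerShell session
# on each machine to be scanned and on the machine hosting the appliance. It changes
# nothing; it reports which items still need the GPO, reg or netsh settings described.
# Test-PreScanChecklist is a name chosen for this example.

function Test-PreScanChecklist {
    [CmdletBinding()]
    param()

    $results = New-Object 'System.Collections.Generic.List[object]'
    function Add-Result([string] $Check, [bool] $Ok, [string] $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
    }

    # Workgroup item 1: UAC remote restrictions. A value of 1 lets any local administrator
    # use ADMIN$/C$ and WMI remotely, which the scan needs on workgroup machines. It also
    # widens what every local admin account can do over the network, so restore the
    # default (delete the value or set it to 0) once the assessment scans are finished.
    $polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol     = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $polText = if ($null -eq $pol) { 'not set (default 0)' } else { "value $pol" }
    Add-Result 'LocalAccountTokenFilterPolicy = 1 (workgroup scans only)' ($pol -eq 1) $polText

    # Domain checklist inbound rules, plus the ICMPv4 echo rule the checklist asks for.
    # The Workgroup netsh commands enable the same two rule groups.
    $ruleNames = @(
        'Windows Management Instrumentation (ASync-In)',
        'Windows Management Instrumentation (WMI-In)',
        'Windows Management Instrumentation (DCOM-In)',
        'File and Printer Sharing (NB-Name-In)',
        'File and Printer Sharing (SMB-In)',
        'File and Printer Sharing (NB-Session-In)',
        'File and Printer Sharing (Echo Request - ICMPv4-In)'
    )
    foreach ($name in $ruleNames) {
        # Windows ships one copy of each rule per firewall profile; at least one must be enabled.
        $copies  = @(Get-NetFirewallRule -DisplayName $name -Direction Inbound -ErrorAction SilentlyContinue)
        $enabled = @($copies | Where-Object { "$($_.Enabled)" -eq 'True' })
        $detail  = if ($enabled.Count -gt 0) {
            'enabled for profile(s): ' + (($enabled | ForEach-Object { "$($_.Profile)" }) -join ', ')
        } else { 'no enabled copy found' }
        Add-Result "Inbound rule '$name'" ($enabled.Count -gt 0) $detail
    }

    # Services the checklist wants at Startup Type = Automatic (Win32_Service reports 'Auto').
    $services = [ordered]@{
        Winmgmt        = 'Windows Management Instrumentation (WMI)'
        RemoteRegistry = 'Remote Registry'
        RpcSs          = 'Remote Procedure Call'
        wuauserv       = 'Windows Update'
    }
    foreach ($svc in $services.GetEnumerator()) {
        $s = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Key)'" -ErrorAction SilentlyContinue
        if ($null -eq $s) { Add-Result "Service '$($svc.Value)'" $false 'service not found'; continue }
        Add-Result "Service '$($svc.Value)' startup Automatic" ($s.StartMode -eq 'Auto') "StartMode=$($s.StartMode), State=$($s.State)"
    }

    # Admin$ must exist; whether the scan credentials can open it is verified from the
    # appliance side, so here we only confirm the share is defined.
    $share = Get-CimInstance -ClassName Win32_Share -Filter "Name='ADMIN`$'" -ErrorAction SilentlyContinue
    Add-Result 'ADMIN$ share present' ($null -ne $share) $(if ($share) { "path $($share.Path)" } else { 'not found' })

    # .NET Framework 3.5 is required by the data collector and appliance tools.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -ErrorAction SilentlyContinue
    Add-Result '.NET Framework 3.5 installed' ($ndp.Install -eq 1) $(if ($ndp) { "Install=$($ndp.Install)" } else { 'registry key missing' })

    return $results
}

# Usage: print the table and exit non-zero if anything is still outstanding, so the
# script can be pushed through a GPO startup script or RMM and the failures collected.
$report = Test-PreScanChecklist
$report | Format-Table -Property Check, Ok, Detail -AutoSize -Wrap
$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) checklist item(s) not met."; exit 1 }
```

    Remote Registry "read only" access and third-party firewall rules are not checked here because they depend on the credentials and products in use at the site.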

    To complete a HIPAA Compliance Assessment, follow these steps:

    Step 1 — Create a New Site

    Tip: We recommend you get started by making a "practice site" and running your first assessment in-house. Use this to familiarise yourself with Compliance Manager and the installation and configuration process.

    The first step in performing a HIPAA Compliance Assessment is creating a "Site". Sites help you organise your assessments. This task is performed by the Site Administrator. To create a site:

    1. Access the RapidFire Tools Portal at https://www.youritportal.com and log in with your credentials.

    2. From the Sites page, click Add Site.


    3. Enter a Site Name. This can be the name of the client for whom the assessment is being performed, for example.

    4. Under Site Type, select Compliance Manager and your assessment type.
    • If you wish to perform a GDPR assessment, select GDPR.
    • If you wish to perform a HIPAA assessment, select HIPAA.
    • If you wish to perform a Cyber Insurance assessment, select Cyber Insurance.
    • If you wish to perform a NIST CSF assessment, select NIST.
    • If you wish to perform a CMMC/NIST 800-171 assessment, select CMMC/NIST 800-171.


    Note:
    • If you are a direct-to-customer or SMB user, you will not need to provision a license for your Site. Click Confirm and proceed to step 7, "The Site Home page will appear. Click the Compliance Manager tab." on page 14.
    • If you are an MSP user, you will need to select a license to use with each of your Sites. This license determines how many endpoints you can manage at the Site. Proceed to "Click Next." below.

    5. Click Next.

    6. Select a subscription option (MSP only). You can choose to:

    a. Use an Existing License you have purchased previously. Select the existing license from the drop-down menu and click Next.


    b. Create a New Subscription. Select the subscription option from the drop-down menu and click Next.

    Note: You have 10 FREE Site licenses as part of your initial Compliance Manager subscription. Each of these licenses can cover a site with up to 250 computers. Select one of these free licenses for use with your first 10 new Sites. We suggest that you use 1 of the 10 licenses for your own internal use, such as familiarizing yourself with the product and assessment processes.

    If you wish to purchase additional licenses or upgrade to a higher license (500 and above), you will be billed extra. Contact your Sales Representative for more details.

    7. The Site Home page will appear. Click the Compliance Manager tab.


    The Site To Do page will appear.


    Step 2 — Use the To Do List to Complete Tasks

    The To Do List will guide you through the HIPAA Compliance Assessment process. It presents the tasks you need to complete for the assessment. To use the To Do List:

    1. From the [Your Site] > Compliance Manager tab, click To Do.

    The Site's To Do list will appear.

    2. Click on a To Do item to open more detailed information and instructions about each step in the assessment process.

    Tip: The Task steps in this quick start guide walk you through each To Do task. Note that the tasks may appear in a different order depending on which tasks you complete first.

    Re-run or Modify To Do Items

    Some To Do items can be re-run or modified after they have been completed.

    • Automated Scans can be re-run directly from the To Do item. Re-running a scan will reset whatever forms were generated from that scan. Any data entered into those forms during the current assessment will be lost. The worksheets will reappear as new To Do items.
    • Worksheets and forms can be modified directly from the To Do item.

    To re-run or modify a To Do item:

    1. Open a completed To Do item from the To Do list.

    2. Depending on the type of To Do item (scan or worksheet), select Re-run or Modify:

    • If the To Do item is an automated scan, click Re-run.
    • If the To Do item is a Worksheet or Survey, click Modify.


    3. A list of related To Do items that will be reset will appear. Confirm that you wish to proceed.

    Note: For example, if you reset an automated scan, 1) any worksheets that contain data from that scan will also be reset and 2) any data previously entered in that form during the current assessment will be lost.

    4. Once you reset or modify the To Do item, the regenerated item will appear in the To Do list.

    Assessment Progress Bar

    From the Site Dashboard, you can view a progress bar for your assessment. This progress bar is advanced when you complete assessment tasks.


    If you hover over the progress bar, you can see the number of To Do items remaining in the assessment. This number is based on the total steps in the assessment, rather than the current To Do list. Once all To Do items are completed, the Progress Bar will be removed from the Current Assessment panel in the Compliance Manager Dashboard.

    Step 3 — Set Up the HIPAA Assessment Project

    I. Task: Set Up Report Preferences.

    Compliance Manager generates assessment reports and proof of compliance documents to help you complete your HIPAA Compliance Assessment. You can also customize these reports to align with your company or organisation branding guidelines and information. This task is performed by an Administrator.

    To configure Report Preferences:

    1. From your Site Home Page, go to Compliance Manager > Settings.

    Next, click Report Preferences to access the customization settings. This includes company information, images, and design elements for this site's reports.


    2. Customize your reports. This includes company information, images, and design elements for this site's reports.

    3. Select the correct paper size in your report preferences. If you are in the USA, select Letter (8.5"x11") size.


    4. Once you finish configuring Report Preferences, return to the item in the To Do list and click Mark Complete. Do this each time you complete a task in the To Do list.

    II. Recommended: Set Time Zone.

    You can set your time zone from Global Settings > General. Set your time zone to schedule automated scans at your preferred local time. To configure time zones:


    1. Go to Global Settings > General.

    2. Select your time zone from the drop-down menu.

    3. Click Save.

    Note that the time zone setting is relatively narrow in scope. For example, To Do task creation time is shown based on your browser's local time, not the time zone setting in Global Settings. The time zone setting affects a few items, including:

    • start time for scans when using the limit scan start time feature for a site
    • last modified date of risk update reports
    • last sync date and time for Kaseya BMS billing integration

    III. Task: Create additional users and assign to roles.

    Your HIPAA Compliance Assessment has several roles: these include Site Administrator, Technician, Internal Auditor, and (optional) Subject Matter Expert (SME). Each role performs different tasks within the assessment.

    Tip: Before you begin the assessment, you will need to assign users to each role except the optional SME role. This allows users to be assigned assessment tasks within their To Do list and email notifications.

    This task is performed by the Site Administrator. To assign users to project roles:


    1. From the Home page for your Site, click Users.

    2. Click Add User.

    i. Add Existing User(s) by searching for their user name within the drop-down menu.


    ii. Alternatively, you can create a New User account to provide individuals access to the Portal and assessment process. You will need to enter an email address, first and last name, and password for each user. The email address you enter is where the user will receive To Do Notifications from Compliance Manager.

    Important: Send new users their login credentials after you add them to the site.

    iii. Click Add to add the user to the site.

    Next you will associate these new users with your HIPAA Compliance Assessment Site. To do this:

    3. From the Home tab side menu, click Roles.

    4. Next to each role, click Add User to assign users to the Technician, Internal Auditor, and (optional) Subject Matter Expert (SME) roles. The users assigned to these roles will receive assessment task notifications for that role.


    5. Select each user you wish to assign to the role. Then click Add.

    Note: Before you can assign a user a Role, you must first create that user and/or associate them with your Site.

    Important: Do not assign the SME role to users with other role assignments. Doing so will limit their access to the portal.

    6. When you have finished adding users to your site and assigning roles, click Mark Complete on the task To Do page.

    Important: Be sure to send the users their login credentials in order to access the RapidFire Tools Portal and begin working on assessment tasks.


    Step 4 — Install and Configure the Compliance Manager Appliance

    I. Task: Install Appliance.

    Install the Compliance Manager Appliance on the target network. This task is performed by the Technician. The Appliance collects data and performs automated scans within the assessment environment.

    Visit https://www.rapidfiretools.com/cm and refer to the separate Compliance Manager Server Installation Guide for more detailed instructions.

    Important: You can only install one RapidFire Tools appliance on a PC or endpoint at a time. If you need to install multiple appliances, install each one on a separate endpoint on the target network. Appliances for various RapidFire Tools include the 1) "Scan Server" (for Compliance Manager, Cyber Hawk, and Reporter) and 2) "Remote Data Collector."

    Note: Once you install the appliance, this To Do item will automatically be marked complete. This may take several minutes.

    II. Task: Configure Appliance Scan settings.

    Before you configure scan settings, first determine if the target network is an Active Directory Domain OR a Workgroup. Then refer to the instructions below.

    • Look here to "Configure Scan Settings for Active Directory Domain" below
    • Look here to "Configure Scan Settings for Workgroup" on page 34

    Tip: For best results, be sure to follow "Pre-Scan Network Configuration Checklist" on page 85.

    Configure Scan Settings for Active Directory Domain

    Set the Scan Settings from the [Your Site] > Compliance Manager > Settings > Scan Settings page. Complete all required prompts. This task is performed by the Technician.


    Follow the steps below to configure the Scan Settings for the Compliance Manager Appliance:

    1. Select the Scan Type: Active Directory Domain. Click Next Page.

    2. The Merge Options page will appear. Configure how you wish to treat computers that are not associated with Active Directory. You can choose to:


    a. Treat them as part of the primary domain
    b. Treat them as part of a specific workgroup by entering a workgroup name

    Tip: Use this feature to tell Compliance Manager how to handle computers that are not connected to the domain. This will help those computers appear where you want them when you generate reports at the end of the assessment.

    Select a merge option and click Next Page.

    3. Enter a username and password with administrative rights to connect to the local Domain Controller and Active Directory.

    Note: Be sure to enter the Fully Qualified Domain Name (FQDN) before the username. Example: corp.myco.com\username.

    4. Also enter the name or IP address of the Domain Controller. Click Next Page to test a connection to the local Domain Controller and Active Directory to verify your credentials.

    5. The Local Domains window will appear. If you wish to scan only specific domains or OUs, select those here. Click Next Page.


    6. The Additional Credentials screen will appear. Enter any additional credentials to be used during the scan. Click Next.


    7. The IP Ranges screen will then appear. The Compliance Manager appliance will automatically suggest an IP Range for the scan. If you do not wish to scan the default IP Range, select it and click Clear All Entries. Use this screen to enter additional IP Addresses or IP Ranges and click Add.


    From this screen you can also:

    • Click Reset to Auto-detected to reset to the automatically suggested IP Range.
    • Exclude IPs or IP ranges from the scan.

    Note: Key network component IP addresses should be excluded in order to prevent the scan from impacting the performance of a device while it is being scanned. For example, a company might want to exclude the IP Address range for their voice over IP telephone system if they are performing a scan during business hours.

    Click Next Page once you have configured the IP ranges for the scan.


    8. The SNMP Information window will appear. Enter any additional SNMP community strings used on the network. Click Next Page.

    9. Enter the IP addresses for the external vulnerability scan. Click Next Page.

    Important: You must ensure that no other Network Detective or Compliance Manager products are being used to perform an External Vulnerability Scan on the same external IP Address range at the same time. Allow at least several hours between repeat external vulnerability scans. Scheduling external scans at the same time will result in reports with missing or incomplete data.

    Note: IP ranges for the external vulnerability scan are not supported at this time. Please enter individual IPs for the external scan.


    10. Your scan settings will then be complete. Return to the To Do list and continue assessment tasks.

    Note: Stepping through the prompts creates the Scan Settings. Once the settings are saved, the Start HIPAA Compliance Assessment To Do item is what is used to trigger the scans.

    When you have finished entering the scan settings, return to the To Do item and click Mark Complete.


    Configure Scan Settings for Workgroup

    Set the Scan Settings from the [Your Site] > Compliance Manager > Settings > Scan Settings page. Complete all required prompts. This task is performed by the Technician.

    Follow the steps below to configure the Scan Settings for the Compliance Manager Appliance:

    1. From the Scan Settings screen, select the Scan Type: Workgroup. Click Next Page.

    2. The Merge Options page will appear. Configure how you wish to treat computers that are not associated with Active Directory. You can choose to:


    a. Treat them as part of the primary domain
    b. Treat them as part of a specific workgroup by entering a workgroup name

    Select a merge option and click Next Page.

    3. Enter scan credentials with administrative rights to connect to the local computers in the workgroup.

    Note: For Workgroups, you have two options for how to enter the username. First, you can enter the characters ".\" (without quotation marks) immediately before the username, as in the image below.


    Second, you can optionally use the following format: "computername\localuseraccountname." For example, "WGWINX\user."

    If you have trouble connecting when using one username format, use the other format presented here.

    Click Next Page to test the connection and verify your credentials.

    4. The Additional Credentials screen will appear. Enter any additional credentials to be used during the scan. Click Next.

    Important: If each workgroup PC has its own unique Admin username and password credentials, you will need to enter each set of credentials here in order to scan these PCs.


5. The IP Ranges screen will then appear. The Compliance Manager appliance will automatically suggest an IP Range for the scan. If you do not wish to scan the default IP Range, select it and click Clear All Entries. Use this screen to enter additional IP Addresses or IP Ranges and click Add.


From this screen you can also:

• Click Reset to Auto-detected to reset to the automatically suggested IP Range.

• Exclude IPs or IP ranges from the scan.

Note: Key network component IP addresses should be excluded in order to prevent scans being performed from impacting the performance of a device when it is being scanned. For example, a company might want to exclude the IP Address range for their voice over IP telephone system if they are performing a scan during business hours.

Click Next Page once you have configured the IP ranges for the scan.


6. The SNMP Information window will appear. Enter any additional SNMP community strings used on the network. Click Next Page.

7. Enter the IP addresses for the external vulnerability scan. Click Next Page.

Important: You must ensure that no other Network Detective or Compliance Manager products are being used to perform an External Vulnerability Scan on the same external IP Address range at the same time. Allow at least several hours between repeat external vulnerability scans. Scheduling external scans at the same time will result in reports with missing or incomplete data.

Note: IP ranges for the external vulnerability scan are not supported at this time. Please enter individual IPs for the external scan.


8. Your scan settings will then be complete. Return to the To Do list and continue assessment tasks.

Note: Stepping through the prompts creates the Scan Settings. Once the settings are saved, the Start HIPAA Compliance Assessment To Do item is what is used to trigger the scans.

When you have finished entering the scan settings, return to the To Do item and click Mark Complete.


Step 5—Start Assessment and Perform Pre-Scan Analysis

Note: The order of To Do tasks may appear differently in your assessment, depending on the order in which you or other users complete To Do tasks.

I. Task Start HIPAA Compliance Assessment.

To begin performing the HIPAA Compliance Assessment, click on the Start HIPAA Assessment task from the To Do list:

When you are ready to perform your first HIPAA Compliance Assessment, click Start Assessment.


Note: Completing this task will create several new assessment tasks in the To Do list. The task Type of HIPAA Assessment will be added, where you can choose whether to add additional worksheets for an expanded HIPAA assessment. Two scans will begin automatically: the Pre-Scan and the External Vulnerability Scan. The scans will be marked complete automatically when they finish.

II. Task Type of HIPAA Assessment

In this step, you can optionally choose to add additional worksheets to your assessment to identify additional issues.

To add these additional worksheets:

1. Open the “Type of HIPAA Assessment” To Do item.

2. In the “Type of Assessment” To Do item details page, select Yes to expand the assessment to include an assessment of compliance with the Privacy Rule and the Breach Notification Rule.


The “Complete Privacy Rule Worksheet” To Do item and the “Complete Breach Notification Rule Worksheet” To Do item will be added to the To Do list.

Note: If you do not wish to add these worksheets and want a more streamlined assessment process, click No and continue with the assessment.

III. Task (Optional) Complete the HIPAA Privacy Rule Worksheet

The HIPAA Privacy Rule Worksheet assesses how well a Site's policies and procedures adhere to the HIPAA privacy standards. To complete this worksheet:


1. Select the “Complete the HIPAA Privacy Rule Worksheet” To Do item.

2. Select “Go to Form: HIPAA Privacy Rule Worksheet” to open the HIPAA Privacy Rule Worksheet.

    The HIPAA Privacy Rule Worksheet will be opened.


3. Use the “Invite Others” feature to invite other Site users assigned the Role of Subject Matter Experts to input information or upload documents into the HIPAA Privacy Rule Worksheet.

    4. Answer the questions posed in the HIPAA Privacy Rule Worksheet.


5. After answering all of the questions in the HIPAA Privacy Rule Worksheet, select the Save and Return button to return to the “Complete HIPAA Privacy Rule Worksheet” To Do item’s details page.

IV. Task (Optional) Complete the HIPAA Breach Notification Worksheet

The HIPAA Breach Notification Rule Worksheet assesses how well a Site's policies and procedures adhere to the HIPAA breach notification standards. To complete this worksheet:

1. Select the “Complete the HIPAA Breach Notification Rule Worksheet” To Do item.


2. Select "Go to Form: HIPAA Breach Notification Rule Worksheet" to open the HIPAA Breach Notification Rule Worksheet.

    3. The HIPAA Breach Notification Rule worksheet is opened.


4. Use the “Invite Others” feature to invite other Site users assigned the Role of Subject Matter Experts to input information or upload documents into the HIPAA Breach Notification Rule Worksheet.

5. Answer the questions posed in the HIPAA Breach Notification Rule Worksheet.

6. After answering all of the questions in the HIPAA Breach Notification Rule Worksheet, select the “Save and Return” button to return to the “Complete the HIPAA Breach Notification Rule Worksheet” To Do item’s details page.


7. Select the “Mark Complete” button to complete the “Complete the HIPAA Breach Notification Rule Worksheet” To Do item.

V. Task (Automated) Running the Automated External Vulnerability Scan.

The assessment includes an external vulnerability scan of your publicly facing IP addresses.

Once the scan is complete, this To Do item will automatically be marked as complete.

Note: New worksheets will appear once the External Vulnerability scan completes.

VI. Task Running Pre-Scan Analysis.


In this task, the Compliance Manager appliance will begin an automated pre-scan analysis of the target network.

This will verify the credentials and attempt to detect issues to ensure you have the most accurate automated scans.

When the automated scan is completed, and any issues are identified, you may follow the recommended corrective actions and re-run this analysis.

VII. Task Review Pre-Scan Analysis Results and Recommendations.

Use the Pre-Scan Analysis Results and Recommendations to address any identified network configuration issues before continuing the assessment.

The results from the pre-scan analysis will appear on the task details page.

Note: A 100% successful scan may not be possible in some cases due to network restrictions. Before opening ports or allowing protocols, please consult with your network and system administrator.

Below the Results Summary, refer to the Recommendations for specific suggestions for mitigating the issues that were identified.


Once you finish making any changes, click Rerun Pre-scan Analysis to check for any remaining issues.

When you have reviewed the pre-scan analysis and are finished making any recommended changes to the target network, click Mark Complete.


Step 6—Collect HIPAA Compliance Assessment Data

I. Task (Automated) Running the Automated Scan of the Internal Network.

The Compliance Manager appliance performs the Internal Network Scan on the target network. The Internal Scan begins automatically once you complete the pre-scan analysis and review the results.

Once the scan is complete, this To Do item will automatically be marked as complete.

II. Task Running Local Scan of Remote Computers.

Once the Internal Network Scan is successfully completed, a scan of remote computers on the target network will automatically begin.

This scan gathers more detailed data from individual endpoints on the target network.


• You will receive a separate To Do item if there is an error during the local scan of Remote Computers.

• You can then click Go to Scan Settings to change your scan configuration.

• You can also click Initiate Rescan once you fix any issues and wish to restart the scan.

III. Task Run Local Data Collector.

In this task, you can perform manual scans on computers that could not be scanned automatically. You will also receive a list of known computers on the target network that could not be scanned. From this To Do item, you can:

A. Upload scans for computers that are connected to the network but cannot be scanned

B. Upload scans for computers that are not available on the network being scanned, but that should be accounted for in the assessment process


Tip: You will also be notified if all computers are scanned successfully. You can then just click Mark Complete and move on with your assessment.

To perform the scan manually, first download the Local Computer Data Collector from https://www.rapidfiretools.com/cm. Run the Data Collector directly on the computer(s) and then upload the scan(s). Then click Upload Local Scan, and select the files or .zip files. When you are finished, click Mark Complete.

IV. Task Complete HIPAA On-Site Survey.

Use the HIPAA On-Site Survey to survey the site environment for any security issues. The worksheet is best done on-site, as it requires identifying risks that may exist outside the computer network.

1. Click the Go To Form button to open the worksheet.

2. As you walk through the site environment, check to see if any of the following security issues are present. Use your notes to respond to each question in the worksheet.


3. When you are finished, Save, and return to the To Do item and click Mark Complete.

V. Task Complete the HIPAA Policy and Procedures Verification Worksheet.

Your subscription to Compliance Manager includes a set of Policies and Procedures for HIPAA. This is intended as a starting point for your organisation to implement HIPAA-compliant practices.

In the HIPAA Policy and Procedures Verification Worksheet, you will answer questions related to your organisation's implementation of these practices.


Obtain HIPAA Policies and Procedures Document

You can access a sample HIPAA Policies and Procedures document with your subscription. To do this:

1. From within the portal, click on user options and navigate to Compliance Manager Help & Resources > HIPAA Resources.

2. From the HIPAA Resources page, scroll down to the HIPAA Policies and Procedures. Click to download as a Word doc.

VI. Task Complete External Port Use Worksheet.

Note: The External Port Use Worksheet will become available 1) once the External Vulnerability Scan is complete, and 2) when one or more external ports are found to be open.

An attacker can exploit unnecessary open ports to gain access to the network. This worksheet details ports that were found to be open during the external vulnerability scan. Use this worksheet to document the business justification for each open port. Also indicate whether the port uses a secure protocol.


When you are finished, Save, and return to the To Do Item and click Mark Complete.


Step 7—Collect Secondary Assessment Data

I. Task Complete the Inactive Computer Identification Worksheet.

Inactive computers on the target network represent a potential security risk. The Inactive Computer Identification Worksheet contains a list of computers that have not been logged into for a long period of time. This list of computers is identified during the network scan phase of the automated data collection.

In this worksheet, document the usage status of each computer (for example: Verified Active, Possibly Active, or Verified Inactive).

II. Task Complete the Computer Identification Worksheet.

The Computer Identification Worksheet contains a list of the computers that have been identified during the network scan phase of the automated data collection. The computers identified are operating within a particular domain or workgroup. The list also includes non-domain devices. In this worksheet, you identify each computer that stores ePHI, does not store ePHI, or accesses ePHI.


III. Task Complete the Network Share Identification Worksheet.

The Network Share Identification Worksheet presents a list of network share locations within the network. Because network shares can be accessed by multiple users, you should inventory them and determine whether they contain ePHI.

For each share, document whether it contains ePHI, does not contain ePHI, or whether you do not know if it contains ePHI.

IV. Task Complete User Identification Worksheet.

The User Identification Worksheet enables you to identify each user and document if they are authorized to access electronic Protected Health Information (ePHI). This worksheet contains a list of users that have been identified as having ePHI access rights during the network scan phase of the automated data collection.

In this worksheet, you document the type of user account (for example: Employee – ePHI Authorization, Employee – no ePHI Authorization, Vendor – ePHI Authorization, Vendor – no ePHI Authorization, Former Employee, Former Vendor, Service Account, etc.).

V. Task Complete ePHI Scan System Selection Worksheet.


In this worksheet, select each system that you wish to scan for ePHI (Electronic Protected Health Information) as defined by HIPAA. This scan is CPU intensive and may require a significant amount of time to complete. It is best to coordinate the scan with office downtime or a non-critical period. If you cannot run the scan on all computers, we recommend that you run the scan on a random sampling of systems during each assessment.

Select Yes under “Include in Scan?” for each system you want to include in the ePHI scan.

Note: You must select at least one computer to proceed.

VI. Task Running ePHI (HIPAA Deep) Scan.

When this To Do item appears, an automatic scan of the selected systems will be initiated looking for ePHI. Once the scan is complete, this To Do item will automatically be marked as complete.

VII. Task Unable to scan all selected systems

Tip: If all systems were scanned successfully, this To Do item will appear as "Able to scan all selected systems."

In this step, you will see a list of any computers that were unable to be scanned for Personal Data. You can then:


A. Initiate Rescan to try the scan again. Before you initiate the rescan, check your scan settings or reconfigure your network to ensure a successful scan.

B. Upload Local Scan(s) using the Local Data Collector on each machine that could not be scanned. Run the Local Data Collector directly on the computer selecting Deep Scan. You can access the data collector at https://www.rapidfiretools.com/cm.

VIII. Task Complete the ePHI Validation Worksheet.

The ePHI (Electronic Protected Health Information) Validation Worksheet details computers that were discovered to contain ePHI during the most recent scan. Use this worksheet to verify the existence of ePHI and flag "false positives."

Next to each instance of ePHI discovered, select "Yes" or "No" from the Verified column to indicate whether the information is Personal Data, or a false positive.


Step 8—Document Security Exceptions

Task Complete the Security Exception Worksheet.

The Security Exception Worksheet allows you to document any compensating controls used to mitigate the risks uncovered during the assessment.

Tip: Use the Security Exception Worksheet to handle "false positives" or explain why certain issues have been resolved. Your entries will affect the overall risk score and other areas in your assessment documentation.

To use the Security Exception Worksheet:

1. For each issue in the form, select one of the available options.


A. Mitigated through Compensating Control

i. Choose this option to enter a blanket response as to why all instances of the issue have been mitigated. For example, why do you not need signed agreements with your business associates that transmit ePHI?

ii. When you indicate that an issue has been mitigated, enter an Optional Response explaining how the issue has been resolved or why it's not relevant. These notes will appear in your final assessment documentation.

B. Review Individual Entries

i. You can also choose to review each issue separately. This is useful if you need to explain why some of your PCs are detected as not having anti-virus or account lockout enabled, for example. When you choose to review individual entries, you can likewise indicate whether each entry is mitigated, valid, or a false positive.

C. Valid: Indicates that the issue is valid and has not been addressed.

D. False Positive: Indicates that the issue is NOT valid and does not need to be addressed. Choose this option if you have trouble with the results from an automated scan, for example.
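The worksheet options above, modelled in code as an added example (not RapidFire Tools code): the issue names, hosts and vendors are constructed, and the per-instance weights and the scoring rule are assumptions, since this guide does not document how Compliance Manager computes its risk score.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Disposition(Enum):
    """The answers the worksheet offers for an issue or for one of its entries."""
    MITIGATED = "Mitigated through Compensating Control"
    VALID = "Valid"
    FALSE_POSITIVE = "False Positive"


@dataclass
class Entry:
    """One instance of an issue: a PC, user, port, vendor... (targets are constructed)."""
    target: str
    disposition: Optional[Disposition] = None
    response: str = ""


@dataclass
class Issue:
    name: str
    weight: int                            # assumed per-instance risk weight
    entries: List[Entry] = field(default_factory=list)
    blanket: Optional[Disposition] = None  # option A: one answer for all instances
    blanket_response: str = ""


def mitigate_all(issue: Issue, response: str = "") -> None:
    """Option A: a blanket compensating control that covers every instance."""
    issue.blanket = Disposition.MITIGATED
    issue.blanket_response = response


def review_entry(issue: Issue, target: str, disposition: Disposition,
                 response: str = "") -> None:
    """Option B: disposition a single entry of the issue."""
    for entry in issue.entries:
        if entry.target == target:
            entry.disposition = disposition
            entry.response = response
            return
    raise KeyError(f"{target!r} is not an instance of {issue.name!r}")


def effective(issue: Issue, entry: Entry) -> Disposition:
    """A blanket answer overrides per-entry answers; an unreviewed entry stays Valid."""
    return issue.blanket or entry.disposition or Disposition.VALID


def open_findings(issues: List[Issue]) -> List[Tuple[str, str]]:
    """(issue, target) pairs still Valid, i.e. still needing remediation."""
    return [(i.name, e.target) for i in issues for e in i.entries
            if effective(i, e) is Disposition.VALID]


def unreviewed(issues: List[Issue]) -> List[Tuple[str, str]]:
    """Entries nobody has answered yet; they count as Valid until reviewed."""
    return [(i.name, e.target) for i in issues for e in i.entries
            if i.blanket is None and e.disposition is None]


def missing_responses(issues: List[Issue]) -> List[Tuple[str, str]]:
    """Mitigations recorded without an explanation. The response is optional in
    the form, but the final documentation is weaker without one, so list them."""
    gaps = []
    for i in issues:
        if i.blanket is Disposition.MITIGATED and not i.blanket_response.strip():
            gaps.append((i.name, "(all instances)"))
        for e in i.entries:
            if (i.blanket is None and e.disposition is Disposition.MITIGATED
                    and not e.response.strip()):
                gaps.append((i.name, e.target))
    return gaps


def risk_score(issues: List[Issue]) -> int:
    """Assumed scoring model: only Valid instances contribute, so mitigated and
    false-positive entries reduce the score, the effect the Tip above describes."""
    return sum(i.weight for i in issues for e in i.entries
               if effective(i, e) is Disposition.VALID)


def sample_worksheet() -> List[Issue]:
    """Constructed findings that mirror the examples given in the text."""
    av = Issue("Anti-virus not detected", weight=5,
               entries=[Entry("WS-01"), Entry("WS-02"), Entry("WS-03")])
    lockout = Issue("Account lockout not enabled", weight=3,
                    entries=[Entry("WS-01"), Entry("SRV-01")])
    baa = Issue("No signed Business Associate Agreement", weight=4,
                entries=[Entry("Vendor A"), Entry("Vendor B")])
    # Option A: one blanket explanation covers both vendors.
    mitigate_all(baa, "Neither vendor transmits or stores ePHI on our behalf.")
    # Option B: review the anti-virus and lockout instances one by one.
    review_entry(av, "WS-01", Disposition.FALSE_POSITIVE,
                 "Endpoint protection is installed; the scanner does not recognise it.")
    review_entry(av, "WS-02", Disposition.VALID)
    review_entry(lockout, "SRV-01", Disposition.MITIGATED)  # explanation forgotten
    # WS-03 (anti-virus) and WS-01 (lockout) are deliberately left unreviewed.
    return [av, lockout, baa]


if __name__ == "__main__":
    ws = sample_worksheet()
    print("open:", open_findings(ws))                   # 3 entries still need remediation
    print("unreviewed:", unreviewed(ws))                # 2 entries nobody has answered
    print("missing responses:", missing_responses(ws))  # the SRV-01 mitigation
    print("risk score:", risk_score(ws))                # 13 under the assumed weights
```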


Step 9—Generate HIPAA Compliance Assessment Reports

Task Review Final Reports.

After documenting the compensating controls, the assessment reports and supporting documentation will become available for review.

Note: It may take several minutes for the reports to appear once you reach this step.

To review the reports and findings:

1. From your Site, go to Compliance Manager > Assessments.

2. Click Reports from the left menu to access a list of generated reports.

3. The Reports page will appear. Click the download icon next to the report that you wish to download and view.


4. Once you have reviewed the reports, click Mark Complete on the task details page.

Optional Task: Export Issues to Kaseya BMS

Once you generate assessment reports and review them, you can view specific issues identified in the assessment — organized by risk score — from the Issues tab. These issues supplement the detailed data in your reports with immediate action items — and likewise allow you to export these issues as tickets to Kaseya BMS.

To do this:

Step 1—Gather Credentials and Set Up Kaseya BMS

Before you begin, you will need:


• Valid Login Credentials for RapidFire Tools Portal

• A RapidFire Tools Portal Compliance Manager "Site" for which you wish to export tickets

• Valid Login Credentials and details for Kaseya BMS (refer to the list below)

PSA Prerequisites for Kaseya BMS:

• Kaseya Username
• Kaseya Password
• Kaseya Tenant (i.e. company name)
• Kaseya API URL, example: "https://bms.kaseya.com" (you should receive the exact URL in an email from Kaseya)

Step 2— Set Up a Connection to your Kaseya BMS

Follow these steps to set up a Connection to Kaseya BMS.

1. Visit https://www.youritportal.com and log into the RapidFire Tools Portal.


Note: In order to configure the Settings in the Portal, you must have the All or Admin global access level.

    2. Click Global Settings.

    3. Click Connections.

    4. Click Add to create a new Ticketing System/PSA Connection.


5. In the Setup New Connection window, select Connection Type and choose Kaseya BMS.

Note: Compliance Manager can only be integrated with Kaseya BMS at this time.

6. Then enter the information required to set up the Connection.

This information will include:

• Username and Password
• API URL
• Tenant name (Company name)


7. Click the Test Login button to test your Connection login. After a successful test login, the second Add Connection Ticket Details window will be displayed.

    8. Continue creating your Connection by entering in the necessary Ticket Details.


Click Test Ticket. The Add Connection Settings Confirmation window will be displayed after the Test Ticket process is successful.

    9. In the Add Connection Confirm Settings window presented, enter a ConnectionName.

    10. Review the Connection’s configuration details and click Save.


    The new Connection created will be listed in the Portal’s Connection list.

Step 3—Map your Compliance Manager’s Site to a Kaseya BMS

Follow these steps to map a Kaseya BMS Connection to the RapidFire Tools Portal Site associated with your Compliance Manager assessment.

1. From the Global Settings > Connections menu, scroll down and click Add under Site Mappings. The Map Site to Connection window will be displayed.


2. Select the RapidFire Tools Portal Compliance Manager Site you want to assign to the Kaseya BMS Integration.

3. Next, select the name of the Connection that you want to use to link the Site to Kaseya BMS.

4. Click Save. The Site’s mapping will be saved and listed in the Site Mappings list.

You can now export Issues as tickets for the RapidFire Tools Portal Site you selected.

Step 4— Export Issues to Kaseya BMS

The final step is to select issues and export them. To do this:

1. Navigate to the site with the issues you want to export. Go to Compliance Manager > Assessment > Issues.

2. Check the box next to each issue to be exported.


    3. Click Export to BMS and confirm.

Each successfully exported issue will receive a ticket number. The issues will now be available as tickets in Kaseya BMS.

Note: Once the ticket is exported, you can continue to view its details, but you cannot export it twice.


Step 10—Complete and Archive your HIPAA Assessment

Task HIPAA Assessment Complete.

In this step, after you have reviewed your HIPAA assessment reports, the HIPAA assessment will be complete. Compliance Manager will also note the number of compliance and security issues detailed for further review in the Risk Assessment report.

Archiving Assessments

When you complete an assessment, that assessment will be archived. You can review the assessment and the generated reports and compliance documentation. To do this:

1. Navigate to the Compliance Manager > Assessments > Dashboard tab.

2. Click on the drop-down menu from the right side of the screen.

3. Select the archived assessment you wish to review.


Note: Your archived assessment will be named YYYY-MM-DD, where the date is the start date of the assessment.

Step 11—Start a New HIPAA Assessment after Completing a Previous Assessment

To start a new assessment, follow these steps:

1. Click on Assessments from the top menu.

2. Click Start New.

Your To Do List will be reset. The Start HIPAA Assessment To Do item will be added to your To Do list.


HIPAA Assessment Reports

Compliance Manager for HIPAA can generate the following reports and supporting documents:

Compliance Reports

These reports show where you are in achieving HIPAA compliance. In addition, these documents identify and prioritize issues that must be remediated to address HIPAA-related security vulnerabilities through ongoing managed services.

Evidence of HIPAA Compliance: Just performing HIPAA-compliant tasks is not enough. Audits and investigations require evidence that compliance tasks have been carried out and completed. Documentation must be kept for six years. The Evidence of Compliance includes log-in files, patch analysis, user & computer information, and other source material to support your compliance activities. When all is said and done, the proof of proper documentation is accessibility, and the detail needed to satisfy an auditor or investigator is included in this report.

Site Diagram: The site diagram breaks down and categorizes all of the assets available on the network. The schematic shows the basic network structure, with convenient drill downs into each group of like workstations. Each device is annotated with important identifying configuration information and is color-coded based on its status.

Windows Patch Assurance Report: The Windows Patch Assurance Report helps verify the effectiveness of the client's patch management program. The report uses scan data to detail which patches are missing on the network.

Full Detail Excel Export Report: The Full Detail Excel Export includes every detail uncovered during the assessment’s network and computer endpoint scanning process. Details are presented in line-item fashion in an editable Excel workbook document. The report is organized by titled worksheets to help you locate the specific findings of interest, and problem areas are conveniently highlighted in red, making it easy to spot individual problems to be rectified.


HIPAA Privacy Rule Worksheet: The HIPAA Privacy Rule Worksheet assesses how well a Site's policies and procedures adhere to the HIPAA privacy standards.

HIPAA Breach Notification Worksheet: The HIPAA Breach Notification Rule Worksheet assesses how well a Site's policies and procedures adhere to the HIPAA breach notification standards.

HIPAA Security Rule Auditor Checklist: This checklist helps you determine whether the client is in compliance with HIPAA. The checklist details specific compliance items. These items are in turn used to identify potential issues to be remediated in order to achieve compliance.

HIPAA Compliance PowerPoint: Use our generated PowerPoint presentation as a basis for conducting a meeting presenting your findings from the Network Detective. General summary information along with the risk and issue score are presented along with specific issue recommendations and next steps.

HIPAA Management Plan: Based on the findings in the Risk Analysis, the organization must create a Risk Management Plan with tasks required to minimize, avoid, or respond to risks. Beyond gathering information, Network Detective provides a risk scoring matrix that an organization can use to prioritize risks, appropriately allocate money and resources, and ensure that issues identified are issues solved. The Risk Management plan defines the strategies and tactics the organization will use to address its risks.

HIPAA Policies & Procedures Sample Document: The Policy and Procedures are the best practices that our industry experts have formulated to comply with the technical requirements of the HIPAA IT Security Rule, Privacy Rule, and Breach Notification Rule. The policies spell out what your organization will do, while the procedures detail how you will do it. In the event of an audit, the first thing an auditor will inspect is the Policies and Procedures documentation. This is more than a suggested way of doing business. The Policies and Procedures have been carefully thought out and vetted, referencing specific code sections in the IT Security Rule, Privacy Rule, and Breach Notification Rule, and are supported by the other reports included with the HIPAA Compliance module.

    HIPAA Risk Analysis

    HIPAA is a risk-based security framework and the production of a Risk Analysis is one of the primary requirements of the HIPAA Security Rule's Administrative Safeguards. In fact, a Risk Analysis is the foundation for the entire security program. It identifies the locations of electronic Protected Health Information (ePHI), vulnerabilities to the security of the data, threats that might act on the vulnerabilities, and estimates both the likelihood and the impact of a threat acting on a vulnerability. The Risk Analysis helps HIPAA Covered Entities and Business Associates identify the locations of their protected data and how the data moves within, and in and out of, the organization. It identifies what protections are in place and where there is a need for more. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of ePHI. The value of a Risk Analysis cannot be overstated. Every major data breach enforcement of HIPAA, some with penalties over $1 million, has cited the absence of, or an ineffective, Risk Analysis as the underlying cause of the data breach. The Risk Analysis must be run or updated at least annually, more often if anything significant changes that could affect ePHI.

    Security Exception Worksheet

    This report is used to present the details associated with security exceptions and how compensating controls will be or have been implemented to enable HIPAA compliance. This worksheet allows the HIPAA Compliance readiness specialist to document explanations for suspect items. The readiness specialist can document and explain why various discovered items are not true issues and are possible false positives.

    These exceptions can be documented on an item-by-item level (for example, at the granularity of users, ports, applications, etc.). The Security Exception Worksheet compiles the issues discovered by the HIPAA Compliance Data Collection, including the completion of the questionnaires and worksheets.

    The benefit of this feature is that it adds the human element back into the assessment and allows for explanation of special circumstances and specific environment requirements. The Security Exception Worksheet does not alleviate the need for safeguards but allows for description of alternative means of mitigating the identified security risk. The process is consistent with industry standard HIPAA assessment and risk management processes.


    Supporting Documentation

    These documents show the detailed information and raw data that backs up the compliance reports. These documents include the various interviews and worksheets, as well as detailed data collections on network assets, shares, login analysis, etc.

    Report Type Description

    Computer Identification Worksheet

    The Computer Identification Worksheet takes the list of computers gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool in developing data management strategies including secure storage and encryption. To save time, the system allows you to enter default settings for all computers and just change some as needed. There is also an inactive computer identification worksheet.

    Disk Encryption Report

    Encryption is such an effective tool for protecting data that if an encrypted device is lost, it does not have to be reported as a data breach. The Disk Encryption Report identifies each drive and volume across the network, whether it is fixed or removable, and whether encryption is active.

    EPHI Scan System Selection Worksheet

    In this worksheet, you select the systems to be scanned for ePHI as defined by HIPAA.

    EPHI Validation Worksheet

    In this worksheet, you validate instances of ePHI detected during the ePHI scan and indicate whether the data is correct or might indicate a false positive.

    External Network Vulnerability Scan Detail by Issue

    Detailed reports showing security holes, warnings, and informational items, including CVSS scores, as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.

    External Port Use Worksheet

    In this worksheet, you document the business purpose and security status of each open port detected during the external vulnerability scan.

    File Scan Report

    The underlying cause identified for many data breaches is that the organization did not know that protected data was stored on a device that was lost or stolen. After a breach of 4 million patient records, a hospital executive said, "Based on our policies that data should not have been on those systems." The File Scan Report identifies data files stored on computers, servers, and storage devices. It does not read the files or access them, but just looks at the title and file type. This report is useful to identify local data files that may not be protected. Based on this information, the risk of a breach could be avoided if the data was moved to a more secure location, or mitigated by encrypting the device to protect the data and avoid a data breach investigation.

    HIPAA On-Site Survey

    The On-Site Survey is an extensive list of questions about physical and technical security that cannot be gathered automatically. The survey includes questions ranging from how facility doors are locked, firewall information, how faxes are managed, and whether servers are on-site, in a data center, or in the Cloud.

    HIPAA Policy and Procedures Verification Worksheet

    In this worksheet, you verify whether your organization complies with the provided HIPAA Policy and Procedures document.

    Login History by Computer Report

    Same data as User Behavior but inverted to show you by computer. Quite useful, in particular, for looking at commonly accessed machines (file server, domain controller, etc.) or a particularly sensitive machine for failed login attempts. An example would be the CEO's laptop or the accounting computer, where you want to be extra diligent in checking for users trying to get in.

    Network Share Identification Worksheet

    The Network Share Identification Worksheet takes the list of network shares gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool in developing data management strategies including secure storage and encryption. To save time, the system allows you to enter default settings for all network shares and just change some as needed.

    Share Permission Report

    Comprehensive lists of all network "shares" by computer, detailing which users and groups have access to which devices and files, and what level of access they have.

    User Identification Worksheet

    The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether they are an employee or vendor. Users who should have been terminated and should have had their access terminated can also be identified. This is an effective tool to determine if unauthorized users have access to protected information. It also is a good indicator of the efforts the organization goes to so terminated employees and vendors have their access quickly disabled. Another benefit is that you can review the user list to identify generic logons, such as Nurse, Billing Office, etc., which are not allowed by HIPAA since each user is required to be uniquely identified. To save time, the system allows you to enter default settings for all users and just change some as needed.


    Appendices

    Refer to the appendices listed below for the supplementary information referenced in this user guide:

    Pre-Scan Network Configuration Checklist 85

    Checklist for Domain Environments 85

    Checklist for Workgroup Environments 87

    Compliance Manager Cyber Insurance Add On 90

    HIPAA To Do Task Complete List 96


    Pre-Scan Network Configuration Checklist

    RapidFire Tools products can gather a great deal of information from the target network with little advance preparation – and with very little footprint! However, if you are having trouble with scans, or you have the ability to configure the target network in advance, we recommend the settings below.

    These checklists detail the recommended network configurations for both Windows Domain and Workgroup environments.

    Note: You must have .NET 3.5 installed on machines in order to use all data collector and appliance tools.

    Checklist for Domain Environments

    Share this checklist with your IT Administrator and ask them to configure your network's Domain Controller as follows:

    Complete Domain Configuration

    GPO Configuration for Windows Firewall (Inbound Rules)

    Allow Windows Management Instrumentation (WMI) service to operate through Windows Firewall

    This includes the following rules:

    • Windows Management Instrumentation (ASync-In)

    • Windows Management Instrumentation (WMI-In)

    • Windows Management Instrumentation (DCOM-In)

    Allow File and Printer Sharing to operate through Windows Firewall

    This includes the following rules:

    • File and Printer Sharing (NB-Name-In)

    • File and Printer Sharing (SMB-In)

    • File and Printer Sharing (NB-Session-In)

    Enable Remote Registry "read only" access on computers targeted for scanning.


    Note: Remote Registry access should be restricted to the user account credentials that will be used during the network and local computer scans.

    Enable the Internet Control Message Protocol (ICMP) to allow authorized ICMP echo request messages and ICMP echo reply messages to be sent and received by Windows computers and network devices.

    Windows Firewall rules on Windows computers may need to be created/enabled to allow a computer:

    • operating a Kaseya-RapidFire Tools product network data collector to issue ICMP echo request messages to be sent to Windows computers and network devices

    • to send ICMP echo reply messages in response to an ICMP echo request

    Note: ICMP requests are used to detect active Windows computers and network devices to scan.

    GPO Configuration for Windows Services

    Windows Management Instrumentation (WMI)
    • Startup Type: Automatic

    Windows Update Service
    • Startup Type: Automatic

    Remote Registry
    • Startup Type: Automatic

    Remote Procedure Call
    • Startup Type: Automatic

    Network Shares

    • Admin$ must be present and accessible using supplied credentials (usually a local admin or user in the local computer's Administrators security group)


    3rd Party Firewalls

    • Ensure that 3rd party firewalls are configured similarly to the Windows Firewall rules described within this checklist.

    Note: This is a requirement for both Active Directory and Workgroup networks.

    Checklist for Workgroup Environments

    Before you perform a workgroup assessment, run the following PowerShell commands on the target network and the machine that will perform the scan. These three configurations should help you avoid most issues in a workgroup environment. Each command is followed by an explanation and a link to Microsoft documentation.

    1. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

    By default, UAC only allows remote administration tasks to be performed by the built-in Administrator account. To work around this, this command sets the LocalAccountTokenFilterPolicy registry value to 1. This allows any local admin to perform remote administrative tasks (i.e. access to system shares C$, Admin$, etc.).

    https://support.microsoft.com/en-us/help/951016/description-of-user-account-control-and-remote-restrictions-in-windows

    2. netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes

    This command enables the inbound firewall rules that allow access to the WMI service and namespaces.

    https://docs.microsoft.com/en-us/windows/win32/wmisdk/connecting-to-wmi-remotely-starting-with-vista

    3. netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes


    This command enables the inbound firewall rules for File and Printer Sharing on the machine. File and Printer Sharing is required in order to access the Admin$ share on remote machines.

    https://answers.microsoft.com/en-us/windows/forum/all/turning-on-file-and-printer-sharing-windows-10/bb3066eb-f589-4021-8f71-617e70854354

    You can also share this checklist with your IT Administrator and ask them to configure each computer in your workgroup as follows:

    Complete? Workgroup Configuration

    Network Settings

    • Admin$ must be present on the computers you wish to scan, and be accessible with the login credentials you provide for the scan

    • File and Printer Sharing must be enabled on the computers you wish to scan

    • Ensure the Windows Services below are running and allowed to communicate through Windows Firewall:
      • Windows Management Instrumentation (WMI)
      • Windows Update Service
      • Remote Registry
      • Remote Desktop
      • Remote Procedure Call

    • Workgroup computer administrator user account credentials.

    Note: Before configuring scan settings for workgroups, prepare a list of the workgroup computer(s) administrator user account credentials for entry into the scan settings wizard.

    Enable the Internet Control Message Protocol (ICMP) to allow authorized ICMP echo request messages and ICMP echo reply messages to be sent and received by Windows computers and network devices.

    Windows Firewall rules on Windows computers may need to be created/enabled to allow a computer:


    • operating a Kaseya-RapidFire Tools product network data collector to issue ICMP echo request messages to be sent to Windows computers and network devices

    • to send ICMP echo reply messages in response to an ICMP echo request

    Note: ICMP requests are used to detect active Windows computers and network devices to scan.
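As an added example that is not part of the RapidFire Tools guide, the following PowerShell script audits the items from both the Domain and Workgroup checklists above on a machine to be scanned (the LocalAccountTokenFilterPolicy value, .NET 3.5, the inbound WMI and File and Printer Sharing rules including the ICMPv4 echo request rule, the four service startup types, and the Admin$ share) and reports OK or FAIL per item without changing anything. The function name Test-ScanReadiness is hypothetical; it assumes Windows 10 / Server 2016 or later with PowerShell 5.1, run in an elevated session on the target machine.

```powershell
# Added example (not RapidFire Tools code): read-only readiness check for the
# pre-scan checklist items. Assumes Windows 10 / Server 2016 or later with
# PowerShell 5.1 in an elevated session on a machine that will be scanned.
# Function and output names are hypothetical; nothing is changed on the system.

function Test-ScanReadiness {
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result($Check, $Ok, $Detail) {
        $results.Add([pscustomobject]@{
            Check  = $Check
            Status = $(if ($Ok) { 'OK' } else { 'FAIL' })
            Detail = $Detail
        })
    }

    # 1. Workgroup only: UAC remote restriction lifted for local administrators
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = (Get-ItemProperty -Path $uacKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    Add-Result 'LocalAccountTokenFilterPolicy = 1 (workgroup only)' ($uac -eq 1) "current value: $uac"

    # 2. .NET Framework 3.5 present (required by the data collector and appliance tools)
    $net35 = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' -Name Install -ErrorAction SilentlyContinue).Install
    Add-Result '.NET Framework 3.5 installed' ($net35 -eq 1) "Install value: $net35"

    # 3. Inbound firewall rules from the checklist, plus the ICMPv4 echo request
    #    rule the collector relies on to discover live hosts
    $requiredRules = @{
        'Windows Management Instrumentation (WMI)' = @(
            'Windows Management Instrumentation (ASync-In)',
            'Windows Management Instrumentation (WMI-In)',
            'Windows Management Instrumentation (DCOM-In)')
        'File and Printer Sharing' = @(
            'File and Printer Sharing (NB-Name-In)',
            'File and Printer Sharing (SMB-In)',
            'File and Printer Sharing (NB-Session-In)',
            'File and Printer Sharing (Echo Request - ICMPv4-In)')
    }
    foreach ($group in $requiredRules.Keys) {
        $rules = @(Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue)
        foreach ($name in $requiredRules[$group]) {
            # The same display name exists once per profile set; at least one copy must be enabled
            $enabled = @($rules | Where-Object { $_.DisplayName -eq $name -and $_.Enabled -eq 'True' })
            $profiles = ($enabled | ForEach-Object { $_.Profile }) -join ', '
            Add-Result "Inbound rule enabled: $name" ($enabled.Count -gt 0) "enabled for profiles: $profiles"
        }
    }

    # 4. Services the checklist wants on Automatic startup and running
    $services = @{ Winmgmt = 'Windows Management Instrumentation'; wuauserv = 'Windows Update'
                   RemoteRegistry = 'Remote Registry'; RpcSs = 'Remote Procedure Call' }
    foreach ($svc in $services.Keys) {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $ok = ($null -ne $s) -and $s.StartType -eq 'Automatic' -and $s.Status -eq 'Running'
        Add-Result "Service automatic and running: $($services[$svc])" $ok "startup: $($s.StartType), status: $($s.Status)"
    }

    # 5. Admin$ share must exist; the scan credentials must also be able to open it
    $admin = Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue
    Add-Result 'ADMIN$ share present' ($null -ne $admin) "path: $($admin.Path)"

    return $results
}

# Show FAIL rows first so the IT administrator sees what still needs configuring
Test-ScanReadiness | Sort-Object Status | Format-Table -AutoSize
```

Each FAIL row maps to one checklist item above; keep the checklist's own note in mind that Remote Registry access should stay restricted to the account used for the scan.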


    Compliance Manager Cyber Insurance Add On

    You can directly provision cyber insurance for your Compliance Manager sites. This offering is provided by Cysurance. Cyber insurance safeguards small business revenue against privacy breaches, identity theft, system damage and other cybercrimes, and can be a valuable service for your MSP to offer clients.

    To provision Cysurance for one of your Compliance Manager sites:

    1. Log into the Compliance Manager Portal.

    2. Open your Compliance Manager Site provisioned for any assessment type (i.e. GDPR, HIPAA, or Cyber Insurance).

    3. Select the Add-Ons menu option.


    https://cysurance.com/


    Note: Select the Learn More button to learn more about available Cyber Insurance offerings.

    4. To get a Cyber Insurance quote, click the Get Your Instant Quote button.


    5. Select the category that best describes the business/client from the drop-down menu.

    6. Select the business/client's annual revenue from the drop-down menu.

    7. After the selections have been made, click the Next button in the Get Your Instant Quote window to proceed.

    8. Select the Policy Coverage option desired.


    Note: The "Notes" associated with each Policy Coverage option, such as the Deductible amount, will vary based on the option.

    9. Click Proceed once you have selected an option.

    10. The RapidFire Tools Portal redirects the user to the Cysurance Web Portal.


    11. The RapidFire Tools Portal opens a new browser tab and the user is directed to the Cysurance MSP Enrollment web page to complete the Cyber Insurance enrollment process. The Cysurance MSP Enrollment process will take over the interaction with the user to complete the Cyber Insurance enrollment process.

    Note: Once you enter the company's or client's information on the Cysurance webpage, you will receive a policy from Cysurance to review. Follow the link in the email from Cysurance and follow the steps to finalize the policy. You will receive these emails from Cysurance at the email address you entered for sign-up.

    12. Once you complete the transaction through Cysurance, you can View Policy Summary from your Compliance Manager Site Home > Add-ons.


    HIPAA To Do Task Complete List

    The list below outlines all To Do tasks in the HIPAA Assessment To Do list.

    Note: The items below may appear in a different order in your To Do list. This depends on the order in which you choose to complete certain tasks.

    Task Project Role

    □ Create additional users and assign to roles (Home tab > Settings > Users; Roles)

    Add and invite users to participate in the assessment. Then assign these users to project roles.

    Site Admin

    □ Set up Report Preferences (Compliance Manager tab > Settings > Report Preferences)

    Configure the reports for the Site that will be generated at the end of the assessment. This includes visual elements and client details.

    Site Admin

    □ Install Compliance Manager Appliance (Installed on client network)

    Install the Compliance Manager Server on the target network.

    Technician

    □ Configure Appliance Scan Settings (Compliance Manager tab > Settings > Scan Settings)

    Once the appliance is installed, enter information to set up scans.

    Technician

    □ Start HIPAA Assessment (Compliance Manager tab > To Do)

    Initial start of assessment. Starts automated scans and generates forms to complete.

    Internal Auditor

    □ Running Pre-Scan Analysis (Automated Scan)

    The appliance will check for issues that might prevent a complete network scan.

    Compliance Manager Appliance

    □ Review Pre-Scan Analysis Results and Recommendations (Compliance Manager tab > To Do)

    Review and fix potential scan problems before starting the internal scans.

    Technician

    □ Type of HIPAA Assessment (Compliance Manager tab > To Do)

    Optionally choose to add additional worksheets to your assessment to identify additional issues.

    Internal Auditor

    □ Complete the HIPAA Privacy Rule Worksheet (Compliance Manager tab > To Do)

    Assess how well a Site's policies and procedures adhere to the HIPAA privacy standards.

    Internal Auditor

    □ Complete the HIPAA Breach Notification Worksheet (Compliance Manager tab > To Do)

    Assess how well a Site's policies and procedures adhere to the HIPAA breach notification standards.

    Internal Auditor

    □ Complete the HIPAA On-Site Survey (Compliance Manager tab > To Do)

    Document any security issues in the Site environment.

    Internal Auditor

    □ Complete the HIPAA Policy and Procedures Verification Worksheet (Compliance Manager tab > To Do)

    Document how your organization complies with the HIPAA P&P provided by Compliance Manager.

    Internal Auditor

    □ Running the Automated Internal Network Scan (Automated Scan)

    An automated scan will begin on the client's internal network.

    Compliance Manager Appliance

    □ Running Local Scan of Remote Computers (Automated Scan)

    An automated scan will begin on the client's internal network targeting remote computers.

    Compliance Manager Appliance


    □ Run Local Data Collector (optional) (Compliance Manager tab >