Comment by tptacek

3 hours ago

As is the case with SOC2, the "vulnerability scan" requirement here is likely to be meaningless; any automated process that can plausibly be described as instrumental in finding some kind of vulnerability is a "vulnerability scan", so all you have to do is run nmap.

They have comment/request-for-information sessions for HIPAA rule proposals, where your input would be valued.

  • I don't think the rule would be better with more detailed vulnerability scanning requirements! All these things inexorably become races to the bottom.

If it is like SOC2, I would expect respected auditors to reject that.

  • But there are no auditors required for HIPAA. Only the government (HHS OCR) itself can enforce the standards.

    • Thanks for the clarification; in that case the text is indeed really weak. Does that system work in practice, or are companies just claiming they are HIPAA compliant with close to no actual auditing mechanism?

> so all you have to do is run nmap.

This is ignorance at best. No one who has ever actually had to do SOC2 compliance legitimately has just run nmap and been done with that.