It is safe to say that no system or software is 100% secure.
The question is whether we have mitigated the vulnerabilities which already been discovered or the attackers will get to it first?
Answering this question involves having a good inventory of our systems, followed by scanning them for known vulnerabilities, then prioritizing the severity and mitigating these vulnerabilities.
The Health Industry Cybersecurity Practices (HICP) document contains vulnerability management practices that address this topic.
This series aims to make these practices accessible even for small-medium organizations.
Looking at HICP practice requirements
For small organizations, HICP calls for the following activities:
- Schedule regular vulnerability scans for systems and web applications.
- Remediating flaws discovered by the scanning process.
- Patch management process.
For medium organizations, HICP has the following additions:
- Classify the severity and exposure of potential attacks by leveraging Data Protection, IT Asset Management, and Network management practices
- Configuration management (ensure the use of safe configuration)
- Change management (vulnerability scans after implementing change)
Lastly, HICP describes the following practices for large organizations:
- Penetration testing (to mimic attackers and determine the level of access that they can gain)
- Remediation planning (assigning stakeholders, then creating a plan with dates and status)
Scoping and Planning
Before we dive into product selection criteria, we need to understand the scope of our planning effort:
- We are responsible only for the systems that we own.
- We want to focus our limited resources on high-impact and high-likelihood systems and data.
- We want to have optimum coverage and minimize cost and effort.
With Software-as-a-Service (SaaS), they follow the concept of shared responsibilities. This model clearly defines the scope of their responsibilities vs. the customers. For example, in this diagram, Microsoft states that for their SaaS, they are responsible for the physical host, operating system, and applications for their SaaS services . Compare the scope of SaaS with the On-premise system where the customer is on the hook for the whole stack.
Vulnerability Management is concerned with vulnerabilities found in those areas (host, OS, and applications). When we have critical systems (EHR, ERP, RCM, etc.) that are SaaS-based, the SaaS company is responsible for vulnerability management. This aspect is one of the appeals of SaaS since the users do not need to worry about this task.
Assuming the SaaS company hosts these critical systems, we can focus on on-premise devices with a high impact and high likelihood of a breach. If these vital systems are still on-premise, they need to be high on our list. Other on-premise devices in scope would be endpoints, medical devices, and infrastructure.
Next, we want to optimize for coverage and cost. We do this by reviewing our existing tools to minimize overlap and cost for managing vulnerabilities on the on-premise devices like endpoints, medical devices, and infrastructure.
For the endpoints (whether on-premise or remote), we can use device manager tools like Microsoft Intune (for Windows)  and Mosyle (for macOS) . These tools can keep track of patch level on endpoints and perform patch management to address its vulnerabilities. Furthermore, with the bulk of the network population being endpoints, we minimize the cost and license requirements for the vulnerability scanner.
In summary, we optimize the cost by moving critical systems to the cloud (SaaS) and using device managers to perform patch management for the endpoints. Therefore, we can optimize the vulnerability scanners for high-impact, high-likelihood, on-premise devices.
Product selection criteria
Looking at a few review sites (TrustRadius , Gartner peer insights , G2 ), Nessus consistently appears as a market leader on all three.
It is compelling when a market leader has a pricing structure accessible by small organizations. Two main reasons are reputation and finding the people familiar with it.
Market leaders have built and maintained their reputation over the years. This reputation is proof that they have products and processes that work. It also tends to be cheaper and easier to find people who can work with popular tools.
Using these signals as indicators of product quality and market acceptance, let us dive into Nessus.
Looking at Nessus Essentials & Tenable.io
Tenable is the company behind Nessus. They have grown the product beyond the original vulnerability scanner tool. With the trends moving toward cloud-based services, now they offer cloud-based products like Tenable.io.
Tenable.io is a hosted vulnerability management SaaS that uses Nessus as the vulnerability scanner. From Tenable.io, you’d be able to create schedule tasks for the vulnerability scanner, apply the policies, and share the results.
Tenable offers Nessus Essentials, which has the same capability as Nessus Professional to scan vulnerabilities . However, it is limited to 16 devices.
With Nessus Essentials, small organizations can adopt HICP practice for vulnerability management. They can schedule Nessus Essentials for regular scans to discover vulnerabilities on systems and web applications (sample below). Once the scanning process is complete, they can prioritize the remediation effort.
Looking at the cost
Nessus Essentials are free for up to 16 devices. This essential license should be sufficient for a small organization with 1 FTE physician and 3 support staff. Furthermore, we plan to use device managers for patch management on the endpoints, further reducing the number of licenses required.
If more licenses are required or need features beyond what Nessus Essentials provide, they could upgrade to Tenable.io ($2,275/year for up to 65 devices).
Nessus Essentials is an on-premise solution and requires a knowledgeable IT person to install and schedule scans. Like our IT Asset Management, we need to install Nessus Essentials on a server. We can use the same server for IT Asset Management to save costs. We can then schedule IT asset and vulnerability scans at different times.
As for labor requirements, it should not take more than 3 hours for an experienced engineer to set up an initial scan for a small office. Assuming that the IT contractor charges $200/hour, we could budget $600 for the labor.
Projected cost for adopting HICP practices so far for 1 FTE Physician + 3 support staff: $5,896 (1st year) & $2,872 (subsequent years)
Vulnerability management is important to minimize the chance of threat actors exploiting our system vulnerabilities.
Small organizations can utilize Nessus Essentials as a starting point to adopt this practice.