undefined | Better HN

0 pointstptacek2h ago0 comments

As is the case with SOC2, the "vulnerability scan" requirement here is likely to be meaningless; any automated process that can plausibly be described as instrumental in finding some kind of vulnerability is a "vulnerability scan", so all you have to do is run nmap.

0 comments

john_strinlai2h ago

they have comment/request for information sessions for HIPAA rule proposals, which your input would be valued.

dgellow2h ago

If it is like SOC2 I would expect respected auditors to reject that

morpheuskafka2h ago

But there are no auditors required for HIPAA. Only the government (HHS OCR) itself can enforce the standards.

dgellow1h ago

Thanks for the clarification, in that case the text is indeed really weak. Does that system work in practice, or are companies just claiming they are HIPAA compliant with close to no actual auditing mechanism?

1 more reply

tptacekOP1h ago

No? Like, wildly no? This is a big part of why you pay for the most respected auditors.

dgellow1h ago

I guess we had different experiences. The ones I interacted with were ok and wouldn’t have accepted a simple nmap here

1 more reply

jasonlotito31m ago

> so all you have to do is run nmap.

This is ignorance at best. No one who has ever actually had to do SOC2 compliance legitimately has just run nmap and been done with that.

john_strinlainew19m ago

>No one who has ever actually had to do SOC2 compliance

while i find tptacek's opinions very strong on the subject, you would be extremely mistaken to think those opinions were formed without experience

j / k navigate · click thread line to collapse

0 comments

john_strinlai2h ago

they have comment/request for information sessions for HIPAA rule proposals, which your input would be valued.

dgellow2h ago

If it is like SOC2 I would expect respected auditors to reject that

morpheuskafka2h ago

But there are no auditors required for HIPAA. Only the government (HHS OCR) itself can enforce the standards.

dgellow1h ago

1 more reply

tptacekOP1h ago

No? Like, wildly no? This is a big part of why you pay for the most respected auditors.

dgellow1h ago

I guess we had different experiences. The ones I interacted with were ok and wouldn’t have accepted a simple nmap here

1 more reply

jasonlotito31m ago

> so all you have to do is run nmap.

This is ignorance at best. No one who has ever actually had to do SOC2 compliance legitimately has just run nmap and been done with that.

john_strinlainew19m ago

>No one who has ever actually had to do SOC2 compliance

while i find tptacek's opinions very strong on the subject, you would be extremely mistaken to think those opinions were formed without experience

j / k navigate · click thread line to collapse