WHITE PAPER
ENDGAME, INC.
HIPAA SECURITY ARCHITECTURE AND TECHNOLOGY WHITE PAPER
BHAVNA SONDHI | CISA, QSA (P2PE), PA-QSA (P2PE)
ANDREW HICKS | MBA, CISA, CCM, HCISPP, CCSFP
Endgame HIPAA Security | White Paper 2
TABLE OF CONTENTS
Executive Summary
About Endgame
Audience
HIPAA Compliance
Methodology
Summary Findings
Assessor Comments
Application Architecture and Security
Technical Security Assessment
Assessment Methods
Assessment Environment
Network Traffic Assessment
Tools and Techniques
References
Appendix A: HIPAA Requirements Coverage Matrix
Appendix B: Executed Test Plan
Conclusion
EXECUTIVE SUMMARY

Endgame, Inc. engaged Coalfire Systems Inc. (Coalfire), a leading provider of industry-specific cyber risk
management and compliance services, to conduct an independent technical assessment of its Endgame
platform against the requirements of the Health Insurance Portability and Accountability Act (HIPAA)
Security Rule. Coalfire conducted assessment activities including technical testing, architectural review,
and compliance validation.
In this paper, Coalfire describes how it confirmed that the Endgame platform satisfied the Protection
from Malicious Software requirement of the HIPAA Security Rule for Windows endpoints. An explanation
of the testing activities performed during Coalfire’s review is included.
ABOUT ENDGAME
Endgame is a centrally managed endpoint security platform that stops advanced threats before damage
and loss. The platform provides full stack prevention, accelerated detection and response, and automated
hunting across the depth of the MITRE ATT&CK™ matrix. Endgame’s single, autonomous agent eliminates
multiple host agents including anti-virus (AV), next-gen AV, incident response, indicators of compromise
(IOC)-based agents, and forensic tools. The Endgame platform provides automated workflow and guided
response for analysts to instantly stop malicious activity.
Below are highlights of various features and capabilities within the Endgame platform:
• Full Stack Prevention: Endgame uses advanced signature-less techniques to prevent exploits,
malware, fileless attacks, malicious macros, and ransomware.
– Exploit Prevention: Patent-pending Hardware Assisted Control Flow Integrity (HA-CFI™) and
enhanced Dynamic Binary Instrumentation (DBI) block zero-day exploits before malicious
code execution.
– Malware Prevention at file execution: Endgame MalwareScore® prevents execution of known
and unknown malware and performs signature-less malware prevention.
– Fileless Attack Prevention: Patent-pending process injection prevention and Endgame
MalwareScore® prevent malicious module loads, DLL injection, and shellcode injection to stop
adversary evasion and fileless attacks.
– Malicious Macro Prevention: Heuristic-based macro prevention blocks malicious macros
embedded in commonly targeted applications such as MS Office applications.
– Ransomware Prevention: Behavior-based ransomware prevention is effective against
ransomware families such as BadRabbit, Petya, WannaCry, etc.
– Technique-Focused Protection: Expands across the breadth of the MITRE ATT&CK™ Matrix,
stopping ongoing attacks such as command and control, defense evasion, and privilege
escalation by leveraging Endgame’s knowledge of adversary tradecraft.
• Accelerated Endpoint Detection and Response:
– Endgame’s Enhanced Attacker Visualization, Endgame Resolver™, unveils various actions
taken by the attacker to instantly identify the origin and extent of compromise. Endgame
Resolver™ shows actions of the attack including process events, network connections, netflow,
user logons, DNS requests, and file or registry modifications.
– Endgame’s AI-Powered Security Mentor Artemis® uses natural language understanding to
automate data collection, investigation, and alert triage at enterprise scale.
– Endgame Arbiter® automates advanced attack analysis to determine file reputation, attack
type, and other attributes, extracting IOCs to reveal previously unknown threats across the
entire enterprise.
– Automated hunting using tradecraft analytics and outlier analysis streamlines detection and
response workflows to surface suspicious artifacts across millions of records in minutes.
– Precision and scalable response empowers Security Operations Center (SOC) teams to
restore endpoints at enterprise scale with zero business disruption.
AUDIENCE
This assessment white paper has two target audiences:
1. Covered Entities (CE) and Business Associates (BA): This audience may be evaluating
Endgame for use within their organization to support HIPAA compliance initiatives.
2. Administrators and Other Compliance Professionals: This audience may be evaluating
Endgame for use within their organization for HIPAA, PCI, or other regulations.
HIPAA COMPLIANCE
The HIPAA Security Rule specifically focuses on the safeguarding of electronic Protected Health
Information (ePHI) through the implementation of administrative, physical, and technical safeguards.
Compliance is mandated for all organizations defined by HIPAA as a Covered Entity, Business Associate,
or Subcontractor. At a summary level, a Business Associate is required to:
• Ensure the confidentiality, integrity, and availability of all ePHI that it creates, receives, maintains,
or transmits;
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such
information;
• Protect against reasonably anticipated uses or disclosures of such information that are not
permitted by the HIPAA Privacy Rule; and,
• Ensure compliance by its workforce.
However, the industry has struggled to choose technology solutions in the absence of implementation
guidelines. Penalties for noncompliance or actual ePHI breaches were previously considered minimal
compared to other regulations (e.g., PCI), causing many organizations to delay securing ePHI systems or
to secure them insufficiently. But the penalties have increased over the last few years, resulting in
organizations reconsidering the implementation of security-enabled technologies in their environments.
Endgame is one solution that, when implemented correctly and appropriately maintained, could
considerably reduce the risk associated with handling patient information.
The major sections for the full HIPAA Security Rule include:
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
The assessment focused mainly on the Administrative and Technical safeguards, as they are relevant to
the Endgame platform being assessed.
METHODOLOGY
Coalfire completed a multi-faceted technical assessment during the course of this project using industry
and audit best practices. Coalfire conducted technical lab testing in its Colorado lab from October 6, 2017
to October 27, 2017, including remediation activities.
At a high level, testing consisted of the following tasks:
1. Technical review of the architecture of the full solution and its components.
2. Implementation of the sensor in the Coalfire lab environment for Windows endpoints.
3. Introduction of malware binaries on local systems with Endgame software installed.
4. Confirmation of Endgame’s ability to block and remove known malware samples for Windows
endpoints.
5. Execution of malware scans using API scripts for Windows endpoints.
SUMMARY FINDINGS
The following findings are relevant highlights from this assessment:
• When properly implemented following vendor guidance, the Endgame platform can provide
coverage for the following (based on the sample testing and evidence gathered during the
assessment):
▪ Administrative Safeguards: Protection from Malicious Software - 164.308(a)(5)(ii)(B),
Response and Reporting - 164.308(a)(6)(ii)
▪ Technical Safeguards: Audit Controls - 164.312(b)
• The Endgame platform detected and effectively prevented the execution of known malware
samples for Windows endpoints as required for the Protection from Malicious Software -
164.308(a)(5)(ii)(B) requirement.
• The Endgame platform effectively mitigated the malware with the following solutions for Windows
endpoints:
– Malware protection at file execution (prevents execution on installation)
– Malware detection for created and modified files
– Application exploits prevention (prevents execution on installation)
– Application exploits detection
– Ransomware prevention
– Deletion of files
• The Endgame platform adequately generated logs of events such that security incidents involving
malicious activity and their outcomes could be documented, helping to meet the Response and
Reporting – 164.308(a)(6)(ii) requirement.
• The Endgame Host Sensor could not be disabled by unauthorized users.
• Endgame provides features for investigations (hunting for endpoint data), fileless attacks,
whitelisting of files or applications, and IOC search on file, network, process, registry, and users.
ASSESSOR COMMENTS
The assessment scope focused on validating the use of Endgame in a HIPAA environment, specifically to
include its impact on HIPAA Security Rule’s Administrative and Technical Safeguards. The Endgame
platform, when properly implemented following guidance from Endgame, Inc., can be utilized to meet the
technical portions of requirements 164.308(a)(5)(ii)(B), 164.308(a)(6)(ii), and 164.312(b). Endgame
provides various features for compliance with the above requirements. However, as most computing
environments and configurations vary drastically, it is important to note that use of this product does not
guarantee security and even the most robust anti-virus solutions can fail when improperly implemented and
maintained. A defense-in-depth strategy that provides multiple layers of protection should be followed as a
best practice. Please consult with Endgame, Inc. for policy and configuration questions and best practices.
It should also not be construed that the use of Endgame guarantees full HIPAA compliance. Disregarding
HIPAA requirements and security best practice controls for systems and networks inside or outside of
HIPAA scope can introduce many other security or business continuity risks to organizations. Security and
business risk mitigation should be any company’s goal and focus for selecting security controls.
APPLICATION ARCHITECTURE AND SECURITY

The Endgame platform offers prevention, detection and response, and threat hunting capabilities. The
Endgame platform can either be hosted on premises or in the cloud. Customers can host it themselves on
their own infrastructure or Endgame can host it for the customer in the cloud. Endgame’s lightweight,
autonomous agent provides online and offline 24x7 protection.
The Endgame architecture is represented in Figure 1:
Figure 1: Endgame Architecture Diagram
The following are the key components and features of the Endgame platform:
• Endgame Host Sensor: The Endgame Host Sensor is a lightweight sensor, consuming less than
1% CPU resources, that is deployed on all monitored endpoints and hosts. The sensor can either
run as a background process with no user interface or with a notification that gives details on current
system threats and blocked actions. The sensor does not interfere with any installed software on
the host, including anti-malware or anti-virus software. Endgame's advanced sensor technology
allows the analyst to choose to install a persistent sensor for long-term protection or a dissolvable
sensor for minimal endpoint footprint.
– Endgame Host Sensor Protection: The Endgame Host Sensor operates in the Operating
System (OS) kernel and user space. It is tamper resistant and has available protections to
prevent disabling of the sensor by the user. In addition, the sensor can be installed in disguised
mode that changes sensor driver file name, sensor file name, and popup name.
– Endgame Host Sensor Operation: The Endgame Host Sensor continuously gathers event data
including domain name system (DNS), file, image loads, network, netflow, process, registry,
and Windows logon/logoff events and stores them in a secure database. This real-time event
collection and tradecraft analytics allow analysts to identify threats and respond to them quickly.
• Endgame MalwareScore®: A machine learning model that performs signature-less malware
prevention and blocks known and unknown malware on file-based execution. The model is used
to determine if a file is malicious and looks for static attributes of files (without executing the file)
that include file structure, layout, and content. This also includes information such as portable
executable (PE) header data, imports, exports, section names, and file size. These attributes are
extracted from millions of file samples, which then are passed to a machine-learning algorithm that
distinguishes a benign file from a malicious one. The machine learning model is updated as new
data is procured and analyzed. This model is based on Google’s VirusTotal engine.
• The Endgame platform provides Application Programming Interface (API) integration through which
users can schedule periodic malware scans, generate audit log output and task audit logs, and
other required outputs. The API is based on representational state transfer (REST) principles,
where data resources are accessed via standard HTTPS requests in UTF-8 format to an API
endpoint. The Endgame platform communicates over HTTPS using JavaScript Object Notation
(JSON), and response data received is encoded as JSON.
• Endgame Arbiter®: Endgame’s advanced cloud-based malware intelligence platform that provides
behavioral and static malware analysis for all generated malware alerts. Users can submit the file
for analysis from within the platform management console and login to Endgame Arbiter® to view
the analysis report. The report provides a summary of the malware file, including filename, Endgame
MalwareScore®, hash values, static and behavioral analysis, reputation score, and VirusTotal
report. The reputation score is calculated from Endgame’s research team lab findings, VirusTotal,
and third-party partners.
– Endgame Arbiter® also communicates the updates pertaining to sensors, malware model, and
whitelists to the Endgame platform when connected to the cloud, and the Endgame platform
will distribute these updates to the sensors immediately.
• Multi-Client Management (MCM) Server/Endgame Platform: Management and monitoring server,
hosted on-premises at the customer’s headquarters or in the Amazon cloud. MCM allows
administrators and analysts to monitor enterprise health by viewing endpoint data across multiple
Endgame platforms from a single interface. MCM integrates several pieces of data from connected
endpoints, and with this data administrators can perform installations, monitor system health, and
take actions as necessary. The management console provides user and password management
features for login to MCM and can also be configured via Lightweight Directory Access Protocol
(LDAP). LDAP enables users registered within Active Directory (AD) to connect to the Endgame
platform with AD credentials. Role-Based Access Control (RBAC) functionality within the Endgame
platform provides local users with access to only specific functionality, page views, and permission
rights. The Endgame platform can log various tasks or actions providing support for audit trail
logging.
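As an added illustration of the static attributes listed above (PE header data, section names, file size), the following is example code written for this page; it is not Endgame MalwareScore or any Endgame code, and the rule-based indicator list at the end is an illustrative stand-in for, not a reproduction of, the machine-learning model the paper describes. The sample PE images are constructed in memory, with section names, content and flags chosen for the demonstration, and are not runnable programs.

```python
# Added example for this page: static PE attribute extraction of the kind a
# signature-less classifier consumes. Not Endgame MalwareScore or Endgame code;
# the sample images are constructed in memory and are not runnable programs.
import math
import struct
from collections import Counter

DOS_HEADER_LEN = 64        # IMAGE_DOS_HEADER
COFF_HEADER_LEN = 20       # IMAGE_FILE_HEADER
OPT_HEADER_LEN = 224       # IMAGE_OPTIONAL_HEADER32, fixed size used by the builder
SECTION_HEADER_LEN = 40    # IMAGE_SECTION_HEADER
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata",
                          ".edata", ".rsrc", ".reloc", ".tls"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_sample_pe(sections) -> bytes:
    """Constructed test input: a minimal PE32 image with a DOS header, PE signature,
    COFF header, zeroed optional header, section table and raw section data.
    `sections` is a list of (name_bytes, payload_bytes, characteristics)."""
    headers_len = (DOS_HEADER_LEN + 4 + COFF_HEADER_LEN + OPT_HEADER_LEN
                   + SECTION_HEADER_LEN * len(sections))
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", DOS_HEADER_LEN)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HEADER_LEN, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (OPT_HEADER_LEN - 2)   # PE32 magic
    table, raw, raw_ptr = b"", b"", headers_len
    for name, payload, flags in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000,
                             len(payload), raw_ptr, 0, 0, 0, 0, flags)
        raw += payload
        raw_ptr += len(payload)
    return dos + b"PE\x00\x00" + coff + opt + table + raw


def extract_static_features(blob: bytes) -> dict:
    """Read header fields and per-section attributes without executing anything."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    (machine, n_sections, _stamp, _symtab, _nsyms,
     opt_len, characteristics) = struct.unpack_from("<HHIIIHH", blob, coff_off)
    magic = struct.unpack_from("<H", blob, coff_off + COFF_HEADER_LEN)[0]
    table_off = coff_off + COFF_HEADER_LEN + opt_len
    sections = []
    for i in range(n_sections):
        (name, _vsize, _vaddr, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin,
         flags) = struct.unpack_from("<8sIIIIIIHHI", blob, table_off + SECTION_HEADER_LEN * i)
        data = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(data), 3),
            "executable": bool(flags & SCN_MEM_EXECUTE),
            "writable": bool(flags & SCN_MEM_WRITE),
        })
    return {"file_size": len(blob), "machine": machine, "pe32_plus": magic == 0x20B,
            "characteristics": characteristics, "num_sections": n_sections,
            "sections": sections}


def suspicion_indicators(features: dict) -> list:
    """Illustrative rule-based stand-in for what a trained model would weigh;
    each string names one attribute a reviewer would examine by hand."""
    hits = []
    for s in features["sections"]:
        if s["name"] not in STANDARD_SECTION_NAMES:
            hits.append(f"non-standard section name {s['name']!r}")
        if s["entropy"] > 7.0 and s["raw_size"] >= 256:
            hits.append(f"high-entropy section {s['name']!r} ({s['entropy']} bits/byte), "
                        "typical of packed or encrypted content")
        if s["executable"] and s["writable"]:
            hits.append(f"section {s['name']!r} is both writable and executable")
    if features["num_sections"] == 0:
        hits.append("empty section table")
    return hits


if __name__ == "__main__":
    packed = build_sample_pe([(b".packd", bytes(range(256)) * 8,
                               SCN_MEM_EXECUTE | SCN_MEM_WRITE | 0x20)])
    print(suspicion_indicators(extract_static_features(packed)))
```

The point of the exercise is that every attribute above is obtained from the file's structure alone, which is why such a check can run before execution; the entropy and section-flag rules are only two of the many features a trained model would weigh, and the benign and "packed" images the test builds differ only in those attributes.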
TECHNICAL SECURITY ASSESSMENT
ASSESSMENT METHODS
Coalfire used the following methods to assess the potential HIPAA coverage of the solution:
1. Analysis of the architecture and configuration of the solution in accordance with vendor guidelines.
2. Deployment of sensors to Windows systems along with enablement of policies. Windows policies
were configured to enforce the detection and prevention of known malware on file execution.
3. Examination of sensor configurations to confirm protection cannot be turned off by non-
administrators on Windows endpoints.
4. Execution of known malware samples (to include ransomware, backdoor, trojan horse, spyware,
virus, and worm) deliberately propagated to test machines.
5. Review of the backend component for verification of detection, execution prevention, and deletion of
all test malware samples for Windows endpoints. Also, evaluation of the backend component for
verification that sensors were deployed, communicating, up-to-date, performing periodic scans via
API scripts, and protecting against potential threats for the Windows endpoints.
ASSESSMENT ENVIRONMENT
The Endgame platform was hosted in the cloud for testing purposes and the sensor was installed on the
following system:
• Windows 2012 Server deployed in a virtual environment including default Windows applications
with other anti-virus solutions disabled.
NETWORK TRAFFIC ASSESSMENT
A Wireshark Ethernet port sniffer was used to monitor the following traffic for components within the
Endgame platform:
• Traffic from the Windows machine to the Endgame platform (Figure 2): No sensitive data was
transmitted over the network from the Windows machine with the sensor deployed to the Endgame
platform server and any log data or alert information was encrypted over TLS 1.2.
Figure 2: Communication between the Windows machine and the Endgame platform machine hosted in the
cloud. Encrypted data (logs or update information) is always transmitted.
TOOLS AND TECHNIQUES
Standard tools Coalfire utilized for this technical assessment included:
TOOL NAME: Live Malware Samples
DESCRIPTION: Sample binaries of known malware for Windows systems:
• Sample Windows malware obtained from theZoo aka Malware DB at http://thezoo.morirt.com/
• Sample Windows malware provided by Endgame vendor for testing purposes
*Note – Visiting and downloading from the above sites may lead to malware infection. Doing so is
strongly discouraged.

TOOL NAME: Wireshark
DESCRIPTION: Wireshark Ethernet port sniffer to observe the traffic coming in and out of the system
REFERENCES
HIPAA Security Rule - https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
HIPAA Administrative Simplification - Regulation Text -
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
Endgame Administrator Guide: Admin User Guide - 2.4.pdf
Endgame User Guide: User Guide - 2.4.pdf
Endgame API Documentation: Endgame API Docs.pdf
Endgame Platform Upgrade: Upgrade Endgame to the 2.4[1].pdf
Endgame Sensor Upgrade: Sensor Upgrade via Upload and Execute[1].pdf
Cloud Updates to Platform: Cloud Communication Design.pdf
APPENDIX A: HIPAA REQUIREMENTS COVERAGE MATRIX

* Note: Some features described in the tables below extend beyond the requirements of the HIPAA Security
Rule. They are noted for audience review purposes.

Compliance level legend:
• Compliance directly supported via use of the Endgame platform
• Requires action by organization for full compliance

HIPAA Security Rule – Administrative Safeguards – §164.308

Security Awareness and Training – 164.308(a)(5)(i)
Implement a security awareness and training program for all members of its workforce (including management).

Protection from Malicious Software – 164.308(a)(5)(ii)(B) (Addressable)
Requirement: Procedures for guarding against, detecting, and reporting malicious software.
Assessor comments: Endgame provides the following features:
• Can directly deploy sensors (endpoint software application) on Windows systems through the Endgame
management console. Sensors can also be deployed manually on Windows through a command line terminal.
• Provides direct monitoring capability for the sensor-deployed systems through the Endgame management
console (hosted on a customer’s physical premises or in the cloud).
• Endgame uses Endgame MalwareScore® to detect and prevent known malware. This allows Endgame to detect
known malware, block it from running, and remove it when requested by an Administrator. Testing showed
that Endgame was able to detect, block at file execution, and remove malware by providing the file path
for several examples of viruses, Trojans, ransomware, rootkits, and other known malware on the Windows
OS endpoint.
• Administrators can configure the policies on Windows systems to detect and prevent malware. Deletion of
a file requires actions to be performed on the endpoints through the management console. The
configurations have to be performed by Administrators to meet the regulations.

Security Incident Procedures – 164.308(a)(6)(i)
Implement policies and procedures to address security incidents.

Response and Reporting – 164.308(a)(6)(ii) (Required)
Requirement: Identify and respond to suspected or known security incidents; mitigate, to the extent
practicable, harmful effects of security incidents that are known to the covered entity or business
associate; and document security incidents and their outcomes.
Assessor comments:
• This process/procedure requirement can only be partially met since Endgame does not cover all security
incidents; the software only focuses on malicious software incidents. The documentation of security
incidents and their outcomes remains the responsibility of the customer.
• Administrators can configure the policies on Windows systems to detect and prevent malware. Deletion of
a file requires actions to be performed on the endpoints through the management console. The
configurations have to be performed by Administrators in order to be compliant with HIPAA regulations.
• Alerting features are provided through the management console for all malware-related threats. Logging
for actions taken by users or Administrators as well as tasks that were executed for Windows endpoints
can be generated via API scripts. These scripts have to be executed on the Endgame platform for
retrieving logs for all endpoints. The Endgame solution provides features to be integrated with Security
Information and Event Management (SIEM) products and Simple Mail Transfer Protocol (SMTP) servers for
log forwarding to retain logs as required by the customer’s retention policy.
• The sensor software installed on Windows endpoints checks and detects malicious files on execution and
performs real-time checks against Endgame MalwareScore®.
• While Endgame can help to meet the requirements for protection against malware, it is up to
Administrators to create and document specific policies as required for their respective environments.
The alerting features can be used to address the security incidents specific to Windows endpoints.
Additional security incidents will have to be documented and implemented by the customer, as this
platform only provides notifications on actions taken on files.

HIPAA Security Rule – Technical Safeguards – §164.312

Audit Controls – 164.312(b) (Required)
Requirement: Implement hardware, software, and/or procedural mechanisms that record and examine activity
in information systems that contain or use electronic protected health information.
Assessor comments:
• Endgame can only provide assistance on this requirement for examining malicious activities on the
information systems that could potentially contain ePHI; however, ePHI data cannot be distinguished by
the Endgame platform and it remains the responsibility of the organization to deploy the sensor on all
endpoints for compliance.
• The Endgame management and monitoring console shows the monitoring status (Active, Inactive,
Unmonitored, or Deployment Failure status mode) of all endpoints where the sensor is deployed through
the management console.
• The management console provides the functionality to delete or uninstall the endpoint sensor device
based on the administrator type setting and permissions. No users can disable the sensor software
running locally on the Windows machine without appropriate administrator permissions.
• Alerting features are provided through the management console for all malware-related threats
identified. The Endgame platform provides features for development of API scripts to generate audit
logs for actions performed by users or Administrators on the management console as well as tasks that
were executed for Windows endpoints from within the management console. The alerts and logging
information combined can meet the audit controls requirement for HIPAA.
APPENDIX B: EXECUTED TEST PLAN

HIPAA Security Rule – Administrative Safeguards – §164.308

Security Awareness and Training – 164.308(a)(5)(i)
Implement a security awareness and training program for all members of its workforce (including management).

Protection from Malicious Software – 164.308(a)(5)(ii)(B) (Addressable)
Requirement: Procedures for guarding against, detecting, and reporting malicious software.
Endgame testing and results: Produced a report and log record that indicated that the sensor software was
installed, active, and gathered events to detect and prevent threats from endpoints within scope of HIPAA.
1. Detect all "KNOWN" types of malicious software: Endgame MalwareScore® allows Endgame to detect known
malware and block it from running. The types of malware that were detected included ransomware,
backdoor, trojan horse, spyware, virus, and worm.
2. Remove all "KNOWN" types of malicious software: Demonstrated that administrator users can delete the
detected malicious file through the management console. The types of malware that were deleted included
ransomware, backdoor, trojan horse, spyware, virus, and worm.
3. Protect against all "KNOWN" types of malicious software: Demonstrated that the solution detected and
then banned or blocked known malware that was part of the known malware list from VirusTotal for
Windows endpoints. The types of malware that were protected against included ransomware, backdoor,
trojan horse, spyware, virus, and worm.

Security Incident Procedures – 164.308(a)(6)(i)
Implement policies and procedures to address security incidents.

Response and Reporting – 164.308(a)(6)(ii) (Required)
Requirement: Identify and respond to suspected or known security incidents; mitigate, to the extent
practicable, harmful effects of security incidents that are known to the covered entity or business
associate; and document security incidents and their outcomes.
Endgame testing and results:
• Note: this is a process/procedure that has to be developed by the customer. The below tested features
can, however, assist users in partially implementing or meeting the requirement to address security
incidents that occur on Windows endpoints. The documentation of security incidents and their outcomes
remains the responsibility of the organization.
• Demonstrated that Endgame scanned in-scope systems for malware.
• Endgame MalwareScore® allows Endgame to detect known malware and block it from running. The types of
malware that were detected included ransomware, backdoors, trojan horses, spyware, viruses, and worms.
The malicious files can be deleted by administrators manually from within the management console.
• Demonstrated how MalwareScore® analyzed the malicious files for Windows endpoints.
• Demonstrated that Endgame’s machine learning model was sourced from current repositories and received
information through Arbiter. This information could then be used by customers in their environment for
risk mitigation purposes.
• Demonstrated alerting and reporting of security incidents such as detection and prevention of malware.
Alert information could be forwarded to the configured Syslog server. Logging of actions performed by
users or Administrators on the management console as well as tasks that were executed for Windows
endpoints from within the management console could be generated by the Endgame platform via API
scripts. These logs could be forwarded by administrators for review to Syslog servers.

HIPAA Security Rule – Technical Safeguards – §164.312

Audit Controls – 164.312(b) (Required)
Requirement: Implement hardware, software, and/or procedural mechanisms that record and examine activity
in information systems that contain or use electronic protected health information.
Endgame testing and results:
• Produced a report and log record that indicated that the sensor was installed, active, and gathered
events to detect and prevent threats from endpoints within scope of HIPAA.
• The Endgame management and monitoring console demonstrated the monitoring status (Active, Inactive,
Unmonitored, or Deployment Failure status mode) of all endpoints where the sensor is deployed through
the management console.
• Demonstrated that Endgame could be configured by a user with proper administrative access and that a
policy was in place that dictated when authorized changes could be made.
• Demonstrated that the sensor had tamper protection enabled and that no unauthorized users could tamper
with the services.
• Demonstrated that Endgame logs were queried and that health statistics regarding the client software
were collected to provide proof of agent uptime as well as policy compliance.
• Demonstrated that email alerts were received for any malicious activity that occurred on the Windows
endpoints.
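The audit-log retrieval via API scripts and the forwarding of those logs to Syslog or SIEM servers, described in Appendices A and B, as an added example written for this page (it is not Endgame's API scripts or client): it builds the HTTPS request for the audit records, parses a constructed JSON audit response, normalises each record into an RFC 5424 syslog line so a SIEM can retain it under the customer's retention policy, and separates the actions a reviewer would want escalated rather than merely stored. The endpoint path /api/v1/audit-logs, the bearer-token header, the record field names and the action names are assumptions; the enterprise number 32473 in the structured-data element is the one reserved for documentation.

```python
# Added example for this page: pull audit-log records from a REST/JSON endpoint
# and normalise them into RFC 5424 syslog lines for SIEM forwarding. Not
# Endgame's API scripts or client. The endpoint path, token header, field names
# and action names are assumptions; the response below is constructed.
import json
import urllib.request

FACILITY_LOG_AUDIT = 13               # RFC 5424 facility 13 = log audit
SEVERITY_INFO, SEVERITY_WARNING, SEVERITY_ERROR = 6, 4, 3

# Assumed action names that a reviewer would want escalated, not merely retained.
HIGH_RISK_ACTIONS = {
    "sensor_uninstall": SEVERITY_ERROR,
    "policy_change": SEVERITY_WARNING,
    "user_role_change": SEVERITY_WARNING,
}

# Constructed sample of what an audit-log API response might carry.
CONSTRUCTED_RESPONSE = json.dumps({"data": [
    {"timestamp": "2017-10-20T14:02:11Z", "user": "analyst1", "action": "file_delete",
     "endpoint": "WIN2012-LAB-01", "detail": "C:\\Users\\Public\\sample.exe"},
    {"timestamp": "2017-10-20T14:05:47Z", "user": "admin", "action": "sensor_uninstall",
     "endpoint": "WIN2012-LAB-01", "detail": "requested from console"},
    {"timestamp": "2017-10-20T14:06:03Z", "user": "admin", "action": "policy_change",
     "endpoint": "", "detail": "ransomware_protection=on"},
]}).encode("utf-8")


def build_audit_request(base_url: str, token: str, since: str) -> urllib.request.Request:
    """Build (but do not send) the HTTPS GET for audit records newer than `since`.
    The path /api/v1/audit-logs and the bearer-token header are assumptions."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send an API token over a non-HTTPS URL")
    url = f"{base_url.rstrip('/')}/api/v1/audit-logs?since={since}"
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json; charset=utf-8",
    })


def parse_audit_response(body: bytes) -> list:
    """Decode the UTF-8 JSON body and reject records lacking the fields we rely on."""
    records = json.loads(body.decode("utf-8"))["data"]
    for record in records:
        for key in ("timestamp", "user", "action"):
            if key not in record:
                raise ValueError(f"audit record missing {key!r}: {record}")
    return records


def _sd_escape(value: str) -> str:
    # RFC 5424 section 6.3.3: escape backslash, double quote and ']' in PARAM-VALUE
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(record: dict, hostname: str, app: str = "endgame-audit") -> str:
    """One RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG."""
    severity = HIGH_RISK_ACTIONS.get(record["action"], SEVERITY_INFO)
    pri = FACILITY_LOG_AUDIT * 8 + severity
    sd = (f'[audit@32473 user="{_sd_escape(record["user"])}"'
          f' action="{_sd_escape(record["action"])}"'
          f' endpoint="{_sd_escape(record.get("endpoint") or "-")}"]')
    return f"<{pri}>1 {record['timestamp']} {hostname} {app} - {record['action']} {sd} " \
           f"{record.get('detail', '')}"


def forward_records(body: bytes, hostname: str) -> dict:
    """Return the syslog lines to ship plus the subset of records to escalate."""
    records = parse_audit_response(body)
    return {
        "lines": [to_syslog(r, hostname) for r in records],
        "escalations": [r for r in records if r["action"] in HIGH_RISK_ACTIONS],
    }


if __name__ == "__main__":
    for line in forward_records(CONSTRUCTED_RESPONSE, "mcm-lab")["lines"]:
        print(line)
```

The request builder refuses plain-HTTP base URLs because the token would otherwise travel in the clear, which matches the paper's observation that platform traffic is TLS-protected; the severity mapping is where an operator encodes which console actions (sensor removal, policy edits) deserve an alert rather than only a retained record.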
CONCLUSION

After reviewing the requirements of the HIPAA Security Rule, Coalfire determined, through review of
business impacts and a technical assessment, that Endgame, as outlined in this document, meets the
Protection from Malicious Software requirement of the HIPAA Security Rule. The ability to achieve overall
compliance with any regulation or standard will be dependent upon the specific design and implementation
of the Endgame platform.
Endgame demonstrated a high level of flexibility for managing endpoints, customization of policies, file analysis, notifications, configurations including logging, and LDAP and RBAC settings, which makes it an option for companies aiming to comply with HIPAA malicious software requirements.
ABOUT THE AUTHORS
Bhavna Sondhi | Senior Security Consultant | CISA, QSA (P2PE), PA-QSA (P2PE)
Bhavna Sondhi is a Sr. Security Consultant for the Application Security team at Coalfire. Bhavna is responsible for conducting PCI DSS, PA-DSS, and P2PE assessments as well as authoring technical whitepapers. Bhavna joined Coalfire in 2013 and brings over 11 years of software engineering and Information Security experience to the team, leading extensive consulting and assessment engagements within USA, Europe, and Asia. As a lead PA-QSA and P2PE-QSA, Bhavna supports assessments for some of the largest payment software providers in the world and her software engineering experience plays a vital part in ensuring the teams recognize the importance of secure code development and Information Security within their operational practices.
Andrew Hicks | Managing Principal, Healthcare and Life Sciences | MBA, CISA, CCM, HCISPP, CCSFP
Andrew Hicks is the Managing Principal for Coalfire’s Healthcare and Life Sciences Practice. He is responsible for the strategy and vision that allows Coalfire to best serve organizations in the healthcare industry. Andrew has nearly 20 years of experience in IT audit, security, and governance, 15 of which are directly related to healthcare.
Andrew is known in the industry as a thought leader and subject matter expert on the topics of HIPAA/HITECH, HITRUST, NIST, and various other IT security regulations and frameworks. Andrew is a sought-after advisor for some of the largest health systems in the world, as well as the world’s largest cloud service providers. He is an active speaker and member of numerous working groups within the industry.
Published November 2017.
ABOUT COALFIRE
Coalfire is the cybersecurity advisor that helps private and public sector organizations avert threats, close gaps, and effectively manage risk. By providing independent and tailored advice, assessments, technical testing, and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives, and fuel their continued success. Coalfire has been a cybersecurity thought leader for more than 16 years and has offices throughout the United States and Europe. Coalfire.com
Copyright © 2014-2017 Coalfire Systems, Inc. All Rights Reserved. Coalfire is solely responsible for the contents of this document as of the date of publication. The contents of this document are subject to change at any time based on revisions to the applicable regulations and standards (HIPAA, PCI-DSS et al.). Consequently, any forward-looking statements are not predictions and are subject to change without notice. While Coalfire has endeavored to ensure that the information contained in this document has been obtained from reliable sources, there may be regulatory, compliance, or other reasons that prevent us from doing so. Consequently, Coalfire is not responsible for any errors or omissions, or for the results obtained from the use of this information. Coalfire reserves the right to revise any or all of this document to reflect an accurate representation of the content relative to the current technology landscape. In order to maintain contextual accuracy of this document, all references to this document must explicitly reference the entirety of the document inclusive of the title and publication date; neither party will publish a press release referring to the other party or excerpting highlights from the document without prior written approval of the other party. If you have questions with regard to any legal or compliance matters referenced herein you should consult legal counsel, your security advisor and/or your relevant standard authority.