System Vulnerability Scanning

Vulnerability scanning services give transparency into the vulnerabilities that exist in systems and software. HMS Information Security can setup regular vulnerability assessments of systems and web applications in order to gain transparency into security vulnerabilities that may exist. Vulnerability scan reports are based on the criticality of the risk so that patches and remediation can be prioritized.

Vendor Security Assessments

It is critical that, when dealing with 3rd party vendors, their security posture be reviewed for their fitness to store HMS information. HMS Information Security is responsible for the review and approval of any vendor that will access, store, or process Harvard Medical School information. You can begin the process of having a vendor reviewed by sending an email to or by contacting the HMS IT Service Desk.

The process followed by HMS Information Security is as follows:

  1. Receive request from business unit
  2. Obtain and review any independent assessment to the vendors security controls
    1. Is there an SSAE16 SOC 1 and SOC2?
    2. Code Assessment? (Veracode or Appscan)
    3. PenTest or Vulnerability Assessment?
  3. Obtain and review any policy or governance documentation, including:
    1. Information Security Policy
    2. Incident Response guide
    3. MA 201 CMR 17 compliance statement or completed checklist
    4. Evidence of Training or background screening
    5. System build or hardening guide
    6. Data handling and destruction
    7. Implementation guide
  4. Classify data using Harvard data classification standards
  5. Send data classification worksheet to vendor for established data security level and review responses
  6. Communicate approval or caution to requesting business unit

The HMS Information Security Officer will review the information received from the vendor and make a determination as to the vendor's ability to meet the information security requirements based on the data classification.

Note that a contract must also be in place with the vendor. Contracts must be reviewed by the Harvard Office of General Counsel for appropriate language.

Web Application Security Assessments

Web application security is an increasingly important part of a holistic information security program. HMS Information Security provides scanning services that can evaluate the integrity of web applications by identifying any vulnerabilities that could be exploited in order to cause an outage of the application, cause a breach of Harvard data, or affect the integrity of the data.

Web applications should be scanned for security vulnerabilities prior to going into production. Web applications should also be periodically reviewed to ensure that they remain secure.

HMS Information Security will work with application developers to provide security scans in order to remediate any vulnerabilities. Applications that are not scanned run the risk of being removed from production should they be determined to constitute an information security risk to the HMS network.

Since the vulnerability scans can be intrusive, HMS Information Security recommends the following:

  • Site contents and any connected databases should be backed up prior to the scan and restored following the scan
  • The scan will try to inject code into the database and may cause other issues with sites as it tries to exploit any vulnerabilities in the code
  • All email forms should be “black holed” or disabled
  • Credentials should be provided if the site has an option to authenticate

If applications are hosted by another vendor (AWS), then the application owner must provide notification to the provider that the scan will occur.

To schedule an application security scan, contact HMS Information Security at or through the HMS IT Service Desk.

Research Data Security Services

HMS Information Security works with the Harvard LMA IRB and HMS Sponsored Programs in order to review security requirements from Harvard policy, applicable state and federal regulations, and contractual agreements.