16. Vulnerability Scanning Policy
Penn Medicine is proactive about information security and understands that vulnerabilities need to be monitored on an ongoing basis.
The purpose of the Threat & Vulnerability Operations (TVO) policy is to safeguard the organization's cyber infrastructure, protect sensitive data, and maintain the trust of all stakeholders. The goal is to proactively identify and mitigate vulnerabilities that could compromise the organization's systems and critical data.
This policy applies to all Penn Medicine entities, departments, employees, and workforce members within the University of Pennsylvania Health System and the Perelman School of Medicine, as well as any third parties who access, use, store, transfer, transport, produce or dispose of information technology, resources, or systems owned or managed by Penn Medicine. This document also covers any electronic devices connecting to any Penn Medicine networks or systems.
16.1 Applicable Standards
16.1.1 Applicable Standards from the HITRUST Common Security Framework
- 10.m - Control of Technical Vulnerabilities
16.1.2 Applicable Standards from the HIPAA Security Rule
- 164.308(a)(8) - Evaluation
16.2 Vulnerability Scanning Policy
W2H is subordinate to the Penn Medicine Cybersecurity policy - Threat and Vulnerability Operations (TVO) policy version 1.1 (or any subsequent version), released 10/16/2024. The policy is as follows:
Penn Medicine shall leverage industry-recognized vulnerability management practices to strengthen the security and resilience of its technology infrastructure against evolving and sophisticated attack vectors. To ensure the continued effectiveness of cybersecurity & data privacy controls, Penn Medicine shall systematically evaluate the entire cyber ecosystem, so that potential vulnerabilities can be identified and remediated according to a prioritized, risk-based approach.