Antivirus and Anti-Malware
HICP Practice 2.2 requires you to keep current antivirus and anti-malware software on every endpoint, with automated signature/definition updates enabled and working. To operationalize it fast, standardize on an endpoint protection tool, enforce coverage via device management, monitor update/health status centrally, and retain proof that endpoints are protected and updating. 1
Key takeaways:
- You must cover all endpoints (workstations, servers, laptops, and managed mobile endpoints where applicable) with anti-malware and automatic updates. 1
- Auditors care less about the brand and more about coverage, update currency, alert handling, and evidence you can produce quickly.
- Treat exceptions (legacy devices, medical devices, third-party managed endpoints) as a governed workflow with compensating controls and documented risk acceptance.
“Antivirus and anti-malware requirement” sounds simple until you have to prove it under audit conditions: every endpoint is covered, signatures update automatically, protections can’t be casually disabled, and alerts lead to action. HICP Practice 2.2 is short, but it implies an operating model: a standard endpoint protection baseline, deployment and enforcement mechanisms, continuous monitoring, and an evidence trail that survives staff turnover.
For healthcare organizations and Health IT vendors, endpoint scope is where most programs fail. Endpoints often include more than corporate laptops: shared clinical workstations, on-prem and cloud-hosted servers, kiosks, and contractor devices that access production environments. You also have “hard” endpoints like legacy systems, thin clients, and medical devices where traditional agents may be constrained. HICP does not give you a pass. It expects you to maintain current protections and automated updates, and to manage gaps in a controlled, documented way. 1
This page translates the requirement into step-by-step execution, the artifacts to retain, and the audit questions you should be ready to answer in minutes, not weeks.
Regulatory text
HICP Practice 2.2 (excerpt): “Maintain current antivirus and anti-malware software with automated signature updates on all endpoints.” 1
Operator interpretation (what this means in practice):
- “Maintain current” means the software is installed, supported, and reporting healthy status; definitions/signatures are updating; and the engine is not outdated or broken. 1
- “Automated signature updates” means endpoints receive updates automatically without relying on manual user action or ad hoc IT pushes. 1
- “All endpoints” means you need a defined endpoint inventory and a control that reaches every endpoint in scope, plus an exception process for the ones you cannot instrument. 1
Plain-English requirement
You need an endpoint protection program that (1) installs antivirus/anti-malware on endpoints, (2) keeps it up to date automatically, and (3) lets you prove—at any time—which endpoints are protected, which are not, and what you did about it. 1
Who it applies to (entity and operational context)
Entity types 2:
- Healthcare Organizations
- Health IT Vendors 1
Operationally, apply it wherever endpoints exist, including:
- Corporate IT endpoints (Windows/macOS workstations, laptops)
- Servers (on-prem, virtual, and cloud-hosted OS instances you manage)
- Shared clinical endpoints (nurse stations, registration kiosks, exam-room workstations)
- Managed mobile endpoints (if your organization manages them and they run supported endpoint protection tooling)
- Remote endpoints connecting via VPN/VDI/remote access
- Third-party managed endpoints that connect to your environment or process your data (handle via contract requirements, attestations, and access controls if you cannot deploy your tool)
Scope decision you should document once and reuse: Create a one-page “Endpoint Protection Scope Statement” that defines:
- What counts as an endpoint in your environment
- What environments are included (corp, clinical, production, dev/test)
- How you handle BYOD, contractors, and third parties
- What constitutes “current” and “automated updates” in your tooling
What you actually need to do (step-by-step)
1) Standardize the endpoint protection baseline
- Pick the standard anti-malware capability per endpoint type (workstation vs server). Brand matters less than manageability and proof.
- Define minimum settings:
  - Real-time protection enabled
  - Automatic signature/definition updates enabled
  - Tamper protection (or admin controls) to prevent users from disabling protection
  - Quarantine/response defaults aligned to your risk tolerance (document the default actions)
- Write an “Endpoint Protection Standard” that is short and testable. Avoid aspirational language.
Practical tip: If you support multiple tools due to mergers or special environments, treat that as a temporary state with an explicit consolidation plan and a unified reporting view.
2) Build and reconcile an endpoint inventory (the control’s foundation)
You cannot prove “all endpoints” without an authoritative list. Build a reconciled inventory view using:
- Directory/identity sources (for corporate devices)
- Device management (MDM/UEM) sources
- Server/VM/cloud instance listings for managed servers
- Network discovery for unmanaged/unknown devices
Then compare the inventory against endpoint protection console coverage to identify:
- No agent installed
- Agent installed but unhealthy
- Definitions not updating
- Endpoint not checking in
3) Deploy the software to endpoints and enforce coverage
- Use centralized deployment mechanisms:
  - Endpoint management tooling for workstations and laptops
  - Server configuration management for servers
  - Golden images for VDI and shared workstations
- Enforce policies:
  - Block local admin removal where feasible
  - Require device compliance for access to sensitive systems (where your access stack supports it)
Minimum operational outcome: New endpoints must receive protection automatically as part of provisioning, not as a manual ticket.
4) Prove automated updates are enabled and working
Automated updates are not “set it and forget it.” You need monitoring that detects update failures.
Operationalize this as:
- A console report (or dashboard) showing signature currency and last update time
- Alerts/tickets when endpoints exceed your defined “stale” threshold (define it internally, then apply consistently)
- A remediation playbook:
  - force update
  - troubleshoot proxy/firewall/DNS
  - reinstall agent if broken
  - isolate endpoint if suspicious or persistently noncompliant
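Steps 2 and 4 above (reconcile the inventory against console coverage, then flag stale definitions and endpoints that stopped checking in) as one added example; this is not from the HICP text or any vendor console. It reads two constructed CSV exports whose column names are assumptions, applies assumed 72-hour and 24-hour thresholds, and assigns each inventoried host one of the gap categories listed in step 2.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed internal thresholds; HICP leaves the definition of "current" to you.
STALE_DEFINITIONS = timedelta(hours=72)
NO_CHECKIN = timedelta(hours=24)

# Constructed inventory (stand-in for a merged AD/MDM/vCenter/discovery view).
INVENTORY_CSV = """hostname,source,environment
ws-reg-01,mdm,clinical
ws-exam-07,mdm,clinical
srv-ehr-db1,vcenter,production
lt-finance-22,ad,corp
kiosk-lobby-3,netdiscovery,clinical
"""

# Constructed EPP console export; column names are assumptions, not a vendor schema.
CONSOLE_CSV = """hostname,agent_running,realtime_protection,definitions_updated,last_seen
ws-reg-01,true,true,2024-05-10T07:50:00Z,2024-05-10T08:00:00Z
ws-exam-07,true,false,2024-05-10T07:55:00Z,2024-05-10T08:05:00Z
srv-ehr-db1,true,true,2024-05-03T02:00:00Z,2024-05-10T08:01:00Z
lt-finance-22,true,true,2024-05-06T12:00:00Z,2024-05-06T12:30:00Z
srv-test-99,true,true,2024-05-10T07:00:00Z,2024-05-10T08:00:00Z
"""

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(inventory_csv, console_csv, now):
    """Map each inventoried host to protected / no_agent / not_checking_in /
    agent_unhealthy / definitions_stale; also return console hosts the inventory lacks."""
    console = {r["hostname"]: r for r in csv.DictReader(io.StringIO(console_csv))}
    status = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, rec = row["hostname"], console.get(row["hostname"])
        if rec is None:
            status[host] = "no_agent"
        # A host that stopped reporting has untrustworthy health fields; test that first.
        elif now - parse_ts(rec["last_seen"]) > NO_CHECKIN:
            status[host] = "not_checking_in"
        elif rec["agent_running"] != "true" or rec["realtime_protection"] != "true":
            status[host] = "agent_unhealthy"
        elif now - parse_ts(rec["definitions_updated"]) > STALE_DEFINITIONS:
            status[host] = "definitions_stale"
        else:
            status[host] = "protected"
    # Known to the console but absent from the inventory: an inventory gap, not a coverage gap.
    unknown_to_inventory = sorted(set(console) - set(status))
    return status, unknown_to_inventory
```

Every status other than "protected" is a ticketable finding for the remediation playbook; the second return value tells you the inventory itself needs reconciling.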
5) Establish alert triage and incident handoff
Anti-malware findings become audit issues when alerts are ignored.
Build a simple workflow:
- Who reviews detections (IT Ops, SecOps, or MDR)?
- What severity levels trigger escalation?
- When do you isolate a host?
- What evidence do you capture for closure (hash, hostname, user, time, action taken)?
Keep the playbook tight enough that an analyst can follow it at 2 a.m.
6) Handle exceptions with compensating controls (don’t hide them)
You will have endpoints where agents are not supported (legacy OS, specialized medical devices). Treat these as managed exceptions:
- Document the endpoint, owner, business justification, and constraint
- Apply compensating controls appropriate to the environment, such as:
  - network segmentation
  - application allowlisting (where feasible)
  - restricted internet access
  - enhanced monitoring at network layer
  - virtual patching or strict change control
Define who can approve exceptions and how often you review them.
7) Extend expectations to third parties where relevant
If third parties access your environment or handle your data, make endpoint protection part of access and contracting:
- Require endpoint protection and automatic updates for third-party devices that connect to your network or access sensitive systems
- If you cannot enforce, restrict access (VDI, jump boxes, conditional access) and collect attestations
Daydream can help centralize third-party due diligence requests and keep endpoint protection attestations, exceptions, and renewal evidence tied to each third party’s record so you can answer “who has access without endpoint controls?” fast.
Required evidence and artifacts to retain
Keep evidence that proves coverage, currency, and operations:
Governance artifacts
- Endpoint Protection Standard (settings baseline)
- Endpoint Protection Scope Statement (what “all endpoints” means for you)
- Exception register (with approvals and compensating controls)
- Roles and responsibilities (who monitors, who remediates, who approves exceptions)
Technical evidence
- Endpoint protection console exports:
  - device coverage list
  - signature/definition update status
  - health status (agent running, real-time protection enabled)
- Sample endpoint configuration screenshots (or policy exports) showing:
  - automatic updates enabled
  - tamper protection / disablement controls
- Ticket/alert records showing:
  - detections
  - triage actions
  - remediation and closure notes
- Deployment evidence:
  - device management policies
  - software deployment logs
  - provisioning checklist showing automatic installation step
Audit-ready packaging tip: Maintain a single “Endpoint Protection Evidence Packet” folder with dated exports and a short readme that explains each artifact and where it came from.
Common exam/audit questions and hangups
Expect these questions, and prep answers with artifacts:
- “Define ‘endpoint.’ Did you include clinical workstations and servers?” Hangup: A narrow definition that excludes shared systems.
- “Show me a list of all endpoints and which ones are protected.” Hangup: Inventory and tool coverage don’t reconcile.
- “How do you know signatures update automatically?” Hangup: Settings exist, but you cannot demonstrate update success rates or identify stale devices without manual work.
- “Can users disable protection?” Hangup: Local admin rights or weak tamper controls.
- “What do you do when malware is detected?” Hangup: No consistent triage workflow; closures lack evidence.
- “What about devices where an agent can’t be installed?” Hangup: Undocumented exceptions or compensating controls that aren’t real (for example, “we’re careful”).
Frequent implementation mistakes (and how to avoid them)
- Mistake: Counting “installed” as compliant. Fix: Define compliance as installed + healthy + updating + reporting.
- Mistake: No owner for clinical endpoints. Fix: Assign a business owner and a technical owner per endpoint group; make patching and endpoint protection part of their operating responsibilities.
- Mistake: Overlooking server coverage. Fix: Treat servers as first-class endpoints. Ensure licensing, deployment, and monitoring cover them explicitly.
- Mistake: Exceptions by email. Fix: Use a tracked exception register with approvals, review cadence, and compensating controls.
- Mistake: Third-party access without endpoint requirements. Fix: Put endpoint protection expectations into access methods (VDI/jump host) and third-party security requirements.
Risk implications (why auditors push on this)
HICP Practice 2.2 targets common malware entry points: email attachments, drive-by downloads, compromised software, and infected removable media. If signatures are stale or protection is disabled, endpoint compromise becomes a realistic path to credential theft, lateral movement, and disruption of clinical operations. The operational risk is compounded in healthcare because shared endpoints and specialized devices often have weaker controls and longer replacement cycles. 1
Practical 30/60/90-day execution plan
First 30 days (stabilize and get visibility)
- Publish the Endpoint Protection Scope Statement and Endpoint Protection Standard.
- Stand up a single reporting view: inventory vs endpoint protection coverage.
- Turn on automated updates and tamper protections in policy (or confirm they are already enforced).
- Start an exception register for devices that cannot run the agent.
Days 31–60 (close coverage gaps and operationalize response)
- Remediate endpoints without protection or with unhealthy agents.
- Implement alert routing into your ticketing/incident workflow with clear ownership.
- Create the remediation playbook for stale signatures and non-check-in endpoints.
- Add third-party endpoint requirements to access pathways and security questionnaires where relevant; track attestations and exceptions.
Days 61–90 (make it durable and audit-ready)
- Automate compliance reporting (scheduled exports or dashboards) and archive evidence snapshots.
- Run an internal tabletop: “malware detected on a clinical workstation” and validate triage, isolation, and evidence capture.
- Review exceptions with stakeholders; tighten compensating controls where needed.
- Package an “Endpoint Protection Evidence Packet” that you can hand to auditors without rebuilding it.
Frequently Asked Questions
Does HICP Practice 2.2 require a specific antivirus product?
No product is specified in the HICP text. The requirement is outcome-based: current antivirus/anti-malware on all endpoints with automated signature updates enabled and working. 1
What counts as an “endpoint” for this requirement?
Treat endpoints as any device or system instance that runs an operating system and can execute code in your environment, including workstations and servers. Document your scope explicitly and reconcile it to your tool’s coverage reporting. 1
How do we handle medical devices or legacy systems that can’t run an agent?
Put them in a formal exception register with an approval, a reason the agent is not possible, and compensating controls such as segmentation and restricted connectivity. Auditors look for managed, reviewed exceptions rather than hidden gaps. 1
Is “automatic updates enabled” enough to meet the requirement?
You also need to show that endpoints actually receive updates and remain current over time. Keep console evidence of signature currency and a process for investigating stale endpoints. 1
How should we treat contractors or third parties who access our systems?
If third-party endpoints connect to your network or access sensitive systems, require endpoint protection with automatic updates through contractual requirements and access controls. Where you cannot enforce an agent, restrict access through managed pathways like VDI or jump hosts and retain attestations.
What evidence is most persuasive in an audit?
A reconciled endpoint list mapped to protection status, plus dated exports showing signature currency and health, and a small set of closed tickets that demonstrate your response workflow. Keep exceptions documented with approvals and compensating controls. 1
Footnotes
1. HICP 2023 - 405(d) Health Industry Cybersecurity Practices