Chandra Bilugu – Aegify

A perspective of compliance readiness of healthcare businesses

Chandra Bilugu — Wed, 13 Jul 2016 23:36:00 +0000

Checking compliance and security, the Aegify way

In 1996, the Health Information Portability and Accountability Act, most commonly known as HIPAA, was passed with one of its goals being to ensure uninterrupted coverage for patients. Health Care Organizations (HCOs) need to be able to pass patient records and other data back-and-forth. For this to happen efficiently and reliably, healthcare records would need to become more portable (hence the ‘Portability’ in the act’s title). So the bill set forth new terminology and Electronic Data Interchange (EDI) code sets for transmitting data.

Two parts of HIPAA require attention:

The Security Rule (164.306), which establishes safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (PHI).
The Privacy Rule (164.502), which orders HCOs to protect PHI and defines the allowable uses and disclosures of PHI, in contrast to “de-identified” health information.

The assured portability of healthcare information plays a tremendous role in improving the safety, efficiency, and quality of healthcare. The act seeks to assure that anyone and everyone who participates in moving PHI from place-to-place accepts accountability that, at least in part, assures privacy.

Sweeping changes were made to the HIPAA privacy and Security Rules since they were first implemented with the Omnibus Final Rule, effective September 23rd, 2013.

Protected Health Information (PHI) includes any data, including demographic information that relates to any of the following:

An individual’s past, present or future physical or mental health or condition.
The provision of healthcare to an individual.
The past, present, or future payment for the provision of health care to an individual that also identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, and Social Security number).

Why Security and Risk Analysis are a must for HIPAA Compliance and Meaningful Use Attestation?

Chandra Bilugu — Wed, 13 Jul 2016 22:09:37 +0000

Security Analysis

The task of managing security is complex. Over 32K security gaps are now documented as potential vulnerabilities and are growing alarmingly. The recently discovered vulnerabilities that were lying dormant for years, such as the Heart-bleed, shell shock, and poodle bugs, and the recent GHOST vulnerability have added new dimensions to the security gaps.

Many of the new path breaking technology developments, may not have factored the safety and security components adequately during their development, introduction in the market and their very fast acceptance due to their appeal. The interconnectivity of these new devices is leading us to voluminous data availability and exposure via, smartphones, Internet of Things (IoT), cloud -based – applications, authentication and storage solutions. Pieces of information picked up from these huge number of connected devices, and big data analytics could open new sources of information exploitation by the organized cyber criminals from volumes of information.

Over 92K checks must be performed to assess the status of security of your infrastructure across your physical and virtual networks, operating systems, databases, and Web applications.

With sophisticated tools, cyber-attackers unfortunately, have asymmetric advantages over businesses.

The need for security analyses stems from the regulatory requirement (45 C.F.R. §§ 164.302 – 318.) This is to help entities in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (e-PHI).

All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in this process.

The penalties are severe; the second reason why organizations must do a security analysis. For instance, the end of 2014 saw Anchorage Community Mental Services (ACMHS) settlement for potential violations by paying $150,000 and adopt a corrective action plan to correct the deficiencies in its HIPAA Compliance Program. Read more…Download the whitepaper

The post Why Security and Risk Analysis are a must for HIPAA Compliance and Meaningful Use Attestation? appeared first on Aegify.

Webinars – Upcoming

Chandra Bilugu — Fri, 24 Jun 2016 19:17:59 +0000

Join Aegify Webinars for an educational discussion on the challenges of securing patient data and ensuring it’s privacy and security in a Healthcare provider setting.

Upcoming Webinars

1. Learn How to handle the biggest danger faced by Healthcare organizations,
Tue Jul 12, 2016, 11am PT, Duration: 30 Mts

As a compliance professional dealing with business associates agreements, when you think of the OCR HIPAA audit, what’s your first reaction? Is it one of confidence? Or is it anxiety and stress? If it’s closer to the latter, you’re not alone. In fact, close to 50% of HIPAA breaches are due to issues related to business associates so it’s no wonder many healthcare organizations are stressed and anxious about the audit.
In 30 minutes, Learn how to:
Diagnose security vulnerabilities and compliance liabilities due to your BAs and vendors,
Prevent future breaches with BA-Vendor monitoring technology,
Track breaches and alerts associated with BAs and their vendors,
Provide a security blanket for your organization to demonstrate their oversight of all BA’s.

2. Learn How Healthcare Facilities can Avoid being the next victim of Ransomware Breaches,
Tue, July 19, 2016, 11am PT, Duration: 1 hour

3. Learn How Healthcare Facilities can Avoid being the next victim of Ransomware Breaches,
Tue, Aug 9, 2016, 11am PT, Duration: 1 hour

Join Aegify for a riveting discussion about the recent ransomware attacks that have created a lot turmoil in the healthcare industry and what steps you can take from becoming the next big victim. Ransomware attacks are on the rise. The attack that paralyzed MedStar Health’s computer systems last week mirrored that of ransomware known as MSIL/Samas, which the FBI issued an alert about March 25, three days before the MedStar attack began. Still, the health system has not specified the nature of its attack. Hackers and ransomware tools are becoming more sophisticated. The main objective in using ransomware is to destroy backups of files and databases that contain electronic patient health information and to encrypt and lock up files and databases that contain ePHI in order to charge covered entities and business associates hundreds to thousands of dollars to unlock the data.
This means that healthcare providers can no longer ignore the risk associated with implementing the HIPAA security program with adequate security risk analysis and management to detect and prevent such ransomware attacks.
In this webinar we will discuss:
What is Ransomware?Recent developments and why you could be the next victim?
Best Practices to avoid being the next Ransomware victim,
Automated Solutions for detecting and Preventing ransomware attacks

4. Learn How to prevent cyber Security breaches – Best practices,
Tue, Aug 16, 2016 11am PT, Duration: 1 hour

Join Aegify for a riveting discussion about the practical impact of a $28.0 mm settlement agreed to by St. Joseph Health System in costs after patient data was exposed on the web. This settlement of a suit stemming from a data breach illustrates that egregious breaches can have serious financial consequences. The reasons for the breach were due to failure to institute an organization-wide information security program with adequate security controls to mitigate risk to its patient information.
The size of the settlement means healthcare providers can no longer ignore the risk associated with implementing the HIPAA security program with adequate security risk analysis and management.
In this webinar we will discuss:
Some recent breaches including the St Joseph Health settlement,
Overview of changes in HIPAA requirements related to Covered Entities Best Practices to avoid Cyber-security breaches,
How to automate HIPAA cyber-risk monitoring and management?

Presenter:

Anupam Sahai, Co-Founder and CEO of Aegify Inc.

Webinar Registration

Webinar Rewind – Archives

The post Webinars – Upcoming appeared first on Aegify.

BA-Vendor Manager

Chandra Bilugu — Sat, 28 May 2016 05:26:26 +0000

Download PDF on Aegify-ba-vendor-manager

aegify-ba-vendor-manager-160526e

The post BA-Vendor Manager appeared first on Aegify.

Business Associate Agreements Are Critical to HIPAA Compliance

Chandra Bilugu — Mon, 23 May 2016 17:07:17 +0000

Business Associate Agreements Are Critical to HIPAA Compliance: OCR Announces $755,000 Settlement Action On April 19, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) reached a settlement in the amount of $755,000 with a North Carolina orthopedic clinic (“Clinic”) for failing to execute a business associate agreement with a thirdparty vendor. This is OCR’s second settlement this year related to business associate agreements, highlighting OCR’s efforts into investigating business associate relationships. OCR initiated its investigation following notification on April 30, 2013 of a breach where the Clinic disclosed protected health information (“PHI”) contained in xrays to a thirdparty vendor. The Clinic had orally agreed to allow this vendor to transfer xray images to electronic media in exchange for harvesting the silver from the xray films. Failing to execute a written business associate agreement, the Clinic gave the thirdparty vendor access to the PHI of 17,300 patients. OCR and the Clinic entered into a resolution agreement and corrective action plan that, in addition to the monetary payment, requires the Clinic to revise its business associates policies and procedures. The Clinic will also need to:

designate one or more individuals with authority to enter into and monitor business associate agreements;
create a process to determine which thirdparty vendor relationships fall under the business associate definition;
create a process for negotiating business associate agreements;
create a standard template for business associate agreements;
create a process;
create a document management system for business associate agreements;
limit disclosures of PHI to the minimum amount that is reasonably necessary to allow business associates to perform their duties.

In a press release announcing the settlement, OCR Director Jocelyn Samuels emphasized that “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere checkthebox paperwork exercise” and that “it is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” Practical Takeaways In light of this enforcement action and with Phase 2 HIPAA audits underway, covered entities need to take the following steps to ensure compliance with HIPAA’s business associate provisions:

Review current business associate relationships and execute written agreements (if not already in place);
Review current policies and procedures related to business associates to ensure there are individuals who are monitoring, negotiating and documenting business associate relationships.

More information on this enforcement action, including the resolution agreement and the OCR press release, is available here. If you have any questions, please contact: Posted on April 26, 2016 in Health Law, HIPAA Written by: Hall Render 5/19/2016 Hall Render – Main Blog http://blogs.hallrender.com/blog/businessassociateagreementsarecriticaltohipaacomplianceocrannounces755000settlementaction/ 2/2 Charise R. Frazier at (317) 9771406 or cfrazier@hallrender.com; Ashley L. Thomas at (317) 4293664 orathomas@hallrender.com; or Your regular Hall Render Attorney. Please visit the Hall Render Blog at http://blogs.hallrender.com/ or click here to sign up to receive Hall Render alert topics related to health care law. © 2002-2016. Hall, Render, Killian, Heath

The post Business Associate Agreements Are Critical to HIPAA Compliance appeared first on Aegify.

TRICARE in Trouble Again- More Lawsuits to Face

Chandra Bilugu — Mon, 02 May 2016 10:45:01 +0000

For TRICARE, the aftermath of last year’s massive breach incident has proved to be an ongoing nightmare. Being the largest health information breach reported since the HIPAA breach notification rule came into effect in September 2009, the TRICARE breach has repeatedly attracted aggressive legal action. Nearly 4.9 million beneficiaries were affected by the breach, and 3 class action lawsuits were filed against TRICARE, one of which demanded $4.9 billion in damages.

As the latest addition, some of the 4.9 million affected beneficiaries reported financial fraud in their credit card or bank account. An amended complaint tied to the original class action lawsuit provides details on five individuals affected by the TRICARE breach who have reported that they have been victims of financial fraud related to the breach. Out of these five individuals one has reported cancellation of credit card due to suspicious activity, and the other four reported unauthorized or fraudulent charges on their credit/debit cards or bank accounts. The complaint is also said to include new allegations contending that the data theft was intentional, and specifically targeted confidential information stored in the stolen backup tapes.

Eight class action lawsuits have now been filed against TRICARE. However, on March 8, Science Application International Corporation (SAIC) has requested to have all eight lawsuits consolidated into one. The attorneys involved in five cases filed in Washington, D.C., are also seeking to consolidate these cases.

In terms of the number of people affected, the TRICARE breach has been the largest so far on the federal tally of major breaches. And likewise, this breach incident has also been the first to attract such severe legal action. With eight class action lawsuits to fight, TRICARE stands testimony to the fact that no organization can escape the consequences of an information breach. This further proves that data breaches are best prevented rather than corrected. But preventing a data breach is not easy unless your organization is equipped with a comprehensive security and compliance management solution like Aegify RSC Suite.

Aegify’s RSC Suite is completely automated, and includes all security and IT-GRC functions required to be compliant. It provides end-to-end support for HIPAA and HITECH regulations and comes with built-in best practices, policy and procedure templates which can solve all security and compliance challenges. It can help you curb threats and prevent incidents of data theft/loss, thus saving your organization from the drastic consequences of a breach.

The post TRICARE in Trouble Again- More Lawsuits to Face appeared first on Aegify.

U.S., Canada Issue Ransomware Alert

Chandra Bilugu — Wed, 06 Apr 2016 15:46:22 +0000

With a new ransomware incidents popping up almost on a daily basis, the U.S. Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC), have issued an official ransomware alert.

While the alert intended to educate the general population to the threat and how to combat becoming a victim it also recommends to not pay the ransom.

“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed,” the statement said.

The statement gives a primer on ransomware running through the types currently being favored – such as Locky and Samas – that it is spread primarily through phishing scams and what can happen to a computer’s files if infected.

The post U.S., Canada Issue Ransomware Alert appeared first on Aegify.

HIPAA Audit: OCR Is On The Move

Chandra Bilugu — Tue, 29 Mar 2016 20:26:33 +0000

Last week, the HHS Office for Civil Rights (OCR) announced the launch of phase 2 of the HIPAA Audit Program. OCR’s goal is to proactively uncover and address risks and vulnerabilities to protected health information (PHI). Effective immediately, OCR will ensure Covered Entities (CEs), their Business Associates (BAs) and vendors have comprehensive risk management frameworks in place.

CEs and BAs are required by law to implement the HIPAA security program and meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

Friends, this is serious business. Earlier this month, North Memorial Health Care of Minnesota settled potential HIPAA violations with OCR for $1.55 million. Click to read OCR’s 3/16/16 press release.

Can you withstand a fine or settlement of this amount?

CEs and their business associates are protected with Aegify RSC Suite, or alternatively through a combination of Aegify Risk Manager, Aegify Security Manager, Aegify Compliance Manager and Aegify BA-Vendor Manager. It’s easy to get started. Contact sales@aegify.com.

Click to read OCR’s 3/21/16 press release.

Thank you,

The Aegify Team

The post HIPAA Audit: OCR Is On The Move appeared first on Aegify.

Avoiding Future Ransomware Attacks (Malware) Targeting Healthcare Providers

Chandra Bilugu — Fri, 04 Mar 2016 16:18:03 +0000

The “Ransomware” attack (Malware) described below definitely highlights the key value that the Aegify solutions suite offers to any scale of enterprises. The appropriate use of our security scanning and remediation solution would definitely have significantly mitigated the probability of such an attack from occurring as the organization would have stayed on top of any software patches in their web applications. As such, Aegify is a great fit for your organization, since such tasks are burdensome and resource intensive allowing such vulnerabilities to be exploited if not addressed in a timely fashion.

The attack was described as “…used vulnerability in web application that requires patching (updating software versions).” Which implied that the institution breached was not keeping their computing and web systems patched in a timely manner. Aegify’s regular/continuous scanning process would have uncovered this lapse and allowed the organization an opportunity to correct the vulnerability prior to such an attack. The compliance and risk assessment components of the Aegify solution suite would have worked to further educate the management and staff as to the importance of effective monitoring program and its’ elements.

Aegify allows you to safeguard your systems, network, and computing environments in the most efficient way. In fact this type of an attack highlights one of the key benefits that we bring to enterprises. It enables you to regularly monitor and track the enterprise’s Risk, Security and Compliance elements and factors that are key in any successful security protection program.

Thank you
Aegify Team

Avoiding Future Ransomware (Malware) Attacks Targeting Healthcare Providers

The recent malware attack on a healthcare provider in California has significant implications. The delivery approach was not through a phishing email or malware infecting a personal device. Instead, the attackers opportunistically used vulnerability in web applications that requires patching (updating software versions). The attack methodology has impacted companies outside of healthcare and the sophistication of the attack is relatively high.

Information for Your IT Department

Aetna Global Security is sharing the attached document from Dell SecureWorks Counter Threat Unit(TM) (CTU) and the National Health Information Sharing & Analysis Center (NH-ISAC). Please forward this document to your IT department and encourage them to review your web applications and upgrade outdated Jboss applications (upgrade to 7.0) to avoid future attacks of ransomware on hospitals.

Aetna is the brand name used for products and services provided by one or more of the Aetna group of subsidiary companies, including Aetna Life Insurance Company and its affiliates (Aetna).

Help/Contact us:
If you have any questions, please Contact Us.

We are located at 151 Farmington Ave, Hartford, Connecticut 06156.
©2016 Aetna Inc. The Aetna name and logo are trademarks of Aetna Inc.

Privacy Information | Legal Statement | Program Provisions | Member Disclosure | Aetna Companies: State Directory

Jonathan Houck

Network Manager
houckj@aetna.com

Office: 417-837-0225

Fax: 860-907-2191

Aetna OfficeLink Updates are electronic. Sign up at: https://aetna.providerpreference.com

The post Avoiding Future Ransomware Attacks (Malware) Targeting Healthcare Providers appeared first on Aegify.

Aegify And Maize Analytics Partner to offer Live Privacy and Security Management

Chandra Bilugu — Fri, 29 Jan 2016 20:59:24 +0000

Aegify, a leading provider of risk security and compliance management solutions announced today that it has partnered with Maize Analytics to provide their leading edge privacy and access monitoring solution along with

Aegify’s suite of risk, security and compliance products to address next generation compliance challenges. Privacy advocates around the world lack a proper automated privacy auditing solution. Common practices

include manual and rules-based solutions that result in wasted effort and high false positive rates, making it impossible for providers to practice proactive auditing. Maize Analytics provides the only system that allows

users proactively audit with minimal oversight and training. Aegify provides a cloud-based, comprehensive, unified, enterprise platform for continuous risk, security and

compliance monitoring and resolution. The Aegify solution delivers risk, security and compliance management with an intuitive dashboard and advanced analytics. Using a Diagnose, Cure and Protect framework driven by

an expert systems based technology, customers get a clear path to diagnosing risk, security and compliance gaps, curing them through wizard based remediation guidance, and continuous monitoring to ensure business

continuity and protection. The company has won numerous awards and accolades from analysts for product innovation.

As part of the partnership, Aegify with Maize Analytics will help Healthcare Providers address institutional challenges in the changing privacy environment. Maize Analytics’ innovative Explanation-Based Auditing

System (EBAS) is an Electronic Medical Record (EMR) access-monitoring tool that allows hospitals to monitor and audit for internal data breach threats. The solution integrates with any EMR and has been successfully

deployed in Epic, Cerner and other leading EMR implementations. The tool combines rules and clinical context to dramatically increase internal fraud detection.

“The Explanation-Based Auditing System can automatically audit 95% of EMR accesses, drastically reducing the workload for privacy officers and reducing risk for healthcare organizations.” said, Dr. Daniel Fabbri,

Founder and CEO of Maize Analytics. Anupam Sahai, Co-founder and CEO at Aegify Inc., “We are excited to partner with Maize to combine our market leading risk, security and compliance management solution offering with Maize’s privacy auditing

solution to offer an even more robust continuous risk, security and compliance monitoring solution. Maize’s EBAS is a disruptive force in the Healthcare privacy space that will forever change how we do privacy audits.

The combined solution addresses a huge problem that remains unsolved today. We foresee that hospitals, health systems and Health Information Exchanges will have a strong need for Aegify’s-Maize’s technology to ensure

privacy and security.”

The solution is available immediately. To learn more about Aegify, visit http://www.aegify.com or call 408 689 2586, email info@aegify.com. To learn more about Maize Analytics, visit http://www.maizeanalytics.com

About Aegify:

Aegify Inc. (http://www.aegify.com) is a world-leading provider of Cloud-based software-as-a-service (SaaS) solutions for business security monitoring, risk and compliance management. The company’s flagship product

Aegify is the world’s first software only solution that disrupts the way businesses manage security, compliance and risk using an easy-to-use, cost-effective, subscription-based, SaaS solution. Headquartered in Cupertino,

California, Aegify has offices in the United States and India. Earlier this year, the company introduced Aegify BA-Vendor Manager, solving a significant HIPAA compliance challenge faced by all U.S. covered entities for

their business associates and vendors. The company has received numerous industry awards and accolades. Aegify was nominated to the 2016 CyberSecurity 500 list of hottest Cybersecurity companies to watch. It

received the highest possible, five-star rating, based on features, performance, documentation, support, and overall rating from SC Magazine, June 2014.

About Maize Analytics:

Maize Analytics (http://www.maizeanalytics.com), based in Nashville, TN, provides EMR access log monitoring tools for improved data privacy and security. The patented and peer reviewed Explanation-Based

Auditing System leverages machine learning to understand why accesses occur to patient data. In contrast to standard anomaly detection systems, Maize can filter away 95% of false positives, allowing privacy officers to

focus on suspicious behavior. Maize’s technology was recognized as a top 20 most promising healthcare compliance solution providers by Healthcare Tech Outlook for 2015.

The post Aegify And Maize Analytics Partner to offer Live Privacy and Security Management appeared first on Aegify.