Information Security – Aegify (https://www.aegify.com): Comprehensive Security, Risk and Compliance Assurance Solution. Feed last built Wed, 03 Aug 2016 00:23:42 +0000.

2014 – The Year of Data & Privacy Lawsuits?
https://www.aegify.com/2014-the-year-of-data-privacy-lawsuits/
Tue, 11 Feb 2014 07:10:53 +0000 (originally http://www.egestalt.com/blog/?p=610)

The post 2014 – The Year of Data & Privacy Lawsuits? appeared first on Aegify.

While the healthcare industry looks at 2014 as the year to strengthen breach prevention and data protection initiatives, experts predict that healthcare breach suits will be common this year. True to this prediction, dozens of lawsuits have already been filed in the case of the Target breach, which involved theft of two unencrypted laptop computers that affected nearly 840,000 individuals.

Adding to the number is a class action lawsuit filed against insurer Horizon Blue Cross Blue Shield of New Jersey, following a data breach which occurred late last year. This lawsuit is expected to be one of many breach-related suits filed this year, in healthcare and other industries.

Horizon had notified 840,000 members about the breach incident. The affected members, whose Social Security numbers may have been compromised, are being offered free credit monitoring and identity theft protection for one year, according to the company. However, the plaintiffs in the case, Karen Pakelney and Mark Meisel, are suing the insurance company for failing to adequately secure and safeguard sensitive, personally identifiable information. They accuse the insurer of acting negligently and of violating the Fair Credit Reporting Act and the New Jersey Consumer Fraud Act, and are seeking unspecified damages.

However, according to a Horizon spokesperson, the lawsuit is without merit, and the company intends to defend itself vigorously. But one thing is for sure: this lawsuit opens the floodgates to many more breach-related lawsuits, and settlements in such cases can be expected to be substantial.

David Navetta of the Information Law Group points to the 2011 court ruling in favor of the payment card breach victims affected by the 2007 breach involving Hannaford, a grocery chain in the northwestern United States. He says that the ruling meant that victims of the breach could sue for damages resulting from the costs of card replacement, theft, insurance and other reasonable mitigation efforts, and emphasizes that government enforcement actions related to breaches are heating up in healthcare.

According to Navetta, breaches such as the one involving Horizon, and the recent complaint filed by the Federal Trade Commission against the medical testing firm LabMD, highlight the importance of data protection and prompt breach notification, and also bring the importance of cyber-insurance to the forefront. He points out that such cases can be very expensive to fight and could potentially put small healthcare entities out of business. LabMD, for example, announced in January this year that its Atlanta-based medical testing lab would be winding down operations because of the cost of fighting the Federal Trade Commission over the breach case.

It does look very likely that 2014 will be the year of lawsuits for the healthcare sector, as experts predicted. The most important lesson for healthcare providers, however, is that data protection and breach prevention must be taken with the utmost seriousness. Providers have to adopt comprehensive security solutions such as Aegify Security Posture Management or Aegify SecureGRC in order to identify vulnerabilities, detect threats in their systems and prevent breaches, rather than facing legal action and suffering dire consequences. The in-depth certification courses offered by 4Med can further strengthen your understanding of how to remain secure and compliant.

Number of Data Breach Victims Doubled in 2013
https://www.aegify.com/number-of-data-breach-victims-doubled-in-2013/
Mon, 30 Dec 2013 08:30:59 +0000 (originally http://www.egestalt.com/blog/?p=598)

Thanks to a few mega healthcare data breaches in 2013, the number of individuals affected is now more than twice the number in 2012. Three recent breaches that grabbed the headlines have not yet been added to the official 2013 tally; once the number of affected individuals is confirmed, the breach tally for 2013 could surge by almost a million.

The ‘Wall of Shame’, to which the Department of Health and Human Services’ Office for Civil Rights adds breaches affecting more than 500 individuals, shows that as of December 20, more than 5.7 million individuals have been affected by over 130 health data breaches in 2013, against 2.7 million affected by 160 breaches in 2012.

What is noteworthy is that three large breaches are yet to be added to this federal tally. They include:

  • The data breach reported by Horizon Blue Cross Blue Shield of New Jersey in November this year, where two unencrypted desktop computers were stolen from the company’s headquarters, affecting nearly 840,000 individuals.
  • The malware breach reported by the University of Washington Medicine, affecting 90,000 individuals.
  • The breach at Cottage Health System in California, which affected 32,500 patients who had their patient health information exposed on Google for 14 months because of a lapse in a business associate’s systems.

Of the numbers included in the federal tally so far, more than 90 percent of affected individuals were victims of four large breaches:

  • The July breach at an office of the Advocate Medical Group, which affected 4 million individuals and resulted in a class action lawsuit.
  • A breach in October at AHMC Healthcare, which involved two unencrypted laptop computers stolen from the administrative offices in California, affecting 729,000 individuals.
  • A breach incident in May at Texas Health Harris Methodist Hospital Fort Worth, involving decades-old microfiche medical records and affecting 277,000 patients.
  • An incident reported in April at the Indiana Family and Social Services Administration, impacting 188,000 clients whose personal information was disclosed in mailings to other clients due to a programming error by a business associate.

It has been repeatedly noted that a large percentage of breaches involve business associates, and that the most common cause of breaches has been loss or theft of unencrypted devices or media. Despite continued emphasis on the role of encryption in safeguarding patient data, most healthcare entities seem to be missing the point, and data breaches caused by lack of encryption continue to fill the ‘Wall of Shame’.

Moreover, with business associates becoming directly liable for HIPAA compliance, they are moving from a reactive to a proactive model for data security. It is only logical that, with this shift, more data breach incidents will be identified and reported in the future.

How to Keep Breaches Away

By taking certain key steps, healthcare data breaches of all sizes can be prevented. Firstly, a thorough risk analysis is crucial to identify the security risks and threats looming over healthcare data; this can significantly bring down the possibility of a breach. Secondly, monitoring the practices of business associates and subcontractors can further improve the security posture of a healthcare entity. Modifying Business Associate agreements alone is not sufficient to prevent a breach; periodic review of their operations and ensuring their compliance with security standards are also essential to keep breaches at bay. And most importantly, data encryption is a crucial step in protecting healthcare data. Encrypting data can go a long way not only in avoiding breach incidents, but also in preventing legal action in the event of a breach.

This is where comprehensive security solutions such as Aegify Security Posture Management and Aegify SecureGRC prove extremely helpful. They address all security concerns with a built-in framework that follows all the key steps necessary to safeguard healthcare information, thus eliminating the possibility of a breach incident.

Addressing Information Security Threats & Challenges in Healthcare
https://www.aegify.com/addressing-information-security-threats-challenges-in-healthcare/
Thu, 12 Sep 2013 04:52:58 +0000 (originally http://www.egestalt.com/blog/?p=550)

Every healthcare business is vulnerable, and therefore needs an effective means to deal with ever-growing threats and challenges. In an interview with Healthcare Info Security, Lee Kim, the Director of Privacy and Security at HIMSS, discussed the issues faced by the healthcare industry and offered insights.

“Keeping track of where sensitive data is located, detecting breaches, and dealing with insider threats are amongst the most critical issues,” said Kim, who also stated that organizations are most often not even aware that there has been a security incident. Moreover, the proliferation of mobile devices, including smartphones, laptops and tablets, and the use of outsourcing, in addition to connected devices and systems, make it hard for organizations to keep track of where information is. This creates huge vulnerabilities, opening doors to a significant number of threats. Hence, organizations need to understand how to keep information both private and secure, while staying compliant with various regulations, including HIPAA.

In addition, Kim stated that healthcare entities have to ramp up their breach detection efforts, because better breach detection can help identify security vulnerabilities that need to be addressed. Moreover, with increasingly sophisticated means of getting access to information, insider threats are becoming a growing concern for healthcare providers.

Challenges in Complying with HIPAA

According to Kim, one of the primary issues faced by the healthcare industry is that some providers are not prepared to comply with the HIPAA Omnibus Rule and associated regulations. This is because of the lack of an organizational culture that promotes security and privacy measures. Insufficient workforce training on security best practices is another common challenge.

Suggestions for Tackling Compliance Challenges

Kim is of the opinion that there is no magic formula for tackling compliance challenges without putting in effort. The best way to address them is to have a framework with which to build policies and procedures. Structuring policies and procedures, handling compliance problems, and having a concrete procedure to organize policies, human capital and so on matter irrespective of the approach taken. Without such a framework, healthcare entities cannot successfully overcome compliance challenges.

It is this built-in compliance framework that Aegify Security Posture Management and Aegify SecureGRC offer. With compliance best practices integrated into the framework, these platforms can dramatically simplify the compliance process and help overcome all challenges in achieving and maintaining compliance with the HIPAA Omnibus Rule.

Biggest Breach of 2013 Reported in Texas
https://www.aegify.com/biggest-breach-of-2013-reported-in-texas/
Fri, 26 Jul 2013 07:33:37 +0000 (originally http://www.egestalt.com/blog/?p=512)

Protected health information of nearly 277,000 patients at Texas Health Harris Methodist Fort Worth has been compromised after several hospital microfilms, which were supposed to be destroyed, were found in three different public locations. While the patients are being notified about this data breach, it is believed that information including patient names, addresses, dates of birth, medical record numbers, clinical information, health insurance information and, in some cases, even Social Security numbers has been exposed.

Although the organization had contracted with Toronto-based Shred-It to destroy the patient information, it is believed that the microfilms were not actually destroyed as agreed in the contract. A portion of the microfilm was found in a park in May, and three other portions were found in two other public locations.

While Shred-It is said to have assured the hospital that the microfiche in its possession had been disposed of, Texas Health Resources spokesperson Wendell Watson said in an e-mail statement that it is unlikely that any information was accessed from the microfiche, as it can be read only with a specialized reader. He also said that the microfiche was limited to Texas Health Fort Worth patients seen between 1980 and 1990.

According to data from the Department of Health and Human Services, this is the third big HIPAA breach for a Texas Health Resources hospital. The incident is another warning for healthcare entities to encrypt and protect physical data storage media that pose a high risk of loss or theft. A comprehensive privacy and security management platform like Aegify Security Posture Management or Aegify SecureGRC can prove highly beneficial to healthcare organizations in protecting patient health information and preventing data breaches.

Expert Tips for Winning IT Security Funding
https://www.aegify.com/expert-tips-for-winning-it-security-funding/
Fri, 21 Jun 2013 04:05:50 +0000 (originally http://www.egestalt.com/blog/?p=457)

For most information security officers, winning funds for IT security investments remains one of the top challenges. While the healthcare industry is seeing rigorous enforcement of information security regulations, most healthcare entities have yet to understand the importance of investing in information security measures. Decision-makers often have to be made to realize the multiple threats looming over their industry, and the risks of failing to mitigate them in time.

Sharing insights on how to win much-needed funds for IT security initiatives, Sharon Finney, corporate data security officer at Adventist Health System, and Chuck Christian, CIO at St. Francis Hospital in Columbus, GA, said that educating people is of primary importance. Finney gives monthly security updates to her organization’s divisional CIOs and CTOs and quarterly updates to a compliance board committee, while Christian holds that providing the appropriate level of education and sharing industry-related stories, studies and headlines are essential to gain buy-in from senior management. This means keeping risk assessments up to date and executives well informed.

A survey conducted by Healthcare Info Security about how information security budgets are being funded revealed the following:

  • 45% ask for money to be allocated from the overall IT budget
  • 38% have an exclusive, clearly-defined security budget, separate from the IT budget
  • 17% leverage risk assessment results to help funding
  • 11% get funding from departments other than IT
  • 9% have a clearly defined security budget as part of the IT budget

Key Takeaway Points

Christopher Paidhrin, Security Administration Manager in the information security technology division at Peace Health, says that until this year, IT security was funded out of the IT division in a project-based way for capital expenses, with staffing coming out of IT operating expenses. Now, however, the security budget has been separated into its own department within IT. According to Paidhrin, since all capital requests require a ‘value-add’ rationalization and an ROI justification, and more importantly must be tied to business strategy, preparing for these security budgeting discussions means prioritizing all risks at the organizational level. In other words:

  • Attach a rough cost of remediation and exposure to each risk
  • Project-size the risks into business-meaningful and manageable chunks
  • Design a comprehensive security governance model, framework, and action plan

For John Houston, Vice President and Privacy and Information Security Officer at University of Pittsburgh Medical Center, annual budget meetings are preceded by extensive groundwork, including drawing up a security plan and identifying key projects that need funding, based on risk analysis. The organization uses a tool that ranks IT budget requests across divisions based on risk.

Determining the Size of Data Security Budgets

Healthcare Information Security Today’s survey findings reveal that spending 1 to 3 percent of the organization’s IT budget on security is most common, and that only 37 percent of organizations expect their budgets to increase this year. Some organizations look at security spending as insurance. Security spending is also determined by the likelihood of a risk, and the cost of accepting that risk versus the cost of avoiding it.

The Role of Regulatory Requirements

The use of Electronic Health Records, as necessitated by the HITECH Act’s incentive program, and the need to comply with the new HIPAA Omnibus Rule have put additional pressure on security budgets. Healthcare entities therefore have to regard these requirements with greater seriousness and propose budgets that can accommodate these needs.

Hence what healthcare organizations need is one solution that can address compliance and security while also enabling them to justify security spending. Aegify Security Posture Management and Aegify SecureGRC are designed to do just that. By providing comprehensive security and compliance capabilities at a reasonable cost, this platform is ideal for every healthcare organization and can fit well into any security budget.

Vulnerability Management: Secured IT, Assured Success
https://www.aegify.com/vulnerability-management-secured-it-assured-success/
Tue, 21 Dec 2010 18:46:23 +0000 (originally http://www.egestalt.com/blog/?p=72)

According to GartnerG2 (now Gartner Industry Advisory Services), a research unit of Gartner, 90% of cyber attacks leverage known security flaws and vulnerabilities for which patches are already available. Gartner analysts also believe that several security attacks could have been avoided if organizations had focused more on vulnerability management efforts.

Effective vulnerability management is therefore a prerequisite for every business. But unfriendly economic conditions have compelled organizations to maintain a safe business environment while also keeping costs low. This poses a major challenge, since organizations today are spread across multiple geographic locations and time zones. In such a scenario, vulnerability management can be a formidable task.

But with cloud-based security solutions offered by advanced GRC software, IT security compliance has assumed a new dimension. These solutions help streamline and automate vulnerability management processes and help patch security flaws.

Here are some other significant benefits of using a comprehensive security and vulnerability management solution:

  • Offers Complete Visibility: Vulnerability management solutions help in understanding the security posture of an organization through comprehensive vulnerability assessment. This in turn helps in formulating security policies for IT compliance with regulatory standards.
  • Ensures Compliance: Compliance audits are carried out at regular intervals to assess the actual degree of compliance in the organization. This supports effective compliance management by enforcing compliance best practices and ensuring fully compliant processes and procedures.
  • Facilitates Risk Management: By proactively detecting vulnerable areas within the network and identifying exposure to potential threats, these software solutions help in effective risk management.
  • Offers a Holistic View & Prompt Reporting: Vulnerability management solutions help gain complete control over risks and vulnerabilities by offering total visibility through a centralized view. Their advanced reporting capabilities enable organizations to take prompt corrective and preventive action before security gaps are exploited.
  • Improves Productivity & Lowers Cost: Since these security solutions are completely automated, they allow IT departments to focus on more critical tasks, thereby enhancing productivity. They also help reduce administrative costs and management overhead, as a single efficient software solution can effectively replace multiple disparate applications.

Managing a diverse network environment can be quite overwhelming. But a proactive, integrated, vulnerability assessment and management solution can dramatically simplify this by offering a complete GRC framework that can patch vulnerabilities, mitigate risks, and improve productivity.

Is Your File Data at Risk?
https://www.aegify.com/is-your-file-data-at-risk/
Mon, 11 Oct 2010 12:11:46 +0000 (originally http://www.egestalt.com/blog/?p=61)

According to market analyst firm IDC, file data accounts for nearly 80% of business data and has been growing at a rate of 60% every year. With such overwhelming growth in the volume of sensitive data files, persistent insider threats and complex regulatory mandates for data protection, there is immense pressure on organizations to secure confidential data. Also, conventional file security approaches have failed to provide complete protection, as these methods have several limitations.

More often than not, organizations are unable to handle data security challenges because they are largely unaware of the status of their file data security. Hence, assessing the file security posture of your organization is crucial to overcoming data security issues. Here are some questions that can help you assess the data security posture of your company:

  1. Who controls/owns file data? The critical nature of data and its relevance to the business is often best understood by data owners. Hence they are responsible for protecting file data. But if your organization is unable to specifically identify data owners, then it is an indication that your file data might be at risk. On the other hand, if you have a clear idea of who your data owners are, it is easier to ensure that they work with other groups responsible for compliance and data security.
  2. Who is accessing your data? To efficiently keep track of who is using the data and for what purpose, auditing is a prerequisite. An audit log can establish who the data owner is, who has access to file data, when or how frequently they access sensitive data, etc. Audit logs also help identify security lapses and the reasons for these lapses. Hence, if your organization does not have a continuous auditing trail, your file data is at high risk.
  3. Who has file access rights? Many security regulations require organizations to have clear visibility of file access rights. While this is a best practice to ensure data security, it is also essential to demonstrate compliance and reconsider or remediate excessive access. Your organization should therefore be able to monitor and report data access rights on an ongoing basis in order to prevent security breaches.
  4. Do you know when there is a policy violation? Several organizations give excessive access rights, but do not review these rights periodically. If your organization is one of them, then your data is at risk. Access rights review cycles are very important as they help identify policy violations. By thoroughly analyzing access rights and file access activity, you can easily determine whether a violation has taken place. If this process is automated, problems can be detected and addressed as soon as the violation occurs.

While IT compliance mandates and data security concerns can be very challenging, you can effectively overcome these challenges by addressing the above questions. It is also a good idea to opt for an integrated solution for file activity monitoring, access rights, user rights management and compliance management. Such a solution can not only help address the above questions but also provide a comprehensive system of IT security and governance.

Common Attack Techniques – In an Era of Industrialized Hacking
https://www.aegify.com/common-attack-techniques-in-an-era-of-industrialized-hacking/
Thu, 30 Sep 2010 08:55:10 +0000 (originally http://www.egestalt.com/blog/?p=58)

Gone are the days when hackers attacked perimeter defences. Today their objective is to take control of confidential data and the applications that process it. Hacking is now an operation involving global coordination, sophisticated techniques and persistent teamwork. With clear roles and responsibilities defined in the community, hacking is now a highly organized, lucrative industry, whether we like it or not.

As in any other industry, division of labor and specialization have taken shape, making the hacking industry more structured than ever before. The three key players in the hacking community are:

  • Researchers: Otherwise known as exploit developers, researchers are not actually involved in exploiting systems, but look for vulnerabilities in frameworks and applications.
  • Farmers: These are people who write botnet software to infect systems, and also maintain and increase the presence of botnets in cyberspace. They probe applications to extract valuable data, execute password attacks, disseminate spam, and distribute malware.
  • Dealers: They distribute malicious payloads. They also rent botnets for repeated, persistent attacks or targeted one-time attacks to extract sensitive information.

The sophisticated nature of today’s cyber attacks is a direct product of ‘hacking industrialization’. The use of advanced hacking techniques has also contributed to a shift in focus from stealing personal information and credit card numbers to stealing application credentials, for which three attack techniques have been identified as commonly used:

  • SQL Injection: Data theft is most commonly carried out through this technique. IBM reported around 250,000 SQL injection attacks on websites around the world every day between January and June 2009.
  • Denial of Service: In this attack, application owners are blackmailed into paying a ransom to free their application from an invasion of unwanted traffic.
  • Business Logic Attacks: In this type of attack, hackers target vulnerabilities in business logic. Unlike attacks targeted at application code, these attacks often remain undetected; they are not usually apparent and are too diverse to be expressed in vulnerability scanner tests.

These highly advanced attacks make it increasingly difficult for organizations to fight threats and remain protected. Today, no web application is out of reach of hackers. Attack campaigns are common, not only against applications but against any available target. Data protection is therefore a must, and effective vulnerability scanning tools along with application-level security solutions can be very helpful in threat management and overall security.

The post Common Attack Techniques – In an Era of Industrialized Hacking appeared first on Aegify.

Data Backup Security Best Practices (https://www.aegify.com/data-backup-security-best-practices/, Mon, 20 Sep 2010 19:24:34 +0000)

Computer-based criminal activity is not a new trend; it has been prevalent for several years. However, we cannot deny the fact that illegal activities such as data theft and misuse have become far more pervasive in recent years, and in most cases backup data seems to be the main target of cyber criminals. There are several reasons for this: cyber criminals have recognized that data/identity theft can be a lucrative business, confidential information is more easily available than ever on readily accessible storage devices, and perimeter security is often inadequate.

Whatever the reason, cybercrime is increasingly affecting the performance and productivity of companies. IT security is now a matter of serious concern, and companies are trying to adopt best practices to overcome this challenge. Here are some measures you can take to protect your company’s backup data:

  1. Integrate backup security measures with the rest of the infrastructure. Make storage security a part of the overall information security policy. Even if the responsibility for storage security lies with the storage team, they should integrate their security measures with the rest of the infrastructure, physical and virtual, in order to build defense in depth.

  2. Assess risk in terms of security. Ensure that a risk analysis of your entire backup process is done. Vulnerability management is crucial for every business, and it is therefore essential to evaluate the backup methodology used by the company to identify security vulnerabilities in the process. For example, questions such as whether an administrator can make copies of the backup tapes, whether end-point devices are easily accessible, and whether there is end-to-end custody for backup data need to be addressed to avoid security attacks.

  3. Modify your security approach. If you do not have a comprehensive approach, adopt one. A multi-layered approach to security works well in most cases. Add different layers of protection such as authentication with anti-spoofing techniques, authorization based on roles and responsibilities rather than complete access, encryption for data to be stored or copied, and auditing, along with log maintenance and log analysis, to ensure traceability and accountability.

  4. Build awareness about data security. Communicate to your staff and managers the risks involved in handling backup data, and train them to abide by your backup security policies and regulations. Most often, data loss is a result of ignorance or negligence on the part of employees. If employees are made aware of the consequences of a data leak, security lapses can be avoided to a large extent.
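The custody question in step 2 and the authorization and auditing layers in step 3 can be made concrete in a small amount of code. This added example (not the post’s own code) keys a backup manifest with an HMAC over per-file SHA-256 digests so a later custodian can detect altered, added or removed files, gates restore on a role rather than blanket access, and records every decision in an audit trail. The role names, the manifest key and the in-memory audit log are constructed for the example; a real deployment would keep the key in an HSM or secrets manager and ship the log to a SIEM.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Assumption: a per-site manifest key held by the storage team (constructed value).
MANIFEST_KEY = b"demo-manifest-key-not-for-production"

# Authorization by role and responsibility instead of complete access (assumed roles).
ROLE_PERMISSIONS = {
    "backup-admin": {"create", "verify"},
    "restore-operator": {"verify", "restore"},
    "auditor": {"verify"},
}

AUDIT_LOG: List[dict] = []  # in-memory stand-in for the audit trail


def audit(actor: str, action: str, outcome: str, detail: str = "") -> None:
    AUDIT_LOG.append({"actor": actor, "action": action, "outcome": outcome, "detail": detail})


def _canonical(digests: Dict[str, str]) -> bytes:
    return json.dumps(digests, sort_keys=True).encode()


def build_manifest(files: Dict[str, bytes]) -> dict:
    # Per-file SHA-256 plus an HMAC over the whole listing: a later custodian
    # can check that neither a file nor the list of files was altered in transit.
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    mac = hmac.new(MANIFEST_KEY, _canonical(digests), "sha256").hexdigest()
    return {"digests": digests, "mac": mac}


def verify_manifest(manifest: dict, files: Dict[str, bytes]) -> bool:
    expected = hmac.new(MANIFEST_KEY, _canonical(manifest["digests"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False  # listing tampered with or forged
    if set(files) != set(manifest["digests"]):
        return False  # file added or removed since the manifest was signed
    return all(hashlib.sha256(files[n]).hexdigest() == h for n, h in manifest["digests"].items())


def request_restore(actor: str, role: str, manifest: dict, files: Dict[str, bytes]) -> bool:
    if "restore" not in ROLE_PERMISSIONS.get(role, set()):
        audit(actor, "restore", "denied", f"role {role} lacks restore permission")
        return False
    if not verify_manifest(manifest, files):
        audit(actor, "restore", "denied", "manifest or file integrity check failed")
        return False
    audit(actor, "restore", "allowed")
    return True
```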

Secure data backup begins with formulating strategic policies, and implementing these policies requires proper planning and preparation. To fully protect a company’s critical data, complete control, continuous effort and constant monitoring are crucial. It is important to understand that data security is as much a product of awareness as it is an enforced directive, and it is your responsibility to create that awareness to ensure overall data protection.

The post Data Backup Security Best Practices appeared first on Aegify.

Implications of the ‘Dodd-Frank Wall Street Reform & Consumer Protection Act’, on Data Security (https://www.aegify.com/implications-of-the-dodd-frank-wall-street-reform-consumer-protection-act-on-data-security/, Thu, 16 Sep 2010 14:41:58 +0000)

While the financial services regulatory reform bill signed into law by President Obama last week will take some time to be put into practice, several industry experts have noted that this extensive legislation holds immense significance for information/data security.

Creation of a new consumer protection agency at the Federal Reserve, provision of new powers to regulators for safely liquidating failed financial firms, and imposing new guidelines for transparency in the derivatives market, are some of the objectives of ‘The Dodd-Frank Wall Street Reform and Consumer Protection Act’. This law is an outcome of the 2008 banking crisis.

However, there are now mixed opinions about this law, especially with respect to its implications for data/information security. Protiviti Inc.’s risk and compliance practice director Michael Brauneis noted that the provision in the law for creating a consumer protection agency may lead to a number of data security issues, since it calls for regulations that allow consumers to obtain information about their transactions from financial institutions. This creates a high risk of identity theft if those financial institutions do not put effective controls in place to verify the identity of the person requesting the information.

Also, the concept of a ‘systemic risk regulator’, meant to gather information from the banking industry to prevent another meltdown, can raise serious concerns for overall data management and security. A report by Deloitte LLP on the new financial reform likewise cites data aggregation and reporting as one of the top implications of the new law.

For all those involved in financial services, this regulatory reform is a groundbreaking event and is being described as the biggest since the Great Depression.

With the ever-increasing number of regulatory requirements, IT security has come a long way from being merely an IT-centric control mechanism to becoming a complete compliance control technique. While the timeline for this law to take effect is long, it is yet another regulation that reinforces the need for secure GRC solutions.

The post Implications of the ‘Dodd-Frank Wall Street Reform & Consumer Protection Act’, on Data Security appeared first on Aegify.
