Think about healthcare.  Offense is a given.  There are frequent C-Suite discussions about new services, attracting the best clinical talent, effective community outreach and the like.

What about defense?  Sure, providers have whole departments to reduce risk in its many insidious forms, but playing defense in the SRC (security, risk and compliance) arena just isn’t as sexy as playing offense.  Unfortunately, mistakes on the defensive side of the ball can wipe out years of good offense work.

With this pleasant thought, let’s turn out attention toward data security.  Doesn’t it seem like data breaches happen disproportionately in healthcare?  I haven’t seen any definitive numbers to prove this point, but I am convinced healthcare breaches are more common because of the shear amount of healthcare data being put on computers and into the cloud.

According to peer60, 96% of hospitals claim health information security is a huge priority for them.

Key findings include:

• There are multiple obstacles to security, risk and compliance but key challenges revolve around lack of budget and non-compliant employees.
• While lack of budget is an issue for most providers, it is especially so for smaller hospitals.
• Although total threat prevention is daunting, significant optimism exists, especially at the manager and director levels. While 54% of CIO’s said threat prevention is impossible, only 22% of security managers and directors responded the same way.  This is good news!
• Hospitals with 500+ beds see fault with the underlying security weakness of Healthcare IT systems, not their SRC efforts.

I would like to invite you, your compliance officer, CSIO, CIO, CFO and any other appropriate team members to dedicate an hour to improving your game on the defensive side of the ball.  Sure, offense is sexy.  But, as winning coaches know, defense wins the game and ensures your healthcare organization’s long-term safety.

Join me for Aegify’s next helpful webinar, “HIPAA Omnibus: How to do Security Risk Analysis” on Tuesday July 7 at 11am PT.  This valuable webinar is designed to help you analyze and quantify your security risk and give you a practical roadmap for risk reduction and compliance for today and tomorrow.  As a special bonus, we’ll outline the Aegify disruptive SRC solution that can save your organization up to 80%.

To register for this webinar, please click HERE.  On behalf of all of us at Aegify, we look forward to your participation on Tuesday, July 7 at 11a PT.

Yours truly,
Anupam Sahai
Co-Founder & CEO, Aegify Inc., Cupertino, CA, USA

About Aegify:

Aegify’s comprehensive, unified platform uniquely operates at the intersection of security, risk and compliance for healthcare providers and their business associates. Discover what more than 400 other organizations already know: Aegify is the affordable, disruptive solution for IT security and compliance management, vulnerability analysis and risk management.

Aegify earned the highest rating of 5 out 5 stars by SC Magazine for Features, Performance, Documentation, Support and Overall Rating (June 2014).

The post Offense is Sexy. Defense Wins the Game appeared first on Aegify.

With the permanent HIPAA audit program scheduled to begin sometime after the start of the fiscal year 2014, its time organizations started looking at risk assessment as a regular part of their business.

Highlighting the key findings of the pilot program, Rinker said that there were no clear trends seen when it came to privacy findings. But, about 44% organizations had trouble spots in areas of use and disclosure of PHI, and quite an alarming number of organizations, 47%, were identified with problems related to policies and procedures, and 26% had training deficiencies.

Speaking about the challenges involved in HIPAA compliance, Rinker explained that risk analysis and ongoing risk assessment stands out as a major challenge, and that those entities which did not carry out risk assessments, or had done a poor risk assessment, showed a pattern of non-compliance with the HIPAA rules.

Rinker said that the OCR is in the process of updating the audit protocol and that while the current website has the pre-HITECH protocol, with the change in provisions and criteria, the audit protocol would be updated. When the website finally publishes the audit protocol, it would be in compliance with the HITECH standards.

The upcoming audit program may be much narrower in scope according to Rinker, who said that although the pilot audit program covered 59 individual requirements and standards, this is a substantial number and it is unlikely that a permanent program would be so comprehensive in scope. Hence the upcoming audits are expected to be much more streamlined, with a smaller scope and would aim to reach a broader range of covered entities and business associates.

All organizations that wish to prepare for the audits should have an active, integrated, and fully functional HIPAA compliance program in place, according to Rinker. A comprehensive platform like Aegify Security Posture Management or Aegify SecureGRC can greatly simplify this task and ensure compliance with HIPAA. Rinker also said that entities should look at the audit protocol on the OCR website to assess how they measure up to the existing standards, and advised covered entities to conduct a comprehensive risk analysis considering all systems, as these are subject to change with any changes in the IT infrastructure. Therefore ‘ongoing’ risk assessment is the key. While it can catch vulnerabilities in new systems, it can also detect risks in existing ones and help correct them in the timely manner.

The post Thorough Risk Assessment-The Need of the Hour appeared first on Aegify.

The pilot HIPAA program conducted by HHS Office of Civil Rights last year brought to light, the disturbing fact that most healthcare providers did not conduct timely risk assessments. The audits clearly revealed that this specific requirement under the rule was not met by many providers. According to OCR, out of the 115 healthcare entities that were audited during the pilot program in 2012, the most commonly seen weakness was the lack of a thorough and timely risk assessment.

Taking this into account, the tiger team plans to explore methods that will call for greater attention to existing requirements in Stage 3, mainly addressing the question whether self-attestation by healthcare entities is an effective means to ensure that risk assessments are being done, and if so are they being done well. A subgroup of the tiger team is likely to examine the effectiveness of the attestation process itself. The tiger team will continue to investigate how best to ensure security in health information exchange, and the team has scheduled a virtual meet on the 24th of June to discuss matters involving non-targeted queries, and to share experiences in dealing with non-targeted queries.

While Stage 1 of the EHR incentive program emphasized that participants in the program should attest that risk assessment has been conducted, Stage 2, which is set to begin in 2014, will require healthcare providers to further attest that their risk assessment addressed encryption for data at rest, and if the data has not been encrypted they have to document what other methods have been used to protect data. Stage 3 goes one step further to check the reliability and effectiveness of the attestation process.

Healthcare entities should therefore prepare themselves well to meet these changing requirements, and a thorough risk assessment should be the first step in this direction. A comprehensive solution such as Aegify Security Posture Management and Aegify SecureGRC is the need of the hour. With built in capabilities that address all risk assessment and health information security needs, this solution can alleviate pressure, simplify compliance, and in turn facilitate meaningful use of EHR.

The post More Emphasis on Risk Assessments in Stage-3 of Incentive Program appeared first on Aegify.

The lack of a current and  thorough risk assessment can be very costly and  a recent action by federal regulators reiterated  the same. The authorities have issued penalties in excess of $1 million to two organizations that were investigated post minor breaches. And these organizations were found to be lacking in current risk assessment as required under HIPAA. The Department of Health and Human Services’ Office for Civil Rights issued a $1.5 million HIPAA penalty against one of the organizations, Massachusetts Eye and Ear Infirmary as part of a settlement agreement. The report of a breach involving a physician’s stolen unencrypted laptop also sparked an OCR investigation.

Likewise an investigation  triggered by the theft of an unencrypted storage device in June, resulted in the OCR issuing a $1.7 million penalty against the Alaska Department of Health and Social Services. While each case had alleged HIPAA compliance shortcomings, the  lack of risk assessments  seemed to be strategic in the regulator’s decisions to impose hefty penalties.

An enterprise that is able to enforce strict corporate policies and adhere to all the latest regulatory requirements will be able to protect vital information assets, keep customer confidence, and safeguard business interests. Many industry experts opine that such incidents emphasize the need for organizations to improve their HIPAA compliance efforts. The recent final rules for Stage 2 of the HITECH Act, electronic health record incentive program are another excellent gauge of the significance that is placed by regulators on risk assessments as well as encryption.

As any failure to conduct a thorough, timely risk assessment will result in severe penalties by the OCR in the coming months, health care organizations need a reliable solution that can take care of all the security requirements. Secure GRC from eGestalt is one such solution that  has an in-built HIPAA compliance framework and allows organizations to steer clear of security challenges by effectively addressing all its compliance, audit, assessment, and risk management needs.

The post Risk Assessment Is Imperative – Avoid Small Breaches Becoming Huge Penalties appeared first on Aegify.

So is your enterprise truly GRC-ready? Here are some tips to help your enterprise effectively achieve GRC goals this year:

Develop a valuable risk management strategy: A perfect Governance, risk and compliance plan can be followed only when you develop an effectual risk management strategy. This strategy must incorporate essential processes and policies to enable optimum risk management and mitigation throughout the enterprise. A proactive approach is the best mechanism to tackle risks across your enterprise.

Entrench core enterprise processes with GRC initiatives: Automated GRC solutions offer immense benefits for your enterprise by ensuring cost savings, mitigating risks and also efficiently tackling compliance-related concerns. Therefore, pushing in GRC procedures into key processes can help you enhance business performance.

Opt for a 24X7 GRC solution: A solution that can offer best monitoring capabilities, and can scrutinize threats on a 24X7 basis is the most desirable.

Plug threats in advance: Swift and significant analysis can ensure that looming threats are dealt with effectively. Hence by capturing all data and analyzing them for threat patterns, incidents, or security events you can take proactive measures to tackle threats before they harm your enterprise.

Integration is the key: When you opt for Governance risk and compliance software, an integrated solution is perhaps the best bet for optimized GRC. Therefore a solution which can offer an integrated governance risk and compliance support system works best. The idea is to simplify and reduce the time spent on regulatory compliance and its corollary certification requirements. Therefore the same solution needs to cater to and offer total end-to-end automated processes for security, risk management and compliance requirements.

Being GRC-ready is easier once your enterprise understands the importance of risk management and the need to abide by regulatory standards. And the above-mentioned tips can be quite valuable for your enterprise in its GRC endeavors.

The post Top Tips to be GRC-Ready in 2011 appeared first on Aegify.

Kern Medical Center in Bakersfield faced the largest civil penalty of $250,000 for losing 596 patient records, and an additional fine of $60,000 for allowing two employees to access and disclose a patient’s medical record on three occasions.

In a similar breach, Pacific Hospital in Long Beach was fined $225,000 after an employee admitted to memorizing personal information of nine patients, and setting up fake Verizon accounts using their information.

The state of California has the toughest privacy laws in the country with high penalties for data breaches. And Kaiser Permanente’s Bellflower Hospital was the first to be issued penalty under the state law enacted in 2008 for patient protection. The institution was fined $437,500 for failing to prevent unauthorized access to medical records of Nadya Suleman.

In all these incidents employees have been identified as the main cause for the breach. However, these institutions are also equally responsible for not being proactive in identifying and curbing insider threats. These incidents re-emphasize the need for an efficient security solution with effective threat management capabilities that can not only prevent such breaches in future, but also ensure a more secure data management process.

The post 7 Facilities in California Fined for Privacy Breaches appeared first on Aegify.

Timely Recognition of Long-Term Risks

Security cannot merely be defined in terms of Trojans, viruses or spam eagerly waiting to enter and incapacitate the central IT nervous system of an organization. Even the careless attitude of employees can cause security breaches within the network, and intentional attempts like hacking or willful destruction of critical data also cannot be ignored. In order to deal with this growing concern, you require automated IT Compliance software that can provide you with robust, end-to-end integration solutions.

Many organizations fail to enforce a compelling security environment that is in alignment with the business goals. The alarming rate at which these security threats are increasing is an indication that you need result-oriented techniques to help overcome this problem. The answer lies in an automated and integrated solution that can handle all IT risk management issues, and carry out overall effective corporate governance.

Intensifying the IT Environment with Cognitive Security Parameters

A cloud-based model capable of providing unified governance risk and compliance management solutions can help crack down potential threats, and can provide a remarkably safe IT environment. The solution contains a centralized repository for all compliance-based organizational data, and it considerably reduces the total cost of ownership due to its SaaS-based model.

It helps monitor and enforce the best regulatory standards and practices without delay. Due to its integrating feature, the time required for compliance is minimal, and the process is simple. Such an integrated compliance solution, addresses all vulnerability management solution needs by performing comprehensive scanning procedures, scheduling audits and providing exhaustive audit log trails for all compliance related tasks, so that compliance gaps can be bridged promptly with corrective measures. It also provides a complete report of compliance statistics which in turn helps identify your compliance status.

The aim of a capable IT security solution is to provide a set of comprehensive features, with solutions for effective threat management. Its main objective is to resolve issues concerning data leakage, insider threats, intrusion detection, and verification of controls. Therefore, with an integrated, comprehensive security solution, enterprises can ensure a healthier and safer IT environment.

The post A Wake-Up Call for IT Security: Are Your Compliance Practices Fit for the Test? appeared first on Aegify.

Get cracking; threats are real!

Threats to systems and networks worldwide have been on the rise. For instance, the blaster worm in 2009 managed to shut down close to 120,000 systems in just 3 minutes, ensuring that networks across the world were affected. In another such attack, the Slammer worm infected nearly 55 million hosts per second in just 11 minutes. Susceptibilities in enterprise systems and the perpetrators of such actions are increasing globally, and IT organizations are more and more vulnerable to these attacks.

Be it internal or external, security threats can cause not just financial losses, but can also tarnish the image of an enterprise. Hence threat management has to take precedence over other activities. Enterprises should therefore follow best practices and invest in the best solutions to manage security threats effectively.

What are the best practices for effective threat management?

Managing threats is not an easy task, especially because enterprises today want their threat management efforts to coincide with compliance management as well. So an ideal threat management solution should essentially:

• Crack multiple data-centric information security challenges
• Decipher and detect in real-time advanced persistent and pervasive threats
• Detect automatically for any kind of data leakages
• Search for insider threats
• Provide detailed malware analysis
• Undertake continuous and automatic controls verification including e-discovery
• Deliver a holistic solution for both security as well as for IT- Governance and Risk Compliance that can be easily monitored through an integrated dashboard
• Provide an end-to-end automatic enterprise security solution that is all encompassing for compliance, audit and risk management needs.
• Swiftly update software with latest information
• Stay ahead of potential threats
• Thwart threats at their source

A company’s network, its information systems, databases, and processes are essentially its backbone. Hence, they must be made secure from threats, both internal and external. Therefore, deploying the right threat management system can prevent data breach and safeguard the company’s networks, systems and assets.

The post Best Practices for Threat management appeared first on Aegify.

Like in any other industry, division of labor and specialization, have taken shape making the hacking industry more structured than ever before. The 3 key players in the hacking community are:

-Researchers: Otherwise known as exploit developers, researchers are not actually involved in exploiting systems, but look for vulnerabilities in frameworks and applications.

-Farmers: These are people who write botnet software to infect systems, and also maintain and increase the presence of botnets in the cyberspace. They probe applications to extract valuable data, execute password attacks, disseminate spam, and distribute malware.

-Dealers: They distribute malicious payloads. They also rent botnets for repeated, persistent attacks or targeted one-time attacks to extract sensitive information.

The sophisticated nature of today’s cyber attacks is a definite product of ‘hacking industrialization’. And the use of advanced hacking techniques has also contributed to a focus shift from stealing personal information and credit card numbers to stealing application credentials, for which 3 attack techniques have been identified as commonly used:

SQL Injections: Data theft is most commonly administered through this technique. IBM reported around 250,000 SQL injection attacks on websites around the world, everyday, between January and June 2009.

Denial of Service: This is an attack which is usually executed by blackmailing application owners to pay a ransom to free their application from an invasion of unwanted traffic.

Business Logic Attacks: In this type of attack, hackers target vulnerabilities in business logic. Unlike attacks targeted at application codes, these attacks often remain undetected. These attacks are not usually apparent and are too diverse to be expressed in vulnerability scanner tests.

These highly advanced security attacks make it increasingly difficult for organizations to fight threats and remain protected. Today, no web application is out of reach of hackers. Attack campaigns are quite common, not only against applications but against any available target. Therefore data protection is a must, and effective vulnerability scanning tools along with application-level security solutions may be very helpful in effective threat management and overall security.

The post Common Attack Techniques – In an Era of Industrialized Hacking appeared first on Aegify.

Whatever the reason, cybercrime has been increasingly affecting the performance and productivity of companies. IT security is a matter of serious concern now, and companies are trying to adopt best practices to overcome this challenge. Here are some measures that you can take, to protect your company’s backup data:

1. Integrate backup security measures with the rest of the infrastructure. Make storage security a part of the overall information security policy. Even if the storage security responsibility lies with the storage team, they should integrate their security measures with the rest of the infrastructure, physical and virtual, in order to build in-depth protection.

1. Assess risk in terms of security. Ensure that a risk analysis of your entire backup process is done. Vulnerability management is crucial for every business and therefore it is essential to evaluate the backup methodology used by the company to identify security vulnerabilities in the process. For example, questions such as, can an administrator make copies of the backup tapes, are end-point devices easily accessible, and is there end-to-end custody for backup data, etc, need to be addressed to avoid security attacks.

1. Modify your security approach. If you do not have a comprehensive approach, adopt one. A multi-layered approach to security works well in most cases. Add different layers of protection such as authentication with anti-spoofing techniques, authorization based on roles and responsibilities as against complete access, encryption for data to be stored or copied, and auditing, along with log maintenance and log analysis, to ensure traceability and accountability.

1. Build awareness about data security. Communicate to your staff and managers, the risks involved in handling backup data and train them to abide by your backup security policies and regulations. Most often data loss is a result of ignorance or negligence of employees. If employees are made aware of the consequences of data leak, security lapses can be avoided to a large extent.

Secure data backup begins with formulating strategic policies. And implementing these policies requires proper planning and preparation. To fully protect a company’s critical data, complete control, continuous effort and constant monitoring are crucial. It’s important to understand that data security is as much a product of awareness, as it is an enforced directive. And it is your responsibility to create such awareness to ensure overall data protection.

The post Data Backup Security Best Practices appeared first on Aegify.