Data Breaches – Aegify (https://www.aegify.com): Comprehensive Security, Risk and Compliance Assurance Solution

Yet another Cyber Attack – Personal Information of 11 Million individuals Breached
https://www.aegify.com/yet-another-cyber-attack-personal-info-breached/
Wed, 25 Mar 2015

Premera Blue Cross, a health plan in the Pacific Northwest, is about to land on the HHS "Wall of Shame" once HHS confirms the details of the Premera hacking incident, in which a cyber-attack reportedly exposed the personal information of 11 million individuals, the second largest breach on the federal tally.

According to Premera's investigation, the initial attack occurred on May 5, 2014, and Premera notified the FBI. Premera will be notifying approximately 11 million affected individuals by mail and offering two years of free credit monitoring and identity theft protection services, with a dedicated call center for its members and the affected individuals.

This would have an adverse brand effect for Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and its affiliate brands Vivacity and Connexion Insurance Solutions Inc.

Premera members' breached information could include names, dates of birth, Social Security numbers, mailing addresses, email addresses, telephone numbers, member identification numbers, bank account information and claims information, including clinical information. The Company said, "Along with steps taken to cleanse its IT system of issues raised by this cyber-attack, Premera is taking additional actions to strengthen and enhance the security of its IT systems moving forward".

More and more businesses are falling prey to cyber criminals. How confident is your organization that it is fully prepared? About 40% of cybersecurity breaches in 2014 were in the healthcare vertical, and recent reports indicate that healthcare data is becoming more valuable than credit card data. HIPAA compliance requires that all PHI, and the critical assets that store or process it, be secured.

First, it is essential to protect your information assets: do not assume that your endpoint computers are well protected, but extend protection to laptops, tablets, smartphones, and removable storage devices such as USB flash drives. Knowing your critical assets and their roles in processing, storing or transmitting information is vital. As staff increasingly bring their own devices (BYOD), information control becomes more difficult, and the 2015 security trend projects that mobile devices will increasingly be targeted for credential and authentication theft. It is therefore essential to implement an effective asset tracking and management system for both your internal and your external/perimeter IT infrastructure.

To be HIPAA compliant, businesses need to perform a HIPAA assessment, run security scans of their PHI assets and conduct a Security Risk Analysis. The same analysis is also required for meaningful use attestation at its various stages.

Second, vulnerabilities keep being discovered in long-dormant code (Poodle, Shellshock, GHOST), new technologies ship with inadequate security, and vendor security patches and updates go unapplied; together these continually lead to exploited vulnerabilities and data breaches. This is a great risk for healthcare organizations as long as they continue to use outdated software and rudimentary security. Consider acting proactively against these continuing challenges to the security of your information assets and improve your security posture with Aegify Security Posture Management. The Aegify scanner offers the following distinct features that other web scanners do not:

  • Browser Emulation Scanning Technology (BEST) – browser-based scanning of client-side web applications to find vulnerabilities in deployed and running web applications such as JavaScript, AJAX, and Flash
  • Web Application Pass-Through Scanning – uses current vulnerabilities to scan and accurately report on unaddressed vulnerabilities in web applications, including third-party application exposures deep in the network, for a more accurate and complete report.
  • Batched Scanning – reduces scan times and lets customers target specific, mission-critical addresses.
  • Content Scanning – scans databases and applications for specific content such as credit card and social security numbers, ensuring personally identifiable information is not exposed to hackers.
  • Operating System Scanning

The Aegify Security Posture Management solution uses innovative, patent-pending expert systems technology to automatically map security vulnerabilities to compliance mandates. Representing the new breed of solutions from Aegify, Security Posture Management (SPM) is cloud-based and offers several distinct features.

The third step is to feed the security scan results automatically into your compliance control requirements using a solution such as Aegify Compliance Manager.

You can try out the free community edition before subscribing to Standard, Professional or Ultimate editions.

Aegify is a comprehensive Security, Risk and Compliance Management solution for addressing all HIPAA compliance needs. It provides meaningful use attestation reports with proof of security risk analysis and automates HIPAA management through a continuous Assess -> Remediate -> Monitor workflow, so that businesses can be assured of their HIPAA compliance status. Aegify's simple 1-2-3 steps help establish an automated state of continued readiness.

Businesses can prevent such breaches from happening using Aegify. Aegify provides HIPAA compliance assurance!

Anthem Breach Sounds Security Alarms against Data Hackers
https://www.aegify.com/anthem-breach-sounds-security-alarms/
Wed, 11 Mar 2015

The health insurer Anthem Inc., which manages Blue Cross plans across a dozen states, recently announced that a hacking incident compromised a database containing the personal information of nearly 80 million individuals worldwide. Anthem believes the unencrypted compromised information could include current and former members' and employees' names, birthdates, medical IDs/Social Security Numbers, street and email addresses, and employment information. The Anthem breach is a warning signal to the healthcare sector that outsiders see great value in the data maintained by healthcare providers, health plans and business associates. According to some news reports, Chinese hackers are believed to be behind this attack.

The data breach at Anthem Inc., the largest in the healthcare industry since enforcement of the HIPAA breach notification rule began, is a lesson for healthcare establishments to beef up their preventive and proactive measures to guard healthcare databases from hackers. In a technology-centred business world, enterprises need to evaluate their networks efficiently and scan for loopholes to protect their databases from the prying hands of cyber criminals. Investigations to locate the culprits are ongoing; some news reports attribute the Anthem breach to Chinese hackers. This incident has not only strengthened the need for healthcare businesses and their business associates to adhere to HIPAA compliance regulations, but also serves as a marked reminder of how important it is for HIPAA covered entities and BAs to assess and address professionally the risks to electronic protected health information (ePHI).

This incident is a stark reminder of the need for a systematic risk analysis and risk management system for techno-centric healthcare establishments and business associates. Even as experts point to the lack of encryption as a major cause of the breach, data encryption is no silver bullet against data breaches.

The Anthem data breach is a cautionary call to all healthcare businesses to ensure compliance with the security controls detailed under the HIPAA/HITECH regulations.

Conclusion
While recent investigations also point towards "backdoor malware" as a cause of the large-scale data breach at Anthem Inc., an intelligent continuous monitoring and analysis system would have been able to detect the Anthem attack very early. The Aegify Security Posture Management tool is optimized to prevent exploits across the entire IT infrastructure. Its flexible cloud-based architecture scans single as well as multiple assets, and its enterprise-class protection scans for nearly 32,000 vulnerabilities using about 92,000 checks across physical and virtual networks, operating systems, databases, and web applications. Moreover, its automated compliance mapping, deployed across physical and virtual network environments, ensures continuous monitoring of security, risk, and compliance with real-time status. Security posture assessment and management tools will help enterprises protect their data from such breaches.

Enterprises need to be proactive to Avoid Anthem Fate
https://www.aegify.com/enterprises-need-to-be-proactive-to-avoid-anthem-fate/
Wed, 04 Mar 2015

The news of the massive data breach at Anthem Inc. acts as a warning signal for enterprises across the globe, irrespective of industry. Reports show that the health insurer Anthem Inc. suffered this massive data breach when hackers gained access to its corporate database. For this globally widespread enterprise, with client lists running into millions, the affected data reportedly contained personal information of around 80 million of its US customers and employees.

The organisation's top executives acknowledge that they were the target of an attack by cyber criminals who gained unauthorized access to their IT systems. However, based on digital forensics investigation reports, they are confident that no credit card data or medical records were compromised. Nevertheless, a breach of 80 million records, the biggest in history, brings to the fore today's need to deploy industry-standard "sophisticated" defences. Encryption of data is a critical aspect of securing access to any corporate database.

While this is a nightmare for the affected individuals, it is not an isolated case. Other recorded incidents include:

  • Data breach at the Montana Dept. of Health and Human Services, where hackers gained access to a server, affecting an estimated 1.3 million individuals.
  • Breach at Community Health Systems Inc., which exposed the personal data of an estimated 4.5 million people.

With data breaches continuing, information security has attained critical importance across enterprises. An essential proactive step is to inventory your assets and estimate the level of risk attached to key assets. Following this with an assessment of the security controls would have helped Anthem identify the gaps and plug them with appropriate remedial measures. Tools like Aegify help organizations assess their security, risk, and compliance posture and take proactive measures to fix security lacunae.

Aegify's services, offered as a cloud-based model, cover all security and IT GRC functions. Equipped with a built-in compliance framework that supports HIPAA, RBI, NSE, BSE, MCDEX, PCI, ISO, COBIT, FISMA and other country-specific mandates, Aegify also has advanced alerting and monitoring systems, making it a complete end-to-end automation solution for all security, audit, compliance and risk management needs of an enterprise.

Keeping Up President Obama's Data breach Plan
https://www.aegify.com/keeping-up-president-obamas-data-breach-plan/
Wed, 25 Feb 2015

The increasing number of data breaches by cyber criminals across various enterprises has brought large-scale loss of personal information, besides financial losses and brand erosion. Even as technological growth has helped governments across nations improve their communication and governance many-fold, cyber security breaches have pressured them to work on security policy changes. As an immediate step towards solving these issues, President Obama, with strong backing from IT majors, announced a data breach plan that would help standardize state policies.

President Obama called on lawmakers to ensure that the Personal Data Notification and Protection Act extends to educational institutions and covers student data just as it covers customer information. However, even as the President and government heads were busy taking decisions and stern steps to control cyber security breaches and threats to credit cards and personal data, ISIL supporters succeeded in hacking US Central Command sites and Twitter accounts.

While the Personal Data Notification and Protection Act treats data breaches as a criminal offence and requires enterprises to report any data breach within a 30-day period, customers of small and medium-sized enterprises operating in multiple states remain unprotected. If vandals supporting the Islamic State of Iraq and the Levant (ISIL) could easily deface four of the high-security social media accounts of U.S. Central Command, then governments and IT majors need to treat this threat as a call to work through much more stringent measures that can ensure the safety and privacy of every individual.

Global healthcare enterprises, besides being HIPAA/HITECH compliant, also need to take strong measures to protect their customer data and personal information from cyber criminals. To help the large number of small to medium-sized enterprises, including healthcare practitioners, Aegify provides a cloud-based Software-as-a-Service solution with built-in best practices and ready-to-use security and privacy policies that can be quickly and easily customized to meet client-specific requirements. The step-by-step process in Aegify ensures that clients meet their HIPAA/HITECH and data security requirements every year. This solution is widely used by healthcare professionals and their business associates, and can be scaled up and customized to meet the data security and compliance requirements of a business of any size.

The new GHOST Vulnerability that could affect security of Linux based servers across the globe
https://www.aegify.com/new-ghost-vulnerability-in-linux-systems/
Thu, 12 Feb 2015

A newly found vulnerability known as GHOST (CVE-2015-0235) affects many Linux-based systems starting with glibc-2.2, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04, and allows attackers to remotely take control of an entire system without any prior knowledge of system credentials. The vulnerability is called GHOST because it lets the attacker take control of the victim's system remotely by exploiting a buffer overflow bug in glibc's gethostbyname() family of functions.

The year 2014 saw three major vulnerabilities discovered: Heartbleed, the Shellshock bash bug and the Poodle bug. These major vulnerabilities have shaken the edifice of security havens. The Heartbleed bug made it possible for attackers to steal data from a server, including the keys needed to decode any encrypted content.

Shellshock, a more serious bug, made it possible for hackers to quietly take control of millions of machines around the world without notice. Another new breed of bug, Poodle, was found in a 15-year-old web encryption technology called SSL 3.0. SSL, which stands for Secure Sockets Layer, encrypts a user's browsing session, making it difficult for anyone on the same public Wi-Fi to eavesdrop. The Poodle bug makes it possible for hackers to hijack a victim's browsing session and do things like take over their email, online banking, or social networking account.

This GHOST vulnerability affects almost all major Linux distributions, except a few such as Ubuntu 14.04. Millions of servers on the Internet contain this vulnerability.

As a buffer overflow bug, GHOST affects certain function calls in the glibc library. The vulnerability allows a remote attacker to execute arbitrary code via these function calls, which are used for DNS resolution, a common event. An attacker may trigger the buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution. To eliminate the possibility of an exploit, the affected packages, glibc and nscd (the name service cache daemon), must be updated on the system using the packages released by the Linux distributions.

Researchers at Veracode discovered that nearly 41% of enterprise applications using the GNU C Library employ the GHOST-ridden 'gethostbyname' function[1]. Veracode rates this vulnerability as highly 'Critical', as 80% of applications such as financial transaction applications or applications that access sensitive databases use the 'glibc' library and could fall victim to the GHOST vulnerability. According to Veracode, code that initiates network connections, processes logs or filters mail or spam can be vulnerable to GHOST because it uses the gethostbyname() function.

Veracode found that 72% of applications written in C or C++ are potentially vulnerable to GHOST; applications written in Java, .NET, and PHP are also vulnerable to GHOST.

The easiest way to check for this vulnerability is to run the Aegify scanner on Linux hosted servers within the organization and in its external IT infrastructure. Patches are now available for resolving this vulnerability.
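A host-side triage check for the patching step described above, as an added example (not the Aegify post's code or its scanner): it reads the running glibc version through gnu_get_libc_version() (a real glibc function), compares it with the published affected range 2.2 <= version < 2.18 (the upstream fix shipped in glibc 2.18), and, because distributions backported the fix to older version numbers, also looks for the CVE id in the installed glibc package's changelog before calling a host exposed. The changelog text embedded here is constructed for the offline run; the rpm command line and the changelog format are assumptions about the host being checked.

```python
"""GHOST (CVE-2015-0235) exposure triage for a Linux host.

Added example, not code from the Aegify post. Two inputs are combined:
  1. the glibc version string (upstream affected range is 2.2 <= v < 2.18;
     the fix landed in glibc 2.18), and
  2. the glibc package changelog, because distributions backported the fix
     to older version numbers and recorded the CVE id in the changelog.
A version inside the range with no CVE reference is reported as exposed.
"""
import ctypes
import re
import subprocess

CVE_ID = "CVE-2015-0235"
FIRST_AFFECTED = (2, 2)   # bug present from glibc 2.2 onwards
FIXED_UPSTREAM = (2, 18)  # upstream fix shipped in glibc 2.18

EXPOSED = "exposed"
BACKPORTED = "patched (distribution backport)"
NOT_AFFECTED = "not affected (fixed upstream version)"


def parse_glibc_version(text):
    """'2.17' or '2.12-1.149.5' -> (2, 17) / (2, 12); vendor suffix ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised glibc version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def version_in_affected_range(text):
    return FIRST_AFFECTED <= parse_glibc_version(text) < FIXED_UPSTREAM


def changelog_mentions_fix(changelog_text):
    """True if the package changelog references the CVE id (case-insensitive)."""
    return re.search(re.escape(CVE_ID), changelog_text, re.IGNORECASE) is not None


def assess(version_text, changelog_text=""):
    """Combine version range and changelog evidence into one verdict."""
    if not version_in_affected_range(version_text):
        return NOT_AFFECTED
    if changelog_mentions_fix(changelog_text):
        return BACKPORTED
    return EXPOSED


def running_glibc_version():
    """Ask the loaded C library for its version; None when it is not glibc."""
    try:
        fn = ctypes.CDLL(None).gnu_get_libc_version
    except (OSError, AttributeError, TypeError):
        return None
    fn.restype = ctypes.c_char_p
    return fn().decode()


def rpm_glibc_changelog():
    """Changelog of the installed glibc RPM, or '' where rpm is unavailable
    (assumption: an RPM-based host; adapt for other package managers)."""
    try:
        out = subprocess.run(["rpm", "-q", "--changelog", "glibc"],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return out.stdout


# Constructed sample changelog entry (not from any real package) so the
# backport path can be exercised offline.
SAMPLE_BACKPORT_CHANGELOG = """\
* Mon Jan 26 2015 Example Maintainer <maint@example.invalid> - 2.12-1.149.5
- Fix buffer overflow in the gethostbyname family (CVE-2015-0235)
"""

if __name__ == "__main__":
    version = running_glibc_version()
    if version is None:
        print("C library is not glibc; GHOST does not apply")
    else:
        print(f"glibc {version}: {assess(version, rpm_glibc_changelog())}")
    print("constructed 2.12 host with backport changelog ->",
          assess("2.12-1.149.5", SAMPLE_BACKPORT_CHANGELOG))
```

A version at or above 2.18 is reported as not affected; a version inside the range is reported as exposed unless the package changelog records the CVE fix. A passing verdict says nothing about processes that loaded the old library before the update, so long-running services must be restarted (or the host rebooted) after glibc is replaced.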

The Aegify suite of security, compliance and risk management tools provides a rich set of solutions for identifying the vulnerabilities that continuously emerge to threaten businesses and individuals, ensuring that such risks are properly identified and addressed while remaining compliant with the various regulatory requirements.

Aegify Security Posture Management, an innovative, completely cloud-based, automated and integrated security monitoring and compliance assessment tool, takes away the complexity of maintaining a secure posture and ensuring compliance. It simplifies the protection of an enterprise's physical and virtual environment and IT infrastructure from security breaches by cyber attackers while also meeting regulatory requirements. Equipped with features such as continuous security monitoring, a vulnerability management engine, physical and virtual network scans, interoperability, remediation and multi-layered vulnerability analysis, Aegify's security solutions provide a complete end-to-end solution to identify security gaps and help enterprises apply the related patches or use virtual patching.

How Physicians can Avoid HIPAA Penalties in 2015
https://www.aegify.com/how-physicians-can-avoid-hipaa-penalties-in-2015/
Mon, 09 Feb 2015

With the healthcare industry moving towards digitalization, electronic health records, even in protected formats, are becoming increasingly attractive to the criminals of the cyber world. Not a day goes by without news articles about hospitals or medical practitioners paying millions of dollars in penalties due to public exposure of protected health information. According to Forrester, while a single health record sells for $20 on the black market, a complete patient dossier including a driver's license, health insurance information, and other sensitive data can sell for $500.

Physicians who have had their Drug Enforcement Administration (DEA) number compromised or have faced government investigations will understand the need for measures to protect their patients' electronic health information and avoid HIPAA penalties in 2015. Further, following the changes under the HIPAA Omnibus Rule, the HHS Office for Civil Rights has taken measures to scrutinise medical practitioners who depart from its directive to ensure the privacy of patient data. Physicians also need to understand that, depending on the nature of the violation, penalties may range from $100 to $50,000 per violation, and that where the violation results from "wilful neglect" the practitioners or business associates involved will have to pay penalties of $10,000 to $50,000 per violation.

Professionals in the healthcare industry need to be very careful about how they handle patient data. Even the loss of a physician's personal laptop containing PHI may lead to numerous violations, and professionals who face such circumstances will also be subject to penalties for failure to implement protective measures for EHR. Covered entities are also required to report such breaches to the affected parties as well as to HHS.

While HIPAA imposes regulations and restrictions on medical practitioners, it also offers covered entities various ways to avoid HIPAA penalties. If a breach of protected health information is not an act of "wilful neglect" and the covered entity takes corrective measures within a period of one month, it may avoid HIPAA penalties. Further, to mitigate liability under the HIPAA rules and avoid penalties arising from breaches of EHR, physicians need to conduct regular security risk assessments and implement administrative and technical safeguards. Executing business associate agreements, providing employees with effective training and monitoring their performance, and documenting these actions will also help covered entities avoid HIPAA penalties. In the event of a breach, timely reporting is critical, since a delay will be construed as wilful neglect; responding immediately to any suspected breach is just as important.

Conclusion
Integrating technological innovations may make 2015 a dynamic year for the healthcare industry. Nevertheless, physicians also need to take adequate steps to maintain practice revenues and remain compliant with HIPAA regulations. Aegify is a continuous security monitoring and compliance management solution built on a framework approach that allows physicians, covered entities and business associates to gain control and improve compliance across a number of regulations, including HIPAA & HITECH and other country-specific ones. Its built-in vulnerability scanning technology is a simple and effective way of monitoring security and meaningful-use-approved HIPAA compliance levels with professional results.

Why Data Breaches are reported after Vendor Disputes?
https://www.aegify.com/vendor-disputes-leads-to-breach-notification/
Wed, 04 Feb 2015

For the technology-dependent business world, the use of digital data has not only enabled easy data transfer, storage and accessibility from any location and device, but has also made businesses vulnerable to data breaches.

Following the legal dispute between the Texas Health and Human Services Commission and its former contractor Xerox, the state agency reported a data breach affecting 2 million individuals. This breach added to the number already on the "wall of shame" of the Dept. of Health and Human Services, raising the count to 1,167 incidents affecting nearly 41.3 million individuals. Since the HIPAA breach notification rule took effect in 2009, most of these incidents have involved business associates. However, with the HIPAA Omnibus Rule coming into effect, business associates and subcontractors are now liable to maintain HIPAA compliance.

Texas HHSC reported the incident as one of unauthorized access or disclosure. It is believed to have involved the electronic records of 2 million individuals, including their birth dates, Medicaid numbers, medical and billing records related to care provided through Medicaid, reports, diagnosis codes and photographs. Even though Xerox takes data security very seriously and has data protection measures in place, covered entities also need to have their own information security risk analysis and contingency planning. Such proactive measures prepare them for a business associate destroying protected health information.

Moreover, with OCR enforcing HIPAA, business associates also need to spell out, together with their covered entities, how they will safeguard protected health information. Further, under the HIPAA Omnibus Rule, covered entities must report any security incident that is presumed to be a data breach unless a risk analysis shows the risk to be low.

Conclusion
Nevertheless, in a technologically enabled business world that uses portable devices and BYOD options for accessibility, data breaches may be caused by lost or stolen devices without encryption. Comprehensive security solutions such as Aegify Security Posture Management or Aegify Risk Management will help healthcare providers and their business associates keep data threats at bay and maintain periodic risk analysis throughout their life cycle.

Data Breaches to Increase further in 2015
https://www.aegify.com/2015-to-bring-even-more-data-breaches/
Fri, 26 Dec 2014

Technological innovations over the years have paved the way for physicians and healthcare professionals to adopt mobile technology in their practices. While this has had a positive impact on patient care, organizational efficiency and work flow, healthcare data breaches have unfortunately become a major issue faced by a large number of healthcare providers.

Even as reports showed that 42% of serious data breaches in 2014 were in the healthcare sector, recent reports from Experian, the credit reporting company, speak of 2015 bringing even more data breaches. This vulnerability of the healthcare industry is seen as a result of the growing number of access points to patient health information as electronic health records are used more widely. The presence of the patient's social security number on the Medicare card is sensitive data that increases the exposure. While the Definitive Healthcare Hospital database has tracked 251 data breaches across 7,506 hospitals, Health IT Security shows that nearly 68% of these healthcare data breaches are due to theft or loss of portable devices, with a few due to human error.

Data breach risk is high as smart device usage increases:

With the increasing use of smartphones and other new, high-end devices for accessing digital information, 2015 is expected to bring even more healthcare data breaches. Healthcare providers and medical establishments must therefore take proactive measures to protect their electronic health information. Further, the reports indicate that only 23 percent of healthcare data breaches are caused by cyber criminals. However, the case of a Brigham and Women's Hospital physician who was robbed and forced to disclose the passcodes protecting encrypted data makes it clear that encrypting data alone is not enough to protect EHR.

According to the Department of Health and Human Services' HIPAA Security Rule, encryption is a process which uses "an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, in such a way that data cannot be breached." Nevertheless, in the BWH case the key was indeed compromised once the passcodes were handed over.

Conclusion:

Healthcare providers and their business associates therefore need to deploy effective, mature security solutions that are not only economical but also safeguard the security of EHR. Security, risk and compliance solutions such as Aegify offer a one-stop, integrated, web-based solution that allows healthcare professionals to ensure security and compliance through effective, practical, automated risk management. It significantly reduces the impact of data breaches by providing continuous security and risk feedback whenever new assets or security practices are added, together with instantly recommended remedial measures for quick implementation. Aegify helps you remain continuously secure, risk-free and compliant.

The post Data Breaches to Increase further in 2015 appeared first on Aegify.

How to avoid Data breaches such as those faced by Home Depot Inc
https://www.aegify.com/how-to-avoid-data-breaches/ (Wed, 03 Dec 2014 04:23:46 +0000)

An aggressively competitive environment and customer demands challenge the business world to adopt every new technology in order to keep pace with the changing technology landscape. However, simply adopting new technologies will not by itself give enterprises a competitive advantage. With businesses operating in a digital, networked world, emerging technologies also open up new areas of threat. Cyber criminals are smart enough to locate loopholes in networked systems and new technologies and exploit them for their own benefit. The recent incident reported by Home Depot, the world's largest home improvement chain, is a classic example of such cyber threats.

In the incident faced by Home Depot Inc, hackers stole about 53 million email addresses in addition to customer data for 56 million payment cards, with losses estimated at nearly $62 million. Reports indicate that the hackers used a third-party vendor's user name and password to enter the perimeter of the company's network, then acquired "elevated rights" that allowed them to navigate parts of Home Depot's network. The attackers then deployed unique, custom-built malware on self-checkout systems in stores across the U.S. and Canada. A third-party vendor was likewise the point of entry in last year's unprecedented breach of retail giant Target Corp's network, in which hackers stole at least 40 million payment card numbers and 70 million other pieces of customer data.

With data breaches of this scale, global business leaders need to look for methods to create a more threat-free environment. As a first step to protect customer data and close the attackers' method of entry, Home Depot removed the terminals identified as carrying the malware. The company has also committed to steps such as implementing enhanced encryption of payment data across its US and Canadian stores by early 2015 and adopting EMV technology for all US credit cards. Unfortunately, with technology giving cyber attackers an asymmetric advantage over businesses, managing data security for such a globally widespread enterprise is a complex task. Moreover, with cyber attackers equipping themselves with sophisticated tools, enterprises need to look for new approaches rather than the traditional "scan and patch" approach to security threat management.

The growing number of security gaps and vulnerabilities demands efficient Security Posture Management (SPM). Security Posture Management is the practice of managing the security of vital data and networks by orchestrating people, process and technology resources; it helps enterprises proactively achieve their business security objectives and address issues in real time. The unique, unified, automated, cloud-based Aegify Security Posture Management (ASPM) tool offers enterprises an end-to-end security management solution. It helps enterprises identify their business-critical IT assets, evaluate their risks based on vulnerabilities and the impact of potential threats, and initiate appropriate measures to ensure the Confidentiality, Integrity and Availability of information assets. Such an automated tool not only simplifies protecting the IT infrastructure from security breaches but also ensures that processes are compliant with HIPAA and HITECH regulations and established security standards.

The post How to avoid Data breaches such as those faced by Home Depot Inc appeared first on Aegify.

Secure Steps to Avoid Unsecure Folders and Big Breaches
https://www.aegify.com/secure-steps-to-avoid-data-breaches/ (Tue, 18 Nov 2014 09:39:42 +0000)

Yet another major data breach has been caused by leaving a folder unsecured in today's always-connected networked world. The recent federal healthcare data breach tally reported a breach that affected more than 307,000 patient records from an unsecured folder. The case, in which an unsecured folder at Touchstone Medical Imaging, a provider of diagnostic imaging services, led to a huge breach, was listed on the Department of Health and Human Services' "wall of shame" website under the HIPAA Breach Notification Rule. Security experts, however, view this vulnerability as a relatively common lapse among healthcare providers, generally caused by human error. With technology enabling fast transfers, by the time the service provider realised that a seldom-used folder containing patient billing information had inadvertently been left accessible via the Internet, the damage had been done.

Such common errors become the weakest link in protecting electronic protected health information (PHI). Even as Touchstone Medical Imaging tries to ascertain the depth of the damage done, security consultants view the case of unsecured files left accessible from the Internet as a sign of deeper security control issues. While this case may be the result of inadequate oversight and control of the enterprise network by IT staff, unrestricted Internet access to a healthcare enterprise's network servers and file shares is a warning sign of bigger problems that call for stricter action.

Further, once a file becomes publicly accessible there is every possibility that another party has obtained it and made a copy. Security teams therefore need to identify the controls they must put in place. Breaches involving unsecured patient data accessible via the Internet have already caught the eye of federal regulators and led to HIPAA penalty enforcement in the past. In January 2013 the Department of Health and Human Services issued the HIPAA Omnibus Final Rule, which significantly modifies the privacy, security, enforcement and breach notification regulations. This requires business associates and covered entities to re-examine their service offerings and business models to address insider threats.

Moreover, to avoid Touchstone-type breaches, covered entities, business associates and vendors should be very careful about sharing applications and data, even across peer-to-peer networks. As healthcare enterprises take initiatives to implement effective HIPAA security audit systems in line with HIPAA Omnibus Rule enforcement, business associates and their subcontractors who receive, create, transmit or maintain protected health information must also encrypt data and avoid exposing it on the Internet, since they too are now directly responsible for HIPAA compliance.

With its built-in vulnerability scanning technology, the Aegify security and compliance monitoring system provides continuous security monitoring and effective compliance, demystifying complex compliance regulations and standards. The Aegify suite of solutions addresses the security and compliance requirements of covered entities and their business associates, ensuring that healthcare data remains safe and secure.

The post Secure Steps to Avoid Unsecure Folders and Big Breaches appeared first on Aegify.
