Data Security – Aegify
https://www.aegify.com
Comprehensive Security, Risk and Compliance Assurance Solution
Mon, 01 Aug 2016 17:24:37 +0000

Keep your Healthcare business Secure and Healthy!
https://www.aegify.com/keep-your-healthcare-business-secure-and-healthy/
Thu, 14 Jan 2016 21:44:12 +0000

In this white paper we’ll bring you fully up to speed on exactly what the implications of HIPAA & HITECH regulations are and what they mean for your business.


The post Keep your Healthcare business Secure and Healthy! appeared first on Aegify.

Security Elements in Aegify
https://www.aegify.com/security-elements-in-aegify/
Sun, 03 Jan 2016 22:46:46 +0000

In this whitepaper we will discuss our effort to deploy a secure SaaS. Cloud infrastructure has been a very attractive proposition to many enterprises, small or large, because of the features that cloud infrastructure providers offer today. But cloud security is sometimes raised as a matter of concern. Therefore, when Aegify took its information security and compliance services to the cloud, it performed thorough due diligence on the services offered to ensure complete privacy and security of customers, partners and businesses using the cloud-based services.


The post Security Elements in Aegify appeared first on Aegify.

Anthem Breach Sounds Security Alarms against Data Hackers
https://www.aegify.com/anthem-breach-sounds-security-alarms/
Wed, 11 Mar 2015 05:44:50 +0000

The health insurer Anthem Inc., which manages Blue Cross plans across a dozen states, recently announced that a hacking incident has compromised a database containing personal information of nearly 80 million individuals worldwide. Anthem believes that the unencrypted compromised information could include current and former members’ and employees’ names, birthdates, medical IDs/Social Security Numbers, street and email addresses, and employment information. The Anthem breach is a warning signal to the healthcare sector that outsiders see great value in the data maintained by healthcare providers, health plans and business associates. Chinese hackers are believed to be behind this attack, according to some news reports.
The data breach at Anthem Inc., the largest breach in the healthcare industry since the enforcement of the HIPAA breach notification rule, provides a lesson for healthcare establishments to beef up their preventive and proactive measures to guard healthcare databases from hackers. In a technology-centred business world, enterprises need to efficiently evaluate their networks and scan for any loopholes so as to protect their databases from the prying hands of cyber criminals. Investigations are on to locate the culprits; some news reports point to the role of Chinese hackers in the Anthem breach. This incident has not only strengthened the need for adherence to HIPAA compliance regulations by healthcare businesses and their business associates but also serves as a marked reminder of how important it is for HIPAA covered entities and BAs to professionally assess and address the risks to electronic personal health information (ePHI).

This incident is a stark reminder of the need for systematic risk analysis and risk management at techno-centric healthcare establishments and business associates. Even as experts look into lack of encryption as a major cause of the breach, data encryption is no silver bullet against data breaches.

The Anthem data breach is a cautionary call to all healthcare businesses to ensure compliance with the security controls detailed under the HIPAA/HITECH regulations.

Conclusion
While recent investigations also point towards “backdoor malware” as a cause of such a large-scale data breach at Anthem Inc., an intelligent continuous monitoring and analysis system would have been able to detect the Anthem attack very early. The Aegify Security Posture Management tool is optimized to prevent exploits across the entire IT infrastructure. Its unique flexible cloud-based architecture scans single as well as multiple assets, and its enterprise-class protection scans for nearly 32,000 vulnerabilities using about 92,000 checks across physical and virtual networks, operating systems, databases, and Web applications. Moreover, its automated compliance mapping system, deployed across physical and virtual network environments, ensures continuous monitoring of security, risk, and compliance with real-time status. The Security Posture Assessment and Management Tools will help enterprises protect their data from such breaches.

The post Anthem Breach Sounds Security Alarms against Data Hackers appeared first on Aegify.

Enterprises need to be proactive to Avoid Anthem Fate
https://www.aegify.com/enterprises-need-to-be-proactive-to-avoid-anthem-fate/
Wed, 04 Mar 2015 06:35:04 +0000

The news of the massive data breach at Anthem Inc. acts as a warning signal for enterprises across the globe, irrespective of industry. Reports indicate that the health insurer Anthem Inc. suffered this massive data breach when hackers gained access to its corporate database. For this globally widespread enterprise with a client list running into millions, the affected data reportedly contained personal information of around 80 million of its US customers and employees.

The top-level executives at the organisation acknowledge that they have been the target of an attack by cyber criminals who gained unauthorized access to their IT system. However, based on digital forensics investigation reports, they are positive that no credit card data or medical records have been compromised. Nevertheless, this breach of 80 million records is, as per records, the biggest in history, and it brings to the fore today’s need for deploying industry-standard “sophisticated” defences. Encryption of data is a critical aspect of securing access to any corporate database.

While this is a nightmare for the affected individuals, it is not a lone case. Other recorded incidents include:

  • Data breach at Montana Dept. of Health and Human Services, where hackers gained access to a server, leading to an estimated 1.3 million affected individuals.
  • Breach at Community Health Systems Inc., which exposed the personal data of an estimated 4.5 million people.

With continuing data breaches, information security has attained critical importance across enterprises. An essential proactive step is to assess your assets and estimate the level of risk associated with key assets. Following this with an assessment of the security controls would have helped Anthem identify the gaps and plug them with appropriate remedial measures. Tools like Aegify help organizations assess their security, risk, and compliance posture and take proactive measures to fix security lacunae.

Aegify services, offered as a cloud-based model, include all security and IT GRC functions. Equipped with a built-in compliance framework that supports HIPAA, RBI, NSE, BSE, MCDEX, PCI, ISO, COBIT, FISMA and other country-based ones, Aegify also has advanced alert and monitoring systems that make it a complete end-to-end automation solution for all security, audit, compliance and risk management needs of an enterprise.

The post Enterprises need to be proactive to Avoid Anthem Fate appeared first on Aegify.

Keeping Up President Obama’s Data breach Plan
https://www.aegify.com/keeping-up-president-obamas-data-breach-plan/
Wed, 25 Feb 2015 11:32:41 +0000

The increasing number of data breaches by cyber criminals across various enterprises has brought large-scale loss of personal information besides financial losses and brand erosion. Even as technological growth helped governments across nations improve their communication and governance levels multi-fold, cyber security breaches have pressured them to work on security policy changes. As an immediate step towards providing solutions to these issues, President Obama, with strong backing from IT majors, announced the data breach plan that would help standardize state policies.

President Obama called on lawmakers to ensure that the Personal Data Notification and Protection Act extends to educational institutions and successfully covers even student data as with customer information. However, even as the President with government heads were busy taking decisions and stern steps to control cyber security breaches and threats to credit cards and personal data, ISIL supporters were successful in hacking the US Central Command sites and Twitter Accounts.

As the Personal Data Notification and Protection Act considers data breaches a criminal offence and requires enterprises to report any data breach within a 30-day period, it is seen that customers of small and medium-sized enterprises operating in multiple states are not protected. If vandals supporting the Islamic State of Iraq and the Levant (ISIL) could easily deface four of the high-security social media accounts of U.S. Central Command, then governments and IT majors need to consider this threat as a call to work their way through much more stringent measures that can ensure the safety and privacy of every individual.

Global healthcare enterprises, besides being HIPAA/HITECH compliant, also need to take strong measures to protect their customer data and personal information from cyber criminals. To help a large number of small to medium-sized enterprises, including healthcare practitioners, Aegify provides a cloud-based Software-as-a-Service solution that has built-in best practices and ready-to-use security and privacy policies that can be quickly and easily customized to meet client-specific requirements. The step-by-step process in Aegify ensures that clients meet their HIPAA/HITECH and data security requirements every year. This solution is widely used by healthcare professionals and their business associates, and can be scaled up and customized to meet the data security and compliance requirements of a business of any size.

The post Keeping Up President Obama’s Data breach Plan appeared first on Aegify.

The new GHOST Vulnerability that could affect security of Linux based servers across the globe
https://www.aegify.com/new-ghost-vulnerability-in-linux-systems/
Thu, 12 Feb 2015 14:07:34 +0000

A newly found vulnerability known as GHOST (CVE-2015-0235) affects many systems built on Linux starting with glibc-2.2 as well as Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04, and allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials. The vulnerability is termed GHOST because it lets the attacker take control of the victim’s system remotely by exploiting a buffer overflow bug in glibc’s gethostbyname() functions.

The year 2014 saw the discovery of three major vulnerabilities – Heartbleed, the Shellshock Bash bug and the Poodle bug. These major vulnerabilities have shaken the edifice of security havens. The Heartbleed bug made it possible for attackers to steal data from a server, including the keys to decode any encrypted contents.

Shellshock, a more serious bug, made it possible for hackers to take control of millions of machines around the world quietly without notice. Another new breed of bug, Poodle, was found in a 15-year-old web encryption technology called SSL 3.0. SSL, which stands for Secure Sockets Layer, is a technology that encrypts a user’s browsing session, making it difficult for anyone using the public Wi-Fi to eavesdrop. The Poodle bug makes it possible for hackers to hijack their victim’s browsing session and do things like take over their email, online banking, or social networking account.

This GHOST vulnerability affects almost all major Linux distributions, except a few such as Ubuntu 14.04. Millions of servers on the Internet contain this vulnerability.

As a buffer overflow bug, GHOST affects certain function calls in the glibc library. The vulnerability allows a remote attacker to execute arbitrary code using these function calls, which are used for DNS resolution, a common event. In exploiting this vulnerability, an attacker may trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution. To eliminate the possibility of an exploit, the ‘glibc’ and ‘nscd’ packages are to be updated on the system using the packages released by the Linux distributions.

Researchers at Veracode discovered that nearly 41% of enterprise applications using the GNU C Library employ the GHOST-ridden ‘gethostbyname’ function[1]. Veracode rates this vulnerability as highly ‘Critical’, as 80% of applications such as financial transaction applications or applications that access sensitive databases use the ‘glibc’ library and could be victims of the GHOST vulnerability. According to Veracode, code that initiates network connections, processes logs, or filters mail or spam can be vulnerable to GHOST as it uses the gethostbyname() function.

Veracode found that 72% of applications written in C or C++ are potentially vulnerable to GHOST; applications written in Java, .NET, and PHP are also vulnerable to GHOST.

The easiest way to check for this vulnerability is to run the Aegify scanner on Linux hosted servers within the organization and in its external IT infrastructure. Patches are now available for resolving this vulnerability.

The Aegify suite of tools – security, compliance and risk management – provides a rich set of solutions for identifying vulnerabilities that continuously emerge and threaten businesses and individuals, ensuring that such risks are properly identified and addressed, all the while remaining compliant with various regulatory requirements.

Aegify Security Posture Management, an innovative and completely cloud-based automated and integrated security monitoring and compliance assessment tool, helps enterprises take away the complexity of maintaining a secure posture and ensuring compliance. This tool simplifies the protection of their physical and virtual environment and IT infrastructure from security breaches by cyber attackers while also meeting regulatory requirements. Equipped with distinct features such as continuous security monitoring, a vulnerability management engine, physical and virtual network scans, interoperability, remediation and multi-layered vulnerability analysis, Aegify’s security solutions provide a complete end-to-end and comprehensive solution to identify security gaps and help enterprises apply related patches or use virtual patching.

 

The post The new GHOST Vulnerability that could affect security of Linux based servers across the globe appeared first on Aegify.

Why Data Breaches are reported after Vendor Disputes?
https://www.aegify.com/vendor-disputes-leads-to-breach-notification/
Wed, 04 Feb 2015 06:20:59 +0000

For the technology dependent business world, the use of digital data has not only enabled ease of data transfers, storage and data accessibility from any location and device, but has also made them vulnerable to data breaches.

Following the legal dispute between the Texas Health and Human Services Commission and its former contractor Xerox, the state agency reported a data breach which affected 2 million individuals. This data breach added to the already existing number of breaches on the “wall of shame” of the Dept. of Health and Human Services, which increased the count to 1,167 incidents affecting nearly 41.3 million individuals. With the HIPAA breach notification rule being effective since 2009, most of these incidents involved business associates. However, with the HIPAA Omnibus Rule coming into effect, business associates and subcontractors are now liable to maintain HIPAA compliance.

Texas HHSC reported the data breach incident as one of unauthorized access or disclosure. It is believed to have involved electronic records of 2 million individuals, including their birth dates, Medicaid numbers, and medical and billing records related to care provided through Medicaid, reports, diagnosis codes as well as photographs. Even as Xerox takes data security very seriously with data protection measures, the covered entities also need to have in place information security risk analysis and contingency planning. Such proactive measures will help them be prepared to face any issues of a business associate destroying protected health information.

Moreover, with OCR enforcing HIPAA, the business associates also need to spell out how they would safeguard the protected health information along with their covered entities. Further, under the HIPAA Omnibus Rule, the covered entities need to report any security incidents, which are presumed to be data breach cases unless the analysis shows the risks are low.

Conclusion
Nevertheless, in the technologically enabled business world that uses portable devices and BYOD options for accessibility, data breaches may be caused by lost or stolen devices without encryption. The use of comprehensive security solutions such as Aegify Security Posture Management or Aegify Risk Management will help healthcare providers and their business associates keep data threats at bay and maintain periodic risk analysis throughout their life cycle.

The post Why Data Breaches are reported after Vendor Disputes? appeared first on Aegify.

Sony Pictures Employee Data Breach – Valued lessons for the Digital World
https://www.aegify.com/sony-employee-data-breach/
Wed, 28 Jan 2015 11:22:33 +0000

Modern enterprises with a digital presence handle a variety of digital data, from structured data and textual data such as reports, contracts and emails to technical drawings and multimedia. The most dangerous threat they face today is therefore the leakage of confidential data. Defined as an unauthorized transfer of sensitive data from an organization to an unauthorized external destination, data leakage brings with it financial and personal damage.

According to the annual study conducted by the Ponemon Institute, a compromised customer record can cost the enterprise anywhere from 4 to 156 USD. Further, leaked customer data leads to loss of reputation, customer abandonment and even fines, settlements and compensation fees. While the earlier data breaches at Sony PlayStation compromised 77 million user accounts, the recent one compromised 25 million.

Experts warn Big Businesses to Learn from Sony Pictures ‘Epic Nightmare’ Hack

Enterprises make use of different methods to detect and prevent leakage of each type of data. However, incidents such as the one that occurred at Sony have caused customers to turn to competitors. Security experts therefore warn big businesses to learn from Sony’s ‘Epic Nightmare’ hack, which broke last month when a group operating under the #GOP attempted to blackmail the firm. The cyber criminals hacked into Sony’s computer systems, paralyzed their operations and tapped into their trove of hypersensitive data. The aftermath was a steady flow of revelations, which included top employees’ salaries and nasty emails shared across various sites, and led to former employees suing the company for data breach.

Security experts are of the opinion that enterprises need to invest more in their network security without being too concerned about the costs incurred. For Sony Corp., cleaning up the mess from the latest attack is going to cost millions. Enterprises need to be well prepared to respond to attacks with regular backups. Monitoring network traffic, ensuring the use of updated versions of operating systems and applications, and the use of firewalls will help to protect valuable data. Sony’s case, however, is one wherein the intruders stole more than 25 gigabytes of sensitive data on tens of thousands of Sony employees, including Social Security numbers, medical information, and the name, location, employee ID, network user name, base salary and date of birth of more than 6,800 individuals. The endless leaks and crazy details emerging point to the fact that the attackers had gained access to an unknown number of internal systems at Sony.

The hack, estimated to have cost Sony $100 million, was a result of their security loopholes. Vulnerability monitoring and risk assessment have to be continuous. To avoid such situations, enterprises can deploy cloud-based solutions for IT security and compliance management, vulnerability analysis and risk management. Aegify, a flagship product, effectively addresses risk management, IT security and compliance. Offered as Software-as-a-Service, this solution targets small, medium and large enterprises and is an easy-to-use, cost-effective solution.

The post Sony Pictures Employee Data Breach – Valued lessons for the Digital World appeared first on Aegify.

Robbers Force Physician to reveal access credentials and encryption key for stolen Laptop and Cell Phone
https://www.aegify.com/forceful-extraction-of-access-credentials/
Wed, 21 Jan 2015 12:20:04 +0000

Bad enough that robbers were stealing a laptop and a cell phone from a physician, but in a unique incident, the assailants forced the physician to disclose the password and encryption keys to the encrypted data on the laptop. Even as enterprises work to protect their data from cyber criminals, unique incidents such as the reported case of armed robbery at the Brigham and Women’s Hospital campus showcase how data breaches can result from forceful mechanisms.

From the initial investigation, it appears that the devices included information on around 1,000 patients who were treated at the hospital’s neurology and neurosurgery programs between October 2011 and September 2014, including patient names and perhaps medical record number, age, medications and information about diagnosis and treatment.

In spite of the fact that the data on the stolen devices was encrypted, this was a reportable incident to HHS, as a risk analysis and vulnerability assessment would have established the high risk of storing PHI data on portable devices, although remote wiping of data could be possible. Lost or stolen unencrypted devices have been the primary cause of breaches listed on HHS’ ‘Wall of Shame’. The Brigham and Women’s Hospital had earlier, in 2011, lost an unencrypted portable computing device, a breach affecting 638 individuals, and again in 2012 suffered the theft of an unencrypted desktop computer, a breach affecting 615 individuals.

Most healthcare establishments spend large amounts on creating firewalls and encrypting their data. In spite of this digital encryption, the new trend in unusual circumstances could involve forceful extraction of access credentials!

Today’s environment is one wherein PHI is becoming more valuable than credit cards. Further, with the Department of Health and Human Services confirming that the major data breach incidents during 2013 involved thefts of unencrypted computers, enterprises have taken proactive steps to protect themselves from data breaches, given that non-compliance with the HIPAA Omnibus Rule could cost healthcare providers and their business associates as much as $1.5 million in penalties per violation.

A proactive measure is to effectively assess all security vulnerabilities and the risks involved using solutions such as Aegify Security Posture Management and Aegify SecureGRC, which have proven to be extremely useful in preventing data breaches.

The post Robbers Force Physician to reveal access credentials and encryption key for stolen Laptop and Cell Phone appeared first on Aegify.

Facing OCR Audits with Confidence
https://www.aegify.com/facing-ocr-audits-with-confidence/
Thu, 15 Jan 2015 04:09:47 +0000

Reports show that healthcare data breaches have reached nearly 138%. The Department of Health and Human Services’ Office for Civil Rights is therefore unveiling its second round of the audit program. Unlike the previous ones, this time the OCR is looking to conduct audits across all high-risk areas. While this eliminates on-site visits, they are looking towards potentially integrating the audits into OCR’s formal enforcement program.

While audits for HIPAA compliance have become more common, many healthcare providers are still not effectively prepared for an audit. These healthcare providers and their business associates may therefore face serious consequences during the next round of OCR audits. What healthcare providers need to understand is that while the Office for Civil Rights is not out to get them, it definitely expects healthcare enterprises to make good-faith efforts to protect their vital patient data. Even two years after the 2012 OCR pilot program audits, the covered entities and business associates need to look for more effective measures to protect themselves and not fall victim to past mistakes.

In fact, with technology being integrated into the audit process, healthcare providers need to learn from their past mistakes and be ready to face the OCR audits. The 2012 OCR audits helped to expose gaps in healthcare compliance such as:

  • Minimal to nearly nil protection, with even the basic security tools and methods to identify vulnerabilities absent, leading to exposure of patient data.
  • No clear knowledge of where data is located, while allowing anywhere, anytime access to the data from various handheld devices.
  • Unavailability of training sessions for employees or techniques for data monitoring and reporting of data breaches.

Since the Department of Health and Human Services has recorded more than 500 cases of data breaches affecting 33 million PHIs on its wall of shame, the covered entities and their business associates need to understand that OCR audits act as a vehicle to help them efficiently monitor HIPAA regulatory compliance. However, as a first step in the process, these establishments need to conduct a risk assessment to identify areas of vulnerability.

Nevertheless, with HIPAA dictating the need to protect PHI, the covered entities and their business associates need to deploy more strategic methods that will help them identify the risks faced by their data. Deploying comprehensive security management solutions such as Aegify Security Posture Management and Aegify Secure GRC will help these healthcare providers face the OCR audits with confidence.

The post Facing OCR Audits with Confidence appeared first on Aegify.
