Healthcare Compliance – Aegify (https://www.aegify.com)
Comprehensive Security, Risk and Compliance Assurance Solution

Internal Medicine Associates of Memphis Achieves HIPAA compliance
https://www.aegify.com/internal-medicine-associates-of-memphis-achieves-hipaa-compliance/
Mon, 04 Jan 2016 17:05:25 +0000

Background & Challenges

“We had no idea where our compliance posture stood, or how much of our daily practices were already in compliance. However, we did know that we were not in compliance as much as we should’ve been,” said Donnell, office manager for Internal Medicine Associates of Memphis, Tennessee. This is not an uncommon view among small medical practices nationwide. HIPAA data privacy laws, coupled with HITECH security rules and enforcement, are complex and foreign to most offices. These small businesses are not blessed with the deep pockets or internal IT resources that larger clinics and hospitals use to fund and obey HIPAA compliance standards. In most cases, outside consulting firms are hired, charging tens of thousands of dollars to ensure that hospitals receive the training and directives they need to stay in compliance. Not so for most small medical practices.

Key Requirements

Electronic health records (EHR) systems have certainly made management of confidential patient records easier in some respects but not necessarily more secure. The federal government is also encouraging the deployment of EHR via a program of monetary incentives that follow guidelines set out by “Meaningful use” practices. Offices that have not implemented EHR are not qualified to file for these incentives. The pressure is on for all medical practices regardless of size, to upgrade to EHR. “The sad reality is that, like many offices our size, we are still using paper forms,” said Donnell. “We have paper records that are 10-12 years old that can be difficult to find because nothing is online.” With three full-time primary care physicians and nine employees, Internal Medicine Associates of Memphis was facing a high degree of risk and potential fines for noncompliance.

Aegify RSC Suite: a HIPAA Solution to the rescue

Fortunately, they turned to David Altizer, vice president of SOS Systems of Memphis, to cure their ailments with a HIPAA compliance solution and set of best practices. Immediately, SOS Systems, a Managed Compliance Provider (MCP) partner of Santa Clara, Calif.-based Aegify, rolled up their sleeves and began putting a HIPAA strategy into action. Starting with an evaluation to assess needs, SOS used the native templates available in Aegify’s RSC Suite solution to set up policies and automate procedures, thus helping to manage a decade’s worth of patient records. “We started with nothing, and SOS thankfully provided all the documentation we needed,” said Donnell. “We scanned into the system hundreds of patient files. Using Aegify RSC Suite, we performed an assessment that instructed us how to proceed with aligning ourselves with HIPAA compliance. We could browse and click and see where things had to be. SOS trained us on using Aegify RSC Suite and explained how and where we needed to be compliant.” Donnell also realized that following HIPAA best practices would lead to running her medical office more efficiently as a business. With the help of SOS Systems, Donnell could rest assured they were on the right track. “We promised to do whatever it took to get compliant. The last thing we wanted was to deal with a fine,” she said.

Results of using Aegify RSC Suite

Donnell found Aegify RSC Suite easy to use and deploy. “The web-based system simply asks a lot of questions, like a multiple choice test. We selected the answers and then attached the appropriate document to update and prove compliance.” “The system gave me confidence that policies and procedures were being followed, and that patient records were being managed successfully.” “We enjoyed working with SOS Systems and did not consider using another service provider. They have been very helpful. This was our first working experience and we are satisfied with the results,” said Donnell.

Conclusions: quick deployment, easy to use, a business-saver

“The Aegify RSC Suite solution was self-explanatory from the get-go. I figured that if I could use it, then anybody else could, too. Soon enough, I found myself conducting the assessments alone without any help,” admitted Donnell. “The whole process took less than two hours, and that included attaching documents, proving compliance, and completing the entire process.” “Wherever we needed guidance, SOS stepped in to help. Regarding HIPAA, we now have peace of mind. SOS has been a true life, or rather, business, saver.”

Finding ‘Meaningful Use’ in a simple HIPAA Solution
https://www.aegify.com/finding-meaningful-use-in-a-simple-hipaa-solution/
Sun, 03 Jan 2016 17:04:38 +0000

Background & Challenges

Barbara is the office manager for a Grand Rapids, Michigan family practice with four staffers and 1800 patients. The practitioner has been providing healthcare services to patients for 24 years. While attending her monthly association meeting of regional physician office managers, Barbara met local services provider Joe Dylewski, president of ATMP Solutions (http://www.atmpgroup.com), a provider of healthcare IT technology for more than 20 years. Her challenge posed to Joe? To help her find an online risk assessment solution she could use without any previous IT experience or formal computer education. Her goal was to meet and sustain compliance with HIPAA and HITECH regulations, to fulfill a few core requirements of “Meaningful use” statutes, and to facilitate patient care reimbursements from insurers. Several years ago the office had transitioned its patient records to an EHR system to automate day-to-day processes, thus helping to reduce administration costs.

Key Requirements

One of the requirements being sought was that the HIPAA solution be fully accessible to users online, and easy to operate. Another requirement was to achieve a longer term goal of satisfying provisions as outlined by “Meaningful use.” According to the provisions of the Healthcare Information Technology for Economic and Clinical Health Act (HITECH), healthcare organizations that have achieved “meaningful use” by 2011 will be eligible for incentive payments; those who have failed to achieve that standard by 2015 may be penalized. “Meaningful use” describes the use of health information technology that leads to improvements in healthcare and furthers the goals of information exchange among health care professionals. To become “Meaningful users” providers need to demonstrate they’re using certified EHR technology in ways that can be measured significantly in quantity and in quality. Not wanting to operate disparate systems, the Grand Rapids family practice was looking for a simple HIPAA compliance solution that had to be an extension of their office electronic healthcare records system.

A Solution for Compliance with HIPAA/HITECH

After conducting an evaluation of her office environment, ATMP Solutions recommended that Barbara implement Aegify RSC Suite, a cloud-based, SaaS-delivered application developed by Aegify Inc., of Santa Clara, Calif. The application helps meet HIPAA and HITECH privacy and security rules at dramatically less cost and complexity than standard approaches. “Aegify RSC Suite is probably the only tool on the market built from the ground up to service small medical practices,” said ATMP’s Joe Dylewski. “It also had the incomparable value of not requiring its users to have deep domain knowledge with the intricacies of HIPAA laws.”

Results of using Aegify RSC Suite

Said Barbara, “A major attraction of Aegify RSC Suite is its ability to collect and store all HIPAA-related provisions and related documents online into a single repository, making it a hands-on tool and thereby easier to use and access. The system is understandable given our level of tech expertise.” Having Aegify RSC Suite automate the risk assessment process by providing a comprehensive list of questionnaires gave the office its clearest picture yet of its current state of compliance, highlighting specific non-compliant areas, such as backup and recovery, that needed immediate addressing before the office could take comfort in knowing they were 100% HIPAA compliant.

Conclusion: Quick Deployment of Aegify RSC Suite

The deployment went as planned. “There was no need to schedule 40 hours to walk through the system,” said Barbara. “It only took 3-4 weeks to complete the entire process and determine our level of compliance.” “Being an ACO (accountable care organization), it was important for our practice to fall in-line with prevailing compliance standards, to not cause a bottleneck with other doctors’ offices or business associates, and most of all, to not find ourselves in any hot water with regulators. I know this [Aegify RSC Suite] is going to be useful. We’re already seeing other groups within our association take interest. They too want to get involved with ATMP and Aegify’s compliance solution.” “Another added plus about this application is the positive impact it has had with expediting our reimbursements, which is always good for business.”

The Ever growing list of HIPAA breaches
https://www.aegify.com/ever-growing-list-of-hipaa-breaches/
Fri, 03 Apr 2015 07:11:19 +0000

Cyber threats and cyber-security are getting full attention across the world, with many governments setting up aggressive cyber security mechanisms. Enterprises, irrespective of the type of industry and size of business, are prone to cyber-attacks and the consequential data breaches, with the healthcare industry being most affected. HIPAA breaches are getting rampant, with a reported 67% increase in health care related data breaches, resulting in losses of $1 trillion for businesses; 30-60 million identities get stolen every month; 100% CAGR YOY. The average cost for a breach is $5.5 million!

The Health Insurance Portability and Accountability Act demands that health care providers report data breaches in cases that affect more than 500 people. In case of violation of HIPAA, enterprises and their business associates and covered entities face a penalty of $50,000 reaching up to $1,500,000. Over 40% of cyber security breaches in 2014 have been across healthcare providers and their business associates. Such rampant breaches across this sector lead to the loss of millions of digital healthcare records and personal information of patients, and therefore call for aggressive countermeasures, given the fact that PHI is getting more valuable in the cyber-fraud scenario than credit cards.


As per the requirements of HIPAA compliance, all patient health information and critical assets have to be secure. But the records compiled in 2014 point to a disturbing increase in data breaches, to nearly 41 million from 29.3 million, an increase of 41% over 2013. Moreover, records also show that the complaints received by the Office for Civil Rights include nearly 5,447 unresolved cases and around 53,000 closed. The reasons given for closure are lack of jurisdiction or complaints being withdrawn, and not because there was no HIPAA violation. Further, analysis of the HHS data also brings to light that a large portion of the security breaches (over 52%) have been through theft, nearly 10% due to unauthorized access due to loss of devices, and over 9% due to hacking incidents.
[Figure: 2014 PHI data breaches, percentage distribution by cause]

Source: Compilation by Erin McCann, Managing Editor at Healthcare IT News, using data from the Department of Health and Human Services, which includes HIPAA breaches involving more than 500 individuals, reported by 1,149 covered entities and business associates

Businesses across the healthcare industry and its verticals therefore need to scan their PHI assets and conduct security analysis besides ensuring meaningful use of the EHR. Understanding the criticality of the situation, enterprises have deployed a number of new age techniques to protect their electronic data from breaches.

Aegify has been developed as a comprehensive security, risk and compliance management solution that not only addresses all HIPAA compliance needs but also provides covered entities with meaningful use attestation reports with proof of security and risk analysis. Further, Aegify automates HIPAA management through a continuous workflow assessment cycle, and provides instant remediation measures to correct security deficiencies. It is a solution trusted by 70+ MSPs with thousands of customers. Aegify protects your assets, detects vulnerabilities proactively, and responds with appropriate remedial measures. Aegify is the only solution that unifies a comprehensive Security, Risk, and Compliance Assurance system.

Yet another Cyber Attack – Personal Information of 11 Million individuals Breached
https://www.aegify.com/yet-another-cyber-attack-personal-info-breached/
Wed, 25 Mar 2015 10:21:06 +0000

Premera Blue Cross, a health plan in the Pacific Northwest, is about to get on the Wall of Shame as soon as HHS confirms details of the Premera hacking incident, in which a cyber-attack reportedly exposed personal information of 11 million individuals, the second largest breach on the federal tally.

The initial attack occurred on May 5, 2014 as per Premera’s investigation, and Premera notified the FBI. Premera would be notifying approximately 11 million affected individuals by mail and offering two years of free credit monitoring and identity theft protection services, with a dedicated call center for its members and affected individuals.

This would have an adverse brand effect for Premera Blue Cross, Premera Blue Cross Blue Shield of Alaska, and its affiliate brands Vivacity and Connexion Insurance Solutions Inc.

Premera members’ breached information could include names, dates of birth, Social Security numbers, mailing addresses, email addresses, telephone numbers, member identification numbers, bank account information and claims information, including clinical information. The Company said, “Along with steps taken to cleanse its IT system of issues raised by this cyber-attack, Premera is taking additional actions to strengthen and enhance the security of its IT systems moving forward”.

More and more businesses are falling prey to cyber criminals. How confident is your organization to say that you are fully prepared? About 40% of cybersecurity breaches in 2014 were in the healthcare vertical. Recent reports indicate that healthcare data is becoming more valuable than the credit card data. HIPAA compliance requires that all PHI information and PHI critical assets be secured.

First, it is essential to protect your information assets, not just assuming that your endpoint computers remain well protected but extending the protection to include laptops, tablets, mobile smartphones, and removable storage devices such as USB flash drives. Knowing your critical assets and their roles in processing, storing or transmitting information is critical. Most often, as organizational members bring in their own devices (BYOD), information control becomes difficult. The 2015 security trend projects that mobile devices will increasingly be the target of attack for credential and authentication thefts. Therefore, it is essential to implement an effective asset tracking management system for your internal and external/perimeter IT infrastructure.

To be HIPAA compliant – businesses need to do a HIPAA assessment, security scan their PHI assets and do Security Risk Analysis. This is also required for meaningful use attestation for various stages.

Second, vulnerabilities discovered in dormant code (POODLE, Shellshock, GHOST), the inadequate security built into new technologies, and the failure to apply security patches and updates from software vendors all contribute continuously to the exploitation of vulnerabilities that results in data breaches. Healthcare organizations are at great risk as long as they continue to use outdated software and rudimentary security. You need to consider acting proactively against the continuing challenges of securing your information assets, and improve your security posture with Aegify Security Posture Management. Aegify scanner gives you the following distinct features that other web scanners do not offer:

  • Browser Emulation Scanning Technology (BEST) – Browser-based scanning of client-side Web applications to find vulnerabilities in deployed and running web applications such as JavaScript, AJAX, and Flash
  • Web Application Pass-Through Scanning – Uses current vulnerabilities to scan and accurately report on unaddressed vulnerabilities and web applications including third-party applications exposures deep in the network, providing a more accurate and complete report.
  • Batched Scanning – Reduces scan times and allows customers to target specific and mission critical addresses.
  • Content Scanning – Scans Databases and applications for specific content such as credit card and social security numbers, ensuring personally identifiable information is not visible to hackers.
  • Operating System Scanning

Aegify Security Posture Management solution uses innovative, patent-pending expert systems technology to automatically map security vulnerabilities to compliance mandates. Representing the new breed of solutions from Aegify, Security Posture Management (SPM) is cloud-based and offers several distinct features.

The Third step is to integrate the security scan results automatically to your compliance control requirements using solutions such as Aegify Compliance Manager.

You can try out the free community edition before subscribing to Standard, Professional or Ultimate editions.

Aegify is a comprehensive Security, Risk and Compliance Management solution for addressing all HIPAA compliance needs. It provides meaningful use attestation reports with proof of security risk analysis. Aegify automates HIPAA management using a continuous workflow of Assess->Remediate and Monitor so that businesses can be assured of their HIPAA compliance status. Aegify’s simple 1-2-3 steps help in establishing an automated state of continued readiness.

Businesses can prevent such breaches from happening using Aegify. Aegify provides HIPAA compliance Assurance!

Common mistakes to avoid to be guarded from HIPAA Audits and Penalties in 2015
https://www.aegify.com/tips-to-avoid-hipaa-audits-2015/
Thu, 12 Feb 2015 09:42:57 +0000

Irrespective of the industry, the digital era demands protection of employee privacy and particularly the healthcare information as a vital obligation on the part of every employer. While the governments have designed HIPAA and HITECH laws to effectively manage this information, remaining compliant to these regulations is a daunting challenge in the world of cyber criminals.

The past year saw enterprises and individuals from various industries falling prey to data breaches and HIPAA compliance failures, more so from the healthcare industry. The Office for Civil Rights (OCR) has therefore taken stern steps to ensure privacy and security of data across enterprises in 2015. Since the OCR wants to ensure that enterprises, medical practitioners, their business associates and covered entities take proactive steps to ensure compliance with the Health Insurance Portability and Accountability Act, it intends to use the HIPAA audit program randomly across enterprises to check for compliance levels. With HIPAA audits on the horizon, enterprises need to institute smart practices and be audit ready.

The increase in HIPAA audits is a part of a stimulus, and any complaint of a security breach that involves more than 500 people is sure to trigger an audit. So employers across other industries also need to take proactive steps to be compliant with these regulations, without which they are also liable to hefty fines.

Understanding some of the common pitfalls will help enterprises to avoid the same during HIPAA audits of 2015. These mistakes include:

  • Non-compliance with the Security Rule by not updating and encrypting documents and overlooking associate agreements.
  • Failures to implement security risk assessment and compliance programs that help employees understand the need for security of PHIs which include vital information and payment card data.
  • Non-establishment of security programs that will ensure proactive monitoring of security and performance indicators and failure to continuously train and retrain employees with critical access on documenting processes of the vital data and EHR
  • Failure to update Privacy Practices
  • Ignoring privacy laws that interact with HIPAA

With OCR using the HIPAA audit program to randomly assess covered entities and their business associates for compliance with the HIPAA privacy, security and breach notification rules, these organizations must have a proactive approach to audits. As a step towards this, enterprises need to ensure that their plan is documented and well communicated across the organization.

With regulators favouring a risk-based approach, enterprises need to make use of Security and Compliance programs such as Aegify, that will help them evaluate the risks and vulnerabilities in their environments. While this will implement security controls that will address these issues it will also prepare their business to face OCR as and when it reaches them.

How Physicians can Avoid HIPAA Penalties in 2015
https://www.aegify.com/how-physicians-can-avoid-hipaa-penalties-in-2015/
Mon, 09 Feb 2015 07:03:44 +0000

With the healthcare industry moving towards digitalization, electronic health records, even in protected formats, are becoming increasingly attractive to the criminals of the cyber world. Not a day goes by without news articles published about hospitals or medical practitioners paying millions of dollars as penalties due to public exposure of protected health information. According to Forrester, while a single health record sells for $20 on the black market, a complete patient dossier including driver’s license, health insurance information, and other sensitive data can sell for $500.

Physicians who have had to compromise their Drug Enforcement Administration (DEA) number or have faced investigations from government will understand the need to use measures to protect the electronic health information of their patients and avoid HIPAA penalties in 2015. Further, as an after-effect of the changes to the HIPAA Omnibus Rule, the HHS Office for Civil Rights has taken measures to scrutinise medical practitioners who move away from their directive to ensure privacy of patient data. Moreover, physicians need to understand that, depending on the conduct of violations, penalties may vary from $100 to $50,000 per violation. Also, in case the violation results from “wilful neglect”, the practitioners or their business associates involved will have to pay penalties to the tune of $10,000 to $50,000 per violation.

Professionals from the healthcare industry need to be very careful about the ways they handle their patients’ data. Even the loss of a physician’s personal laptop containing PHI may lead to numerous violations. Hence professionals who face such circumstances will also be subjected to penalties on the basis of failure to implement protective measures for EHR. The covered entities are also supposed to report such breach cases to the affected parties as well as to HHS.

While HIPAA imposes regulations and restrictions on the medical practitioner, it also offers covered entities various ways to avoid HIPAA penalties. In case the breach of protected health information is not an act of “wilful neglect” and the covered entities are ready to take up corrective measures within a period of one month, then there are chances that they may avoid HIPAA penalties. Further, to mitigate resulting liability under the HIPAA rules and avoid penalties arising from breaches of EHR, physicians need to conduct regular security risk assessments and implement administrative and technical safeguards. Moreover, executing business agreements with their business associates, providing their employees with effective training, monitoring their performance, and documenting these actions will help covered entities to avoid HIPAA penalties. In the event of any breach, timely reporting is critical, as otherwise it will be construed as wilful neglect; it is equally important to respond immediately to any suspected breach.

Conclusion
Integrating technological innovations may make 2015 a dynamic year for the healthcare industry. Nevertheless, physicians also need to take up adequate steps to maintain practice revenues and be compliant to HIPAA regulations. Aegify is a continuous security monitoring and compliance management solution that is built on a framework approach that allows physicians, covered entities and business associates to gain control and improve compliance across a number of regulations including HIPAA & HITECH and other country-specific ones. Its built-in vulnerability scanning technology is a simple and effective way of monitoring the security and meaningful use-approved HIPAA compliance levels with professional results.

Robbers Force Physician to reveal access credentials and encryption key for stolen Laptop and Cell Phone
https://www.aegify.com/forceful-extraction-of-access-credentials/
Wed, 21 Jan 2015 12:20:04 +0000

Bad enough that robbers were stealing a laptop and a cell phone from a physician, but in a unique incident, the assailants forced the physician to disclose the password and encryption keys to the encrypted data in the laptop. Even as enterprises work to protect their data from cyber criminals, unique incidents such as the reported case of armed robbery at the Brigham and Women’s Hospital campus showcase how data breaches can result from forceful mechanisms.

From the initial investigation, it appears that the devices included information of around 1,000 patients including patient names and perhaps medical record number, age, medications and information about diagnosis and treatment, who were treated at the hospital’s neurology and neurosurgery programs between October 2011 and September 2014.

In spite of the fact that the data in the stolen devices were encrypted, this was a reportable incident to HHS, as a risk analysis and vulnerability assessment would have established the high risk of storing PHI data on portable devices, although remote wiping of data could be possible. Lost or stolen unencrypted devices have been the primary cause of breaches listed on HHS’ ‘Wall of Shame’. The Brigham and Women’s Hospital had earlier, in 2011, lost an unencrypted portable computing device, a breach affecting 638 individuals, and again in 2012 suffered the theft of an unencrypted desktop computer, a breach affecting 615 individuals.

Most health care establishments spend large amounts on firewalls and on encrypting their data. In spite of this encryption, the new trend in unusual circumstances could involve forceful extraction of access credentials!

In today’s environment, PHI is becoming more valuable than credit cards. Further, with the Department of Health and Human Services confirming that the major data breach incidents during 2013 involved thefts of unencrypted computers, enterprises have taken proactive steps to protect themselves from data breaches, given that non-compliance with the HIPAA Omnibus Rule could cost healthcare providers and their business associates as much as $1.5 million in penalties per violation.

A proactive measure is to effectively assess all security vulnerabilities and the risks involved using solutions such as Aegify Security Posture Management and Aegify SecureGRC, which have proven to be extremely useful in preventing data breaches.

How can EP’s avoid being penalized for Meaningful Use failures in 2015
https://www.aegify.com/avoid-meaningful-use-penalties-in-2015/
Thu, 01 Jan 2015 13:07:43 +0000

The need for effective patient care has driven governments to move the healthcare industry into the digital world. To promote this among eligible providers and stop the innumerable cases of data loss due to the transfer of information on paper charts, the government is giving incentives to those who adopt Electronic Health Records (EHR). However, with 2014 being considered the last year to apply for government incentives, come 2015 the eligible providers may face penalties that will accumulate over time. Eligible Providers (EPs) therefore need to take proactive steps towards meaningfully using their EHR technology.

“Meaningful Use of EHR” is a Medicare and Medicaid program that awards incentives for using certified electronic health records (EHRs). This program enables healthcare providers to give patients improved care. However, to achieve the stamp of “Meaningful Use” and avoid any penalties, these providers must follow the roadmap to effective usage of EHR not later than 2014. The program encourages the switch to electronic records, and its benefits are not just improved patient care but also improved efficiency and performance levels, along with government incentives for healthcare providers. Eligible healthcare providers who have not yet ventured into the meaningful use of EHR will be penalized in 2015 with a penalty equivalent to 1% of their Medicare Part B reimbursement.

Staying away from penalties therefore calls for smart decision making. Moreover, to check on EPs’ attestation under the meaningful use program and their collection of incentives, the government will be conducting random audits. Healthcare providers need to have all their documentation in place, irrespective of whether it is kept in-house or outsourced. With 2014 being the last year to begin the MU and EHR incentive program, EPs who have not done so not only lose out on $23,520 but will also be penalized in 2015.

Moreover, there are reports of CMS targeting 257,000 doctors with meaningful use penalties beginning January 5th, 2015. EPs therefore need to demonstrate that they have adhered to MU regulation since Oct 1, 2014 in order to avoid any penalty.

However, EPs can still cut their losses by:

  • Building a dedicated MU team that can initiate and adhere to the regulations.
  • Demonstrating Meaningful Use prior to 2015.
  • Availing themselves of hardship exceptions for EPs.
  • Making use of an integrated EHR or outsourcing to a specialist’s services.

The Aegify solution, through its simplified process, will help EPs achieve Meaningful Use status. As a powerful, simple-to-use, cloud-based solution, Aegify provides all the necessary expertise to assess, analyze and mitigate regulatory risk while maintaining ongoing HIPAA/HITECH compliance. While this solution provides eligible professionals every means to secure the federal grant through tools that demonstrate meaningful use, it also helps them meet the industry-wide perspective of HIPAA compliance. Aegify SecureGRC, with its built-in assessment of meaningful use, produces reports that can be used for filing the online application for the grant. This addresses the requirements relating to meaningful use core measures, menu measures and clinical quality measures, and in particular addresses the requirement for eligible hospitals as well as for EPs with respect to risk analysis.

Data Breaches to Increase further in 2015
https://www.aegify.com/2015-to-bring-even-more-data-breaches/
Fri, 26 Dec 2014 09:03:15 +0000

Technological innovations over the years have paved the way for physicians and healthcare professionals to adopt mobile technology in their healthcare practices. While this has had a positive impact on patient care, organizational efficiency and workflow, healthcare data breaches have unfortunately become a major issue faced by a large number of healthcare providers.

Even as reports showed that 42% of serious data breaches in 2014 were in the healthcare sector, recent reports from Experian, the credit reporting company, talk of 2015 bringing in more data breaches. This vulnerability of the healthcare industry is seen as a result of the increase in the number of access points to patient health information that comes with the increased use of electronic health records. The presence of a patient’s social security number on the Medicare card is sensitive data that increases the vulnerability potential. While the Definitive Healthcare Hospital database has tracked 251 data breaches across 7,506 hospitals, Health IT Security shows that nearly 68% of these healthcare data breaches are due to theft and loss of portable devices and a few are due to human errors.

Data breach risk high with increase in smart device usage:

With the increase in the use of smartphones and new-age, high-end devices for accessing digital information, it is expected that 2015 will bring in even more healthcare data breaches. Healthcare providers and medical establishments must therefore take proactive measures to protect their electronic health information from data breaches. Further, the reports indicate that only 23 percent of healthcare data breaches are caused by cyber criminals. However, based on the case of the Brigham and Women’s Hospital physician who was robbed and forced to disclose access to encrypted data, it is clear that encryption of data alone is not enough to protect EHR.

According to the Department of Health and Human Services’ HIPAA Security Rule, encryption is a process which uses “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key, in such a way that data cannot be breached.” Nevertheless, in the BWH case the key was indeed breached after the pass codes were given.

Conclusion:

Thus health care providers and their business associates need to deploy effective and mature security solutions that will not only be economical but will also safeguard the security of the EHR. Security, risk and compliance solutions such as Aegify offer a one-stop, integrated, web-based solution that allows healthcare professionals to ensure security and compliance through effective and practical automated risk management. This significantly reduces the impact of data breaches by providing continuous security and risk feedback on the addition of new assets and security practices, with instant recommended remedial measures for quick implementation. Aegify helps you to remain continuously secure, risk-free and compliant.

Understanding HIPAA Ruling and its Impact on Breaches
https://www.aegify.com/understanding-hipaa-ruling/
Wed, 17 Dec 2014 04:19:51 +0000

The Connecticut case of Emily Byrne vs. Avery Center for Obstetrics and Gynecology may be a trend-setter, one where healthcare providers and business associates could be at legal risk by failing to follow the HIPAA regulation or other privacy regulation. In this case, a patient sued the healthcare clinic for releasing her medical records to a third party, under subpoena, without informing her or getting her permission, a case that showcases the impact of data breaches.

As a result of Avery Center for Obstetrics and Gynecology releasing the medical records to a third party, the patient’s ex-boyfriend viewed her “highly sensitive” health records and used them to harass, embarrass and extort her. While HIPAA does not allow individuals to file a lawsuit claiming violation of their privacy under the HIPAA regulations, the plaintiff in the Connecticut case alleges that the clinic was negligent when it released confidential health records instead of protecting the patient’s information, a violation of HIPAA. Since the Connecticut Supreme Court ruling allowed for a negligence claim for the alleged violations of HIPAA privacy standards, attorneys are explaining the HIPAA ruling.

However, health data breach lawsuits filed under statutes other than HIPAA required plaintiffs to show the impact of the breach. The case against Sutter Health was one such case, which was dismissed by the courts as the plaintiffs failed to show evidence of harm, such as identity theft or fraud, caused by the breach. Nevertheless, even under the HIPAA ruling the impact of breaches on victims plays a vital role in alleging HIPAA negligence. Therefore the standards set forth in HIPAA, both for privacy and for data breaches, call on enterprises to put regular safeguards in place to protect patient information.

Healthcare establishments today receive heightened attention from regulatory bodies enforcing penalties for data breaches. The Connecticut Supreme Court, through its ruling in the Byrne case, sends a clear message to healthcare providers and their business associates to steer away from poor encryption practices and put in place an appropriate program to prevent any data breaches. If they fail to follow HIPAA, they face legal risks, given the ruling’s impact on breaches.

With the HIPAA Omnibus Rule effective since 2013, business associates and covered entities handling patient health information are directly responsible for HIPAA compliance and must encrypt data and avoid the mistakes that expose data. Besides, the use of the Aegify security and compliance monitoring system will give these covered entities continuous security monitoring and effective compliance that demystifies the complex compliance regulations. Since the Aegify solutions address the security and compliance requirements of covered entities as well as business associates, individuals can be assured that their private healthcare data remains safe and secure.
