HIPAA audit program – Aegify (https://www.aegify.com), Comprehensive Security, Risk and Compliance Assurance Solution. Feed dated Wed, 03 Aug 2016 00:23:42 +0000.

Common mistakes to avoid to be guarded from HIPAA Audits and Penalties in 2015
https://www.aegify.com/tips-to-avoid-hipaa-audits-2015/ (originally http://www.egestalt.com/blog/?p=931)
Thu, 12 Feb 2015 09:42:57 +0000

Irrespective of industry, the digital era makes the protection of employee privacy, and of healthcare information in particular, a vital obligation of every employer. While governments have designed the HIPAA and HITECH laws to manage this information, remaining compliant with these regulations is a daunting challenge in a world of cyber criminals.

The past year saw enterprises and individuals from various industries, and the healthcare industry above all, fall prey to data breaches and HIPAA compliance failures. The Office for Civil Rights (OCR) has therefore taken stern steps to ensure the privacy and security of data across enterprises in 2015. Since OCR wants enterprises, medical practitioners, their business associates and covered entities to take proactive steps toward compliance with the Health Insurance Portability and Accountability Act, it intends to apply the HIPAA audit program randomly across enterprises to check compliance levels. With HIPAA audits on the horizon, enterprises need to institute smart practices and be audit ready.

The increase in HIPAA audits is part of a stimulus, and any complaint of a security breach involving more than 500 people is sure to trigger an audit. So employers in other industries also need to take proactive steps to comply with these regulations; without them, they too are liable to hefty fines.

Understanding some of the common pitfalls will help enterprises avoid them during the HIPAA audits of 2015. These mistakes include:

  • Non-compliance with the Security Rule by not updating and encrypting documents and by overlooking business associate agreements.
  • Failure to implement security risk assessment and compliance programs that help employees understand the need to secure PHI, which includes vital personal information and payment card data.
  • Failure to establish security programs that proactively monitor security and performance indicators, and failure to continuously train and retrain employees with critical access on the documented processes for vital data and EHR.
  • Failure to update the Notice of Privacy Practices.
  • Ignoring other privacy laws that interact with HIPAA.

With OCR using its HIPAA audit program to randomly assess covered entities and their business associates for compliance with the HIPAA privacy, security and breach notification rules, these organizations must take a proactive approach to audits. As a first step, enterprises need to ensure that their compliance plan is documented and well communicated across the various entities of the organization.

With regulators favouring a risk-based approach, enterprises should make use of security and compliance programs such as Aegify to evaluate the risks and vulnerabilities in their environments. Such a program implements security controls that address these issues and also prepares the business to face OCR as and when the auditors reach them.

Healthcare Industry gears up to meet the EHR Audits in the New Year
https://www.aegify.com/healthcare-industry-gears-for-ehr-audits/ (originally http://www.egestalt.com/blog/?p=837)
Thu, 27 Nov 2014 12:03:28 +0000

The EHR audits are around the corner. The Centers for Medicare & Medicaid Services brought forth the EHR incentive program to encourage healthcare providers to adopt electronic health record systems and secure data sharing practices. Even though the meaningful use incentive program was intended to encourage the healthcare industry to digitize its data, providers who received EHR incentive payments under the Medicare or Medicaid EHR Incentive Program became liable to audit. The Office of Inspector General recently released its 2015 work plan, which specifies that it will continue to pay close attention to the healthcare industry's use of electronic health records, in particular HIPAA security, EHR incentive payments and fraud. Preparing to audit the digitized healthcare industry in the coming year, the Office of Inspector General has also requested a $400 million FY 2015 budget, an increase of $105 million, and 284 additional full-time employees to help expand OIG audits and reviews of IT security, compliance and electronic health records.

With federal money flowing through the EHR incentive program, hospitals, providers, vendors and consultants are working toward meaningful use of EHR. Nevertheless, if a hospital or medical practitioner accepts federal money to put EHR to meaningful use, it must also prove that use with appropriate electronic tools, per the norms set by the Centers for Medicare & Medicaid Services. Further, incidents such as those at Shelby Regional Medical Center in Texas and Detroit Medical Center, which led to heavy data leakage and financial loss, demand that healthcare providers, their business associates and vendors treat meaningful use of electronic patient health records as a compliance requirement. In the wake of this requirement, eligible professionals, hospitals and critical access healthcare centres were asked to maintain relevant documentation supporting this activity.

Besides, as U.S. Inspector General Daniel R. Levinson points out, among the important changes taking place across the healthcare industry is an emphasis on coordinated care and increased use of electronic health records. The OIG will therefore need to adopt oversight approaches suited to an increasingly sophisticated healthcare system and customizable enough to protect programs and patients from existing and new vulnerabilities. OIG audits to date have discovered that the state agency overpaid 13 hospitals $3.1 million in federal EHR cash. The payment errors were found to result from unclear and incorrect patient volume calculations. Further, nearly 80% of the state's hospitals analyzed in the audit also failed to comply with federal regulations.

By 2015, OIG will therefore need to leverage data analytics and "forensic enhancements" to investigate increasingly sophisticated healthcare fraud, including fraud involving electronic health records.

The OIG will not only audit the various covered entities receiving EHR incentive payments, but will also:

  • Identify EHR system fraud and determine whether EHR systems address known vulnerabilities.
  • Review Medicaid and Medicare EHR incentive payments.
  • Analyze the IT security of community health centers funded by the Health Resources and Services Administration.
  • Regularly review the Centers for Medicare & Medicaid Services' health information technology systems to verify that the necessary security controls are in place.

Besides these, conducting mock audits will help healthcare providers stay prepared for both pre-payment and post-payment audits. It is also prudent for enterprises to implement a comprehensive and effective solution. Security solutions such as Aegify Security Posture Management or Aegify SecureGRC, offered by leading providers of IT risk and compliance management solutions, will help healthcare establishments achieve meaningful use status with ease while keeping breaches of security protocol close to nil.

Shellshock – New Vulnerability that Healthcare Sector must address now
https://www.aegify.com/new-vulnerabilities-shellshock/ (originally http://www.egestalt.com/blog/?p=807)
Fri, 10 Oct 2014 14:44:01 +0000

The federal tally of major breaches has risen to 1074 incidents affecting 33.7 million individuals since 2009, and more incidents are added to the list every day. Healthcare organizations worldwide, though technologically sound with the latest equipment, embedded software and networked environments, are increasingly becoming targets for data breaches.

Enhanced technology lets them provide access to vital data across regions for better and faster clinical understanding and improved patient care. Nevertheless, that increase in mobility and accessibility is sadly also the reason these organizations are challenged by data breaches. The most recent example is Community Health Systems earlier this year, where Chinese hackers are believed to have taken advantage of the Heartbleed OpenSSL vulnerability and gained access to the data of 4.5 million patients of the hospital chain. Such incidents clearly indicate the wide range of risks faced by the healthcare sector.

A close study by HHS of the breaches shows hacking as the cause of at least 89 major breaches since 2009, and security experts are of the opinion that these incidents are becoming more common and pose bigger threats. Besides hacking, insider threats and lack of encryption also cause data breaches, and the growth in digitally stored patient information has seen insider threats grow substantially. Though IT leaders work to harden perimeter defences, this threat-prone environment calls on healthcare organizations to take proactive measures to mitigate the risk posed by the Bash flaws known as Shellshock.

Shellshock refers to security vulnerabilities in the Bourne-again shell, known as Bash, a command-line interface used across Unix-based systems, including Linux and Apple's Mac OS. Since Bash is present across the Internet in web servers, email servers, standalone systems, physical security systems, routers and even webcams, researchers are identifying new Shellshock attacks in the wild on a daily basis.

There is every possibility of attackers exploiting the Shellshock flaw to execute shell commands remotely and potentially take control of systems in the healthcare sector. In the process, attackers could dump stored data and launch automated worms that exploit the vulnerability on every Bash system in a network. Security experts therefore call on enterprises in this sector to use systems that can scan for Bash flaws and mitigate the risks. Most healthcare establishments already carry out periodic self-assessment and risk analysis as vital breach-prevention activities.

Beyond that, advanced security solutions such as Aegify SecureGRC and Security Posture Management give these enterprises an ideal platform to identify this vulnerability and take the necessary measures to secure their environment against data breaches.

As a healthcare organization you need to:

  • Work with vendors to identify all systems that need patching, such as those running Unix, Linux, Mac OS X, and also Windows.
  • Monitor and assess all technology-dependent medical devices and network devices for patching.
  • Patch Internet-facing systems first, as they are the crucial exposure point for Bash flaws.
  • Continuously monitor logs and network traffic over a period of time to help identify any potentially compromised systems.
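The last step, monitoring logs for signs of compromise, is the one a practitioner most wants to see made concrete. The following Python script is an added example, not code from the original post or from Aegify. It scans constructed Apache combined-format access log lines for the Shellshock signature, a Bash function definition "() {" carried in an HTTP header such as User-Agent or Referer, which a CGI handler would export to Bash through an environment variable, and reports the source address, the header carrying it, the requested path and the HTTP status. A 2xx response to a /cgi-bin/ path with the signature is flagged for immediate host review, because it means the handler ran with the hostile variable present. The log lines, addresses and paths are constructed, and the log-format regular expression is an assumption about a standard combined log.

```python
import re

# Constructed sample lines in Apache "combined" log format (not real traffic).
# The two entries from 203.0.113.7 carry the Shellshock signature: a Bash
# function definition "() {" placed in an HTTP header, which a CGI handler
# would export to Bash through an environment variable.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2014:14:44:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/32.0"
203.0.113.7 - - [10/Oct/2014:14:44:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
10.0.0.8 - - [10/Oct/2014:14:45:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "curl/7.37.0"
203.0.113.7 - - [10/Oct/2014:14:45:30 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo probe" "Mozilla/5.0"
"""

# Shellshock signature: "()" followed by optional whitespace and "{".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Assumed combined log format: client, ident, user, [timestamp], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fields a CGI server exports into the environment, in reporting order.  The
# request line is checked too, since method and query string also reach CGI
# scripts as variables.
CHECKED_FIELDS = ("ua", "referer", "req")


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_path(req):
    """Extract the path from a request line such as 'GET /x HTTP/1.1'."""
    parts = req.split(" ")
    return parts[1] if len(parts) > 1 else req


def find_shellshock_hits(log_text):
    """Scan log text and return one hit record per line carrying the signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than abort the scan
        for field in CHECKED_FIELDS:
            if SHELLSHOCK_RE.search(rec[field]):
                path = request_path(rec["req"])
                status = int(rec["status"])
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "field": field,
                    "path": path,
                    "status": status,
                    # A 2xx answer to a CGI path means the handler ran with the
                    # hostile variable present: review that host first.
                    "likely_executed": path.startswith("/cgi-bin/")
                                       and 200 <= status < 300,
                })
                break  # one record per line is enough
    return hits


def summarize_by_source(hits):
    """Count signature hits per client address for triage and blocking decisions."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_shellshock_hits(SAMPLE_LOG)
    for h in found:
        flag = "REVIEW HOST" if h["likely_executed"] else "non-2xx"
        print(f"{h['ts']} {h['ip']} {h['field']} {h['path']} {h['status']} {flag}")
    print("per-source counts:", summarize_by_source(found))
```

Run over a real access log, the per-source counts feed the blocking decision and the "likely_executed" flag orders the incident response: a host that returned 2xx to a signature-bearing request on a CGI path is treated as potentially compromised until its processes, cron entries and outbound connections have been reviewed, while signature hits that drew errors still identify scanners and confirm that patching, not just perimeter filtering, is needed.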

As with HIPAA compliance, complete security requires both covered entities and business associates to take proactive measures to handle Shellshock, address the vulnerabilities and prevent data breaches.

Aegify Security Posture Management, an innovative, completely cloud-based, automated and integrated security monitoring and compliance assessment tool, takes the complexity out of security posture and compliance management for healthcare entities. It simplifies the protection of their physical and virtual environments and IT infrastructure against breaches by cyber attackers while also meeting regulatory requirements. Equipped with features such as continuous security monitoring, a vulnerability management engine, physical and virtual network scans, interoperability, remediation and multi-layered vulnerability analysis, Aegify's security solutions provide a comprehensive end-to-end solution to identify security gaps and help enterprises apply the related patches or use virtual patching.

Significance of Documentation in HIPAA Audits
https://www.aegify.com/significance-of-documentation-in-hipaa-audits/ (originally http://www.egestalt.com/blog/?p=804)
Fri, 10 Oct 2014 14:32:41 +0000

Adhering to compliance policies such as HIPAA is essential for a new-age medical company or healthcare provider. According to Tom Walsh, it is not wise for medical companies to procrastinate about thoroughly documenting their HIPAA compliance practices, as the restart of the federal audits is imminent.

Following an established documentation procedure is crucial. No documentation that a medical company creates will count after the date on which the Department of Health and Human Services' Office for Civil Rights issues the audit notice. In his interview with Information Security Media Group at the latest Healthcare Information and Management Systems Society privacy and security forum in Boston, Tom Walsh asserted that policies must reflect precisely what is being done in your environment. A brief policy that genuinely reflects your practices is better than something downloaded online that looks impressive in its requirements but is not followed in practice. The vital point is that an audit tests that precision through a three-step technique.

"The 3 P’s" – Practice, Policy and Perception

Walsh calls this three-step technique "The 3 P's": Practice, Policy and Perception. Perception is what the regulators form by interviewing multiple levels of management about different policies, such as the password policy. After this, the regulators review the enterprise's actual documented policies to check whether they match the requirements. Finally, to ascertain that the policy is indeed practised, the auditors examine the system administrator's work. To pass all these audit criteria, all three P's must be met.

Linda Sanches, Senior Advisor at OCR, asserts that OCR had planned to start the HIPAA audits but cannot until the agency finishes the technology rollout that will collect documentation from audited entities through a web portal. OCR also plans to update the HIPAA audit protocol released in 2012. According to Walsh, companies should download the original protocol, which sets out the requirements for compliance with the HIPAA security, privacy and breach notification rules.

eGestalt presently offers security and compliance assessment services under HIPAA to address the needs of healthcare providers (covered entities) and business associates of covered entities. Various Aegify editions address the needs of small, medium and large enterprises. Aegify SecureGRC provides built-in templates for policy management documentation based on detailed practice analysis. If needed, it is relatively easy and fast to customize these policies to your practice-specific requirements.

Contact sales@egestalt.com for more information.

Phase 2 HIPAA Audits to Begin Soon
https://www.aegify.com/phase-2-hipaa-audits-to-begin-soon/ (originally http://www.egestalt.com/blog/?p=774)
Fri, 01 Aug 2014 15:57:48 +0000

Phase 2 of the much talked about HIPAA audits will soon begin, and the US Department of Health and Human Services’ Office for Civil Rights (OCR) is all set to review the compliance of covered entities and their business associates with all privacy, security, and breach notification standards set by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These audits, unlike the pilot audits conducted in 2011 and 2012, will include both covered entities and their business associates, focusing on areas of greater risk to security of protected health information (PHI) and pervasive non-compliance.

The upcoming audits will also aim to identify best practices and uncover vulnerabilities and risks that were not identified through other enforcement activities. The findings of the Phase 2 Audit Program will be used by OCR to identify areas where technical assistance has to be developed for covered entities and their business associates. In cases where the audit identifies serious non-compliance, OCR will initiate a review process of the audited organization, which in turn may lead to civil monetary penalties.

So the time is now ripe for covered entities to learn from the findings of the Phase 1 audits, understand the course of the Phase 2 audits, and prepare in advance to face the upcoming audits by taking necessary action and demonstrating compliance. Here is a more detailed look at what covered entities need to know:

Findings from Phase 1

115 covered entities were audited under the first phase of the audit program, and the following results were found:

  • Only 11% of the covered entities audited did not show any findings
  • It was found that the smallest covered entities had the maximum difficulty in complying with all three HIPAA standards
  • About 53% of the audited entities were responsible for 65% of the total findings and observations
  • Over 60% of the findings were related to Security Standard violations and 58 out of 59 audited entities had at least one finding or observation surrounding Security Standards
  • More than 39% of the findings were concerned with Privacy Standards, and this was attributed to the lack of awareness about the applicable Privacy Standard requirements
  • 10% of the findings were attributed to lack of compliance with Breach Notification Standards.

What to Expect in Phase 2

While Phase 1 focused only on covered entities, Phase 2 audits will include both covered entities and their business associates. OCR has randomly selected 550-800 entities from the National Provider Identifier database and America's Health Insurance Plans' databases of health plans and healthcare clearing houses. These entities will soon be issued a mandatory pre-audit screening survey covering the organizations' size, location, services and contact information. Based on the survey findings, around 350 covered entities, including 232 healthcare providers, 109 health plans and 9 healthcare clearing houses, will be selected for the Phase 2 audits. OCR will select a wide range of covered entities, to be audited between October 2014 and June 2015.

The shortlisted entities will be notified by OCR by this fall, and will be asked to identify and provide contact details of their business associates. Based on this information, the business associates that will participate in the Phase 2 audits will be selected.

The Audit Process

Once the covered entities and business associates have been identified, they will have two weeks to respond to OCR’s audit request. The data request will list out the content, file names, and other documentation required, for demonstrating compliance. The auditors may then contact these entities for clarification and additional documentation. Failure to respond to these requests may lead to a referral to the applicable regional office of OCR for a compliance review.

Approximately 150 of the 350 selected entities and 50 selected business associates will be audited during this phase for compliance with the Security Standards, 100 entities for compliance with the Privacy Standards, and 100 entities for compliance with the Breach Notification Standards. Unlike Phase 1, this phase will be conducted as desk reviews with an updated audit protocol rather than on-site. The audit protocol will be made available on the OCR website so that covered entities and their business associates can use it for internal compliance assessment.

The second phase will primarily target all those HIPAA standards that were identified as being the highest sources of non-compliance in the first phase. These will include risk analysis and management, content and timeliness of breach notifications, notice of privacy practices, individual access, Privacy Standards’ reasonable safeguards requirement, training to policies and procedures, device and media controls, and transmission security.

OCR is also likely to focus on the Security Standards’ encryption and decryption requirements, facility access control, breach reports and complaints, etc., in the audits to be conducted in 2016. The Phase 2 Audits of business associates will focus on risk analysis, risk management and breach reporting to covered entities.

Following the audits, OCR will present a draft report to the organizations and allow them to comment before it is finalized. Their responses will be taken into account before the final report is issued.

Preparing for the Phase 2 Audits

All covered healthcare entities and business associates should take the following steps to ensure that they are well-prepared to face the upcoming audits:

  • Make sure that a comprehensive assessment of the security status of the organization has been completed in the recent past to identify potential security risks and vulnerabilities.
  • Ensure that all action items listed out following the risk assessment, have been completed or will be completed within a reasonable timeline.
  • Prepare a complete inventory of business associates for handling data requests for the Phase 2 audits.
  • In cases where the organization has not implemented any of the addressable implementation standards for any of its systems, make sure there is adequate documentation to explain why implementation of such standards was not reasonable and appropriate, and list out all alternative security measures that have been implemented.
  • Confirm whether a breach notification policy that accurately reflects the content and deadline requirements under the Breach Notification Standards, has been implemented.
  • Ensure that not just a website privacy notice but a compliant Notice of Privacy Practices is in place.
  • Confirm whether reasonable and appropriate safeguards for PHI are in place, and they cover paper and verbal PHI.
  • Make sure workforce members are adequately trained on HIPAA standards that are necessary for them to perform their job duties.
  • Maintain an inventory of information system assets, including mobile devices even in BYOD environments.
  • Make sure all systems and software processing or transmitting electronic PHI are encrypted, and in cases where encryption has not been done, ensure that adequate documentation with reasons supporting the decision to not employ encryption, is in place.
  • Confirm whether a facility security plan is available at each physical location with access to PHI
  • Review the security policies from time to time and identify actions that have not been completed as required. This should cover physical security plans, disaster recovery plans, emergency access procedures, etc.

At this crucial juncture, when covered entities can leave no stone unturned to secure their PHI and comply with the requirements of HIPAA, a comprehensive automated security posture, compliance and risk management solution such as Aegify Security Posture Management, Aegify SecureGRC or Aegify Risk Management can prove highly valuable to healthcare covered entities and their business associates in meeting the audit requirements in a simple, timely and cost-effective manner.

Surviving OCR Breach Investigations & Audits with Tips from HIPAA Expert
https://www.aegify.com/surviving-ocr-breach-investigations-audits-with-tips-from-hipaa-expert/ (originally http://www.egestalt.com/blog/?p=713)
Tue, 20 May 2014 07:51:38 +0000

With OCR ramping up enforcement activities and issuing a number of HIPAA compliance settlements, it has become imperative for healthcare entities to act swiftly and meet all the requirements in order to survive any OCR breach investigation and the upcoming audits. OCR is clearly sending the message that it takes its responsibility to enforce the HIPAA rules seriously, particularly in light of the recent $4.8 million settlement with New York-Presbyterian Hospital and Columbia University, the largest HIPAA enforcement settlement so far.

HIPAA expert Reza Chapman deems it necessary for healthcare organizations and their business associates to take the crucial steps needed to prepare for potential breach investigations and HIPAA compliance audits. Chapman, a senior manager in the healthcare advisory services practice at the consulting firm EY (formerly Ernst & Young), says in an interview with Information Security Media Group that OCR is not only warning covered entities and business associates about ongoing enforcement, but is also responding to the [HHS] Office of Inspector General's finding that OCR did not do enough to enforce the rules last year.

It is evident that all healthcare entities and their business associates need to step up their measures more than ever and be ready for intense regulatory scrutiny. Covered entities and business associates need to accelerate their compliance and security measures and make certain they leave no avenue open for a breach. Although the primary focus should be on updating security and privacy policies and procedures to meet the HIPAA requirements, it is also vital for healthcare organizations to have a breach response and notification plan in place. While preparing for the upcoming audits, Chapman emphasizes, organizations must take the measures needed to lower their risk of expensive enforcement actions. Going further, Chapman reiterates that:

  • All organizations looking to stay clear of OCR scrutiny must carry out a thorough risk analysis and implement "positive steps to remediate the findings".
  • Entities must "demonstrate a culture of compliance that shows privacy and security are not new concepts to the organization".
  • Besides ensuring that all policies and procedures are scrupulously documented, it is also essential to evaluate potential breaches, and report them quickly.

All healthcare organizations involved in an active HIPAA investigation by OCR, need to fully cooperate with the agency. Organizations that take evasive or combative stances are likely to be penalized the most. Healthcare organizations can greatly benefit by adopting comprehensive security solutions such as Aegify Security Posture Management or Aegify SecureGRC to ensure compliance with HIPAA regulations and be ready to effectively handle the upcoming audit.

OCR Gears-Up to Resume HIPAA Audits
https://www.aegify.com/ocr-gears-up-to-resume-hipaa-audits/ (originally http://www.egestalt.com/blog/?p=616)
Fri, 28 Feb 2014 05:42:53 +0000

The HIPAA compliance audit program seems to be all set to resume this year, as the Department of Health and Human Services’ Office for Civil Rights gears up with auditors to examine business associates and covered entities. In the 2014 HIMSS Conference held on February 24, Susan McAndrew, the OCR Deputy Director for Health Information Privacy, said that actual activities to start up the audit process will commence in the coming months.

OCR will soon launch a survey of 1200 organizations as the first step towards selecting those to be audited. Organizations that would undergo the audit will be chosen from a large database, and the survey is intended to verify details such as whether the organization is still in business, and is genuinely the healthcare entity indicated in the database, etc. These details will not only help OCR determine if the entities chosen are suitable for the audit, but also give them a good idea of the size and complexity of the entity. Amongst other things, the survey is aimed at collecting recent data about the number of patient visits or insured lives, use of electronic records, business locations, and revenue.

Although McAndrew did not disclose the number of organizations to be audited, she said that the 1200 surveyed organizations will be an oversupply as not all of them will end up being suitable candidates. According to an OCR spokesperson, the survey will be targeting nearly 800 covered entities and 400 business associates.

OCR, with the help of KPMG, conducted a pilot HIPAA audit program in 2012 involving 115 covered entities. According to McAndrew, however, the next round of audits will be in-sourced. Details such as whether OCR will conduct these audits by training existing staff or by hiring new auditors, and whether the work will be carried out from the regional OCR offices or from the central office, are still unclear.

Focus Areas for Upcoming Audits

According to McAndrew, one of the primary areas of focus in the 2014 audits will be whether covered entities have conducted timely and thorough security risk assessments as per HIPAA requirements, because this was one of the common weak spots found during the pilot audits as well as previous breach investigations. Moreover, the upcoming audits will have a revised protocol to fit the changes brought about by the HIPAA Omnibus rule that came into effect in 2013.

So the time is ripe for healthcare entities to do a reality check and prepare themselves with thorough risk assessments. Comprehensive security management solutions like Aegify Security Posture Management and Aegify SecureGRC can prove handy at this juncture, and help entities face the upcoming audits with confidence.
