HIPAA/HITECH – Aegify
https://www.aegify.com
Comprehensive Security, Risk and Compliance Assurance Solution
Wed, 03 Aug 2016 00:23:42 +0000

Anthem Breach Sounds Security Alarms against Data Hackers
https://www.aegify.com/anthem-breach-sounds-security-alarms/
Wed, 11 Mar 2015 05:44:50 +0000

The health insurer Anthem Inc., which manages Blue Cross plans across a dozen states, recently announced that a hacking incident has compromised a database containing the personal information of nearly 80 million individuals worldwide. Anthem believes the compromised information, which was unencrypted, could include current and former members' and employees' names, birthdates, medical IDs/Social Security Numbers, street and email addresses, and employment information. The Anthem breach is a warning signal to the healthcare sector that outsiders see great value in the data maintained by healthcare providers, health plans and business associates. According to some news reports, Chinese hackers are believed to be behind this attack.

The data breach at Anthem Inc., the largest in the healthcare industry since enforcement of the HIPAA Breach Notification Rule began, is a lesson for healthcare establishments to strengthen their preventive and proactive measures to guard healthcare databases from hackers. In a technology-centred business world, enterprises need to evaluate their networks efficiently and scan for any loopholes so as to protect their databases from the prying hands of cyber criminals. Investigations are under way to locate the culprits; some news reports point to a role for Chinese hackers in the Anthem breach. This incident has not only strengthened the need for adherence to HIPAA compliance regulations by healthcare businesses and their business associates, but also serves as a marked reminder of the obligation of HIPAA covered entities and BAs to assess and professionally address the risks to electronic personal health information (ePHI).

This incident is a stark reminder of the need for a systematic risk analysis and risk management system in techno-centric healthcare establishments and business associates. Even as experts point to the lack of encryption as a major cause of the breach, data encryption is no silver bullet against data breaches.

The Anthem data breach is a cautionary call to all healthcare businesses to address the need to ensure compliance with the security controls detailed under the HIPAA/HITECH regulations.

Conclusion
While recent investigations point towards "backdoor malware" as a further cause of the large-scale data breach at Anthem Inc., an intelligent continuous monitoring and analysis system would have been able to detect the Anthem attack very early. The Aegify Security Posture Management tool is optimized to prevent exploits across the entire IT infrastructure. Its unique, flexible cloud-based architecture scans single as well as multiple assets, and its enterprise-class protection scans for nearly 32,000 vulnerabilities using about 92,000 checks across physical and virtual networks, operating systems, databases, and web applications. Moreover, its automated compliance mapping system, deployed across physical and virtual network environments, ensures continuous monitoring of security, risk, and compliance with real-time status. Security posture assessment and management tools such as this will help enterprises protect their data from such breaches.

Keeping Up President Obama's Data breach Plan
https://www.aegify.com/keeping-up-president-obamas-data-breach-plan/
Wed, 25 Feb 2015 11:32:41 +0000

The increasing number of data breaches by cyber criminals across various enterprises has brought large-scale loss of personal information besides financial losses and brand erosion. Even as technological growth has helped governments across nations improve their communication and governance many-fold, cyber security breaches have pressured them to work on security policy changes. As an immediate step towards solving these issues, President Obama, with the strong backing of IT majors, announced a data breach plan that would help standardize state policies.

President Obama called on lawmakers to ensure that the Personal Data Notification and Protection Act extends to educational institutions and covers student data as it does customer information. However, even as the President and government heads were busy taking decisions and stern steps to control cyber security breaches and threats to credit cards and personal data, ISIL supporters succeeded in hacking the US Central Command sites and Twitter accounts.

While the Personal Data Notification and Protection Act treats data breaches as a criminal offence and requires enterprises to report any data breach within a 30-day period, customers of small and medium-sized enterprises operating in multiple states are seen to remain unprotected. If vandals supporting the Islamic State of Iraq and the Levant (ISIL) could so easily deface four high-security social media accounts of U.S. Central Command, then governments and IT majors need to treat this threat as a call to work through much more stringent measures that can ensure the safety and privacy of every individual.

Global healthcare enterprises, besides being HIPAA/HITECH compliant, also need to take strong measures to protect their customer data and personal information from cyber criminals. As an approach to help a large number of small to medium-sized enterprises, including healthcare practitioners, Aegify provides a cloud-based Software-as-a-Service solution with built-in best practices and ready-to-use security and privacy policies that can also be quickly and easily customized to meet client-specific requirements. The step-by-step process in Aegify ensures that clients meet their HIPAA/HITECH and data security requirements every year. The solution is widely used by healthcare professionals and their business associates, and can be scaled up and customized to meet the data security and compliance requirements of a business of any size.

Common mistakes to avoid to be guarded from HIPAA Audits and Penalties in 2015
https://www.aegify.com/tips-to-avoid-hipaa-audits-2015/
Thu, 12 Feb 2015 09:42:57 +0000

Irrespective of the industry, the digital era makes the protection of employee privacy, and of healthcare information in particular, a vital obligation on the part of every employer. While governments have designed the HIPAA and HITECH laws to manage this information effectively, remaining compliant with these regulations is a daunting challenge in a world of cyber criminals.

The past year has seen enterprises and individuals from various industries, and the healthcare industry most of all, fall prey to data breaches and HIPAA compliance failures. The Office for Civil Rights (OCR) has therefore taken stern steps to ensure the privacy and security of data across enterprises in 2015. Since OCR wants to ensure that enterprises, medical practitioners, their business associates and covered entities take proactive steps to comply with the Health Insurance Portability and Accountability Act, it intends to use the HIPAA Audit Program randomly across enterprises to check compliance levels. With HIPAA audits on the horizon, enterprises need to institute smart practices and be audit-ready.

The increase in HIPAA audits is part of this drive, and any complaint of a security breach involving more than 500 people is sure to trigger an audit. Employers in other industries therefore also need to take proactive steps to comply with these regulations, without which they too are liable to hefty fines.

Understanding some of the common pitfalls will help enterprises to avoid the same during HIPAA audits of 2015. These mistakes include:

  • Non-compliance with the Security Rule by not updating and encrypting documents and by overlooking business associate agreements.
  • Failure to implement security risk assessment and compliance programs that help employees understand the need to secure PHI, which includes vital information and payment card data.
  • Failure to establish security programs that ensure proactive monitoring of security and performance indicators, and failure to continuously train and retrain employees with critical access on documenting the processes that handle vital data and EHR.
  • Failure to update Privacy Practices.
  • Ignoring privacy laws that interact with HIPAA.

With OCR using the HIPAA Audit Program to randomly assess covered entities and their business associates for compliance with the HIPAA Privacy, Security and Breach Notification Rules, those entities must take a proactive approach to audits. As a step towards this, enterprises need to ensure that their plan is documented and well communicated across the various units of the organization.

With regulators favouring a risk-based approach, enterprises need to make use of security and compliance programs such as Aegify, which will help them evaluate the risks and vulnerabilities in their environments. Implementing security controls that address these issues will also prepare their business to face OCR as and when it reaches them.

How Physicians can Avoid HIPAA Penalties in 2015
https://www.aegify.com/how-physicians-can-avoid-hipaa-penalties-in-2015/
Mon, 09 Feb 2015 07:03:44 +0000

With the healthcare industry moving towards digitalization, electronic health records, even in protected formats, are becoming increasingly attractive to cyber criminals. Not a day goes by without news articles about hospitals or medical practitioners paying millions of dollars in penalties due to public exposure of protected health information. According to Forrester, while a single health record sells for $20 on the black market, a complete patient dossier including a driver's license, health insurance information, and other sensitive data can sell for $500.

Physicians who have had their Drug Enforcement Administration (DEA) number compromised or have faced government investigations will understand the need for measures that protect their patients' electronic health information and avoid HIPAA penalties in 2015. Further, following the changes introduced by the HIPAA Omnibus Rule, the HHS Office for Civil Rights has taken measures to scrutinise medical practitioners who stray from its directive to ensure the privacy of patient data. Physicians also need to understand that, depending on the conduct underlying a violation, penalties may range from $100 to $50,000 per violation. Where a violation results from "wilful neglect", the practitioners or business associates involved will have to pay penalties of $10,000 to $50,000 per violation.

Professionals in the healthcare industry need to be very careful about the way they handle their patients' data. Even the loss of a physician's personal laptop containing PHI may lead to numerous violations, and professionals who face such circumstances will be subject to penalties on the basis of failure to implement protective measures for EHR. Covered entities are also required to report such breaches to the affected parties as well as to HHS.

While HIPAA imposes regulations and restrictions on medical practitioners, it also offers covered entities various ways to avoid HIPAA penalties. If a breach of protected health information is not an act of "wilful neglect" and the covered entity takes corrective measures within a period of one month, there is a chance it may avoid HIPAA penalties. Further, to mitigate liability under the HIPAA rules and avoid penalties arising from breaches of EHR, physicians need to conduct regular security risk assessments and implement administrative and technical safeguards. Executing business associate agreements with their business associates, providing employees with effective training, monitoring their performance, and documenting these actions will also help covered entities avoid HIPAA penalties. In the event of any breach, it is important to respond immediately to any suspected breach and to report it in a timely manner, as delayed reporting may be construed as wilful neglect.

Conclusion
Integrating technological innovations may make 2015 a dynamic year for the healthcare industry. Nevertheless, physicians also need to take adequate steps to maintain practice revenues and remain compliant with HIPAA regulations. Aegify is a continuous security monitoring and compliance management solution built on a framework approach that allows physicians, covered entities and business associates to gain control and improve compliance across a number of regulations, including HIPAA and HITECH and other country-specific ones. Its built-in vulnerability scanning technology is a simple and effective way of monitoring security and Meaningful Use-approved HIPAA compliance levels with professional results.

Robbers Force Physician to reveal access credentials and encryption key for stolen Laptop and Cell Phone
https://www.aegify.com/forceful-extraction-of-access-credentials/
Wed, 21 Jan 2015 12:20:04 +0000

It is bad enough that robbers stole a laptop and a cell phone from a physician, but in a unique incident, the assailants also forced the physician to disclose the password and encryption keys to the encrypted data on the laptop. Even as enterprises work to protect their data from cyber criminals, unusual incidents such as the reported armed robbery on the Brigham and Women's Hospital campus show how data breaches can result from coercion.

From the initial investigation, it appears that the devices held information on around 1,000 patients treated in the hospital's neurology and neurosurgery programs between October 2011 and September 2014, including patient names and possibly medical record numbers, age, medications and information about diagnosis and treatment.

Although the data on the stolen devices was encrypted, the forced disclosure of the credentials made this a reportable incident to HHS; a risk analysis and vulnerability assessment would in any case have established the high risk of storing PHI on portable devices, even where remote wiping of data is possible. Lost or stolen unencrypted devices have been the primary cause of breaches listed on HHS' 'Wall of Shame'. Brigham and Women's Hospital had earlier lost an unencrypted portable computing device in 2011, a breach affecting 638 individuals, and suffered the theft of an unencrypted desktop computer in 2012, a breach affecting 615 individuals.

Most healthcare establishments spend large amounts on creating firewalls and encrypting their data. In spite of these digital protections, a new trend in unusual circumstances could involve the forceful extraction of access credentials.

In today's environment, PHI is becoming more valuable than credit card data. Further, with the Department of Health and Human Services confirming that the major data breach incidents during 2013 involved thefts of unencrypted computers, enterprises have taken proactive steps to protect themselves from data breaches, given that non-compliance with the HIPAA Omnibus Rule could cost healthcare providers and their business associates as much as $1.5 million in penalties per violation.

A proactive measure is to assess all security vulnerabilities and the associated risks effectively, using solutions such as Aegify Security Posture Management and Aegify SecureGRC, which have proven extremely useful in preventing data breaches.

Adopting a Guilt-Free Method to Demonstrate Meaningful Use of EHR
https://www.aegify.com/adopting-guilt-free-meaningful-use-of-ehr/
Tue, 06 Jan 2015 07:04:33 +0000

With digital technology entering the healthcare industry in many ways, there is a need to ensure both the meaningful use of electronic health records and the privacy of such medical records. To promote this, the Medicare and Medicaid EHR Incentive Program offers financial incentives to healthcare enterprises. However, to receive this incentive, CMS has established thresholds for professionals, hospitals and critical care centres for recording patient information as structured data and exchanging summary care records. Meeting these thresholds helps them demonstrate that their certified EHR technologies are being put to "meaningful use".

Even with Meaningful Use regulations in place, there have been cases of fraud by healthcare providers, such as the one in which the CFO of a hospital pleaded guilty to lying about Meaningful Use to obtain Medicare payments. The former chief financial officer of the now-closed Shelby Regional Medical Center in Texas pleaded guilty to wrongly claiming EHR incentive money. Joe White, the CFO who oversaw the hospital's EHR implementation, falsely attested to the Centers for Medicare & Medicaid Services that the medical center met Meaningful Use requirements for the 2012 fiscal year. This enabled the hospital to receive $785,655 in payments, while it actually relied on paper records throughout fiscal year 2012 and used an EHR only minimally. The fraud involved software vendors and hospital employees who, at the end of the fiscal year, manually transferred the data of patients who had already been discharged into the electronic health record.

In this case, six Texas hospitals operated by the same individual were paid $16.8 million in Meaningful Use incentives for fiscal years 2011 and 2012. With the federal government rolling out dollars to providers to adopt electronic health record systems, there is a possibility of more cases such as this. Further, under the HITECH Act, to obtain financial incentives from Medicare or Medicaid, healthcare establishments and providers must submit detailed documents attesting that they meet the requirements of the program, including conducting a HIPAA security risk assessment.

While such frauds on the part of healthcare providers and hospitals serve as a wake-up call, federal authorities need to take action to crack down on such abuse of the HITECH Act. The Office of Inspector General requires eligible hospitals and critical access hospitals to demonstrate that they are using certified EHR technology in ways that can be measured in both quantity and quality. Aegify solutions help these healthcare providers and hospitals demonstrate meaningful use through simplified methods.

Aegify is a powerful, simple-to-use, cloud-based solution that provides the expertise needed to assess, analyze and mitigate regulatory risk and move towards ongoing HIPAA/HITECH compliance. The tool helps healthcare providers demonstrate meaningful use of their EHR and secure federal grants.

How can EP's avoid being penalized for Meaningful Use failures in 2015
https://www.aegify.com/avoid-meaningful-use-penalties-in-2015/
Thu, 01 Jan 2015 13:07:43 +0000

The need for effective patient care has driven governments to move the healthcare industry into the digital world. To promote this among eligible providers, and to stop the innumerable cases of data loss caused by transferring information on paper charts, the government gives incentives to those who adopt Electronic Health Records (EHR). However, with 2014 considered the last year to apply for government incentives, from 2015 onwards eligible providers may face penalties that accumulate over time. Eligible Providers (EPs) therefore need to take proactive steps towards meaningfully using their EHR technology.

"Meaningful Use of EHR" is a Medicare and Medicaid program that awards incentives for using certified electronic health records (EHRs). The program enables healthcare providers to deliver improved patient care. However, to earn the stamp of "Meaningful Use" and avoid penalties, providers must follow the roadmap to effective usage of EHR no later than 2014. While the program encourages the switch to electronic records, its benefits are not limited to improved patient care: it also brings improved efficiency and performance levels, along with government incentives for healthcare providers. Eligible healthcare providers who have not yet ventured into the meaningful use of EHR will be penalized in 2015 with a reduction equivalent to 1% of their Medicare Part B reimbursement.

Staying clear of penalties therefore calls for smart decision making. To check EPs' attestations of meaningful use and their collection of incentives, the government will be conducting random audits, so healthcare providers need to have all their documentation in place, whether it is maintained in-house or outsourced. With 2014 being the last year to begin the MU and EHR incentive program, EPs who miss it not only lose out on $23,520 but will also be penalized in 2015.

Moreover, there are reports of CMS targeting 257,000 doctors with Meaningful Use penalties beginning January 5, 2015. EPs therefore need to demonstrate that they have adhered to MU regulations since October 1, 2014 in order to avoid any penalty.

However, EPs can still cut their losses by:

  • Building a dedicated MU team that can initiate and adhere to the regulations.
  • Demonstrating Meaningful Use prior to 2015.
  • Applying for the hardship exceptions available to EPs.
  • Making use of an integrated EHR or outsourcing to specialist services.

The Aegify solution, through its simplified process, helps EPs achieve Meaningful Use status. Being a powerful, simple-to-use, cloud-based solution, Aegify provides all the expertise needed to assess, analyze and mitigate regulatory risk while maintaining ongoing HIPAA/HITECH compliance. While the solution gives eligible professionals every means to secure the federal grant through tools that demonstrate meaningful use, it also helps them meet the industry-wide perspective of HIPAA compliance. Aegify SecureGRC, with its built-in assessment of meaningful use, produces reports that can be used when filing the online application for the grant. This addresses the requirements relating to meaningful use core measures, menu measures and clinical quality measures, and in particular addresses the risk analysis requirement for eligible hospitals as well as for EPs.

County Government Makes Monetary Settlement for HIPAA Violation
https://www.aegify.com/county-government-makes-monetary-settlement-for-hipaa-violation/
Fri, 14 Mar 2014 06:04:50 +0000

Skagit County, Washington has agreed to a monetary settlement of $215,000 for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules. In addition to this, Skagit County is also to work closely with the Department of Health and Human Services to correct deficiencies in its HIPAA compliance program.

Located in northwest Washington, Skagit County has 118,000 residents. Its Public Health Department provides services to many individuals who would otherwise be unable to afford health care. OCR opened an investigation of Skagit County upon receiving a breach report that money receipts containing electronic protected health information (ePHI) were being accessed by unknown parties. The report stated that the ePHI of seven individuals had been accessed after being inadvertently moved to a publicly accessible server maintained by the county.

However, OCR's investigation revealed a larger exposure of PHI in the case, including the ePHI of 1,581 individuals. The accessible files included sensitive information such as PHI concerning the diagnosis and treatment of infectious diseases. The investigation further revealed the county's widespread non-compliance with the HIPAA Privacy, Security and Breach Notification Rules.

Skagit County’s HIPAA violation is a clear indication that despite continued efforts of OCR to bring about HIPAA compliance, there continues to be widespread indifference in the matter of safeguarding protected health information of patients.

Although Skagit County has been cooperating with OCR by implementing a corrective action plan to ensure that policies and procedures are put in place, documentation requirements are met, and training and other measures are undertaken to comply with the HIPAA rules, such an incident could have been avoided entirely had the county employed a simple yet comprehensive security solution like Aegify Security Posture Management or Aegify SecureGRC.

Treating PHI as a Business Asset – OCR's HIPAA Compliance Insights
https://www.aegify.com/treating-phi-as-a-business-asset-ocrs-hipaa-compliance-insights/
Wed, 11 Dec 2013 04:56:02 +0000

Patient Health Information (PHI) is as important an asset as any other. Healthcare providers and business associates therefore have to ensure that they protect patient records as they would protect any other significant business asset. David Holtzman, a former senior official at an agency that enforces HIPAA, offered useful insights on safeguarding PHI as a business asset.

According to Holtzman, who recently joined the security consulting firm CynergisTek after eight years as HIPAA and HITECH Act Policy Adviser at the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), health information should be viewed and safeguarded just like any other business asset. Hence, covered entities have to clearly understand the requirements of the HIPAA privacy and security rules and take a realistic approach to identify potential threats and vulnerabilities in their systems that could put the confidentiality, integrity and availability of health information at risk.

In his interview with the Information Security Media Group, Holtzman stressed the importance of being aware of threats, particularly those associated with relying on subcontractors who hold/process health information, and taking appropriate measures to mitigate those threats.

While the HIPAA Omnibus rule does not change the relationship between covered entities and their business associates, it makes vendors and subcontractors directly liable under the rule. So, according to Holtzman, covered entities should understand the importance of having business associate agreements in place with all those hired to perform services related to PHI. In cases where a vendor/subcontractor refuses to sign an agreement, it should be taken as a sign to find another vendor who will agree to sign a business associate agreement.

Holtzman also stresses the importance of breach prevention, especially in light of the changes to the breach notification rule in HIPAA Omnibus. Healthcare entities should therefore take a proactive approach to information security rather than reacting to data breach incidents. This is why a comprehensive information security solution such as Aegify Security Posture Management or Aegify SecureGRC is a prerequisite. Adopting such a solution can help safeguard health information throughout its lifecycle and detect potential threats and vulnerabilities at an early stage, helping entities take measures to curb them before they lead to a breach incident.

Revamp of HIPAA Disclosures Rule Endorsed https://www.aegify.com/revamp-of-hipaa-disclosures-rule-endorsed/ Tue, 10 Dec 2013 10:14:59 +0000 http://www.egestalt.com/blog/?p=588

Safeguarding patient health information has always remained one of the top priorities for healthcare. To further this interest, federal advisors have spelled out revisions to the HIPAA Accounting of Disclosures Rule. The Health IT Policy Committee has endorsed the recommendations put forth by its Privacy and Security Tiger Team in its meeting held on December 4th. The advisory committee has laid out guidelines for disclosing access to patients’ electronic health records (EHR), and the Department of Health and Human Services (HHS) has to make several revisions in its long-delayed plan to revamp the rule. The guidelines include:

Taking an Incremental Approach – This would mean conducting tests to prove that healthcare providers can comply with the updated requirements of the rule. This can help determine how transparency of data disclosures can be ensured without overburdening healthcare organizations. Approaching this in a structured fashion and pursuing an implementation method that would be feasible from the perspectives of policy and technology would prove helpful. The HIT Policy Committee urges HHS to take a focused approach that gives priority to quality over quantity, where the scope of disclosures and related details reported to patients contains information that is useful to them while not overwhelming them or putting undue burden on providers.

Focusing on Disclosure of Records to Those Outside the Entity – Providing patients with a report of disclosures made to parties outside the healthcare entity should be the first step in taking an incremental approach. HHS should therefore follow a method wherein disclosure reports are triggered whenever an entity transfers control of information to an external party. While the current HIPAA Privacy Rule requires covered entities to make available, upon request and on paper or in electronic form, an accounting of disclosures of an individual’s Patient Health Information (PHI), the HITECH Act calls for revising the disclosure requirement to include disclosures made for healthcare payment, treatment, or operations using an EHR.

Scaling Back Plans for Providing Detailed Access Reports – OCR’s notice in May 2011 for carrying out the HITECH Act requisite for revising the disclosure requirements also included a controversial provision necessitating that, upon a patient’s request, an ‘access report’ should list everyone, including internal users, who has viewed their information. As per this requirement, patients have to be provided details of the date and time of access, the name of the person/entity accessing the information, and the action performed, such as creation, modification, or deletion. However, the HIT Policy Committee has now endorsed scaling back these reports, instead allowing patients who suspect inappropriate access to their health information to request an investigation inside the entity that controls the information. These recommendations were crafted over several months based on public and industry feedback about the original rule revision that was proposed.

Conducting Technology Pilots – To enable covered entities to conduct investigations of inappropriate access, the HIT Policy Committee recommends adding the following two implementation specifications to the existing audit control standard in the HIPAA rule:

1. Addressable audit controls must record PHI access activities to the granularity of the individual user and the individual whose PHI is accessed; and
2. Information recorded by the audit controls must be sufficient to support the information system activity review required by the HIPAA Security Rule and the investigation of potential inappropriate access to PHI.
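As an added example (not part of the original post), the following shows what the two implementation specifications amount to in practice: an audit record that captures the user, the individual whose PHI was touched, the action and the time; a check that a log is sufficient for activity review; and the two reports the recommendations describe, an accounting of disclosures to external parties and the access investigation a patient can request. The record layout, field names and sample log entries are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One audit record, at the granularity the specifications call for."""
    ts: datetime        # date and time of access
    actor: str          # individual user (or system account) that accessed the record
    patient_id: str     # individual whose PHI was accessed (constructed IDs)
    action: str         # create / read / modify / delete / disclose
    recipient: str = "" # external party receiving control of the PHI (disclosures only)


REQUIRED_FIELDS = ("ts", "actor", "patient_id", "action")


def sufficient_for_review(events: List[AccessEvent]) -> bool:
    """Specification 2: every record must carry user, subject, action and time,
    otherwise the log cannot support activity review or an access investigation."""
    return all(getattr(e, f) not in (None, "") for e in events for f in REQUIRED_FIELDS)


def access_report(events: List[AccessEvent], patient_id: str) -> List[Tuple[datetime, str, str]]:
    """Everyone, internal users included, who touched this patient's record,
    with the time and the action performed, in chronological order."""
    return sorted((e.ts, e.actor, e.action) for e in events if e.patient_id == patient_id)


def disclosure_report(events: List[AccessEvent], patient_id: str) -> List[Tuple[datetime, str, str]]:
    """Accounting of disclosures: only events where control of the PHI left the entity."""
    return [(e.ts, e.recipient, e.action) for e in sorted(events, key=lambda e: e.ts)
            if e.patient_id == patient_id and e.action == "disclose" and e.recipient]


# Constructed sample log: two clinical accesses, one external disclosure, one
# late-night read by a user the patient may not recognise, and an unrelated record.
LOG = [
    AccessEvent(datetime(2013, 12, 2, 9, 5), "dr.rao", "P-1001", "read"),
    AccessEvent(datetime(2013, 12, 2, 9, 7), "dr.rao", "P-1001", "modify"),
    AccessEvent(datetime(2013, 12, 2, 13, 40), "billing.svc", "P-1001", "disclose", "ClaimsClearing Inc."),
    AccessEvent(datetime(2013, 12, 3, 22, 15), "j.smith", "P-1001", "read"),
    AccessEvent(datetime(2013, 12, 3, 8, 0), "dr.rao", "P-1002", "read"),
]

if __name__ == "__main__":
    print("log sufficient for review:", sufficient_for_review(LOG))
    for ts, actor, action in access_report(LOG, "P-1001"):
        print(ts.isoformat(), actor, action)
    print("disclosures:", disclosure_report(LOG, "P-1001"))
```

The access report is what an internal investigation would start from; the disclosure report is the narrower, external-only accounting the committee recommends providing first.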

As soon as the pilots are completed, OCR will resume work on a revised rule, taking the recommendations and pilot findings into account. However, safeguarding PHI is not just about being transparent in disclosing details of access to patients. It has to begin with ensuring comprehensive security, improving risk assessment capabilities, and building an efficient system of information access management, for which Aegify Security Posture Management and Aegify SecureGRC can come in handy. These solutions can prove valuable in preventing breaches due to inappropriate access to PHI and other such HIPAA violations.
