Security specialist Andrew Hicks, who analyzed the results of the survey, contended that covered entities need to scrutinize their BA’s security efforts based on the risks involved. While there are numerous BA agreements tossed about the healthcare industry, there are some covered entities going to great lengths to ensure that the BA are leaning backwards and forwards, just to prove they are compliant. Hicks, also believes that compelling all business associates to go through a costly assessment may not make the most sense for every single type of business associate.

With business associates bound by HIPAA compliance requirements, they can also be subjected to audits by the Department of Health and Human Services in the near future. Therefore it is essential for organizations to adopt a risk-based approach and consider the risk that a business associate gives back to that covered entity, and thus to manage those BAs appropriately.

Business associates can avert security threats, prevent data breaches, and avoid consequent legal action with a solution like Aegify SecureGRC and Aegify Vendor Management. Designed by eGestalt’s team of qualified experts who have vast experience in the area, Aegify has built-in security best practices, security scans, implementation brief, citation guidance, policies, and risk parameters, and provides an inside audit of the state of security and compliance.

The post HIPAA Omnibus Rule to Hold BA Directly Liable for HIPAA Compliance appeared first on Aegify.

“Keeping track of where sensitive data is located, detecting breaches, and dealing with insider threats are amongst the most critical issues” said Kim, who also stated that most often organizations unfortunately are not even aware that there has been a security incident. Moreover, the proliferation of mobile devices including smartphones, laptops, tablets, etc., and the use of outsourcing, in addition to connected devices and systems makes it hard for organizations to keep track of where information is. This creates huge vulnerabilities, opening doors to a significant number of threats. Hence, organizations need to have an understanding of how to keep information both private and secure, while staying compliant with various regulations, including HIPAA.

In addition to this, Kim stated that healthcare entities also have to ramp up their breach detection efforts, because better breach detection can help identify security vulnerabilities that need to be addressed. Moreover, with increasingly sophisticated means for getting access to information, insider threats are becoming a growing concern for healthcare providers.

Challenges in Complying with HIPAA

According to Kim, one of the primary issues faced by the healthcare industry is that some providers are not prepared to comply with the HIPAA Omnibus rule and associated regulations. This is because of the lack of organizational culture in terms of promoting security and privacy measures. Insufficient workforce training on security best practices is also another common challenge.

Suggestions for Tackling Compliance Challenges

Kim is of the opinion that there is no magic formula to tackle challenges in compliance without putting in efforts. The best way to address compliance challenges is to have a framework with which to build policies and procedures. Structuring policies and procedures, handling problems in compliance, and having a concrete procedure to organize policies, human capital etc., are significant, irrespective of the approach taken. Without such a framework healthcare entities cannot successfully overcome compliance challenges.

It is this built-in compliance framework that Aegify Security Posture Management and Aegify SecureGRC offer. With compliance best practices integrated into this framework, these platforms can dramatically simplify the compliance process and help overcome all challenges in achieving and maintaining compliance with the HIPAA Omnibus rule.

The post Addressing Information Security Threats & Challenges in Healthcare appeared first on Aegify.

Although the final HIPAA rule is viewed as the beginning of a much needed push towards health information security and privacy protection, for healthcare entities and their business partners this is clearly a change that is most likely to affect their information technology ecosystem. Most CIOs are now leaving no stone unturned in the search for feasible and efficient means to protect health data to the fullest extent. The possibility of breaches of data-at-rest, caused by loss/theft of mobile devices, seems to be the worst nightmare for most healthcare providers today. Moreover, the fact that monetary penalties and legal action are no longer restricted to massive data breaches adds to their worry.

While some of these vulnerabilities stem from the use of technology, it is to be noted that operational and people-related processes also pose a major risk. And overcoming this risk is possible only through better education, training, and change management. Security experts believe that healthcare organizations are often in a hurry to adopt new technology; and in the process of doing so they often ignore the long-term problems in managing risk. It’s therefore crucial to first understand the risks associated with new technology and adopt appropriate security measures to mitigate them.

Other than complying with HIPAA, healthcare entities and their business partners have to ensure security of data-at-rest, data in the cloud, and also manage information sharing as well as data on mobile devices. They have to provide patients with secure access to their health records while managing risks and creating employee awareness through training programs. Aegify Security Posture Management and Aegify SecureGRC are platforms designed to meet these specific needs. These platforms can come in handy at this crucial time when healthcare entities, their business associates and subcontractors are expected to take immediate action to completely protect health data and to comply with the requirements of HIPAA.

Health information security is the most discussed topic in the healthcare industry today. There is widespread action in the healthcare industry to overcome data security threats and prevent data breaches. The National HealthTech Council and some leading action groups are to convene at the HealthTech Meeting to be held on April 21-23 in Chicago to join hands with industry-leading solution providers. The aim is discuss the new policies and to come up with solutions of the like that are in high demand.   At this upcoming meeting, industry experts are to lead roundtable strategy sessions on topics such as “The Mobile Revolution: Remote Care without Compromising Security and Quality”; “Operational Risk Management: People, Process, Technology”; “Help, My Data Has Been Breached!: Insights on Threat Prevention, Detection, Response” etc. These sessions are likely to bring out the best practices and lessons learned by healthcare providers. Some of the most important topics that affect the sphere of healthcare information security will also be discussed. The healthcare industry is clearly preparing for a much more risk-free and compliant future.

The post HIPAA Omnibus Rocks the Health IT Security Landscape appeared first on Aegify.

This would mean that every healthcare entity is responsible for the conduct of their downstream business associate if this business associate is an ‘agent’ of the hospital, who has received instructions from the covered entity about how to perform various functions.  So according to Stephen Wu, in the event of a breach where the ‘agent’, i.e. the business associate of a hospital is at fault, the hospital itself could face civil penalties for the breach.

Since the final HIPAA rule redefines ‘business associates’, a whole range of companies, including health information organizations and e-prescribing gateways fall under this category. All these organizations are now bound by HIPAA and have to fulfill the requirements of the rule. Moreover, the HIPAA Omnibus rule has a multi-level impact on the healthcare industry, and it necessitates modifications in the agreements made by covered entities and business associates to cover the new HIPAA compliance responsibilities.

Therefore vendors providing services to healthcare entities have to firstly determine if they qualify as a business associate under the new definition in HIPAA Omnibus, and if they do, they have to take immediate steps to comply with the requirements of the rule. However, compliance with HIPAA can be made much simpler by adopting Aegify Security Posture Management and Aegify SecureGRC which can ensure complete protection of patient information and also offer full-fledged support for meeting the compliance requirements of HIPAA.

The post HIPAA Omnibus Extends Compliance Liability down the Chain appeared first on Aegify.