risk assessments – Aegify
https://www.aegify.com
Comprehensive Security, Risk and Compliance Assurance Solution
Feed last built: Wed, 03 Aug 2016 00:23:42 +0000

A Right Approach to Cyber Security
https://www.aegify.com/a-right-approach-to-cyber-security/
Thu, 05 Jun 2014 08:51:54 +0000

There is no denying that cyber threats are on the rise and are growing in sophistication with each passing year. What is more alarming is that most organizations are unable to address and avert these threats effectively. A recent PwC survey reveals that nearly 62 percent of organizations do not have an appropriate structure in place to prioritize security investments based on impact and risk.

Findings of the survey

The PwC survey found that organizations detected an average of 135 security incidents in the past year. While nearly 77% of survey participants experienced a security incident, almost 67% of respondents were unable to gauge the financial impact of those incidents. The survey further revealed that fewer than half of respondents had an effective risk management program in place, with only about 47 percent performing periodic risk assessments. Enterprise mobility emerged as a cause for concern, with only 31 percent of respondents reporting that they have a mobile security strategy and a mere 36 percent employing a Mobile Device Management (MDM) solution. These statistics clearly indicate that companies need to take serious note of the kinds of cyber security threats and risks that are out there.

Are you prepared?

The important question that needs to be answered is whether your enterprise has implemented a proper Governance, Risk and Compliance (GRC) system. If it hasn't, your enterprise may be exposed to very high risks. PwC recommends that every enterprise evaluate the risks that come with supply chain partners. Besides developing threat-specific policies, enterprises need to conduct regular cyber risk assessments and implement mobile security practices that keep pace with the adoption of mobile devices. Additionally, efforts to boost cyber awareness across the organization must include workforce training. PwC also suggests that enterprises make the most of information sharing, both internally and externally, to stay abreast of the latest cyber risks and threats.

In many instances, cyber criminals continue to find ways to circumvent the usual security technologies and acquire sensitive information. This is precisely why enterprises need to adopt a balanced approach that comprises people, processes, and effective partnerships to counter cyber security threats strategically. Enterprises can support this approach by implementing a comprehensive security, risk and compliance assessment platform such as Aegify Security Posture Management, Aegify SecureGRC or Aegify Risk Manager. Aegify strengthens an enterprise's security posture with security monitoring and reporting capabilities. By deploying a solution like Aegify, enterprises can address cyber threats and mitigate risks in a systematic way.

OCR Gears-Up to Resume HIPAA Audits
https://www.aegify.com/ocr-gears-up-to-resume-hipaa-audits/
Fri, 28 Feb 2014 05:42:53 +0000

The HIPAA compliance audit program seems to be all set to resume this year, as the Department of Health and Human Services’ Office for Civil Rights gears up with auditors to examine business associates and covered entities. In the 2014 HIMSS Conference held on February 24, Susan McAndrew, the OCR Deputy Director for Health Information Privacy, said that actual activities to start up the audit process will commence in the coming months.

OCR will soon launch a survey of 1,200 organizations as the first step towards selecting those to be audited. Organizations to be audited will be chosen from a large database, and the survey is intended to verify details such as whether the organization is still in business and is genuinely the healthcare entity indicated in the database. These details will not only help OCR determine whether the entities chosen are suitable for the audit, but also give OCR a good idea of the size and complexity of each entity. Among other things, the survey is aimed at collecting recent data about the number of patient visits or insured lives, use of electronic records, business locations, and revenue.

Although McAndrew did not disclose the number of organizations to be audited, she said that the 1,200 surveyed organizations will be an oversupply, as not all of them will end up being suitable candidates. According to an OCR spokesperson, the survey will target nearly 800 covered entities and 400 business associates.

OCR, with the help of KPMG, conducted a pilot HIPAA audit program in 2012 involving 115 covered entities. According to McAndrew, however, the next round of audits will be in-sourced. Details such as whether OCR will conduct these audits by training existing staff or by hiring new auditors, and whether the audits will be carried out from the regional OCR offices or from the central office, are still unclear.

Focus Areas for Upcoming Audits

According to McAndrew, one of the primary areas of focus in the 2014 audits will be whether covered entities have conducted timely and thorough security risk assessments as required by HIPAA, because this was one of the common weak spots found during the pilot audits as well as in previous breach investigations. Moreover, the upcoming audits will use a revised protocol that reflects the changes brought about by the HIPAA Omnibus Rule, which came into effect in 2013.

So the time is ripe for healthcare entities to do a reality check and prepare themselves with thorough risk assessments. Comprehensive security management solutions like Aegify Security Posture Management and Aegify SecureGRC can prove handy at this juncture, and help entities face the upcoming audits with confidence.

Small Breach but Big Price for HIPAA Violation
https://www.aegify.com/small-breach-but-big-price-for-hipaa-violation/
Mon, 06 Jan 2014 05:33:07 +0000

While there has been continued emphasis on the need for conducting risk analysis and encrypting data, there are still many providers who have yet to take these calls to action seriously. Here's another wake-up call for all such entities: a federal investigation of a relatively small breach at a physician group practice in Massachusetts has resulted in a financial penalty of $150,000.

Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, notified OCR in October 2011 that an unencrypted thumb drive containing health information of about 2,200 individuals had been stolen from a staff member's vehicle and was never recovered. OCR then conducted a breach investigation, which revealed that the practice had not conducted a thorough risk analysis.

The Department of Health and Human Services’ Office for Civil Rights (OCR) announced a resolution agreement with APDerm on December 26th. In addition to the $150,000 penalty, the agreement calls for a corrective action plan to address the deficiencies in HIPAA compliance. This would also include conducting a thorough risk analysis and developing a risk management plan.

OCR pointed out that this is the first HIPAA settlement that cites a covered entity for failing to comply with the requirements of the HIPAA Breach Notification Rule to have policies and procedures in place and to train members of the workforce. While this case illustrates OCR's ongoing emphasis on conducting risk analysis, it also brings to the forefront OCR's emphasis on having written policies and procedures in place and on training staff members adequately with respect to breach notification.

The Warning Bell

This case clearly illustrates that failure to analyze the risks associated with health information, or negligence in safeguarding protected health information, will inevitably be followed by enforcement action. It also highlights the need for healthcare entities to take two important steps towards breach prevention: 1. understanding and addressing the risks surrounding health information, and 2. encrypting data irrespective of where it is kept, including portable media such as thumb drives and laptops.

There have been two other cases where similar penalties were imposed for relatively small breaches. The first was in January 2013, when Hospice of North Idaho agreed to pay $50,000 following the investigation of the theft of an unencrypted laptop computer that affected 441 individuals. The second was in May 2013, when Idaho State University agreed to pay $400,000 as part of a resolution agreement arising from a breach that affected 17,500 patients after the firewall protecting a server was disabled.

What these incidents repeatedly remind us is that protecting health information is not a one-time task; it should be treated as an ongoing requirement. Comprehensive security solutions such as Aegify Security Posture Management or Aegify SecureGRC can facilitate meeting this ongoing requirement. With built-in policies, procedures, and frameworks for HIPAA compliance, these solutions can simplify the process of compliance and improve the security posture of healthcare entities.

Surviving a 'Meaningful Use' Audit
https://www.aegify.com/surviving-a-meaningful-use-audit/
Thu, 17 Oct 2013 07:47:13 +0000

The preliminary results of the 'Meaningful Use' audits conducted by the Centers for Medicare & Medicaid Services (CMS) indicate that healthcare providers are having trouble substantiating their attestations, and are especially facing issues with documentation. Robert Anthony, deputy director of the Health IT Initiatives Group at CMS' Office of e-Health Standards and Services, mentioned in an interview that Electronic Health Record (EHR) systems should provide audit logs that let users record when they began tracking a measure, in order to substantiate the reporting period. In some entities, however, the EHR systems failed to do this.

Moreover, while some entities use systems that generate reports based on a snapshot in time, others have 'rolling' systems that cause numbers in the EHR to change after the entity has attested. In those cases, a copy of the original report has to be kept to substantiate the numbers used for attestation. This is only one of the concerns; there are many other issues to consider and steps to take when preparing for a Meaningful Use audit.

How to Survive a Meaningful Use Audit

Although only a small percentage of healthcare entities will go through a Meaningful Use attestation audit, all healthcare entities should bear in mind that even a single attestation misstep could result in loss of the entire incentive payment. This is a major concern for a number of healthcare CIOs, and was one of the main topics addressed by attendees at the recent CHIME13 CIO forum in Scottsdale, Arizona. Elizabeth Johnson, Vice President of Applied Clinical Informatics at Tenet Healthcare Corporation, and Pam McNutt, Senior Vice President and CIO at Methodist Health System in North Texas, offered five steps for surviving a Meaningful Use audit:

  1. Preserve the Data. Meaningful Use audits may go back as far as six years, so entities must have preserved data over all of those years to support their attestation claims. It is therefore important to protect this data at all costs. Entities that have aggressive purge criteria to save disk space should be careful not to discard data that may be needed to prove Meaningful Use. It may also help to configure EHR systems ahead of time so that patient records and audit logs contain everything the auditors may seek.
  2. Plan in Advance. Logs and system settings should be able to produce the required data when needed. To make documentation easier, the vendor's name and software version should appear in the header of all Meaningful Use reports; this helps prove that the reports came from a certified system.
  3. Be Prepared for Surprises. Although it is crucial to prepare well in advance for the audits, it is equally important to expect the unexpected. For both Tenet and Methodist, an unexpected area of focus was the HIPAA security risk assessment. While many entities conduct vulnerability testing and an annual HIPAA risk assessment, these may not suffice for the Meaningful Use audit. The audits may also focus on the EHR technology and the version in use. In addition, the risk assessment, its report, and the response to that report should all be completed within the attestation period. Entities should therefore proceed with caution and be prepared for surprises.
  4. Think Before Upgrading. Entities may have to prove to auditors that they were on a certified release for the entire reporting period. Some entities get tripped up during upgrade cycles by assuming that all that is needed is to be on the certified release before running the reports. That is not the case: they have to prove, with dated screenshots, when the certified EHR technology went into production, and that date has to be on or before the start of the attestation period.
  5. Proceed Quickly. Once a Meaningful Use audit notice is received, entities have two weeks to respond and submit documentation through an online portal. It is important to be ready to file in less than two weeks, because there is no guarantee that the notice will reach the right person; there have been cases where the notice was completely overlooked. Entities should therefore train all employees to recognize the audit notification and to understand the importance of acting quickly by alerting the right person.

While these steps can be extremely helpful in facing Meaningful Use audits with confidence, adopting a unified and comprehensive solution such as Aegify Security Posture Management or Aegify SecureGRC can also help organizations get through these audits smoothly. Aegify SecureGRC provides quick access to documentation and evidence from a central repository before and after audits, which significantly eases the audit process.
