All this boils down to the fact that there is growing pressure on public CIOs (Chief Information Officers), who now have added responsibilities. Analysts and consultants are of the opinion that it is critical for state CIOs to be involved in health IT policy issues, and also be more knowledgeable and familiar with issues related to the governance of Health Information Exchange (HIE). They should also be aware of how telehealth and HIE investments can impact Medicaid costs, and should be able to coordinate between Medicaid, the Children’s Health Insurance Program, and planned HIEs.

Hence there is a need to recreate or revamp IT infrastructure to prepare for huge numbers of Medicaid enrollments in the coming years, and this has added to the growing anxiety of public CIOs. However, upgrading information systems to these changing needs is a challenge in itself, because of the high cost of most IT applications.

Also, there has been growing reliance on IT in the healthcare industry, and rapid adoption of Electronic Medical Records (EMR), which have made it essential to ensure safe handling of sensitive data. And in addition to this, the Health Information Technology for Economic and Clinical Health (HITECH) Act has also renewed focus on HIPAA Compliance. Hence, safeguarding medical records and preventing unauthorized access to patient records have been of high priority lately.

So public CIOs are now taking an objective look at how statewide health systems can be made more efficient. One way of dealing with this would be to adopt services hosted in the cloud, instead of using traditional methods, which involve procuring and managing IT systems. While on the one hand cloud-based services provide an opportunity for rapid deployment and greater interoperability, on the other, they are highly cost-effective. And with state budgets being cut, cloud-based solutions can prove much safer than traditional systems.

The post Federal Health Care Reform- What they Mean to Public CIOs appeared first on Aegify.

Kern Medical Center in Bakersfield faced the largest civil penalty of $250,000 for losing 596 patient records, and an additional fine of $60,000 for allowing two employees to access and disclose a patient’s medical record on three occasions.

In a similar breach, Pacific Hospital in Long Beach was fined $225,000 after an employee admitted to memorizing personal information of nine patients, and setting up fake Verizon accounts using their information.

The state of California has the toughest privacy laws in the country with high penalties for data breaches. And Kaiser Permanente’s Bellflower Hospital was the first to be issued penalty under the state law enacted in 2008 for patient protection. The institution was fined $437,500 for failing to prevent unauthorized access to medical records of Nadya Suleman.

In all these incidents employees have been identified as the main cause for the breach. However, these institutions are also equally responsible for not being proactive in identifying and curbing insider threats. These incidents re-emphasize the need for an efficient security solution with effective threat management capabilities that can not only prevent such breaches in future, but also ensure a more secure data management process.

The post 7 Facilities in California Fined for Privacy Breaches appeared first on Aegify.

Timely Recognition of Long-Term Risks

Security cannot merely be defined in terms of Trojans, viruses or spam eagerly waiting to enter and incapacitate the central IT nervous system of an organization. Even the careless attitude of employees can cause security breaches within the network, and intentional attempts like hacking or willful destruction of critical data also cannot be ignored. In order to deal with this growing concern, you require automated IT Compliance software that can provide you with robust, end-to-end integration solutions.

Many organizations fail to enforce a compelling security environment that is in alignment with the business goals. The alarming rate at which these security threats are increasing is an indication that you need result-oriented techniques to help overcome this problem. The answer lies in an automated and integrated solution that can handle all IT risk management issues, and carry out overall effective corporate governance.

Intensifying the IT Environment with Cognitive Security Parameters

A cloud-based model capable of providing unified governance risk and compliance management solutions can help crack down potential threats, and can provide a remarkably safe IT environment. The solution contains a centralized repository for all compliance-based organizational data, and it considerably reduces the total cost of ownership due to its SaaS-based model.

It helps monitor and enforce the best regulatory standards and practices without delay. Due to its integrating feature, the time required for compliance is minimal, and the process is simple. Such an integrated compliance solution, addresses all vulnerability management solution needs by performing comprehensive scanning procedures, scheduling audits and providing exhaustive audit log trails for all compliance related tasks, so that compliance gaps can be bridged promptly with corrective measures. It also provides a complete report of compliance statistics which in turn helps identify your compliance status.

The aim of a capable IT security solution is to provide a set of comprehensive features, with solutions for effective threat management. Its main objective is to resolve issues concerning data leakage, insider threats, intrusion detection, and verification of controls. Therefore, with an integrated, comprehensive security solution, enterprises can ensure a healthier and safer IT environment.

The post A Wake-Up Call for IT Security: Are Your Compliance Practices Fit for the Test? appeared first on Aegify.

Get cracking; threats are real!

Threats to systems and networks worldwide have been on the rise. For instance, the blaster worm in 2009 managed to shut down close to 120,000 systems in just 3 minutes, ensuring that networks across the world were affected. In another such attack, the Slammer worm infected nearly 55 million hosts per second in just 11 minutes. Susceptibilities in enterprise systems and the perpetrators of such actions are increasing globally, and IT organizations are more and more vulnerable to these attacks.

Be it internal or external, security threats can cause not just financial losses, but can also tarnish the image of an enterprise. Hence threat management has to take precedence over other activities. Enterprises should therefore follow best practices and invest in the best solutions to manage security threats effectively.

What are the best practices for effective threat management?

Managing threats is not an easy task, especially because enterprises today want their threat management efforts to coincide with compliance management as well. So an ideal threat management solution should essentially:

• Crack multiple data-centric information security challenges
• Decipher and detect in real-time advanced persistent and pervasive threats
• Detect automatically for any kind of data leakages
• Search for insider threats
• Provide detailed malware analysis
• Undertake continuous and automatic controls verification including e-discovery
• Deliver a holistic solution for both security as well as for IT- Governance and Risk Compliance that can be easily monitored through an integrated dashboard
• Provide an end-to-end automatic enterprise security solution that is all encompassing for compliance, audit and risk management needs.
• Swiftly update software with latest information
• Stay ahead of potential threats
• Thwart threats at their source

A company’s network, its information systems, databases, and processes are essentially its backbone. Hence, they must be made secure from threats, both internal and external. Therefore, deploying the right threat management system can prevent data breach and safeguard the company’s networks, systems and assets.

The post Best Practices for Threat management appeared first on Aegify.

Like in any other industry, division of labor and specialization, have taken shape making the hacking industry more structured than ever before. The 3 key players in the hacking community are:

-Researchers: Otherwise known as exploit developers, researchers are not actually involved in exploiting systems, but look for vulnerabilities in frameworks and applications.

-Farmers: These are people who write botnet software to infect systems, and also maintain and increase the presence of botnets in the cyberspace. They probe applications to extract valuable data, execute password attacks, disseminate spam, and distribute malware.

-Dealers: They distribute malicious payloads. They also rent botnets for repeated, persistent attacks or targeted one-time attacks to extract sensitive information.

The sophisticated nature of today’s cyber attacks is a definite product of ‘hacking industrialization’. And the use of advanced hacking techniques has also contributed to a focus shift from stealing personal information and credit card numbers to stealing application credentials, for which 3 attack techniques have been identified as commonly used:

SQL Injections: Data theft is most commonly administered through this technique. IBM reported around 250,000 SQL injection attacks on websites around the world, everyday, between January and June 2009.

Denial of Service: This is an attack which is usually executed by blackmailing application owners to pay a ransom to free their application from an invasion of unwanted traffic.

Business Logic Attacks: In this type of attack, hackers target vulnerabilities in business logic. Unlike attacks targeted at application codes, these attacks often remain undetected. These attacks are not usually apparent and are too diverse to be expressed in vulnerability scanner tests.

These highly advanced security attacks make it increasingly difficult for organizations to fight threats and remain protected. Today, no web application is out of reach of hackers. Attack campaigns are quite common, not only against applications but against any available target. Therefore data protection is a must, and effective vulnerability scanning tools along with application-level security solutions may be very helpful in effective threat management and overall security.

The post Common Attack Techniques – In an Era of Industrialized Hacking appeared first on Aegify.

Creation of a new consumer protection agency at the Federal Reserve, provision of new powers to regulators for safely liquidating failed financial firms, and imposing new guidelines for transparency in the derivatives market, are some of the objectives of ‘The Dodd-Frank Wall Street Reform and Consumer Protection Act’. This law is an outcome of the 2008 banking crisis.

However, there are now mixed opinions about this law, especially with respect to its implication on data/ information security. Protiviti Inc.’s risk and compliance practice director Michael Brauneis noted that the provision in the law for creating a consumer protection agency may lead to a number of data security issues, since it calls for regulations to allow consumers to obtain information about their transactions from financial institutions. This causes a high risk of identity theft, if these financial institutions do not ensure effective controls to check the identity of the person requesting information.

Also, the concept of ‘systemic risk regulator’ meant to gather information from the banking industry to prevent another meltdown can pose serious concerns for overall data management and security. And a report by Delloite LLP on the new financial reform also cites data aggregation and reporting as one of the top implications of the new law.

Therefore, for all those involved in financial services, this regulatory reform is a groundbreaking event and is being described as the biggest since the Great Depression.

With the ever-increasing number of regulatory requirements, IT security has come a long way from being merely an IT-centric control mechanism, to becoming a complete compliance control technique. While the timeline for this law to take effect is long, this is yet another regulation that reinforces the need for secure GRC solutions.

The post Implications of the ‘Dodd-Frank Wall Street Reform & Consumer Protection Act’, on Data Security appeared first on Aegify.

Information on the files included people’s names, addresses, phone numbers, birth dates, social security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, and information on diagnoses and treatments. It had data on patients, employees, doctors, volunteers, donors, vendors, and other business partners and covered records over a 14-year time span.

The growing frequency of these incidents only reinforces the pressing need to secure end-point devices and comply with HIPAA and other regulations. Hospitals and institutions in possession of confidential data should adopt a cloud-based approach to storing records. Only this can help prevent such incidents of massive security breach and data loss.

The post South Shore Hospital Reports Loss of Confidential Data- 800,000 Private Records at Risk appeared first on Aegify.

Coming to effect from July 1st 2010, this new standard would mean that SMBs now have a mandate to build secure networks aimed at protecting cardholder information. It prohibits third-party payment software from storing authentication details like the cardholder PIN and Magnetic Stripe. Read more on this in Visa Puts Credit Security on You.

While that is for SMBs, larger enterprises are required to comply with the full version of PCI DSS standard by 30th September. The new standard would now control how cardholder data is stored, processed or transmitted.

With these new requirements, GRC solutions have gained more significance. By using SecureGRC^TM, a GRC platform that integrates with the business process, companies can now successfully deal with compliance and risk management.

The post New Security Standard for SMBs to Protect Cardholder Information appeared first on Aegify.