Friday, September 30, 2011

Understanding the Significance of PCI Compliance

There are rigorous requirements that companies must adhere to when processing cardholder data in order to be PCI compliant. Before PCI was established, the various card brands had each set up their own security programs to safeguard cardholder data in response to ongoing compromises occurring at a number of levels. The major credit card issuers then formed the PCI (Payment Card Industry) compliance standards to safeguard personal information and guarantee protection when transactions are processed using a payment card. The five major card brands (Visa, MasterCard, American Express, Discover Card and JCB) unified their policies and procedures under one universal standard, called the Payment Card Industry Data Security Standard (PCI DSS). PCI applies to all organizations or merchants, irrespective of size or number of transactions, that accept, convey or store any cardholder data. To put it simply, PCI DSS requirements apply wherever a customer pays a merchant directly using a credit card or even a debit card. The PCI Security Standards Council administers the payment industry and makes certain that all entities accepting, storing or transmitting credit card data adhere to the PCI DSS. Many companies that were under the impression that they were all set after complying with regulations such as the Sarbanes-Oxley Act and healthcare compliance discovered that their controls were not adequate to meet the PCI DSS.

The significance of PCI to an organization

With PCI DSS, organizations can safeguard important customer information as well as payment card details. It also protects against the loss of significant business information and the cost associated with a data compromise. PCI protects against the negative publicity associated with a data breach and guarantees constant customer confidence in the use of payment cards. Reducing the number of security breaches and protecting the card brands is the main aim of PCI.

Achieving PCI Compliance

An organization achieves PCI compliance by meeting the security requirements set out in the PCI DSS. It can validate compliance either by presenting a completed Self-Assessment Questionnaire (SAQ) or by undergoing an onsite assessment with a Qualified Security Assessor (QSA). The volume of transactions handled per annum decides which path applies. If an organization handles over six million transactions, it must undergo an onsite assessment by a QSA each year in addition to quarterly network scans. Organizations that carry out between twenty thousand and six million transactions must complete an SAQ and undergo quarterly scans of their external network in order to conform to PCI compliance. When a member of the PCI Security Standards Council falls prey to a security breach, it can suffer a substantial fine and be prohibited from handling future credit card payments.

Businesses can also help themselves become PCI compliant by purchasing sophisticated security equipment, configuring it to minimize risk, and implementing a host of policies and protocols that comply with the latest data security standards.

Thursday, September 15, 2011

HIPAA - Ensuring Security of medical data through compliance

With the HIPAA and HITECH Acts, it has now become mandatory for healthcare providers to protect patient healthcare information and to show the authorities that they have implemented policies and practices that conform to the control requirements of the regulations. The Department of Health and Human Services of the United States of America has enacted compliance regulations for all medical practitioners in the country. To ensure the privacy and security of sensitive health information, medical records and confidential data of any individual through appropriate administrative, technical and physical safeguards, the US government brought the HIPAA, or Health Insurance Portability and Accountability Act, into effect in 1996. The Health Information Technology for Economic and Clinical Health (HITECH) Act then came into force in early 2009, extending the privacy requirements enacted in HIPAA beyond healthcare providers to the services and companies with which they do business, so that in case of any violation of the HIPAA security regulations, both the covered entities and their business associates face penalties. The combination of HIPAA and HITECH compliance ensures that these records are encrypted and secure during any associated electronic transmission of health information.

Healthcare providers who need to comply with this healthcare regulation may be large health insurance companies, company health plans, or small and medium enterprises and their business associates handling Medicare and Medicaid. All medical practitioners, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies and even dentists who handle patient health information are covered entities under these regulations and need to be compliant. Healthcare clearinghouses that process such data also need to meet healthcare compliance requirements.

Cloud computing and Software-as-a-Service (SaaS), innovations from the technical world, have now made it possible to offer comprehensive and scalable compliance solutions from the cloud. Some of their clear advantages are the low cost of remaining compliant, easy updates of regulations and software code, a multi-tenanted solution in which different stakeholders have secure and exclusive access to their own data, a central repository of up-to-date regulatory citations, best practices accessible to users while assessing their compliance status, advanced risk algorithms that help prioritize the remediation action plan, unification of controls from different regulations and standards, and many others. This has helped medical practitioners concentrate on their patients and leave the compliance processes to experts in the field. The development of unified security monitoring systems and compliance management software works towards safeguarding patient health records within the policy framework and guidelines.


Wednesday, September 7, 2011

Tips to choose a HIPAA-HITECH Compliant Solution

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) places a large regulatory burden on organizations that deal with patient health-related information. The HIPAA Act was passed in the interest of securing sensitive patient healthcare information and making health insurance benefits available. All business organizations have to comply with the HIPAA security rules covering all types of safeguards. The HIPAA/HITECH Act has resulted in significant changes to the industry's approach to data protection. HITECH compliance is likely to influence every facet of your operations: business and healthcare processes; IT data security, retention and monitoring; and contracts and business relationships. It is therefore necessary to gain a better understanding of the compliance process, which will prove beneficial to patients, employees and businesses. Medical practices and their Business Associates can become HIPAA compliant in a very cost-effective manner, without requiring deep domain expertise, simply by opting for an efficient and compliant solution.

There are a number of HIPAA-compliant software solutions available on the market. The following tips can help in selecting the right one:

● Does it support uploading documents that can be shown to auditors or authorities as evidence of compliance?
● Is the solution cost effective, without requiring heavy investment in hardware, software and expensive updates?
● Does it offer a central repository for all compliance-related, up-to-date regulatory controls, documentary evidence, security policies, best practices, etc., that is easily accessible to the user?
● Can the solution provide a common interface to the various stakeholders, such as auditors, Managed Compliance Providers, Business Associates and users?
● Will it facilitate the unification of controls under different regulations?
● How extensive are the reports and risk management algorithms?
● Is the user interface simple enough that non-IT-savvy users can easily handle the application?

Investing in a solution that can handle compliance requirements easily helps healthcare providers ensure the best healthcare compliance. To achieve this, adequate steps must be taken to reinforce safeguards for EMRs/EHRs and to facilitate secure messaging of this valuable data. The risk and impact of a security breach have become more significant as a growing amount of health information is put into electronic form and shared across the healthcare system. Irrespective of which solution is chosen, it is vital to ensure that staff dealing with patients or clients are trained in a uniform, facility-specific HIPAA compliance procedure. With the right compliant software, organizations can achieve HIPAA compliance and also reduce the risk posed by hackers and misuse of information.

Monday, August 29, 2011

e-Framework of compliance for Enterprises - Compliance Management Software

Every organization, whether big or small, needs to conform to certain stated requirements. This compliance is achieved through various management processes such as regulations, strategies, contracts and policies. Compliance management is not a new term for industry, but in today's industrial scenario, Governance, Risk management and Compliance are grouped under one umbrella as GRC, a new way of adopting an integrated approach to corporate governance, enterprise risk management and corporate compliance.

Compliance management software has paved the way for an integrated approach to the various compliance issues faced by any organization. Traditionally, compliance procedures were managed at the department level. With industries going global and user groups spread worldwide, these compliance initiatives have become complicated and intertwined with regulatory and organizational requirements. This intertwined network brings down the efficiency of the organization and poses a great risk to its existence.

The advantage of using compliance management software is that it continuously monitors the process across the enterprise. Compliance dashboards highlight issues and trigger alerts that need immediate attention and correction from the responsible authorities in the organization. With an automated flow of information, assessments and testing methods, the integrated document management system controls change and keeps business processes in sync, complete with audit and change reports. The software also lets managers track the status of issues until they are resolved according to the compliance procedures. Further, it provides workflow, document management, inventory controls, a compliance scanner and detailed access controls through a secure web-based interface.

The use of virtual desktops and cloud computing has affected every organization. It has made the business world a smaller place and has increased the complexity of security and resource management. With resources spread globally and across virtual space, a cloud-based, automated IT security and compliance management solution makes enormous sense: one that consolidates GRC compliance management and information security, is easily adaptable, and has built-in support for various compliance management frameworks and different industry segments. Compliance management software with an effective system of IT governance and an advanced risk mitigation system covers threats from all areas, whether external, internal, deliberate or accidental. Additionally, it is flexible enough to seamlessly accommodate new regulations and policies that will be developed in future.


Tips to Ensure HITECH Compliance

The HITECH or Health Information Technology for Economic and Clinical Health Act (HITECH Act) came into effect on February 17, 2009, aimed at providing funding for, and safeguarding the use of, the electronic exchange of health information. This Act has brought significant changes to the healthcare industry's approach to data protection. In order to reduce data breaches, the new Act makes it mandatory for healthcare organizations to notify their patients of privacy breaches. With greater emphasis placed on storing and safeguarding vital patient information, the new compliance rule states that access to patient information should be restricted.

The need for effective documentation of policies and procedures on security-related issues has left many healthcare providers worrying about adhering to these compliance measures. On matters such as risk assessments, incident reports and logging of system activity, healthcare providers are uncertain how to proceed. By investing in a solution that can handle compliance requirements easily and effectively, healthcare providers can manage these matters efficiently and ensure the best HITECH compliance. Steps must be taken to reinforce safeguards for EMRs/EHRs and to facilitate secure storage and movement of this valuable data. With a large number of health information elements taking electronic form, which enables sharing across the healthcare system, the risk and impact of a security breach of the electronic data have become more significant. The following tips can help healthcare facilities prepare for HITECH regulations.

● Categorize content by PHI
● Ensure the protection of PHI at rest and in motion
● Ensure secure exchange of files
● Track and ensure correct message delivery

By establishing suitable secure information exchange, healthcare facilities can be assured that they are on the right path to meeting the requirements of the HITECH Act. It is therefore important to seek out a compliance management software solution that offers optimized HITECH compliance management techniques, which can be of great advantage to any healthcare provider.


Tuesday, August 9, 2011

How Prepared Are You for the Upcoming HIPAA Audit?

With the long overdue HIPAA privacy and security compliance audit program scheduled to begin later this year or early next year, it’s time for every healthcare entity to do a reality check and find out if their privacy and security policies really work. Is your organization prepared for the upcoming HIPAA compliance audit? If yes, how well are you prepared?

“An important component of preparing for a potential HIPAA compliance audit is to complete a ‘walk through’ to make sure privacy and security policies and procedures are practical and effective,” says Adam Greene, a veteran health law attorney and former key regulator at the U.S. Department of Health and Human Services, where he played a fundamental role in administering and enforcing the HIPAA privacy, security and breach notification rules, in his article ‘HIPAA Audits: Preparation Steps’. Most organizations formulate policies and procedures assuming that they will work best to meet their privacy and security needs. But, in Greene's words, “in the reality of a complex and busy environment” these policies and procedures may not work as expected. It is therefore of prime importance to conduct a self-audit to identify areas that may require policy or procedural changes, and so ensure optimal HIPAA compliance.

According to Adam Greene, four things are crucial when preparing for the HIPAA compliance audit. First, make sure that all your privacy and security policies are up to date. Second, ensure that your employees are comprehensively trained in the latest privacy and security protocols. Third, formulate a clear sanctions policy to ensure that employees do not violate these protocols. And fourth, be prepared with extensive documentation to demonstrate your compliance management efforts.

So, while you may have put in place policies and procedures to protect sensitive information, merely doing this will no longer suffice. To effectively handle the HIPAA audit, you need to keep track of how your security and privacy measures work, and also maintain adequate supporting records. This is where our SecureGRC solution may come in handy.

SecureGRC is an automated and integrated IT security and compliance management platform which not only offers comprehensive threat management capability but also provides a unified view of your compliance status, making it easy to keep track of compliance-related information. It holistically covers all aspects of threats, whether internal or external, known or unknown, intentional or unintentional, deliberate or accidental, through an effective risk mitigation system.

This solution is flexible and scalable enough to address new requirements, giving you the capability to seamlessly manage existing and potential risks. Its 24x7 information security monitoring and real-time reporting capabilities enable you to manage threats effectively. Most importantly, the centralized dashboard view summarizes your compliance status and generates comprehensive reports that help you demonstrate compliance for any regulatory or standards-based audit, including the periodic HIPAA compliance audit.


Friday, July 29, 2011

Staying Clear of Health Information Breaches

Did you know that 2.7 million Americans were affected by around 32 major health information breach incidents recently? The bulk of those people were affected by the breach at the insurer Health Net and its business associate IBM. The federal list released on June 22nd records all the major healthcare information breaches that have occurred since September 2009, in which around 11 million individuals were affected. Health information breaches have continued unabated, with the Health Net incident followed closely by the theft of a desktop computer at the Eisenhower Medical Center that compromised the information security of over 500,000 individuals.

There has been a large number of information security breaches since 2009, ranging from thefts of hard drives (BlueCross BlueShield of Tennessee), a laptop (AvMed) and backup tapes (New York City Health & Hospitals Corp.), compromising the sensitive medical and health information of millions of people. Even as the full and final version of the HITECH breach notification rule is expected to be released later this year as part of an ‘omnibus’ package that will include several rules, the current version requires organizations to conduct a risk assessment of any incident that could be a potential threat and, if it does cause harm, to report the resulting breach.

So is it really that difficult for healthcare organizations to take the right action as far as mitigating such information risks is concerned? Actually, no! It is not difficult if a prudent medical practitioner or healthcare enterprise owner ensures that healthcare compliance measures are in place by adopting the appropriate HITECH compliance solution. All that a healthcare organization needs to do is enforce a security policy that restricts any unauthorized access. SecureGRC, an automated compliance solution from eGestalt, can help healthcare organizations deal with their compliance woes comprehensively. The solution is designed to identify, remediate and maintain HIPAA and HITECH compliance for all healthcare organizations that handle Patient Health Information.

SecureGRC is equipped to help healthcare organizations achieve and maintain compliance with the regulations set forth in both the HIPAA and HITECH Acts. Additionally, since the solution can be delivered via the cloud without requiring any custom hardware investment, the compliance solution is actually future-proof! The solution not only automates the audit process but also provides concrete evidence of which risks need to be addressed and how they should be addressed. eGestalt makes it easy to stay clear of health information breaches with its fully optimized solution that addresses all healthcare compliance issues.

