STEPS TO PREPARE FOR SECTION 889 PART B

Federal agencies and contractors doing business with the federal government are prohibited from procuring or using “covered telecommunications equipment or services” produced by certain designated entities as a “substantial or essential component of any system, or as critical technology as part of any system” under Section 889 of the Fiscal Year 2019 National Defense Authorization Act. There are two components to the ban. 

The first, Section 889(a)(1)(A), also known as “Part A,” prohibits the federal government from “procuring or obtaining any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as a critical technology as part of any system.” This became effective on August 13, 2019.

The second part, Section 889(a)(1)(B), or “Part B,” which went into effect on August 13, 2020, prohibits the federal government from “entering into a contract (or extending or renewing a contract) with an entity that uses any equipment, system, or services that use covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system.” Read about why Section 889 Part B is important to federal contractors on our blog for more information.

How Can Contractors Prepare For Part B?

1. Reassess Your Compliance Solutions

Following the publication of the final rule, contractors should examine and reconsider their past compliance efforts to the extent that the rule clarifies or modifies the contractor’s prior assumptions or scope of review.

2. Conduct an Internal Audit Assessment

Identify any manufacturing ties with the five suppliers in the NDAA, including any subsidiaries or affiliates (as with OEM and ODM relationships, be mindful of equipment supplied under another manufacturer’s name). 

Also, check any covered equipment or services delivered on government contracts by any vendor. Further, identify any business equipment or systems produced by, or containing components from, a prohibited vendor, such as computers, servers, phones, and other electronics capable of executing software commands. This will be required to comply with the second half of Section 889.

3. Determine Whether Limited Waivers Apply

Contractors with Department of Defense contracts that solely supply food, clothing, supplies, and so on should check with the contracting officer to see whether the latest waiver extension applies to their purchase. Note, however, that they may still be covered through other contracts.

4. Document Compliance Efforts

Given the uncertainty and ambiguity surrounding Part B compliance, contractors must document what they have done to comply or attempt to comply. You must be able to verify your company’s efforts and that you have not just neglected compliance. Create and keep contemporaneous records of “reasonable inquiry,” meetings, compliance materials created, and staff education delivered.

5. Analyze the Ban’s Impact

Evaluate compliance expenses based on the preceding review, since Part B, like Part A, may carry a flow-down clause or require certification language.

6. Keep an Eye on the Rulemaking Process

Consider whether the issues and expenses raised warrant reaching out to your government relations team during rulemaking, submitting comments on the interim rule, or working with industry organisations that are actively lobbying on behalf of contractors in the Section 889 rulemaking.

7. Seek Confirmation From the Contracting Officer

If the company believes that an exemption to Section 889 applies to any of its proposed goods, it should seek confirmation from the contracting officer as soon as possible, ideally before making the required representation. Be cautious of manufacturers’ or their agents’ sweeping statements that their products or services are “free” from Section 889 without additional proof.

8. Evaluate Costing

Part B compliance can prove to be expensive, so account for compliance expenses separately, as they may be reimbursable.

To secure your organization and help you prepare for Section 889 Part B, software solutions such as ComplyShield by SureShield can be beneficial. ComplyShield gives you:

  • A fully customizable platform that adapts to your compliance needs
  • Enterprise-wide use of ComplyShield
  • A team kept up to date on their responsibilities as requirements change
  • Organization-wide participation in meeting compliance requirements, integrated with established business processes
  • Real-time compliance monitoring to ensure that nothing slips through the cracks

To know more about our compliance and software solutions visit our website. You can also read about corporate compliance in healthcare for more information or follow us on LinkedIn and Twitter for some insightful posts and updates.

INSIGHT INTO THE WORLD’S LARGEST PASSWORD COMPILATION LEAK

What seems to be the world’s largest password collection has been released on a prominent hacker forum. A forum member posted a 100GB TXT file containing 8.4 billion password entries, probably compiled from prior data dumps and breaches. All of the passwords in the leak are said to be 6-20 characters long, with non-ASCII characters and whitespace removed. The poster claimed that the compilation comprises 82 billion passwords; however, the real number is nearly ten times lower: 8,459,060,239 unique entries.

The forum user has dubbed the compilation ‘RockYou2021’, presumably a reference to the infamous ‘RockYou’ data breach of 2009, in which 32 million user accounts were exposed. Threat actors broke into the social app website’s servers and obtained users’ passwords, which were stored in plain text.

The 2021 version of RockYou had so many passwords because it dipped into a slew of previously stolen datasets, including the Compilation of Many Breaches (COMB), which disclosed over 3.2 billion unique combinations of emails and passwords in cleartext. The only saving grace is that many of these passwords are from dormant accounts or have been changed afterwards. It is strongly advised that users immediately check to see whether their credentials were included in the breach. Also, read about the largest data breaches in 2020 for some more information about leaks and breaches. 

How to Check if Your Password Was Leaked

Users concerned about exposed passwords and other sensitive information are encouraged to take the following steps to find out, so that they can take preventive measures if needed.

  • Use a reliable data leak checker where you can input your email address to see whether your account has been compromised. Services such as Have I Been Pwned, Firefox Monitor and Avast Hack Check offer this.
  • If you know or believe that one of your accounts was compromised in a data breach, reset your password right away.
  • Consider utilizing a password manager to generate, store, and manage strong passwords for your online accounts.
  • Enable multi-factor authentication on any accounts that support it.
  • Be on the lookout for an upsurge in spam and phishing emails in which criminals attempt to defraud you using your stolen email address.

If you find that one or more of your passwords were included in the RockYou2021.txt collection and are potentially being sold on the dark web, we urge you to take these measures promptly to protect your data and limit the potential impact from threat actors. Read about the SolarWinds Supply Chain attack and the dark web on our blog to get an idea of how the dark web works.
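The leak checkers named above let you test a password without handing it over: Have I Been Pwned’s Pwned Passwords service uses a k-anonymity range query in which only the first five hex characters of the password’s SHA-1 hash are sent, and the match is finished on the client. The following Python is an added example written for this post, not code from SureShield or from Have I Been Pwned; the range fetcher is a constructed, offline stand-in for the real endpoint (https://api.pwnedpasswords.com/range/&lt;prefix&gt;), and the corpus and counts are made up, but the response format it imitates (one `<35-hex-suffix>:<count>` line per entry) and the hashing and matching logic are the real protocol.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# A range fetcher takes the 5-character hash prefix and returns the text body
# of the range response: one "<35-hex-suffix>:<count>" line per entry.
RangeFetcher = Callable[[str], str]


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the range body into {suffix: count}, tolerating CRLF line
    endings, blank lines and lower-case hex; malformed lines are skipped."""
    entries: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35 or not count.strip().isdigit():
            continue
        entries[suffix.upper()] = int(count)
    return entries


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """How many times the password occurs in the corpus (0 = not found).
    The suffix comparison happens here, on the client, so neither the
    password nor its full hash ever leaves the machine."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def build_offline_fetcher(corpus: Dict[str, int]) -> RangeFetcher:
    """Constructed stand-in for the range endpoint, built from a small
    password -> count corpus. Like the real service it groups entries by
    prefix and returns suffixes only, never passwords or full hashes."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return lambda prefix: "\r\n".join(ranges.get(prefix, []))


# Constructed corpus standing in for a breach compilation; the counts are
# invented for this example and are not from RockYou2021 or any real service.
CONSTRUCTED_CORPUS = {"password": 3861493, "123456": 23597311, "letmein": 152482}
OFFLINE_FETCHER = build_offline_fetcher(CONSTRUCTED_CORPUS)


def is_acceptable(password: str, fetch_range: RangeFetcher = OFFLINE_FETCHER) -> bool:
    """Policy check in the spirit of NIST SP 800-63B: reject any password that
    appears in a breach corpus at all, however long or complex it looks."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "letmein", "correct horse battery staple"):
        n = pwned_count(candidate, OFFLINE_FETCHER)
        print(f"{candidate!r}: seen {n} times -> {'reject' if n else 'ok'}")
```

To use this against the live service, replace `OFFLINE_FETCHER` with a function that performs an HTTPS GET of the range URL for the prefix and returns the response body; the rest of the code is unchanged, and the password itself is still never transmitted.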

Potential Impact of the Leak

Threat actors can use the RockYou2021 collection to mount dictionary and password spraying attacks against an enormous number of internet accounts by combining its 8.4 billion unique password variants with other breach collections that contain usernames and email addresses.

Because most individuals reuse their passwords across many apps and websites, the number of accounts potentially compromised by credential stuffing and password spraying assaults as a result of this breach may approach millions, if not billions. 
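From the defender’s side, the signature of the attacks just described is the inverse of a user who has forgotten a password: one source tries a few passwords against many accounts rather than many passwords against one. The following Python is an added example written for this post, not SureShield code; the authentication log lines are constructed (the `key=value` layout is invented, so adapt `LINE_RE` to your own identity provider or VPN log format), and the thresholds are illustrative. It flags spraying sources and lists the accounts that succeeded from a flagged source, which are the ones needing an immediate reset and session revocation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample authentication events (not real logs). 203.0.113.10
# sprays one guess across many accounts; 198.51.100.7 is a user retyping a
# forgotten password; 192.0.2.44 is an ordinary successful login.
SAMPLE_AUTH_LOG = """\
2021-06-08T09:00:01Z src=203.0.113.10 user=alice result=FAIL
2021-06-08T09:00:03Z src=203.0.113.10 user=bob result=FAIL
2021-06-08T09:00:05Z src=203.0.113.10 user=carol result=FAIL
2021-06-08T09:00:08Z src=203.0.113.10 user=dave result=FAIL
2021-06-08T09:00:10Z src=203.0.113.10 user=erin result=OK
2021-06-08T09:00:12Z src=203.0.113.10 user=frank result=FAIL
2021-06-08T09:00:15Z src=203.0.113.10 user=grace result=FAIL
2021-06-08T09:01:00Z src=198.51.100.7 user=alice result=FAIL
2021-06-08T09:01:20Z src=198.51.100.7 user=alice result=FAIL
2021-06-08T09:01:45Z src=198.51.100.7 user=alice result=OK
2021-06-08T09:30:00Z src=192.0.2.44 user=heidi result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


class AuthEvent(NamedTuple):
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_events(text: str) -> List[AuthEvent]:
    """Parse the constructed log format; lines that do not match are skipped
    rather than guessed at. Events are returned in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuthEvent(ts, m["src"], m["user"], m["result"] == "OK"))
    return sorted(events, key=lambda e: e.ts)


def detect_spraying(events: List[AuthEvent],
                    window: timedelta = timedelta(minutes=10),
                    min_users: int = 5) -> Dict[str, List[str]]:
    """Flag sources whose failed logins hit at least min_users distinct
    accounts inside any sliding window. Returns {source: targeted users}."""
    failures: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        if not e.ok:
            failures[e.src].append(e)
    flagged: Dict[str, List[str]] = {}
    for src, fails in failures.items():
        for i, current in enumerate(fails):
            # distinct accounts among this source's failures in the window
            # ending at the current event (fails is already time-ordered)
            recent = {f.user for f in fails[: i + 1] if current.ts - f.ts <= window}
            if len(recent) >= min_users:
                flagged[src] = sorted({f.user for f in fails})
                break
    return flagged


def likely_compromised(events: List[AuthEvent], flagged: Dict[str, List[str]]) -> List[str]:
    """Accounts that logged in successfully from a flagged source: the spray
    found a working password, so reset these and revoke their sessions."""
    return sorted({e.user for e in events if e.ok and e.src in flagged})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_AUTH_LOG)
    hits = detect_spraying(evts)
    for src, users in hits.items():
        print(f"spraying from {src}: {', '.join(users)}")
    print("likely compromised:", likely_compromised(evts, hits))
```

The forgotten-password source is not flagged because all of its failures are against a single account; tuning `min_users` and `window` against your own baseline keeps that distinction intact while catching slow sprays spread over a longer window.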

Organizations need to take precautionary measures to ensure such data breaches do not take place. Software from SureShield such as BreachShield provides comprehensive dark web monitoring and risk response guidance:

  • Network intelligence with multiple risk assessment techniques
  • Compilation of threat actor communications to identify threats in one searchable database 
  • Dark web forum human-driven data analysis and advanced threat intelligence 
  • Key insights into real-time risks with breach intelligence and third-party exposure 
  • Protection for network assets such as infected devices, malicious access, compromised credentials etc.
  • Safeguards corporate credit cards 
  • Root cause analysis by integrating data from SureShield’s modules (SecurityShield, HackShield, and ComplyShield)
  • Comprehensive risk response and remediation process

To know more about our software solutions and how to prevent breaches at your organization you can visit our website, read our blog or follow us on Twitter and LinkedIn.

THE WORKINGS OF DARKSIDE RANSOMWARE

DarkSide ransomware is a relatively new ransomware strain that threat actors have been utilising to target numerous businesses, resulting in the encryption and theft of sensitive data as well as threats to make it publicly available if a ransom demand is not met. Read how the meat industry is the latest to be attacked by ransomware.

This ransomware has been active since August 2020 and was used in an attack against Georgia-based Colonial Pipeline, causing a severe gasoline supply disruption along the United States East Coast. The malware is offered as a service to various hackers via an affiliate scheme and, like other well-known ransomware threats, utilises double extortion, combining file encryption with data theft, and is distributed on infiltrated networks by manual hacking tactics. Recent reports state that the threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the REvil RaaS (ransomware-as-a-service) group.

Main Targets

DarkSide ransomware typically targets high-revenue businesses. Over time, several other DarkSide victims have been discovered through incident response engagements and posts on the DarkSide blog. The majority of the victims were situated in the United States and worked in a variety of industries, including financial services, legal, manufacturing, professional services, retail, and technology.

How DarkSide Infiltrates Networks

DarkSide and its affiliates deliver ransomware using the same human-operated approach as other popular ransomware organisations that have plagued businesses in recent years. This means that attackers acquire access to networks by several mechanisms, including stolen credentials followed by manual hacking techniques and lateral movement utilising a range of system administration or penetration testing tools.

The objective is to map the network to identify crucial servers, elevate privileges, get domain administrator credentials, disable and remove backups, exfiltrate sensitive data, and then spread the ransomware to as many systems as possible at once. This deliberate and precise technique is far more effective and difficult to fight against than ransomware programmes that spread automatically over networks by utilising built-in routines that may fail and trip detection measures. Read how to identify sensitive data on our blog for more information.

To gain an initial foothold, each DarkSide affiliate may use a different strategy. These techniques are similar to those used by other ransomware groups: purchasing stolen credentials from underground markets, performing brute-force password guessing or credential stuffing attacks, purchasing access to machines infected with botnet malware such as Dridex, TrickBot, or Zloader, and so on. Access is also gained by sending emails with malicious attachments that include a lightweight malware loader.

What is the DarkSide Ransomware Routine?

The DarkSide ransomware encrypts victims’ data with Salsa20 and RSA-1024 and is said to have a Linux variant. When run on Windows, the malware examines the system’s language setting and, if it is the language of a nation in the former Soviet Bloc or its area of influence, it avoids encrypting the data. This is typical of malware created by groups based in the region who want to avoid attracting the attention of local authorities by not hitting local organizations.

According to Cybereason researchers, the malware then disables services with the following names: vss, sql, svc, memtas, mepocs, sophos, veeam, or backup. These include backup services, such as the Windows Volume Shadow Copy Service (VSS), and security solutions. It then identifies running processes and terminates them so that it can encrypt the files they were holding open. It also employs a PowerShell command to remove any existing volume shadow copies that could otherwise be used to recover files.

DarkSide ransomware generates a unique ID for each victim and appends it to the file extension of the encrypted files. The ransom payments might range from a few hundred thousand dollars to millions of dollars, based on the assailants’ assessment of the victim’s size and yearly income.
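The service stops and shadow-copy deletion described above happen before encryption starts, which makes them the last useful moment to detect the intrusion from process-creation telemetry (Sysmon Event ID 1 or Security Event 4688). The following Python is an added example written for this post, not SureShield code or a DarkSide artifact: the log lines are constructed (the `key=value` layout is invented, so map your own event fields into `LOG_RE`), the service-name fragments are the ones listed in the text, and the command patterns cover the common ways a process stops a service or removes shadow copies on Windows.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Service-name fragments the text above reports DarkSide stopping before it
# encrypts. "svc" and "sql" are broad (a DBA stopping MSSQLSERVER will match),
# which is why every alert carries the full command line for triage.
TARGET_SERVICE_FRAGMENTS = ("vss", "sql", "svc", "memtas", "mepocs", "sophos", "veeam", "backup")

# Three ways a process can ask Windows to stop a service: net, sc, PowerShell.
STOP_SERVICE_RE = re.compile(
    r"(?i)(?:\bnet1?(?:\.exe)?\s+stop|\bsc(?:\.exe)?\s+stop|\bstop-service(?:\s+-name)?)"
    r"\s+\"?(?P<svc>[^\s\"]+)"
)

# Volume shadow copy removal via vssadmin, wmic, or the WMI class in PowerShell.
SHADOW_DELETE_RE = re.compile(
    r"(?i)(?:vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*?(?:\.delete\(|remove-wmiobject))"
)

LOG_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmdline="(?P<cmd>.*)"$')

# Constructed process-creation events (not real logs). FS01 shows the pattern
# from the text; WS22 and DB03 are benign or ambiguous administrative activity.
SAMPLE_PROCESS_LOG = r"""
2021-05-07T03:12:40Z host=FS01 user=CORP\backupadm cmdline="net stop veeam"
2021-05-07T03:12:41Z host=FS01 user=CORP\backupadm cmdline="sc stop VSS"
2021-05-07T03:12:42Z host=FS01 user=CORP\backupadm cmdline="powershell.exe -Command Stop-Service -Name SophosAgent"
2021-05-07T03:12:50Z host=FS01 user=CORP\backupadm cmdline="vssadmin.exe delete shadows /all /quiet"
2021-05-07T03:13:02Z host=WS22 user=CORP\jsmith cmdline="net stop spooler"
2021-05-07T03:13:10Z host=WS22 user=CORP\jsmith cmdline="sc query MSSQLSERVER"
2021-05-07T03:14:00Z host=DB03 user=CORP\dba cmdline="net stop MSSQLSERVER"
"""


class Alert(NamedTuple):
    rule: str
    host: str
    user: str
    cmdline: str


def classify_cmdline(cmd: str) -> Optional[str]:
    """Return the rule name a command line triggers, or None if benign."""
    if SHADOW_DELETE_RE.search(cmd):
        return "shadow_copy_deletion"
    m = STOP_SERVICE_RE.search(cmd)
    if m and any(frag in m["svc"].lower() for frag in TARGET_SERVICE_FRAGMENTS):
        return "protected_service_stop"
    return None


def scan_process_log(text: str) -> List[Alert]:
    """Run both rules over every parseable event; unparseable lines are skipped."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rule = classify_cmdline(m["cmd"])
        if rule:
            alerts.append(Alert(rule, m["host"], m["user"], m["cmd"]))
    return alerts


def hosts_with_both_behaviours(alerts: List[Alert]) -> List[str]:
    """A host that both stops backup/security services and deletes shadow
    copies is a far stronger signal than either rule alone; escalate these."""
    rules_by_host: Dict[str, Set[str]] = {}
    for a in alerts:
        rules_by_host.setdefault(a.host, set()).add(a.rule)
    wanted = {"shadow_copy_deletion", "protected_service_stop"}
    return sorted(h for h, r in rules_by_host.items() if wanted <= r)


if __name__ == "__main__":
    found = scan_process_log(SAMPLE_PROCESS_LOG)
    for a in found:
        print(f"[{a.rule}] {a.host} {a.user}: {a.cmdline}")
    print("escalate:", hosts_with_both_behaviours(found))
```

The single-rule hits on DB03 are worth a look but may be routine maintenance; the combination on FS01, several protected services stopped and shadow copies deleted within seconds by the same account, is the pre-encryption sequence the text describes and should isolate the host.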

Software solutions such as SecurityShield continuously scan servers and endpoints for flaws in software design. SecurityShield discovers vulnerabilities, assesses their impact, classifies them, identifies the risks they pose, and then generates a prioritized risk response remediation plan to fix them. To know more about our software solutions you can visit our website, read our blog or follow us on Twitter and LinkedIn.

HOW TO BUILD A VULNERABILITY MANAGEMENT PROGRAM

Vulnerability management is broadly described as the practice of identifying vulnerabilities in unpatched systems that, if exploited by adversaries, could jeopardize your entire business environment. Typically, vulnerability management is a foundational practice and an integral part of any standards initiative for cybersecurity. The ever-changing device demographics and the increasing complexity of cyberattack techniques are challenging existing methods of managing security vulnerabilities.

As such attacks continue to grow, a vulnerability management program is vital to adequately protect your infrastructure, applications, and data.

What are the 4 Key Elements in a Vulnerability Management Program?

1. Vulnerability Assessment

An effective vulnerability management program helps assess risks, weaknesses and exposure threats. It then instils the required protections that reduce the likelihood of a breach of your sensitive data. Learn how to identify sensitive data on our blog.

2. Vulnerability Management Tools

These are the tools that scan your systems and identify their vulnerabilities, increasingly with the aid of deep learning and AI.

3. Integration and Alignment

A successful vulnerability management program must be linked to vulnerability databases and must be in sync with key stakeholders throughout the organisation as well as compliance and regulatory requirements.

4. Agility

A vulnerability management program needs to be agile enough to keep your organization safe. The security systems and related processes need to keep pace with the ever-changing threat landscape and be cyber-resilient. Resilience and scale are also important considerations.

Steps to Building a Vulnerability Management Program 

1. Assemble and choose your team wisely: It is vital to identify all the key players needed on your team. For instance, you need a security director or manager in charge of vulnerability management, as well as at least one analyst who identifies, tracks and assesses vulnerabilities throughout your environment.

2. Obtain the appropriate tools: The right tools help security teams discover flaws in the environment, provide detailed information about all of an organization’s assets, and identify the top vulnerabilities that pose the greatest risk to the organisation. Read also how to conduct a cyber risk assessment.

3. Compare the threat landscape to your environment: By doing this you understand your organization’s assets and their known vulnerabilities. Threat intelligence will assist you in determining the impact of a potential exploit, which is another important factor in risk assessment.

4. Know your assets, applications, and risk tolerance: Understanding your current assets and the level of risk acceptable to your organisation is critical for effective prioritisation. Automated tools like SecurityShield by SureShield assist with this discovery task by identifying assets such as servers, workstations, virtual machines, storage arrays, and network infrastructure.

5. Measure, evaluate and prioritise your vulnerabilities: When selecting a platform for your organisation, look for one that combines real-world vulnerability intelligence, data science, automated risk analysis, customised risk metrics, and even risk-based SLAs.

6. Communicate, correct, and report: Your vulnerability management solution should facilitate, rather than obstruct, internal communication among key teams. It should also help you remediate quickly and efficiently. A software solution such as SecurityShield can be greatly beneficial to your organisation. It continuously scans servers and endpoints for flaws in software design, discovers vulnerabilities, assesses their impact, classifies them, identifies the risks they pose, and then generates a prioritized risk response remediation plan to fix them.
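Steps 4 and 5 above turn on one idea: a vulnerability’s severity score alone does not say how urgent it is; the criticality and exposure of the asset it sits on, and whether a working exploit exists, do. The following Python is an added example written for this post, not SureShield or SecurityShield code, showing one such risk-based scoring model with SLA tiers. The assets, findings, weights and SLA thresholds are all constructed for illustration (the finding ids are placeholders, not CVE numbers), so substitute your own inventory and risk tolerance.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int       # 1 (lab box) .. 5 (revenue-critical or holds PHI)
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str        # constructed placeholder ids, not CVE identifiers
    asset: Asset
    cvss: float            # CVSS v3 base score, 0.0 .. 10.0
    exploit_available: bool
    discovered: date


def risk_score(f: Finding) -> float:
    """Weight the base score by business context. CVSS alone would rank a 9.8
    on a lab VM above a 7.5 on an internet-facing patient-records server;
    the asset multiplier (0.75 .. 1.75), exposure and exploit availability
    reorder them. Weights are illustrative, not a standard."""
    score = f.cvss * (0.5 + 0.25 * f.asset.criticality)
    if f.asset.internet_facing:
        score *= 1.5
    if f.exploit_available:
        score *= 1.5
    return round(score, 2)


def sla_days(score: float) -> int:
    """Risk-based remediation SLA tiers (constructed thresholds)."""
    if score >= 20:
        return 7
    if score >= 12:
        return 30
    if score >= 6:
        return 90
    return 180


def prioritise(findings: List[Finding], today: date) -> List[Tuple[Finding, float, date, bool]]:
    """Return (finding, score, due date, overdue) rows, highest risk first."""
    rows = []
    for f in findings:
        s = risk_score(f)
        due = f.discovered + timedelta(days=sla_days(s))
        rows.append((f, s, due, today > due))
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


# Constructed inventory for the example.
PATIENT_PORTAL = Asset("patient-portal-web", criticality=5, internet_facing=True)
LAB_VM = Asset("lab-vm-17", criticality=1, internet_facing=False)
HR_DB = Asset("hr-db", criticality=4, internet_facing=False)

FINDINGS = [
    Finding("VULN-001", PATIENT_PORTAL, cvss=7.5, exploit_available=True, discovered=date(2021, 5, 1)),
    Finding("VULN-002", LAB_VM, cvss=9.8, exploit_available=False, discovered=date(2021, 5, 20)),
    Finding("VULN-003", HR_DB, cvss=8.0, exploit_available=True, discovered=date(2021, 5, 25)),
]
TODAY = date(2021, 6, 1)  # constructed "current" date so the output is stable


if __name__ == "__main__":
    for f, score, due, overdue in prioritise(FINDINGS, TODAY):
        flag = "OVERDUE" if overdue else "on track"
        print(f"{f.finding_id} {f.asset.name:20} cvss={f.cvss:<4} risk={score:<6} due={due} {flag}")
```

The output puts the 7.5 on the patient portal at the top, already overdue under a 7-day SLA, and the 9.8 on the lab VM last with a 90-day SLA, which is the ordering a risk-based program wants and a plain CVSS sort would not produce.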

Broadly, SecurityShield helps to:

  • Spot missing patches, errors and weaknesses in system configuration settings and general deviations from policy
  • Map risks to non-compliance of regulatory controls like Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI)
  • Scan for more than 35,000 vulnerabilities and conduct nearly 100,000 checks across your networks
  • Auto-discover and scan any IT assets
  • Automate real-time continuous monitoring of IT assets
  • Automate mapping of vulnerabilities to control frameworks
  • Leverage big data analytics and machine learning for better organizational security
  • Significantly lower cost of ownership in months

Protect your organization by implementing the right software solutions and tools. Read our blog posts to know more about us, or follow us on Twitter and LinkedIn for some insightful updates and information.


LARGEST DATA BREACHES IN 2020

Data breaches increased steadily in 2020 compared with 2019. Many notable data breaches took place, and they continue to increase in number. The healthcare sector in particular has seen a spike, as hackers have been using the stress and chaos of the COVID-19 pandemic to infiltrate its systems. More precisely, there were 600 data breaches in the healthcare sector, a 55% increase over 2019. Read our blog on how data breaches continue to target the healthcare sector to know more.

Furthermore, there were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of the third quarter adding 8.3 billion records to what was already commonly referred to as the worst year on record.

Here we have compiled a list of 5 of the largest and most notable data breaches in 2020.

1. Easyjet Data Breach

In May 2020, a highly sophisticated cyberattack breached Easyjet’s security barriers and compromised the data of 9 million customers. The data accessed in the breach included travel details and email addresses, as well as the complete credit card details of 2,208 customers. Such breaches can severely disrupt customers’ privacy and security and ruin the reputation of a company. Additionally, because customer credit card information was leaked, this cyberattack exposes Easyjet to a finding of breaching the General Data Protection Regulation, which could result in a fine of up to 4% of its global annual turnover.

2. Zoom Data Breach

In April 2020, when Zoom Video Communications was nearing its pandemic peak of signups, hackers breached 500,000 accounts and either sold or freely published the account holders’ personal data on the dark web. They initially searched dark web databases for previously compromised login credentials dating back as far as 2013. Because passwords are usually recycled, this gave them instant access to several active Zoom accounts. A series of further attacks was then launched to compromise the remaining accounts. Those who obtained the compromised Zoom accounts were able to log into live meetings, with the legitimate owners unaware of what was happening.

3. Magellan Health Ransomware Attack

In April 2020, Magellan Health, a Fortune 500 company, was the victim of a sophisticated ransomware attack in which over 365,000 patient records were breached. First, the hackers obtained employee login information through malware that was installed internally. Then, posing as a Magellan client, they carried out a phishing attack. Soon the hackers gained access to a single corporate server and deployed their ransomware. The data breached unfortunately included patient social security numbers, W-2 information and employee ID numbers. Software solutions such as SecurityShield protect your sensitive data before it becomes a target by continuously scanning servers and endpoints for flaws in software design. SecurityShield discovers vulnerabilities, assesses their impact, classifies them, identifies the risks they pose, and then generates a prioritized risk response remediation plan to fix them.

More precisely, SecurityShield helps to:

  • Spot missing patches, errors and weaknesses in system configuration settings and general deviations from policy
  • Map risks to non-compliance of regulatory controls like Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI)
  • Scan for more than 35,000 vulnerabilities and conduct nearly 100,000 checks across your networks
  • Auto-discover and scan any IT assets
  • Automate real-time continuous monitoring of IT assets
  • Automate mapping of vulnerabilities to control frameworks
  • Leverage big data analytics and machine learning for better organizational security
  • Significantly lower cost of ownership in months

Additionally, BreachShield provides comprehensive dark web monitoring and risk response guidance. Implementing these software solutions is therefore important to maintaining an organization’s security.

4. Antheus Tecnologia

Antheus Tecnologia is a Brazilian biometrics company specializing in the development of Fingerprint Identification Systems (AFIS). In March 2020, the company suffered a breach of its server that could potentially expose 76,000 unique fingerprint records. The data accessed consisted of 2.3 million data points that could be reverse-engineered to recreate each original fingerprint. Additionally, 81.5 million records were accessed, consisting of email addresses, employee telephone numbers and administrator login information.

5. CAM4 Data Breach

In March 2020, CAM4, an adult video streaming website, had its server breached and over 10 billion records exposed. The records included sensitive information such as full names, email addresses, sexual orientation, chat transcripts, email correspondence transcripts, password hashes, IP addresses and payment logs. Most of the exposed email addresses were linked to cloud storage services; if the hackers were to launch successful phishing attacks on these users, they could gain deeper access to personal photos and business information. Additionally, compromised users could fall victim to blackmail and defamation attempts, given the nature of the website and the sensitivity of the information that was breached.

Another notable breach in 2020 was the SolarWinds supply chain breach in March 2020. Read our blogs to know more about us, or follow us on Twitter and LinkedIn for some insightful updates and information.

CORPORATE COMPLIANCE IN HEALTHCARE

6 Steps to Continuous Risk and Compliance Management

The risk management process in healthcare is complex due to the nature of the industry and factors such as the explosion in the use of technology; the vulnerabilities arising from this myriad of technologies, leading to cybersecurity threats; and regulatory, legal, and reimbursement requirements. With the pressure to remain compliant, the healthcare industry must approach risk management from a broad perspective by implementing sound enterprise risk management (ERM) programs. Here we provide a step-by-step guide to simplify your healthcare compliance and data security risk management. This guide will focus on:

  • Why corporate compliance in healthcare is critical
  • Areas that healthcare organizations should focus on for compliance
  • 6 steps to implementing a simple and nimble healthcare compliance and data security risk program
  • Cost analysis of implementing a comprehensive compliance and risk management solution


Importance of Corporate Compliance in Healthcare

A well-structured healthcare Enterprise Risk Management and compliance program is critical in the current healthcare climate. Having such a program promotes a comprehensive framework for making risk management decisions that maximize value protection, including putting in place safeguards to mitigate cybersecurity threats and sensitive data exposure or leaks. This is essential in a time of continual changes to regulatory requirements and associated audits, and penalties for non-compliance.

Reinforcing the need for corporate compliance programs in healthcare, the Office for Civil Rights (OCR) created guidelines that healthcare organizations can follow to develop compliance programs that meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA). The guidelines, “The Seven Fundamental Elements of an Effective Compliance Program”, outline the elements that the OCR considers essential in a corporate compliance program. The “Seven Elements” are:

  1. Implementing written policies, procedures, and standard operating protocols
  2. Designating a primary compliance officer and compliance committee/s
  3. Conducting effective training and education
  4. Developing effective lines of communication
  5. Conducting internal monitoring and auditing
  6. Enforcing standards through well-publicized disciplinary guidelines
  7. Responding promptly to detected incidents, offenses, and undertaking required corrective action

In addition to meeting HIPAA requirements, these “Seven Elements” also apply to the numerous other regulatory and security requirements that healthcare organizations must comply with such as the Medicare Access and CHIP Reauthorization Act (MACRA), the Payment Card Industry (PCI) data security standard, and the Federal Information Security Management Act (FISMA).

Areas of Focus for Compliance for Healthcare Organizations

Corporate compliance in healthcare and risk management must be organization-wide; however, there are some areas that are critical for all organizations to focus on. These include:

DARK WEB SECURITY MONITORING AND LEAK PREVENTION

Medical records can sell for 20 to 50 times more than other kinds of identity theft records. Sound compliance practices must take the dark web into account, and healthcare stakeholders should implement systems that can quickly and easily identify any compromised credentials or indications of stolen data and provide direction on actions to be taken.

SENSITIVE DATA PROTECTIONS

Healthcare organizations hold a multitude of sensitive data, which poses a security risk especially when it is shared or accessed outside of internal protected systems. A good compliance program will include endpoint and data protection technology, encryption of local copies of data, and identification of sensitive data with rules governing its access and distribution.

INTERNAL IT ASSET RISK AND COMPLIANCE MONITORING

All technological tools and assets used in healthcare pose a security risk and are susceptible to vulnerabilities. Healthcare security managers must implement consistent and regular monitoring and scanning of these assets to determine whether any have been compromised.

THIRD PARTY COMPLIANCE MONITORING

Third party vendors and contractors perform critical functions for the healthcare industry and are privy to sensitive health information. To comply with regulatory requirements, healthcare organizations need to have systems in place to monitor Business Associate (BA) compliance, and also perform regular sanctions and exclusion checks on all providers and contractors working with their organization.

STAFF COMPLIANCE MONITORING AND TRAINING

A 2018 report found that internal threats accounted for 56% of all data breaches in healthcare. Healthcare organizations must implement a solid risk and compliance program that includes regular training of staff on their responsibilities for meeting HIPAA, patient privacy rights, and other compliance requirements. These activities must be tracked, monitored, and have audit trails to prove that the healthcare organization has conducted this training and sanction checking.

With all these areas of compliance to attend to, and the increasing threats of cyber attacks coupled with regulatory oversight, healthcare organizations need a solid and well-thought-out process to address compliance. A comprehensive ERM is essential and includes identification of key parties who will be responsible for addressing each of the different areas. Full buy-in is critical from all members of the organization to make any compliance program successful.

6 steps to implementing a simple and nimble healthcare compliance and data security risk program

With all the requirements and threats facing the healthcare industry, it can seem overwhelming for an organization to also establish a consistent, effective and easy enterprise compliance and risk process. Below, we provide you with 6 steps to follow to help you implement a simple and nimble healthcare compliance and data security risk program.

1. Establish your risk and compliance leadership committees

Determine the key individuals who will lead the risk and compliance team including someone responsible for each area of risk such as third-party vendors, employee compliance, and internal IT assets. Use the “Seven Elements” to identify high level concerns such as:

  • Does the organization have the proper policies and processes outlined for each area?
  • Does the organization have proper staff training plans in place?
  • Is there a feedback loop in place to communicate activities?
  • Does the organization have a strong process for taking corrective action?


2. Determine internal risk and compliance capabilities

Carefully evaluate the technical and resource competencies that exist within the organization to best determine what types of systems to implement. A web-enabled solution with faster and easier implementation timelines may be ideal for an organization with limited IT resources. It may also be advisable to choose a solution that can proactively and regularly check employees and vendors for exclusions and sanctions to reduce the administrative and resource burden on the organization.

3. Establish a healthcare risk and compliance solutions assessment and budget

Next, evaluate the cost of the various solutions on the market that can competently address the issues identified, based on your organizational needs, timelines, and budgetary constraints. Some solutions require more internal IT support than others, so be sure to consider your available IT resources before choosing one. Other factors to consider include:

  • Can results from a security and vulnerability scan be easily incorporated into your HIPAA compliance audit?
  • Will findings from exclusion and sanctions checks be flagged automatically and feed the compliance oversight processes required by the Office of Inspector General (OIG)?
  • Can vendor security audits be integrated with the Office for Civil Rights (OCR) requirements for business associate compliance with HIPAA?
  • Are systems in place to integrate all compliance and risk activities so that they roll up into an overall entity-level report on security posture, making it easy to identify the highest-risk and highest-cost issues and prioritize them?

Be sure to choose a solution that provides insight into how to resolve and remediate areas of risk and non-compliance identified, and the cost of doing so.

4. Conduct a baseline assessment

Once the availability of internal resources and tools has been determined, conduct a baseline assessment of the organization’s risk profile. The baseline assessment should include an initial compliance audit against important requirements such as HIPAA and MACRA, and a security review of the organization’s assets. Use the results to create a single prioritized list of compliance gaps and security vulnerabilities.

5. Initial risk prioritization and resource analysis

The prioritized list of compliance gaps and security vulnerabilities created from the baseline assessment should be used to determine which areas to address first. In the risk analysis and prioritization process, ask questions such as:

  • Are continuous monitoring activities in place to run vulnerability scans and analyze the results?
  • Are remediation processes in place to address the vulnerabilities found, and are they followed by continued monitoring to confirm the fix?

It may be necessary to hire consultants to address specific areas if the resources are not available internally to do this in a timely manner.

6. Confirm Repeatable Process with Continuous Reporting and Insight

The compliance and security management process should include regular assessments for new vulnerabilities and allow resources and budget to be easily redirected to areas of concern. A solid enterprise risk management (ERM) program must have the ability to check, remediate, and re-check on a regular cycle.
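As an added illustration of the check, remediate, re-check cycle described in steps 4 through 6 (example code written for this page, not code from the page or from SureShield): the script below takes constructed findings from a vulnerability scan and a HIPAA control audit, scores them, rolls them up into an entity-level posture summary, and then applies a re-check so that fixed items close and recurring ones reopen. The 1-5 likelihood and impact scale, the ePHI weighting, the risk bands and the sample findings are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed findings, not real scan or audit output. "source" is either the
# vulnerability scanner or the HIPAA control audit; likelihood and impact use a
# 1-5 scale (an assumption for this example); "ephi" marks assets that store or
# process electronic protected health information.
@dataclass
class Finding:
    fid: str
    source: str          # "vuln_scan" or "hipaa_audit"
    asset: str
    description: str
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    ephi: bool = False
    is_open: bool = True
    history: List[str] = field(default_factory=list)

EPHI_WEIGHT = 2  # assumption: double the score when ePHI is exposed

def score(f: Finding) -> int:
    """Likelihood x impact, doubled when the asset handles ePHI (max 50)."""
    return f.likelihood * f.impact * (EPHI_WEIGHT if f.ephi else 1)

def risk_band(s: int) -> str:
    """Assumed bands used for the entity-level report."""
    if s >= 30:
        return "critical"
    if s >= 15:
        return "high"
    if s >= 6:
        return "medium"
    return "low"

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Open findings, highest score first; ties broken by ePHI exposure, then id."""
    return sorted((f for f in findings if f.is_open),
                  key=lambda f: (-score(f), not f.ephi, f.fid))

def posture_rollup(findings: List[Finding]) -> Dict[str, object]:
    """Entity-level summary: open/closed counts, counts by source and band, overall band."""
    open_findings = [f for f in findings if f.is_open]
    by_source: Dict[str, int] = {}
    by_band: Dict[str, int] = {}
    for f in open_findings:
        by_source[f.source] = by_source.get(f.source, 0) + 1
        band = risk_band(score(f))
        by_band[band] = by_band.get(band, 0) + 1
    top = max((score(f) for f in open_findings), default=0)
    return {"open": len(open_findings),
            "closed": len(findings) - len(open_findings),
            "by_source": by_source, "by_band": by_band,
            "overall": risk_band(top)}

def recheck(findings: List[Finding], still_present: Set[str], cycle: str) -> List[Finding]:
    """Re-check step: close findings the new scan/audit no longer reports,
    reopen any that reappear, and keep a history entry for each transition."""
    for f in findings:
        if f.fid in still_present and not f.is_open:
            f.is_open = True
            f.history.append(f"{cycle}: reopened")
        elif f.fid not in still_present and f.is_open:
            f.is_open = False
            f.history.append(f"{cycle}: verified remediated")
    return findings

def sample_findings() -> List[Finding]:
    """Constructed baseline mixing scanner and audit results."""
    return [
        Finding("V-1", "vuln_scan", "ehr-db01", "unpatched database service reachable from workstation VLAN", 4, 5, ephi=True),
        Finding("V-2", "vuln_scan", "kiosk-03", "outdated browser on waiting-room kiosk", 3, 2),
        Finding("V-3", "vuln_scan", "bill-app", "TLS 1.0 still enabled on billing portal", 3, 3, ephi=True),
        Finding("A-1", "hipaa_audit", "org", "no documented sanctions policy for workforce violations", 2, 3),
        Finding("A-2", "hipaa_audit", "vendor-x", "business associate agreement missing for transcription vendor", 4, 4, ephi=True),
    ]

if __name__ == "__main__":
    fs = sample_findings()
    for f in prioritize(fs):
        print(f"{f.fid:4} {score(f):3} {risk_band(score(f)):8} {f.asset:10} {f.description}")
    print(posture_rollup(fs))
    # Second cycle: only V-2 and A-1 are still reported, so the rest close.
    recheck(fs, still_present={"V-2", "A-1"}, cycle="cycle-2")
    print(posture_rollup(fs))
    # Third cycle: V-3 has come back (regression), A-1 is now fixed.
    recheck(fs, still_present={"V-2", "V-3"}, cycle="cycle-3")
    print(posture_rollup(fs))
```

The point of the re-check step is that a finding is never closed by the person who fixed it; it closes only when the next scan or audit no longer reports it, and it reopens automatically if it comes back, which is what makes the process repeatable rather than a one-off assessment.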

Cost Analysis of Implementing a Healthcare Compliance and Risk Management Solution

Some cost factors to be considered when making plans to implement a comprehensive compliance and risk management program include:

  • Cost of breaches and fines for non-compliance: in the US, the average cost of a data breach has been reported at $7.91 million, and HIPAA civil monetary penalties can exceed $1.5 million per year for a single category of violation.
  • Damaged reputation costs: the cost of a damaged reputation can be significant in the highly competitive healthcare marketplace where consumers can easily choose to avoid an organization that they believe may expose their healthcare data to breaches.
  • Costs of inadequate compliance and risk solutions and services: ensure that solutions purchased as part of an overall ERM program provide maximum return on investment. They should be easy to integrate and quick to implement, so that the organization does not have to spend more staff time on integration and so that implementation completes before its systems are exposed to additional threats.

Implementing a sustainable, repeatable, and effective continuous healthcare compliance and risk management process is critical for healthcare stakeholders and organizations. Being able to bring all distributed compliance activities together consistently allows the key management team to understand areas of vulnerability, prioritize risk, and focus on highest impact remediation activities. Strong healthcare technology solutions can assist in reducing the overall cost of compliance and risk management processes and assure regular and adaptable action to new compliance threats.

Download the Playbook for Corporate Compliance in Healthcare for a more in-depth look into healthcare compliance and data risk security or contact SureShield directly to learn more.

RISK MANAGEMENT PROCESSES: RISK RESPONSE METHODOLOGIES IN THE HEALTHCARE INDUSTRY

Leveraging Technology for Optimal Risk Response

The purpose of the healthcare industry is to improve patients’ lives, and risks in this setting have traditionally referred to factors or events that, should they occur, could harm the patient. Healthcare risk management was therefore reactive, focusing on patient safety, the prevention of medical errors, and the lawsuits that resulted from those errors. Today it has broadened and become more proactive, driven by the increased use of healthcare technology, cybersecurity issues, and regulatory, legal, and reimbursement requirements. Healthcare organizations must now re-evaluate their risk management programs from the perspective of the entire organization, as Enterprise Risk Management (ERM), rather than only promoting patient safety and preventing exposure to litigation.

Managing Risks – Risk Response Planning

As stated by the Project Management Institute (PMI) in the article “Risk Management in Healthcare Information Technology (HIT) Projects”, “managing risk is the systematic process of identifying, analyzing, prioritizing, and responding to risk.” The PMI suggested four main methods for risk response planning:

  1. Risk Avoidance: avoid risk by taking steps such as changing methods, resources, or plans.
  2. Risk Acceptance: accept the risk. For example, having a contingency plan prepared as a back-up system should the risk occur.
  3. Risk Mitigation: lessen the impact of the risk. For example, adding countermeasures to plans.
  4. Risk Transfer/Shifting Risk: this can be done by contracting externally or outsourcing.
The Role of Technology in Mitigating Risks in Healthcare
While the increasing use and rapid expansion of technology in healthcare has increased exposure to risk, technology also has a role to play in mitigating risk and speeding up risk response. A ‘must do’ for healthcare organizations is investing in a robust enterprise risk management system. Many such systems on the market offer solutions for documenting incidents, tracking risk, reporting trends, benchmarking data points, and making industry comparisons. Software solutions are also available that can detect breaches, protect systems and data from compromise, continuously monitor for potential security incidents, and help the organization remain in a constant state of compliance with the relevant regulations.

A major function of ERM is eliminating the risks that arise when departments operate as silos, and standardizing risk mitigation strategies across the organization using technology. Healthcare organizations can also leverage technology to mitigate risk by incorporating data analytics into processes such as decision-making, risk prioritization, and resource allocation.

Healthcare risk management continues to evolve as new risks emerge, lessons are learned, and changes continue to occur in the healthcare industry. Healthcare organizations need to be flexible and place themselves in positions to readily adapt to any changes. Technology can be a game changer in helping organizations stay on top of risk management and risk response processes.

Learn more about implementing SureShield’s Enterprise Risk Management Software here.

PLAYBOOK FOR HEALTHCARE COMPLIANCE NOW AVAILABLE FOR ORGANIZATIONS THAT WANT SIMPLE AND NIMBLE INFORMATION AND DATA RISK SECURITY SOLUTIONS

NEWS RELEASE – San Jose, California – September 2019 – SureShield, a unique Healthcare IT risk and compliance software suite provider, introduces a new Playbook for Corporate Compliance in Healthcare. This free 20-page download will help directors and managers of security and compliance chart a simple and nimble approach to corporate compliance and data risk security.

Healthcare stakeholders are burdened today with new regulatory requirements and safety threats to their IT and data systems, requiring strong programs and tools to provide actionable insight into their overall security posture in order to mitigate risk and exposure from breaches. Until now, small and medium-sized organizations have not had simple or cost-effective ways to provide better monitoring and tracking of security risks. Cumbersome enterprise solutions or disparate point solutions have caused gaps that are hard to fill when you have limited time, money and resources to deal with ever-growing cyber security threats.

“We developed the SureShield software suite of solutions to help healthcare organizations take a different approach to compliance and security,” said SureShield CEO, Sanjaya Kumar. “We are sharing our Playbook for Corporate Compliance with the healthcare community in order to show them a new and more cost-effective way forward. The complexities of enterprise healthcare risk and compliance management continue to be a challenge – we want to help organizations change that.”

This Playbook was created for healthcare compliance and risk management professionals in order to assist with:

  • The changing requirements necessary to build an enterprise risk management strategy and related processes.
  • What to consider when building effective and continuous processes that will reduce risk, lower costs and improve organizational safety.
  • A framework of integrated components required when establishing a systems-based approach to data and security.

A well-structured healthcare risk management and compliance program makes decision-making easier, maximizes value protection and mitigates the risk of security breaches and data loss. SureShield paves the way forward for the healthcare community to have a simple and faster approach to safeguarding their organizations.

Those interested in obtaining the Playbook for Corporate Compliance in Healthcare can download the guide for free at the download page. Interested parties can also contact SureShield to book a risk assessment discussion.

“The team at SureShield is passionate about helping the healthcare community find a better approach to corporate compliance and security,” said Tom Leahy, SVP Business Development at SureShield. “Our team has a long history and extensive experience in the healthcare field. We wrote this Playbook to help those who want to be proactive about new and ongoing security risks. We constantly strive to lead the industry in comprehensive security solutions that ensure continuous compliance.”

About SureShield

SureShield is a fast-growing Silicon Valley company and leader in simple-to-implement continuous risk and compliance technologies. SureShield is led by a diverse healthcare-focused management team with proven track records in compliance, safety, risk, and cyber-security management. SureShield serves leading hospitals and healthcare delivery settings along with managed service providers focused on security and compliance. SureShield’s Healthcare IT Risk & Compliance Software technology is unique in how it integrates data across various compliance and security settings to provide a complete compliance and security overview.

For more information about SureShield, please visit www.sure-shield.com