Unified SaaS Solution for Cybersecurity and Risk. Curran Data Technologies


1 Unified SaaS Solution for Cybersecurity and Risk Curran Data Technologies

2 Solution: Discover the effective simplicity of a unified RSC solution

3 Solution
Diagnose: assess RSC gaps
Protect: continuous monitoring
Cure: wizard-driven RSC remediation
A cloud/SaaS-based, comprehensive Risk, Security and Compliance (RSC) management platform. Unified and integrated. Expert-systems driven, with big data analytics.

4 Solution Portfolio
- Assesses risk, prioritizes and remediates exposures, with continuous monitoring
- Discovers security threats and vulnerabilities, prioritizes and remediates exposures, followed by continuous monitoring
- Provides an integrated and harmonized control set to assess compliance issues, prioritize gaps and remediate through policies, procedures and implementation guidance
- Continuous monitoring of contractual compliance and risk exposure of BA-vendors, employees and contractors; automated monitoring of sanctions, exclusions, licensure and credentials

5 Aegify Integrity Manager: minimizing the risks of third parties and employees, avoiding costly fines with real-time monitoring solutions

6 Healthcare Organizations Have Compliance Requirements Under OIG and OCR: The Double Whammy
- Health & Human Services Office of Inspector General (OIG): requires that organizations work only with vendors and individuals who are not sanctioned or excluded from working with federal or state programs. Working with excluded parties can come with huge fines.
- Office for Civil Rights (OCR): oversees HIPAA compliance requirements. Requires that any entity working with Protected Health Information (PHI) have proper security and risk assessment programs in place to monitor any third party handling PHI data. Failure to do so can result in huge fines.

7 Enforcement Efforts by Both OIG and OCR Continue to Ramp Up
- In 2015, over $3 billion in investigative and audit receivables was collected by OIG for sanctions and exclusion violations.
- Breaches in the healthcare industry total an exorbitant $6.2 billion annually, with the average cost of a single data breach across all industries now $4 million. OCR continues to ramp up enforcement.
Source: 2016 Cost of a Data Breach Study: Global Analysis, IBM and Ponemon Institute

8 Consequences of Poor Implementation

9 OIG Civil Monetary Penalties: examples

Licenses / Credentials Monitoring
CE: Planned Parenthood Health System Inc., NC
Date: 06/24/2016
Event: After it self-disclosed conduct to OIG, Planned Parenthood agreed to pay $1,572, for potentially violating the Civil Monetary Penalties Law. Planned Parenthood submitted claims to Medicaid programs in North Carolina, South Carolina, Virginia and West Virginia that included the following billing errors:
- services billed under a provider number different than that of the medical professional who provided the service
- billed for services of non-physician practitioners who were not properly enrolled in their state Medicaid program
Penalty: $1,572,

Exclusions / Sanctions Monitoring
CE: Alternative Consulting Enterprises, Inc. (ACE), PA
Date: 12/22/2016
Event: After it self-disclosed conduct to OIG, ACE agreed to pay $126, for allegedly violating the Civil Monetary Penalties Law. OIG alleged that ACE employed an individual that it knew or should have known was excluded from participation in Federal health care programs.
Penalty: $126,

Exclusions / Sanctions Monitoring
CE: Antelope Valley Hospital (AVH), CA
Date: 11/30/2016
Event: After it self-disclosed conduct to OIG, AVH agreed to pay $190, for allegedly violating the Civil Monetary Penalties Law. OIG alleged that AVH employed an individual that it knew or should have known was excluded from participation in Federal healthcare programs.
Penalty: $190,087.90

10 OCR Wall of Shame: examples

HIPAA Violation / ePHI Breach
CE: Advocate Medical Group
Affected Individuals: 4 Million
Event: Failed to:
- conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI
- implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center
- obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession
- reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight
Fines: $5.55 Million

Vendor Risk
CE: Dr. Q. Pain and Spine d/b/a Arkansas Spine and Pain
Affected Individuals: 17,100
Event: A virus or malware was potentially installed on the information systems of Bizmatics Inc., a business associate of the CE, Arkansas Spine and Pain. Approx. 17,100 individuals' electronic medical records were compromised, but the BA and CE were unable to determine whose records or what information, if any, was accessed. OCR obtained a copy of the BA agreement in place between the CE and this BA. This review has been addressed by a separate review of the BA.
Penalty: $4 Million

HIPAA Violation / PHI Breach
CE: North Memorial
Affected Individuals: 9,497
Event: Approx. 9,497 patient health records were compromised by Accretive Health Inc., a business associate of the covered entity. Accretive Health was given access to a hospital database containing the ePHI of 289,94 patients. Under HIPAA Rules, covered entities must obtain a signed BAA from any vendor that provides functions, activities or services for or on behalf of a covered entity and requires access to patient ePHI.
Penalty: $1.55 Million

11 The Risk Perspective

12 Risk Approaches
- "The vendor is just as much at risk of being found noncompliant as the covered entity!" Yes and no.
- "People are honest!" They should be, but aren't always.
- "They are supposed to be in compliance." Trust, but verify.
- "They don't know what they are doing. I had better do it for them."

13 Limited Strategies Seen Today
- Excel spreadsheets
- Manual or periodic spot checks
- Siloed (one department doing sanctions checks and another doing vendor risk management; no uniformity)
- Very expensive and time consuming, with many manual labor processes
- No real-time continuous monitoring of vendors
- No real-time continuous monitoring of HIPAA certification status for all BAs/vendors

14 Results of Current Strategies
- Financial risk is high
- Too many spreadsheets
- Too much time spent on manually checking and verifying the integrity of business associates, contract workers and employees
- Up to $11,000 fine per claim
- Personal criminal fines and/or jail time

15 The Solution

16 Integrity Manager Key Features
- Real-time, automated and continuous monitoring across multiple databases: regular monitoring of all federal and state exclusions databases
- Configure, deploy and start using in less than 30 days: maintain a state of ever-readiness for compliance; attestation of policies for staff
- Perform integrity checks on vendors, business associates, employees and contract workers: be proactive and mitigate risk by easily and quickly checking the current or past status of vendors and employees with one comprehensive solution
- Perform HIPAA risk assessments on vendors handling PHI data: provides a dashboard of risk profiles of all vendors
- Get strategic insights from reports and comparative analytics: a rich library of reports enables visibility into the current vendor risk profile and exposure to fines and penalties at the click of a mouse

17 Integrity Manager Business Benefits
- Increase productivity with an easy-to-use, simple interface
- Fast and easy reporting with a rich library of reports
- Accelerate troubleshooting and resolution time with a web-based, exception-based dashboard that makes it easy to identify an issue and take immediate action
- Be up and running in 30 days: easy configuration and fast deployment
- Improve operational efficiency with a comprehensive automated workflow to manage all exclusions and sanctions
- Mitigate risk and avoid costly fines while maintaining regulatory compliance

18 Why Choose Integrity Manager?
- Improved and automated oversight for all integrity checking processes
- Automates all of the manual processes in exclusions/sanctions and employee background checking
- Eliminate/avoid costly fines and penalties from the OIG and OCR
- Ability to proactively identify vendors, business associates and employees who are on the excluded lists
- Break down the silos: one comprehensive solution that can be accessed anywhere, at any time, by multiple staff members
- Ability to be notified via a web-based dashboard of any infractions and take immediate remedial action

19 Establishing an Automated State of Continued Readiness

20 Easy Access to Federal and State Databases and Exclusions Lists

21 Integrity Manager Automated Process (process diagram; layers listed from data sources up to the dashboard)

Data sources: OFAC, NY, NJ, SAM, LEIE, state-wise exclusions, Practitioner License DB, Practitioner Credentials DB

Source Data Preparation and Maintenance: Data Loading, Source Staging, Source Data History, Synchronization. Data loading and data synchronization processes are custom for each data source and vary based on source update frequency, approach and content format.

Consolidated Source Database: holds all the records from all the data sources (Source 1 history, Source 2 history, ..., Source n history). Deduplication algorithms are run on the Consolidated Source Database; manual review is done on duplicate groups and merge policies are fine-tuned to automate the process.

Master Database: a unique record for every individual/entity.

Matching Services: query the master DB for matching entities/individuals against sanctions/exclusions and license/credentials records.

Manage-by-Exception Dashboard.
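The process on this slide, written out as a small runnable pipeline. This is an added illustration, not Aegify's or Curran Data Technologies' code: the three source layouts, the records, the roster names and the NPI values are all constructed for the example, and the loaders, match key and merge rule are assumptions that stand in for the per-source loading and the reviewed deduplication policies the slide describes. It shows why staging has to normalize per source (different name and date layouts), how consolidation keeps per-source history while deduplication collapses the same person into one master record, and how matching yields only the exceptions a dashboard would surface.

```python
from dataclasses import dataclass, field
from datetime import datetime
import re
import unicodedata

# Constructed sample extracts in three made-up layouts. Real OFAC/LEIE/SAM/state feeds
# differ in format and update cadence, which is why loading is custom per source.
SOURCES = {
    "LEIE": [
        {"lastname": "DOE", "firstname": "JOHN", "npi": "1234567893", "excltype": "1128a1", "excldate": "20150301"},
        {"lastname": "SMITH", "firstname": "ANNA", "npi": "", "excltype": "1128b4", "excldate": "20160710"},
    ],
    "SAM": [
        {"Name": "Doe, John", "Exclusion Type": "Ineligible", "Active Date": "03/01/2015"},
        {"Name": "ACME BILLING LLC", "Exclusion Type": "Ineligible", "Active Date": "11/20/2016"},
    ],
    "STATE_NY": [
        {"provider": "John  Doe", "action": "Exclusion", "effective": "2015-03-01"},
    ],
}
# Constructed roster of employees/vendors to screen (hypothetical names and NPI).
ROSTER = [
    {"name": "Doe, John", "npi": "1234567893", "role": "Contractor"},
    {"name": "Jane Roe", "npi": "", "role": "Employee"},
    {"name": "Acme Billing, LLC", "npi": "", "role": "Vendor"},
]


def normalize_name(name: str) -> str:
    """Match key: strip accents and punctuation, uppercase, sort tokens so 'Doe, John',
    'JOHN DOE' and 'John  Doe' collide. Deliberately coarse (assumed rule); a production
    matcher adds fuzzy scoring plus the reviewed merge policies the slide mentions."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^A-Za-z0-9 ]", " ", ascii_text).upper().split()
    return " ".join(sorted(tokens))


def parse_date(value: str) -> str:
    """Sources disagree on date layout; staging stores ISO 8601 so history is comparable."""
    for fmt in ("%Y%m%d", "%m/%d/%Y", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).strftime("%Y-%m-%d")
        except ValueError:
            continue
    raise ValueError(f"unrecognised date format: {value!r}")


@dataclass(frozen=True)
class Staged:
    """One normalized row in the source staging area."""
    source: str
    display_name: str
    key: str
    identifiers: frozenset   # hard identifier tags such as "NPI:..." when the source has them
    action: str
    effective: str           # ISO date


def _ids(npi: str) -> frozenset:
    return frozenset({f"NPI:{npi}"}) if npi else frozenset()


def _stage(source, name, action, date, npi=""):
    return Staged(source, name, normalize_name(name), _ids(npi), action, parse_date(date))


# One loader per source: the "custom for each data source" step on the slide.
LOADERS = {
    "LEIE": lambda rows: [_stage("LEIE", f"{r['firstname']} {r['lastname']}", r["excltype"], r["excldate"], r["npi"]) for r in rows],
    "SAM": lambda rows: [_stage("SAM", r["Name"], r["Exclusion Type"], r["Active Date"]) for r in rows],
    "STATE_NY": lambda rows: [_stage("STATE_NY", r["provider"], r["action"], r["effective"]) for r in rows],
}


@dataclass
class Master:
    """Unique record per individual/entity, carrying the history from every source."""
    key: str
    names: set = field(default_factory=set)
    identifiers: set = field(default_factory=set)
    history: list = field(default_factory=list)   # (source, action, effective)


def build_master(sources: dict) -> list:
    """Consolidate all staged rows, then deduplicate: a row joins an existing master when its
    name key matches or it shares a hard identifier (NPI). These groups are what a reviewer
    inspects before the merge policy is trusted to run unattended."""
    masters = []
    for src, rows in sources.items():
        for rec in LOADERS[src](rows):
            target = next((m for m in masters if m.key == rec.key or m.identifiers & rec.identifiers), None)
            if target is None:
                target = Master(key=rec.key)
                masters.append(target)
            target.names.add(rec.display_name)
            target.identifiers |= rec.identifiers
            target.history.append((rec.source, rec.action, rec.effective))
    return masters


def screen(roster: list, masters: list) -> list:
    """Query the master DB for each roster entry; only hits come back, which is exactly
    what a manage-by-exception dashboard needs."""
    exceptions = []
    for person in roster:
        key, ids = normalize_name(person["name"]), _ids(person.get("npi", ""))
        hit = next((m for m in masters if m.key == key or m.identifiers & ids), None)
        if hit is not None:
            exceptions.append({
                "subject": person["name"],
                "role": person["role"],
                "sources": sorted({h[0] for h in hit.history}),
                "earliest": min(h[2] for h in hit.history),
            })
    return exceptions


if __name__ == "__main__":
    for e in screen(ROSTER, build_master(SOURCES)):
        print(f"EXCEPTION {e['role']:<10} {e['subject']:<20} sources={e['sources']} since {e['earliest']}")
```

Running it reports two exceptions: the contractor matched in all three sources (one master record, three history entries, earliest effective date 2015-03-01) and the vendor matched in SAM only; the employee with no hit is not reported. The hard-identifier rule matters because name-only matching both misses aliases and over-matches common names, which is why the slide's process keeps a human review step on duplicate groups.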

22 RSC With and Without Aegify

Provider without Aegify RSC:
- Siloed/fragmented approach
- Higher total cost of ownership
- Needless complexity
- Ineffective RSC analysis
- Lack of unification for RSC controls
- Manual processes for monitoring and oversight

RSC Management: Actionable Analytics (Diagnose | Cure | Protect)

Provider with Aegify RSC:
- Unified and integrated RSC with a single-pane view
- Simple to deploy, with low TCO
- Real-time continuous monitoring
- Comprehensive, integrated suite for effective risk analysis using a unified control set
- Significantly reduced risk exposure

23 Summary: Key Differentiators
Today, Aegify is the only comprehensive cybersecurity vendor in the healthcare marketplace that uniquely provides:
- A framework for enterprise-wide RSC unification with a unified console
- Cloud-based remote deployment of security scanning and management
- Automated and efficient oversight of all BA-vendors
- A harmonized regulatory control set with mappings to security threats and vulnerabilities
- Automated asset discovery and management with role-based access control
- History of all organizational vulnerabilities and threats, with remediation
- Demonstration of reasonable efforts for legal defense
Selected as the only Innovative Technology Provider for Cybersecurity by Vizient

24 Unified SaaS Solution for Cybersecurity and Risk Curran Data Technologies