Unified SaaS Solution for Cybersecurity and Risk Curran Data Technologies – 317-974-1009 www.currandata.com
Solution Discover the effective simplicity of a unified RSC solution Discover
Solution Diagnose Assess RSC Gaps Cure Protect Wizard Continuous driven RSC monitoring remediation Cloud-SaaS based Comprehensive Risk, Security and Compliance Management Platform. Unified and Integrated. Expert systems driven with Big Data Analytics
Solution Portfolio Assesses risk, prioritize and remediate exposures with continuous monitoring Discovers security threats and vulnerabilities, prioritizes and remediate exposures followed by continuous monitoring Provides an integrated and harmonized control set to assess compliance issues, prioritize gaps and remediate through policies, procedures and implementation guidance Continuous monitoring of contractual compliance and risk exposure of BA-Vendors / Employees / Contractors. Automated monitoring of sanctions / exclusions / licensure / credentials
Aegify Integrity Manager Minimizing the Risks Of Third Parties and Employees Avoiding costly fines with real-time monitoring solutions
Healthcare Organizations Have Compliance Requirements Under Health & Human Services Office of Inspector General (OIG) • Requires that organizations work with vendors and individuals who are not sanctioned or excluded from working with federal or state programs. Doing so can come with huge fines. Office for Civil Rights (OCR) • Oversees HIPAA compliance requirements • Requires that any entity working with Protected Health Information (PHI) have proper security and risk assessment programs in place to monitor any third party handling PHI data. Failure to do so can result in huge fines.OIG and OCR compliance requirements THE DOUBLE WHAMMY
Enforcement Efforts by Both OIG and OCR Continue to Ramp Up “ In 2015 over $3 Billion in investigative and audit receivables was collected by OIG- sanctions and exclusion violations” “Breaches in the healthcare industry total an exorbitant $ 6.2 billion annually, with the average cost of a single data breach across all industries now $ 4 million.“ - OCR continues to ramp up enforcement Source: 2016 Cost of a Data Breach Study: Global Analysis from IBM and Ponemon Institute
Consequences of Poor Implementation
OIG Civil Monetary Penalties - examples Licenses / Credentials Monitoring Exclusions/Sanctions Exclusions / Sanctions CE: Planned Parenthood Health Monitoring Monitoring System Inc., NC CE: Alternative Consulting CE: Antelope Valley Hospital Date: 06/24/2016 Enterprises, Inc. (ACE), PA (AVH), CA Event: After it self-disclosed conduct to Date: 12/22/2016 Date: 11./30/2016 OIG, Planned Parenthood agreed to pay $1,572,752.80 for potentially Event: After it self-disclosed Event: After it self-disclosed violating the Civil Monetary Penalites conduct to OIG, ACE, agreed to conduct to OIG, AVH agreed to Law. Planned Parenthood submitted pay $126,102.38 for allegedly pay $ 190,087.90 for allegedly claims to Medicaid programs in North violating Civil Monetary violating the Civil Monetary Carolina, South Carolina, Virginia and Penalties Law. OIG alleged that Penalties Law. OIG alleged that West Virginia that included the following ACE employed an individual that AVH employed an individual billing errors: it knew or should have known that it knew or should have - services billed under a provider was excluded from participation known was excluded from number different that the medical in Federal health care programs. participation in Federal professional who provided the service healthcare programs. - billed for services of non-physician Penalty: $ 126,102.38 practitioners who were not properly Penalty: $ 190,087.90 enrolled in their state Medicaid Program Penalty: $ 1,572,752.80
OCR Wall of Shame- examples Vendor Risk HIPAA Violation / PHI Breach HIPAA Violation | ePHI Breach CE: Dr. Q. Pain and Spine d/b/a CE: North Memorial CE: Advocate Medical Group Arkansas Spine and Pain Affected Individuals: 9,497 Affected Individuals: 4 Million Affected Individuals: 17,100 Event: Approx. 9,497 patient Event: Failed to conduct an accurate Event: A virus or malware was health records were and thorough assessment of the potentially installed on the compromised by Accretive potential risks and vulnerabilities to information systems of Bizmatics Health Inc., a business all of its ePHI; - implement policies and procedures Inc. a business associate of the associate of the covered entity. CE, Arkansas Spine and Pain Accretive Health was given and facility access controls to limit (CE). Approx. 17,100 individuals' access to a hospital database physical access to the electronic electronic medical records were containing the ePHI of 289,94 information systems housed within a compromised, but the BA and CE patients. Under HIPAA Rules, large data support center - obtain satisfactory assurances in the were unable to determine whose covered entities must obtain a records or what information, if nay, signed BAA from any vendor form of a written business associate was accessed. OCR obtained a that provides functions, contract that its business associate copy of the BA agreement in place activities or services for or on would appropriately safeguard all between the CE and this BA. This behalf of a covered entity that ePHI in its possession - and reasonably safeguard an review has been addressed by a requires access to patient separate review of the BA. ePHI. unencrypted laptop when left in an unlocked vehicle overnight Penalty: $ 4 Million Penalty: $ 1.55 Million Fines: $ 5.55 Million
The Risk Perspective
Risk Approaches • The vendor is just as much at risk of being found non- compliant as the covered entity! Yes and No • People are honest! Should be, but aren’t always • They are supposed to be in compliance. Trust, but verify • They don’t know what they are doing. I better do it for them.
Limited Strategies Seen Today • Excel spreadsheets • Manual or periodic spot checks • Siloed (one department doing sanctions checks and another doing vendor risk management. No uniformity) • Very expensive and time consuming with many manual labor processes • No real-time continuous monitoring of vendors • No real-time continuous monitoring of HIPAA certification status for all BA’s/Vendors
Results of Current Strategies • Financial risk is high • Too many spreadsheets • Too much time spent on manual checking and verifying the integrity of business associates, contract workers, employees • Up to $11,000 fine per claim • Personal criminal fines and/or jail time
The Solution
Integrity Manager – Key Features • Real-time, Automated and Continuous Monitoring Across Multiple Databases • Regular monitoring of all federal and state exclusions databases • Configure, Deploy and Start Using in Less Than 30 days • Maintain a state of ever-readiness for compliance. Attestation of policies for staff. • Perform Integrity Checks on Vendors, Business Associates, Employees and Contract Workers • Be proactive and mitigate risk - easily and quickly check on current or past status of vendors and employees with one comprehensive solution • Perform HIPAA Risk Assessments on Vendors handling PHI data • Provide a dashboard of risk profiles of all vendors • Get Strategic Insights from Reports and Comparative Analytics • A rich library of reports enables visibility into current vendor risk profile and exposure from fines and penalties at the click of a mouse
Integrity Manager Business Benefits • Increase productivity with easy to use simple interface • Fast and easy reporting with a rich library of reports • Accelerate trouble shooting and resolution time with a web-based exceptions based dashboard = makes it easy to identify an issue and take immediate action • Be up and running in 30 days. Easy configuration and fast deployment • Improve operational efficiencies with a comprehensive automated workflow to manage all exclusions and sanctions • Mitigate risk and avoid costly fines while maintaining regulatory compliance
Why Choose Integrity Manager? • Improved and automated oversight for all Integrity Checking processes • Automates all of the manual processes in exclusions/sanctions and employee background checking. Eliminate/avoid costly fines and penalties from the OIG and OCR • • Ability to proactively identify vendors, business associates and employees who are on the excluded lists • Breakdown the silos - one comprehensive solution that can be accessed anywhere at anytime by multiple staff members • Ability to be notified via a web-based dashboard of any infractions and take immediate action remedy
Establishing an Automated State of Continued Readiness
Easy Access to Federal and State Databases and Exclusions Lists
Recommend
More recommend
