Medical Research Leader Ochsner Clinic Foundation Drives HIPAA Compliance With Application Security, Inc.

Market Wire, May, 2005

Application Security, Inc. (AppSecInc) (www.appsecinc.com) today announced that Ochsner Clinic Foundation (Ochsner) is using the company's award-winning, application-level vulnerability assessment scanner, AppDetective(TM), to protect its proprietary patient and research information, and ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA). AppSecInc is the leading provider of proactive security solutions for health care, corporate and government applications.

Additionally, reflecting the April 20 HIPAA data security compliance deadline, AppSecInc announced the immediate availability of a best-practice policies template to further assist organizations in meeting HIPAA requirements.

Founded in 1942 and one of the largest non-university based physician training centers in the U.S., Ochsner is a not-for-profit integrated health care delivery system that includes a 478-bed acute care hospital, and a 71-bed sub-acute care facility located in New Orleans. Ochsner also has 26 clinic locations throughout Southeast Louisiana. It is a leader in medical research with approximately 650 ongoing research trials, and nearly 200 annual publications in medical literature.

With Ochsner's breadth of services and multiple locations, it was imperative for the organization to secure and audit its distributed Oracle and Microsoft SQL databases, which house sensitive patient and research information. Because its database administrators (DBAs) were already involved in equally important projects, Ochsner did not believe that it could allocate the necessary resources to the manual and extremely time-intensive endeavor of auditing its intellectual property. The organization, however, wanted to avoid contracting with outside DBAs. Instead, it sought a solution that could perform audits efficiently and accurately in order to safeguard data quickly.

"Database security was a concern for Ochsner for four years prior to engaging with AppSecInc, but there were few products on the market that could do an automated audit and penetration test," said Mark Maher, Security Administrator, Ochsner Clinic Foundation. "AppDetective provided unprecedented capabilities in performing penetration testing and identifying weak passwords in our databases, as well as discovering and securing databases we didn't know even existed. Audits that previously took weeks now take an hour -- without affecting network performance or introducing downtime in our applications or databases -- leading to exponential growth in DBA productivity. Most importantly, AppDetective helps protect extremely sensitive information, ensuring compliance with HIPAA regulations."

"Effective HIPAA compliance is grounded in the systems that house patient information and is repeatable so that demonstrating ongoing compliance is a simple process," said Ted Julian, VP Marketing, AppSecInc. "Leveraging our solutions, customers are bolstering their HIPAA compliance efforts by including ongoing assessments of the database applications where sensitive patient information spends most of its existence. AppSecInc is committed to providing the most comprehensive vulnerability management solution for the application tier, bolstered by best-practices templates that help ensure compliance with the expanding list of regulations."

A study issued this year by Healthcare Information Management and Systems Society (HIMSS) and Phoenix Health Systems revealed that only 18 percent of providers were in compliance with HIPAA. And according to AMR Research, companies will spend $3.7 billion on HIPAA compliance-related activities in 2005.

AppSecInc HIPAA Policies: Best Practices Approach to Compliance

AppSecInc's HIPAA best-practice policy templates are available for AppDetective and the company's real-time database intrusion detection and security auditing solution, AppRadar(TM). By using these policies, organizations can easily tune their application security to the protections that are most relevant to HIPAA compliance. With database applications part of their compliance strategy, firms can bolster their HIPAA compliance efforts while making them more granular, demonstrable, and repeatable.

Intuitive and easy to use, the HIPAA policy templates for AppDetective are available immediately for download from the AppSecInc website at http://www.appsecinc.com/solutions/hipaa/. Policies for AppRadar will be available later this month. The HIPAA templates augment AppSecInc's extensive range of best-practice policies, including those that address the Sarbanes-Oxley Act (SOX) and the Federal Information Security Management Act (FISMA).

The HIPAA policies for AppDetective consist of a Penetration Test policy and an Audit policy. The Penetration Test policy tests security strength from an external perspective to ensure confidentiality, integrity and availability by determining susceptibility to privilege escalation, password attacks, and other known vulnerabilities. The Audit policy determines vulnerability to insider threats by testing for privilege escalation -- users with limited capabilities attempting to gain enhanced status. These tests span all application components and include checks for misconfigurations (e.g., using default passwords, disabling/enabling insecure database features/functions), as well as for strong access and identification/password controls.

 


Content provided in partnership with Market Wire