
Information Systems Security and Control

Case Study: Ajuba and its Security Policy

Ajuba is a leading worldwide provider of outsourced healthcare revenue management services and
has an established reputation for providing services to its clients in hospitals, academic medical
centres, medical equipment suppliers, and billing and receivables management companies. Ajuba
is headquartered in Charlotte, North Carolina, and has centres located in Michigan, Illinois and
Chennai, India. Since the start of its operation in 2001, Ajuba has established itself as one of the
leading outsourcing companies in India. Ajuba has now established itself as the leader in
outsourced healthcare billing and management of the revenue cycle. It processes claims with a
gross value of over Rs 150 billion (USD 3 billion).

Ajuba provides revenue cycle management services to healthcare service providers in the US.
Recent acts in the US like the Health Information Technology for Economic and Clinical Health
(HITECH) Act, along with additional laws such as Health Insurance Portability and
Accountability Act (HIPAA) and Fair Debt Collection Practices Act (FDCPA) have enforced strict
data security rules on healthcare providers. Knowing that the regulatory environment for the US
healthcare industry is extremely stringent to protect the privacy and confidentiality of patient
information, the healthcare providers need to ensure the protection of the patient information
throughout the process cycle. Hence the healthcare providers in the US are extremely reluctant to
outsource the job to any service provider outside the country.

According to the ISACA framework for Information Security Model, the four pillars of the
information security practice are “People,” “Process,” “Technology,” and “Organisation.” “The
‘People’ factor is given more importance over other factors in this approach. ‘Process’ and
‘Technology’ are ultimately woven around ‘People’,” explains T. Jaganathan, Director of
Technology. He believed that the traditional approach had a “lack of ownership” issue among
employees. The new tweak helped the company achieve its goal.

The weakest link in IT data security is often the employees. Their lack of awareness, lack of
care, or unintended misuse causes danger to the organisation. Devendra Saharia, President,
Ajuba International, LLC, explains the reasoning. “Given the criticality of information security
in our business and the fact that every employee at Ajuba has a responsibility to ensure
compliance with various healthcare-related laws, we decided early on that, instead of taking a
top-down approach to implementing information security, it would be far better to educate, train,
and involve employees across the organisation, across various functions.” Ajuba has redefined
the accepted model of security by empowering its employees to drive the security policy of the
organisation. By this change, Ajuba has made the weakest link act as its strongest link. The
empowered employees enable, watch, and shape the security policies, rather than simply adhere
to them.

Ajuba initiated policies and practices that inspired its employees to work hard and build a trusted
and transparent system. This model not only helped Ajuba to improve the quality of its
deliverables, but the transparency also improved employee retention. Ajuba’s people development
process focused on competency mapping and robust career path development. Employee
performance was connected to the SLA of their client. Coaching and mentoring were provided if
help was required to finish the deliverables on time. The reward system based on performance
encouraged the employees to go the extra mile.

Copyright ©2018 Wiley India Pvt Ltd. All rights reserved. Instructor Resource for MIS, by Rahul De, July 2018

Ajuba stressed an internal compliance program that was based on ethics, integrity, and values.
Written policies and procedures were periodically checked and reviewed to enhance data
collection, data security, violation of compliance, and corrective actions. An in-house compliance
officer and a trained compliance committee with members from all departments were formed to
monitor and report violations and frauds in the system.

• The Central Security Team was replaced by Centrally Enabled Participative Team.
• The committee for security was replaced by a Steering Committee coordinated by a
  chairperson.
• Policy enforcement was substituted by participation of employees and peer pressure, and
  Internal Audit was conducted by peer review.
• An Information Security Steering Committee (IISC) was formed to lead the security
  implementation, and an Information Security Task Force (ISTF) was formed for
  information security implementation.
• An Incident Response Team (IRT) was made responsible for incident response and
  resolution, an Internal Audit Team (IAT) was made responsible for internal and external
  audits, and an Emergency Response Team (ERT) was made responsible for response to
  emergency conditions and drills.

Some of the new policies adopted by Ajuba were Automated Incident Registration Tracking and
Resolution, Anonymous Incident Registration, Weekly Security Posture Review, and a standard and
structured disciplinary matrix known to all staff. Employee participation was encouraged to
improve the process of information security incident reporting and resolution. Employees were
asked to report serious violations and suspected frauds using the intranet, voice mail, or
hotline services. Security conformance became part of every employee’s job description and was
included as a part of the HR track record. Quarterly ERT training and surprise ERT drills were
enforced for all employees.

Ajuba has been certified by ISO27001:2005, HIPAA, FDCPA, SAS70 Type. Ajuba has also
received awards such as “#1 Healthcare Revenue Cycle Management Company by The
Black Book of Outsourcing, published by John Wiley & Sons,” “The Top 100 Offshore
Outsourcing Companies in the World by Managing Offshore and Neo IT in 2005,” and “The
2006 Global Services 100 list by CMP and Cybermedia.” The strategy of making employees a
part of the security system worked very well for Ajuba and should work very well for any
company with a little customisation to suit the needs of the organisation. Ajuba has achieved an
efficient security system at minimum cost.

Sources

1. http://www.Ajubanet.net/comp_ovr.htm (Viewed on 22 May, 2010).

2. http://www.informationweek.in/Security/10-03-18/Ajuba_redefines_security—its_employees_shape_security_policy.aspx (Viewed on 22 May, 2010).

3. http://www.slideshare.net/InteropMumbai2009/jaganathan-an-inclusive-approach-to-information-security-interop-mumbai-2009 (Viewed on 22 May, 2010).

Discussion Questions:

1. Why is security an important issue for Ajuba? Why did it have to be extra careful?

To maintain the security of customer data. Strict rules were introduced


Ajuba provides revenue cycle management services to healthcare service providers in the US.
Recent acts in the US like the Health Information Technology for Economic and Clinical Health
(HITECH) Act, along with additional laws such as Health Insurance Portability and
Accountability Act (HIPAA) and Fair Debt Collection Practices Act (FDCPA) have enforced strict
data security rules on healthcare providers. Knowing that the regulatory environment for the US
healthcare industry is extremely stringent to protect the privacy and confidentiality of patient
information, the healthcare providers need to ensure the protection of the patient information
throughout the process cycle. Hence the healthcare providers in the US are extremely reluctant to
outsource the job to any service provider outside the country.

2. What were some spin-offs of their security strategy?

• The Central Security Team was replaced by Centrally Enabled Participative Team.
• The committee for security was replaced by a Steering Committee coordinated by a
  chairperson.
• Policy enforcement was substituted by participation of employees and peer pressure, and
  Internal Audit was conducted by peer review.
• An Information Security Steering Committee (IISC) was formed to lead the security
  implementation, and an Information Security Task Force (ISTF) was formed for
  information security implementation.
• An Incident Response Team (IRT) was made responsible for incident response and
  resolution, Internal Audit Team (IAT) was made responsible for internal and external
  audits, and an Emergency Response Team (ERT) was made responsible for response to
  emergency conditions and drills.
