by Rick Kuwahara COO of Paubox
2. Paul Arguinchona “The biggest threat, which I think is often overlooked, is staff.”
This week on HIPAA Critical we tackle the latest headlines, chat with Frontier Behavioral Health CIO Paul Arguinchona, and discuss a much-needed strategy to create Secure Email Marketing in 2020.
Here’s the full transcript of this episode.
Olena Heu: We’re back. HIPAA Critical podcast number two. Joining me now is Chief Marketing Officer Rick Kuwahara.
Coming up on this week’s episode, we’ve got an exciting show for you. What’s in the news, we’ve got winners and of course those that are failing and some predictions. We’re going to talk a little bit about what we spoke about in episode one. So get ready. It’s going to be an exciting show.
Olena: Rick, thanks for joining me today.
Rick Kuwahara: Hey Olena, my pleasure. Always fun.
Olena: And we’ve got a lot to talk about. So let’s just dive in. We’re going to talk a little bit more about Project Nightingale, which we talked about last week, and there’s some exciting news that just took place this week.
Rick: Yeah, so evidently, you know, the fallout was kind of big, as you talked about with Hoala, but it looks like now, you know, legislation has been introduced and proposed that’s going to help close some of those privacy gaps that were of big concern from Project Nightingale.
So the big thing is that the legislation is looking to ban companies that collect data through smart devices or personal health trackers, to stop them from actually selling, sharing, transferring or allowing access to data without explicit consent from the consumer.
Olena: Wonderful. But the whole time Google has been saying that they haven’t done anything to violate HIPAA, is what their argument is.
Rick: Yeah. And they might not have, but there is definitely a gap between how technology and innovation have evolved within healthcare and HIPAA regulations, you know, as they currently are. It’s just missing a little bit of that, addressing some of those needs and concerns.
Because we do want the innovation, you know, that helps everybody but not at the cost of security and privacy. So the current legislation that’s been introduced is going to help address some of those gaps. Especially as people are more aware of, you know, privacy concerns as there’s more hacks and breaches in the news.
You know, people need to be more concerned and have more control over their own data.
Olena: So what’s the concern from legislators now that they’ve proposed the Smartwatch Data Act?
Rick: Yeah, the concern really is, what is happening to the data after it’s collected? You know, not necessarily whether it’s secure up in the cloud or not, but you know, what is Google doing with it? Who is seeing the data? How are they sharing it? Are they using it for their own purposes, not only within the confines of the agreement with Ascension?
So that is the question that is coming up. People don’t want, okay, maybe I’ve agreed for Ascension to collect my data, but because Ascension is partnered with Google, I don’t want Google to then take that data and use it for its own purposes.
So this ban just really explicitly calls out that you have to be really clear on what is happening with people’s personal health data when they are allowing it to be tracked or collected for valid reasons and research.
Olena: One of the items that was in question is a Fitbit, and I guess I didn’t really think about it, but the content or the information that’s collected within a Fitbit, what kind of information is that and what kind of risks does that pose if it’s, you know, given to other people?
Rick: Well, it definitely can be a concern because it is health data that’s getting collected. You know, your heart rate, how you’re moving, where you’re going, those types of information. If it’s used in unison with any of your treatment, for example, that is definitely protected health information.
We want to make sure that that is secure. So when you’re using a Fitbit, you have control over who is seeing that information. If you want only yourself to see it, or maybe a friend or family member or even your doctor, you should have control over it and you shouldn’t be concerned with what Fitbit’s doing with it.
Olena: I bought my husband a Fitbit a few years ago and I returned it because he never used it. But, we do have that tracking device on our phone where it tells you how many steps you take and whatnot and really enjoy that.
Rick: Yeah, those things are great. My dad took a trip to Korea and he was telling us how many steps they took every day. Those things can be helpful.
Olena: Definitely. Well, essentially, what are you hoping will come from this Project Nightingale situation?
Rick: Well, I think it’s good in that it’s raising a lot of these questions and bringing them to the forefront. So that people, you know, whether their concerns are valid or not, I think that clarity in how data is being used, protected and shared is good for everybody, and I think it can only help give confidence to consumers too.
And even the healthcare industry to really adopt innovation and move forward knowing that, hey, we have these things in place that’s going to make sure that everybody’s safe and secure.
Olena: Excellent. I agree. And then talking a little bit more about what’s in the news. Solara Medical Supplies reported on November 13th that it was hacked earlier this year. What did we learn from this?
Rick: We learned once again how big a threat email is as far as phishing and spam emails coming in.
So Solara, which is the largest US independent supplier of continuous glucose monitors and other products to help people manage their diabetes. So, big company. They found that some of their employees fell for a phishing scam that gave the hackers access to their Office 365 accounts.
And so once that happened, those hackers could collect information that included name, address, date of birth, social security numbers, just a lot of sensitive information. Over 114,000 people were affected. It was just a big data breach, and it was caused because of a human error, with employees clicking on a malicious link from, you know, the phishing attack.
Olena: Surprisingly, it’s still very prevalent today. I mean, you heard about phishing years ago, and then something like this happens and you realize over a hundred thousand people can be affected by one click.
Rick: Yeah, it’s a really big problem. And it’s why training is so essential because something’s going to get through.
I mean, Office 365 does have… it’s notorious for not catching everything, but at the same time, if something does come through, you need to make sure that your staff is properly trained to know what to look for and how to spot a malicious email.
Olena: So when you say that compromised information included, you know, social security numbers, address. Is that only the information of the employees, or would it also be people that were ordering the glucose monitors?
Rick: Well, you know, Solara is a big company, but it’s not 114,000 big. So I’m pretty sure that those are all patient data or customer data, and they have reached out to those people already.
So hopefully they’re working to monitor their identities because once those hackers get that information, you know, the money is in selling that data on the dark web.
So that’s something that a lot of people gotta look at. All those people who are affected need to be able to monitor, you know, their identity and credit reports and everything to make sure that nothing’s going to happen.
You know, as these attacks keep happening more and more, a lot of it is because of not just the money, and hackers are attracted to money, but also the ease with which people can execute some of these attacks now.
It’s not… you don’t have to be super technical as a hacker anymore. A lot of times people can buy these phishing attacks on the dark web and execute them without needing to be overly technical. So that just increases the amount of attacks that are coming out, which further emphasizes that, you know, organizations have to be very proactive in how they are training their staff to help prevent, you know, these types of breaches from occurring.
Olena: They’re making it easier and easier to steal information and hack into personal data.
Rick: Yeah. It’s…I mean the technology is there and it can be used, you know, for good or bad. And so we just have to make sure that we’re doing our job on the good side to fight all these bad actors.
And you know, we were very fortunate to have a chat with Frontier Behavioral Health CIO Paul Arguinchona to discuss more in depth how social engineering is such a major threat to healthcare organizations and also how to prevent those attacks from being successful. So here’s a quick excerpt from that interview.
Rick: So what are the biggest threats you’re seeing right now?
Paul Arguinchona: Well, from a frequency standpoint, email threats with a heavy leaning towards a social engineering theme. Several staff were being tricked into following nefarious links asking for login credentials. That’s our biggest threat vector at this point.
Rick: Yeah, that seems to be what we see too. Even if you’re just following things on the news, it seems that when there is a breach or something happens, email is usually the threat vector.
So are there any upcoming trends or threats in particular that we should be aware of?
Paul: Well, the biggest threat, which I think is often overlooked, it’s not new, and it’s staff.
And as an employer, the staff are trying to get things done and they end up either working too quickly or trying to be helpful or they’re inattentive, and they’ll not, going back to email being our biggest threat vector.
They won’t completely read an email, they won’t evaluate whether it’s valid and from an appropriate sender, and they will take shortcuts and click on things or execute something that they shouldn’t.
Rick: Yeah. And that’s a good point that you bring up, that oftentimes, you know, it’s not even something that’s malicious. The intent is good and they’re just moving too fast, like you said. It just takes one accidental click.
So what are some of the best practices or things that you do to help mitigate that threat?
Paul: Training the staff. Making them aware of possible threats, teaching them how to read an email. Training them that if they receive an unexpected email that’s asking for something from them, to be cautious with it and partly suspicious, and to validate that it’s really business-related and not problematic.
And if they have any questions, to contact the RIS support.
Rick: Great! And it’s ongoing training, right? It’s not something that you can do once and forget?
Paul: Absolutely. And I’m not trying to promote what the bad actors are out there doing, trying to get in and take advantage of our data and things like that.
But they’re getting very sophisticated and it’s fascinating to watch it happen. And it will remain fascinating as long as we can keep blocking it, keep mitigating the risk of the agency.
Rick: Where do you see security and compliance kind of going in the next 10 years?
Paul: Well, hopefully, and hope’s not a strategy, I hope security regulations will catch up with the need to efficiently share sensitive data.
In healthcare in particular, there’s an approach towards more comprehensive care, taking the silos of behavioral health and physical healthcare and tying those together, and the privacy regulations right now hinder that significantly.
Rick: Great. Thanks so much Paul.
Rick: And you can find the full transcript of that interview on our blog.
Olena: Log on to our website, paubox.com. P-A-U-B-O-X dot com. We just covered some of the current news headlines. Now let’s transition over to our winners that are doing well this week.
Rick: And obviously, you know, Frontier Behavioral Health, like we heard, they’re obviously a winner in how they’re proactively trying to keep staff updated on spotting email threats. It’s such an important part of any security strategy.
But another winner is actually anybody who’s looking for a job in cybersecurity.
Olena: Why would you say that?
Rick: So a recent study by ISC2, which is a nonprofit association for information security leaders, shows that there’s a big gap between the current workforce and the demand for skilled cybersecurity employees.
So there’s a big opportunity for people, especially if you’re looking to switch careers, because only 42% of the respondents in the study said that their first job was in cybersecurity.
So it’s good news if, you know, you’re somewhat technical and you’re looking for somewhere to put your energy. Cybersecurity is a good industry for you to be in. And it looks like there’s a big need for more people to be in that, to fill all the job opportunities that are out there.
Olena: That’s great. And you know, obviously people are looking for good people, and lots of people are looking for work and jobs. With the unemployment rate so low, it’s refreshing to hear about something like that that’s going to protect a lot of people.
Rick: Yeah. And the need is only going to grow. So, if you’re looking for a job, or you know anybody who is technical, you might want to nudge them over into cybersecurity as a path. Good news.
Olena: Well, we just focused on our winners. Now we’re going to highlight some of the failures, and one of them we just talked about a few moments ago.
Rick: So Solara is obviously in here, but another recent attack within the healthcare industry occurred at Ferguson Medical Group, which is part of St. Francis Health. And they reported a data loss that occurred from a ransomware attack.
So again, it’s phishing that led to this attack and it actually locked down the network for them.
And you know, thankfully it wasn’t that… I mean, it’s a big deal, but it could have been way worse. So Ferguson Medical Group is in the failure section because that phishing email was successful, but it’s still partly a win for them because they had the appropriate measures in place to mitigate the damage.
As far as they are disclosing right now, there was no compromised patient information. You know, they had the backups in place so that they did not have to pay the ransom, which is the worst thing people can do, and they were able to recover most things.
The bad news is that they did permanently lose records between September and December of 2018, but really it could have been much, much worse.
Olena: Good on them. You know, obviously they took initiative and took action immediately.
Rick: So it’s in the failures only because the attack was successful, but, you know, it’s a part win too, because they had things in place to make sure they could recover from that attack.
Olena: And healthcare organizations aren’t the only ones that are having some issues when it comes to hacking and a potential identity theft.
Rick: Right. You know, with holiday shopping around the corner now, it’s kind of big news that Macy’s got hacked.
Their checkout page was hacked. They were able to notice the suspicious activity, but their checkout pages were hacked in October and customers could have had their name and credit card information stolen.
And Macy’s is going to foot the bill for credit card monitoring for all affected customers. But you have to check in with them to see if you were affected. So if you bought anything from Macy’s online in October, you might want to contact them.
Olena: Do you think that means there’s a possible risk for Black Friday sales or anything, because a lot of people are going to be shopping next week?
Rick: Yeah, definitely. I think a big thing, especially around the holiday season, is when people make a lot of big purchases, like expensive purchases.
So people will take advantage, not just on the websites of these retailers. They are setting up fake websites but also spoofing emails. So people could see a rise of phishing attacks where hackers are pretending to be banks or credit card institutions, sending a notice saying, “Your card has been frozen because of suspicious activity. Click here.”
Or, you know, “We noticed an unusual purchase,” or something that you would get normally if you spent a lot above your normal limit. And banks often do send these types of notices.
So they might try to pretend to be those banks sending these notifications. But instead of being an actual verification of a purchase, it’s a malicious link that you click on that can compromise your information.
Olena: How do you recommend people ensure that it’s not a suspicious link?
Rick: So number one is, make sure, of course, that you have your spam filters on, if you have them. And that includes antivirus on your computers.
The other part is just to really pay attention to the details of the emails that you’re getting. So typos are getting less and less as people are getting good at copying legitimate emails. But you can see who the sender is. Don’t just pay attention to the sender name.
Make sure that you see what email address it is being sent from, and if it looks suspicious, contact your bank or credit card company and validate that: “Hey, is this a real email address that you guys are sending from?”
Olena: Yeah. Just the other day, one of my friends said that I emailed him about weight loss supplements, and I said, “Are you sure about that? Which email was it from?” And then he said, “Oh, I replied to you and I forwarded it.” And I said, “Where?” And I never got anything.
I said, “Check that, click on the email address, because I don’t think that was from me,” and he said, “Sure enough. Yep.” It wasn’t from me, but when he just glanced at it, I guess, you know, that display name spoofing took effect for whatever reason.
Rick: Yup. Yup. People, especially when you get so many emails and sales emails and things, it’s second nature to just look at, “Oh, who’s it from, what’s the name that it is being sent from,” without actually looking at the email address itself.
Olena: How did they get my name?
Rick: They could have gotten it from someone else. If they hacked into someone else’s and you were in their address book. They could have just done social engineering. They know how popular you are. We gotta get Olena Heu.
Olena: Haha. I did hear about a fraudulent Instagram page pretending to be me. People were asking me, is this you? Is this? I said, no, it’s not. So I’m someone now.
All right, well, now you know a little bit more about display name spoofing and email. We’re going to transition into our predictions this week, with some great things that you guys may want to check out.
Rick: Yeah. And our prediction this week is something that we’ve learned from discussing with customers and potential customers. And that’s outreach within healthcare.
You know, we always focus on the security of healthcare, but really the end goal is always tied to health outcomes and helping patients and everybody stay healthy or get healthy.
And that often means you need great patient engagement to reach those outcomes, which in the end means you need solid communication or a way to communicate with patients.
So we found in a recent call that a lot of contracts that some health organizations are fulfilling require a certain number of engagements in order to meet the obligations of that contract, or even a minimum number of ways someone has to be contacted.
So for example, you know, we are talking to a pretty large provider that won a contract for diet and health. And one of the requirements of the contract was that they had to contact patients or participants a minimum of three different ways. So they already knew they were going to do phone calls, they were going to do snail mail, and for a third option they wanted to do email.
But on the market right now, there’s no real solution out there for email marketing or a way to send secure email en masse, like a HIPAA compliant version of MailChimp. So we’re predicting that this need is only going to grow.
And that’s why we just opened up early access to the HIPAA compliant email marketing solution that we’re developing.
Olena: That is fantastic.
Rick: So, yeah, we’re very excited for it. There’s been a lot of good feedback early on and we’re getting a lot of early adopters. The advantage of people coming on now, as we’re finishing up the development of our version one, is that they can participate in the roadmap and help us develop the next features for version two and onward.
So people can become an early adopter just by sending an email to firstname.lastname@example.org.
Olena: That’s excellent. Very exciting.
Rick: Yeah, we’re very, very happy about it. Everybody’s pretty stoked, and we have a few customers who’ve already become early adopters, and we’re excited to keep this early access program open through December.
Olena: Well I think that is going to be phenomenal and I’m glad that you guys are taking the initiative.
Rick: Thanks. Yeah, we’re very happy too.
Olena: All right. Well, I think that does it for us on this very exciting and fruitful episode of HIPAA Critical. A lot going on, but I feel like there’s a lot that we can learn from as well, and a lot of takeaways today.
Rick: Yeah. And also thanks to Paul Arguinchona, the CIO of Frontier Behavioral Health for giving us the time to sit down and talk a bit.
Olena: Wonderful. Well, on behalf of Rick Kuwahara and myself Olena Heu, thank you for tuning in to HIPAA Critical. We’ll see you next week.