by Rick Kuwahara COO of Paubox
HIPAA Critical: Episode 005 | Project Orca Launch, FBI Alerts, Fake HIPAA Claims, and The Shrink Space.
On this episode we highlight the winners and failures of the week including what’s new at Google, Paubox’s recent Project Orca launch and a fake HIPAA violation claim making news headlines. Also an interview with the co-founders of digital health startup The Shrink Space.
Here’s the full transcript of this episode.
Olena Heu: Alright, well, welcome to the latest edition of the HIPAA Critical Podcast. I’m your host, Olena Heu and with me today is our Chief Marketing Officer, Rick Kuwahara.
Rick Kuwahara: Hi, Olena.
Olena: We’ve got a lot ahead on this latest HIPAA Critical podcast for you. Of course, we’re gonna start with what’s making the news. Rick, take it away.
Rick: Thanks, Olena. Yeah, so what’s in the news? Not to toot our own horn too much, but we have a pretty big launch that we did recently of Project Orca, which is our newest HIPAA compliant solution, and it’s an email marketing platform. So you can kinda think of it like a HIPAA compliant MailChimp. And we’re really excited for it.
We developed it based on feedback from our own customers, and just kind of seeing what’s in the marketplace. And healthcare has been really behind the times when it comes to email marketing only because of how HIPAA regulations really make it tough to do a lot of the best practices like segmentation being really personal, having really relevant emails that are just really targeted.
And with Project Orca people can now do that and still be HIPAA compliant, even if they are using patient information to kinda segment and target their emails.
So, really excited for it. It’s now open for all users, and we are developing it really fast. So we just, for example, launched a new feature for segmentation and lists, so that’s really great for things like population health, if you have people with a specific health problem, you can send relevant information just to them and not worry about it being something that is not HIPAA compliant.
Olena: Excellent, congratulations. I know you guys have been working on it for a little while now, and you already have some people signed up?
Rick: Right, yeah, we had an early access program that we launched very early on, and those people who signed up for that have access to the product roadmap and they’re able to get their feedback to kind of shape how we develop Project Orca.
So really excited for it. We have a bunch of people signed up already, including some health systems, so I’m excited to see where this goes. We think that there’s a really good market for it and if people wanna find out more, they can just go to our website.
Olena: Wonderful, yes. And our website is paubox.com, that’s P-A-U-B-O-X.com. Rick, what else do you have for us as far as news headlines?
Rick: Well, we have a couple of things and one of them, of course, seems to be ransomware.
Every week we seem to be talking about ransomware, but there’s another one that is out that the FBI just sent an alert for, it’s called Maze Ransomware, and it’s a little bit different than other ransomwares where they typically would just lock the data down and then, in order for you to unlock it, then they ask you to pay the ransom.
Well, Maze is a little bit different because a common defense against that is just to have really good backups in place and when that happens you don’t need to pay the ransom, because you have a good backup system and you could just get your data back yourself.
But how Maze differs is it doesn’t just lock the data down, it actually extracts it. And the Maze hackers then leverage that for the payment, for the ransom.
Olena: I see.
Rick: So even if you refuse to pay, then they’re gonna release all this private information out.
Olena: Ugh [chuckle] getting more and more developed.
Rick: Yeah. So the hackers are always trying to be one step ahead. And so the FBI released a warning recently just to be on the watch out for it.
And typically, it’s cyber criminals posing as legitimate security vendors or even government agencies to get someone to click on that email and deploy the Ransomware. So it started back in November, is when they saw the uptick in it, and the FBI is just warning everybody to be on the watch out for it.
And they (FBI) did give some takeaways for people to just try and defend yourself against it.
Of course, being vigilant first, but being sure that you have your systems updated and patched, especially for legacy systems, which are like older systems that you just consistently patch over time. So a lot of companies do that, especially older ones. So making sure you’re always up-to-date with the latest version of your software, having multi-factor authentication, where possible. And of course, like I said before, just being vigilant in training your staff.
Olena: That is valuable, because just one person can compromise everything.
Rick: Right, exactly.
Olena: Alright. And we have more to report in terms of HIPAA violations.
Rick: Yeah, so this was an interesting one. So, this recently made the headlines where a man in Georgia was charged for actually making fake HIPAA violation claims.
So, unlike a case where someone… where there was a HIPAA violation, there’s this case in Georgia where a man was charged with one count of making false statements because he alleged that there was a nurse at a hospital in Georgia that violated HIPAA by emailing graphic pictures of traumatic injuries of people who are treated at the hospital.
So, this supposed whistleblower leaked it to the media and tried to get that person in trouble for HIPAA violations, but it turns out after investigations that this actually was the person who was reporting it made it all up.
And there’s no motive so far, but the news station that he had contacted dug into it and it seems that the motive seems to be just to get back at an ex-girlfriend.
Olena: Ahhh, so he thought he was so clever.
Rick: Yeah. So, you know, they say a woman scorned, but I guess this guy, for a man scorned, he tried to go an extra step. But…
Rick: Yeah, good on the investigation for figuring it all out. And an interesting note, too, is that they have no idea if the photos that he used were of actual patients. The initial investigation says it’s not, but if he did then that adds a new wrinkle into it.
Olena: Then he could be in some kind of trouble, if he took someone else’s photos and then sent it to the media.
Rick: Yeah, and if… I mean, he’s working at the hospital and he took actual patients one, then that hospital can be on the hook. So it’s very… It can go down a bad path if it turns out that he used pictures of actual patients.
Rick: Yeah, but for right now he’s facing fines up to $250,000 and maximum sentence of five years in prison.
Olena: Well, that’s good, because this is a serious topic and not one that should be made fun of.
Olena: Alright, well, we also like to focus on winners and failures. And coming up this week, we have a good amount of people who are winning.
Rick: Yeah, we do, and there’s some… The first winner that we gotta talk about is actually Google. Really big win for researchers is the FDA. Real-world evidence is gonna be made available on Google Cloud.
So Google, which helps FDA with an open source platform, called MyStudies, is gonna be making it available and that’s gonna make it easier to access data for research into new medications, medical devices, and just more information. So it’s really great that this data is gonna be open, because it’s gonna just help more organizations perform research that can lead to better patient outcomes.
Olena: Can you give a better example of maybe how this would be beneficial?
Rick: Yeah, so as part of the initial initiative Google is gonna bring their MyHeart Counts research study that was run by Stanford University onto the FDA’s platform. So what that did was it enrolled more than 60,000 participants to help better understand people’s cardiovascular risk scores. And until now, all those participants were all iOS users.
So MyHeart Counts was launched back in 2015 as part of the first group’s iOS research apps, but by enabling it through MyStudies, Google Cloud will help research expand the insights to enable enrollment for both Android and iOS users.
So we’re not just stuck on one platform, and that’s better because even though iOS is a huge platform, Android is obviously bigger, right? So you’re enabling it to get more people, who can participate in the study, get more data and get better insights.
Olena: Excellent, and I am a Mac user, and you are a…
Rick: Yeah, I’m a Mac… So yeah, Mac user for laptop and computer, but yeah, phones are Android. So I would not have been able to participate if I was fitting their criteria. But yeah, it just opens up more data for them and hopefully they can do that through more programs.
Olena: Excellent. Who else is winning for us this week?
Rick: So, Johns Hopkins is a winner this week. They’re spearheading Chesapeake Digital Health Exchange that’s aiming to spur regional startup growth in that Maryland, DC, North Virginia area.
So we’re seeing more activity by health systems to kind of push innovation which is fantastic. And Johns Hopkins is leading the charge and they won a three-year $1.3 million grant from the US Economic Development Administration, so they got some money behind it and they’re gonna focus just on really building a startup ecosystem to connect people, really make a community around healthcare innovation.
And it’s really exciting, as we talked about before, I think on the last show, we saw NYU Langone Health do a biotech incubator in Manhattan. So now we’re seeing this Digital Health Exchange coming up in the northeast and it’s just exciting to see how there’s more of this innovation culture being… And forward focused getting developed in healthcare. So, really exciting.
Olena: It’s almost like a cultivation.
Rick: Yeah, exactly, and I mean, we saw it at I think the CES, the huge electronics show that recently finished up. I mean, there’s a lot of digital health products out there for… And like wearables for consumers to take a look at.
So I think it’s great that there’s formal ways that organizations and health systems to kinda cultivate that. So it can only help everybody move forward and get better health outcomes.
Olena: Well, as we just focused on those that are winning, we also have some failures.
Rick: Yeah, and unfortunately, like we say, there’s always a lot of these around. And one of the bigger ones that happened recently was the data of about 50,000 Alomere Health patients were exposed by an employee getting their email hacked.
So it looks like there was a hack for two employee accounts, and that’s for Alomere Health, which is based in Minnesota. The staff first discovered that there was unauthorized access on one employee account on November 6th, that was secured.
They did an investigation and it looks like there was another account that was hacked as well. So, two email accounts are compromised and it contained patient names, contact details, dates of birth, just a lot of health information, including social security numbers, too, like very sensitive data.
So they couldn’t tell if the data was actually viewed by the attacker, but you have to kind of assume so on a worst case. So they did reach out to all the people who were affected and kinda helped them with their identity, tracking their identity, making sure there’s no identity theft, things like that.
But yeah, another bad, bad hack that happened from email.
Olena: Yikes [chuckle] and knowing that your social security number and possibly your driver’s license numbers and all of that could have been compromised, definitely puts about 50,000 people at risk.
Rick: Yeah, bad situation. Definitely a downer around the holidays with just everything that just happened. But it’s great that they’re trying to help everybody out with it and just gotta really keep an eye out on their identities and track that and make sure that there’s no identity theft.
Olena: And good thing that once they found something was compromised they did more research and found that there was another issue. So, hopefully able to nip that in the bud.
Olena: Another failure. 25,000 patients, their information might be compromised as well.
Rick: Yeah, so this is for the Native American Rehabilitation Association of the Northwest, based in Portland, Oregon. They were affected by a malware attack.
So, this organization provides education, physical, and mental health services, and substance abuse treatment services to Native Americans. So, great organization and they have learned that there was a malware infection that potentially allowed unauthorized people to gain access to PHI.
So this happened around November 4th, they contained it by November 5th and reset everything by the 6th. So they did a real good job of reacting quickly to it.
But the malware itself, they did find that it was called the Emotet Trojan, which basically steals log-in information and can also take out… You could say export, but it can grab all emails and email attachments. And so it’s possible in that way they could have taken information that contained PHI.
And of course, like we said, it could include your social security number, your birthdate, your medical record, or patient ID numbers.
Even if someone’s emailing about treatments, it could have taken that information. So a lot of bad things could have happened. And it possibly affected 25,000 patients.
Olena: Well, props to them though, they activated very quickly.
Rick: Yeah, at least… And they found it really fast, so that’s great that they had detection systems in place that they were able to find it. You ideally would like to do it faster even than what they did, but they did find it. So that’s great.
Olena: Excellent and I’m glad that you always kinda see the silver lining in the failures as well.
Rick: [chuckle] We try to. We don’t wanna be downers, but there’s just a lot of threats out there. It’s tough for anyone to stay up, so it’s always good to see when there’s organizations who can react well to it.
Olena: Mm-hmm. And a lot to learn from as well.
Olena: Well this week, our Chief Marketing Officer, Rick Kuwahara, was able to sit down with Aarti Khullar…
Rick: You know, unfortunately there still does seem to be a lot of stigma around mental health, especially for youth. How do you both see digital health being able to help with that?
Aarti Khullar: Yeah, absolutely, it’s a great question and I think this is one that we’ve talked a lot about.
We’ve put a lot of thought into the stigma around mental health as we’ve been designing and building out our platform. And here I think one of the most important things is that we really understand the technological expectations of both students and young adults today.
And in many ways I think our mental health field really needs to modernize to meet students and youth where they’re at, which is often on their phones. And so just as young adults expect to be able to make dinner reservations online or they expect to be able to book their next vacation online, I think they also expect to be able to connect and book a therapy session online.
And the fact that this capability is just not ubiquitous I think contributes to some of that stigma and the mystery surrounding mental health treatment.
So on our site, what we’ve done is really designed it intentionally to be intuitive, to be accessible, and just to provide more transparency for students about the mental health search process. So on our site, you’ll notice that much of our interface resembles what you might see on an OpenTable or an Airbnb.
And we’ve done this so that students feel a sense of familiarity, feel a sense of comfort and trust as they’re navigating through our site.
Because we think that when an online experience feels familiar and expected to students, that this will help to contribute to a reduction in stigma.
So there’s that piece, and then I think we have also gone the extra mile to have a social media presence and a blog for our students to just sort of further normalize mental healthcare and the process of accessing treatment.
Rick: That’s great, especially, like you mentioned, it could be a daunting process to try and get help if you need it, even to take that step so that anything you guys… It’s great that what you’re doing to make it easier.
Aarti: Yeah, that’s part of the goal.
Rick: Great. So one of the biggest challenges with any piece of healthcare technology, is being able to keep the data private and secure. So when you envisioned The Shrink Space, how early did you take into consideration securing all the PHI you’d be handling?
Aarti: Mm-hmm. Yeah, it’s a very, very important question.
So Beth and I went into this assuming that this would be the industry standard, I think from our expectations, and being psychologists ourselves, and how we protect student data.
And so the thought was that any time student PHI, or Protected Health Information was being handled, particularly on behalf of a university, we would honestly need to protect it and keep it secure. And so this has always been one of our goals and we think about it in the way of when a student goes to therapy they expect confidentiality.
And they should expect the same trust and privacy in The Shrink Space technology.
So, all that being said, we also understand and completely appreciate what you’re saying, which is keeping patients’ data private and secure can honestly pose challenges and difficulties, because of course, this means the features are more costly and more timely to build, and it can also be difficult at times to manage and balance the needs of a university counseling center, for good reason, really wanting to know where a student is at in connecting to an off-campus provider.
And wanting that data, but then also needing to make sure we’re protecting our student privacy.
Beth and I decided early on that privacy was of paramount importance and so we’ve prioritized it.
And for many reasons, honestly, we’re very glad that we did because it’s allowed us to create a backend infrastructure from the start, and it now gives us and provides us with a framework that allows us to add more complicated features, such as asking students for their consent before we share any referral disposition to our university counseling centers.
And it also, in regards to future features, is allowing us to work through facilitating the flow of information between each of our users. And ultimately that is the goal of HIPAA, to help with care coordination and help with information flow.
And so while it has been timely and costly to implement and make sure that our PHI was being handled securely, we’re also very glad that we did because it allows for our future growth.
Rick: That’s great. Yeah, that’s a good point, what you said about HIPAA. A lot of people feel HIPAA actually can sometimes hurt information flow with its regulation, so that’s a big challenge you guys are taking on, working with those universities.
Aarti: Yeah, and I think HIPAA was built kind of in a structured box to some degree, and it can be complicated to know how does it apply in the wild or in real time. And ultimately, I think the goal of HIPAA to protect patient privacy and to improve care coordination, it ultimately works if you’re following the format of HIPAA.
And while it is difficult it has, I think, served us well because it allows us to instill that trust with our student but also with our universities.
Rick: Great, and it’s great that you are taking security into consideration as you’re designing your platform. That must have been a great help when you were actually going out to universities. I’m sure they had some worries about the security of everything.
Aarti: Mm-hmm. I think it has certainly alleviated concerns. I think we’ve seen some schools more concerned about it than others. I think it’s complicated to know how much does HIPAA apply in these third-party vendor situations.
And they felt a lot of relief knowing that we’re compliant because it allows them to say, “We may not know what the rules are here, but we wanna make sure that if we’re handing off the care coordination to The Shrink Space, they’re continuing to handle PHI in a way that we would be expected to.”
And so I think that that’s been a real advantage in us choosing to be compliant.
Rick: So, what’s your vision going forward in the next 10 years?
Beth Jago: Yeah, I think our vision, just as Aarti is mentioning, is really to just continue to improve the mental healthcare coordination process, through our platform, for all three of our users.
For university counseling centers, we plan to continue to grow and improve so that our service is more seamlessly integrated with other third-party services that universities might already use.
So something, for example, like EMR systems, to make sure that we’re integrating with them, with the overall goal of really saving them more administrative time.
And for students, young adults on our platform, it’s really to help them efficiently, connect with mental health providers so that they can spend more time in therapy actually working through the things that they need to, rather than spending time trying to find a therapist or even feeling demoralized when the referrals given to them are just not a good fit for a number of reasons.
And then lastly, I think for our mental health care providers we wanna continue to improve their practice management by automating parts of the referral process that are easily automated, so that then therapists can spend more time doing the part of the work that they love, doing the very human component of therapy that we believe no technology can ever replace.
And beyond that, I think we hope to one day become the one-stop shop for mental healthcare providers, as a space they can come to find renters for their private practice offices, to join consultation groups about client issues, to look for supervisors, etcetera. So that’s sort of a longer term goal.
Olena: And to read the transcript and to hear more, you can also visit our website, paubox.com, that’s P-A-U-box.com. Alright, Rick, great interview. Now we’re moving on to predictions.
Rick: Thanks, Olena. Yeah, predictions. So, first prediction of 2020, that I’m gonna make in the year 2020.
So population health, we think that’s gonna become more important this year, especially as more health care organizations are shifting to a value-based payment system, which is you’re getting paid on outcomes versus getting paid on doing a treatment itself.
So you can kind of think of it like instead of health systems getting paid or healthcare providers getting paid on treating someone who had high blood pressure, they’re gonna get paid more on, “How has your overall population blood pressure gone down?” Or, “How can you get your at-risk segments to improve their overall health?”
So, value-based payment systems are gonna be a great way to help move people and encourage people to do more preventative healthcare. So doing the things like your regular health check-ups if you are in a high risk group, helping to educate patients more on what they can do to reduce their risks, and being more proactive and reaching out to them.
So this is really gonna drive home that a lot of healthcare providers are gonna be more proactive and reaching out and engaging with patients, so this is gonna really move healthcare providers to just be really more proactive in reaching out and engaging with patients and having programs and things in place to help everybody just be better with their health before they reach a point where they’re high risk, or to do more preventative things.
And that’s great because it helps everyone overall, there’s gonna be less people with maybe chronic health problems, that actually helps lower insurance costs for everybody. And who doesn’t wanna have a more healthy community and have a healthier population?
Olena: Oh, that’s wonderful.
Rick: Yeah. We think that’s gonna be a really huge… It’s gathered up steam, it’s gonna be even bigger in 2020, and we’re excited, because actually a lot of people who signed up for Project Orca that we mentioned earlier, they’re gonna be using Project Orca, being able to do HIPAA compliant email marketing to kind of push their population health and value-based payment goals.
Olena: For those that think that doctors are so quick to offer prescription and force medications on you and they just get paid, because you’re sick, this is a whole other way to rethink that, people being incentivized because they’re healthy.
Rick: Exactly, so it’s great alignment between the patient, the provider. So, really excited for that movement, the more we learn about it the more excited to see how that kind of develops.
Olena: Wonderful. Alright, well that wraps it up for another edition of our HIPAA Critical podcast.
And again, for more information and to read the full transcript, and of course follow along, you can follow us on social media at Paubox. Also, you can go to our website, paubox.com.