13. Marc Haskelson "Three quarters of the of the breaches or incidences that occur were not caused by technology failing."

This week on the HIPAA Critical Podcast we chat about the latest changes to HIPAA penalties amid the COVID-19 pandemic and how it relates to testing, learn what hospitals on the frontlines of the outbreak are doing to help, and more bad news for Zoom users, Plus we chat with Marc Haskelson President & CEO of Compliancy Group about the compliance risks businesses face with a newly remote workforce.  

Rather read?

Rick: Hey Olena.

Rick: Yeah, it's always top of mind these days.

But another announcement from the Office of Civil Rights...so they are doing even more things to make responses to COVID-19 even faster and easier for covered entities and business associates.

So the latest news that they announced was that they are going to be waiving HIPAA penalties for care that is related to COVID-19 testing. They announced this on April 9, but are doing retroactively all the way back to March 13.

Basically, for as long as there is a public health emergency, this temporary amendment makes it so that the OCR will not impose penalties for non-compliance to HIPAA regulations, if the activities itself is related to the operation of a COVID-19 community based testing site.

So similar to the other provisions and waivers that they've had, you know, they're assuming that covered entities or business associates are operating in good faith. But as we know, testing is not happening fast enough, or is available for enough people.

So a lot of these community based testing sites have been popping up. You can think of it like those drive thru or mobile pop up spots where they are doing testing for the community.

A lot of these places may not have the setup needed, because it is temporary space that has popped up, it's quick, it's fast, it might not have necessarily have all the protections in place that you would normally find at a hospital or more controlled location.

So a lot of times it would become a HIPAA violation. If, for example, you don't have a secure area where you're storing all patient information like if you're taking information from someone and then you have to go back to your temporary workstation where you're inputting it all that area is supposed to be secure and no one can get to.

But of course, it's not always possible in like these mobile pop up sites. So a lot of times, these places are just setting up temporary privacy canopies, they are trying to control car traffic and foot traffic as much as possible, but there's only so much they can do.

So it's good that the OCR is kind of waiving the penalties for these situations, as long as those covered entities are doing it in good faith and trying to do as best they can to protect the PHI that they are collecting.

And really, this is super important so that, you know, these cover entities won't be afraid of a violation if they were to set up a pop up site. And of course, the most important thing right now is to try and get testing out to as much people as possible, as they need it as fast as possible.

Rick: Right, because that should be the first priority. I mean, as we all kind of know, rapid testing is one of the critical things that's needed if we have any hope to, you know, get back to some sort of normalcy.

Rick: Well, we just published our monthly HIPAA Breach Report last week. And every month we look at the previous month of the breaches that have been reported to the U.S. Department of Health and Human Services.

And last month, it looked like the top three breach types were again, email number one by a big margin, which are with over 235,000 people's PHI potentially affected.

Desktop as the source of the breach came in at number two. And that's the first time it really cracked the top three for this year. And it had over 80,000 people have their PHI potentially effective because of a breach caused through desktop computing.

And then the third one is a new one, kind of, it's electronic medical record breaches. And that came in third.

But the number one threat factor, again, is still email.

As we see, it's number one in the breach types and it's consistently, you know, at that top spot. Because it is, you know, one of the easiest entry points for hackers. So last month, there were 13 reported breaches that were caused by an email attack. So a lot of times that's like phishing, ransomware, something like that.

But the silver lining is that even though the number of breaches total actually increased to 34, last month versus 30 in the previous month, the actual severity of the breaches did drop. So that's great news.

Last month, about 390,000 people were affected, but the previous month, there's 1.2 million people affected, which is really big because of one gigantic breach. But still, overall, it's good to see that at least the severity is going down. I think the largest breach last month was from a phishing attack that happened to Tandem Diabetes Care, and that affected over 140,000 patients.

Rick: Good question. In this case, it was a rare breach that happened. And it's still... I think the covered entity is still fighting it but it was one breach that affected close to 70,000 people. So if you take that out, then this still is not going to be the top three. But that is a little bit unusual. Well, you know, desktop, we don't usually see that as one of the more effective ones. A lot of times it's email and servers being hacked. So this one was a little bit unusual. But yeah, first time desktop has cracked the top three this year.

Rick: Yep. So winners. A lot of, you know, eyeballs are on New York because that is kind of the epicenter of the pandemic.

But some good news out there is Montefiore, a health system, recently gotten to the news for doing a good thing, which was trying to use chat bot on their website to help get information out better and faster to people trying to....who are maybe looking for that info online.

So they are using chat bot, which if you're not familiar with, is where you go online to a website, there's usually something in the corner. And you can chat with the company directly versus having to call in or go in person.

As we know, with people trying to do social distancing and staying away if they don't have to go to the hospital, chat is a great tool to use. Especially since a phone, you know, phone lines can get oversaturated.

So what they're doing is they have a chat bot and they're trying to use artificial intelligence to kind of help with keeping FAQs for people updated, you know, as they change this, everything's changing so fast.

One big thing that they're doing is they're trying to help people find CDC guidelines and keep that updated in real time through their chat bot. So someone's going on and they have questions and, you know, they can be helped by going to the CDC guidelines, they're able to keep all that flow updated in real time versus having a person trying to manually update it and, you know, maybe having a typo or something, you know, they're trying to actually feed that information through and keep it updated with this chat bot.

Rick: Right, and it helps the staff too, because a lot of these, you can call them FAQs, right, frequently asked questions.

You know, if you're you get asked same thing over and over again, a lot of times they have built resources that people can help themselves with. This chat bot can help better direct people to the information they need faster than having to even email someone then wait a day or two for an answer, they can just go and the chatbot can help direct people to the resources they need.

So it's really good for both sides and chat bots are pretty common in most industries. And we have one on our website at Paubox. And these...it's great to see that, you know, during this time to get more efficient, you know, health systems like Montefiore are kind of using this tool to help both patients and their staff.

Rick: Well, not surprisingly, it's Zoom again. We talked a little bit about it last week how you can make Zoom secure. But as we know, they had the huge increase in users and credentials... they get compromised.

Well now last week, news came out that a bunch of these credentials are now being swapped in underground forums on the dark web. So thousands of compromised Zoom credentials, like password, logins, that sort of thing, were discovered in these forums that cyber criminals look at in order to get personal information.

So researchers found that there was a database that had more than 2,300 compromised Zoom credentials. Like I said, that's username, passwords, even meeting IDs, names, things like that, and those across all industries, from banks, to healthcare providers, to you know, educational facilities.

And nobody knows exactly how these credentials got there. But the good news is it is a smaller number relative to what people usually see when there's these data dumps.

And it's also likely, though, that a lot of these came from small lists that people kept from a bunch of different agencies, and were kind of put together and shared publicly. And researchers say that's because it is being shared publicly, and it's not being sold.

So unfortunately, you know, it's out there, there's not much you can do about it now, but of course, you can do things to secure your zoom meetings. And there's a lot of best practices... because a lot of these type of... the reason why a lot of these credentials were hacked and stuff is because people didn't do the basic things they needed to do to make their meeting secure.

And we wrote a blog post about that on our website so people can visit that. Take a look. It takes just like five minutes to read and make sure that you're kind of using the best practices when you are using Zoom.

Rick: If you wanted to, you could, just to be safe. If you weren't following the best practices before, then it's probably a good idea. Better to be safe than sorry. But again, you know, if you were doing a lot of these things in the beginning, chances are that you weren't compromised.

Marc Haskelson: So, you know, the big it's funny, because we've gotten so many inquiries recently around those lines, you know, and in our, in our case, if you had always been compliant, you know, many of these issues would have already been addressed.

But the big ones we're seeing is that a lot of people just really do not understand the risks, or the increased risks of how you maintain or protect privacy and how you protect the information that you're working with. Right? And in the way it's what we're seeing, especially in the smaller practices.

Large organizations understood VPNs and that, you know, they had proper equipment that had the right up to date and the correct virus and backup and disaster recovery or, you know, in your case, you know, the right secure messaging tools in place.

But a lot of the small ones really never thought of it that way. Right? So now they're grappling with... not only are they working remotely, which is a total change in some cases can be, you know, may actually prevent their business from running. Especially if you take healthcare, you know, the idea of switching to telehealth, what technology they can use, you know, why is it okay to use Zoom versus FaceTime versus some of the other tools?

So they're really grappling... the biggest ones I would say are, how to use what the technology that's available to them in a safe and secure way to serve their patients and to protect their organizations. And there's a lot to it, but that I would say is that the most common set of questions we get, how do I do this in a safe and compliant fashion?

Marc: So, you know, a couple of just really simple tips and tricks, especially for the small organizations that are now working from home, a couple of basics.

Like, you as an organization should have had or and actually if folks are looking for it, we're actually giving away for free, a bring your own device and a remote worker policy instead of procedures, right, so that people know what they should and should not do. But let me just give you some simple tips and tricks, right?

First of all, most of these folks are working from home. And you know how most people just tend to just you know, their modem or the router that came with "admin 123," first step, please update your passwords. Okay, you know, if you thought it was easy, trust me, you know, every hacker in the world thought it was easy.

So please, step one is just really take the time, make sure your passwords are correct that you've updated them that they're secure.

Another one that we're seeing is a lot of folks, especially now that they're working, let's say, either could be on shared equipment with their family, is understand that if you are dealing with PHI, make sure that different computers, you can set up different profiles, make sure that your malware is up to date.

We strongly recommend having good backup, having good encryption, which if you're on Windows 10, it's easy. And if you're on a Mac, it's easy, right? It's just a function of turning it on.

The other one that we've seen is, that we saw a lot of questions on the webinar that we had yesterday, was the concept of what a VPN is.

Because part of what we were saying is, look, you know, even if you really don't have the rest of your act together, if you understand how to use a VPN, and there's some expensive ones that you can get, you know, for a couple of bucks a month, can make a really big difference in helping you protect it.

The other one, which which goes back to Paubox, is, you know, look, your patients do not understand and you're going to be exchanging information with them now, from primarily via email. Understand how to use that correctly, because when set up correctly, it's going to protect both you and your patients or your clients.

Marc: So we have a whole free resources, or free education section on our website. So if you go to compliancy-group.com under the resource tab, you'll see different types of resources that are available.

Probably right now because the rate or frequency of how how much is happening so quickly, you'll find that going to the blog section is where you're going to see daily where we're releasing, how-to guides.

So for example, how-to make your conference services compliant. Things like Bring Your Own Device Policy so that your your staff, you know, you have a correct way they can use their own tools at home in a secure fashion, remote worker policies, and then a bunch of other, you know, a checklist and you know, from a security perspective.

They're all available on the website, and really recommend you come grab them. And no, we won't harass you. It's really meant to be free and educational.

There's also a whole bunch of webinars we have in recordings around different topics that our clients and our prospects have been asking us about.

Marc: So, you know, that's a good question. Being in the business, you know, and being a compliance geek, we think it's easy, right?

But a lot of times, this is a... I think for most people it's fear, right. It's not really that hard. But I think, you know, when they think of federal regulation and administrative and privacy and security requirements, they get very overwhelmed and they're afraid that they're going to answer something wrong.

In reality, look, this is just a good way to look at your business once a year, you know, objectively look where your risks are and fix them. Right? So you know it but but it's amazing how many people find that and, you know, the concept of doing that extremely intimidating.

You know, and that's part of what we do is really, you know, boil this down to, you know, a very simple... it's not easy.

One of the things I say to a lot of folks is if you think compliance is easy or if someone's telling you compliance is easy, then runaway. But it actually you know... when broken down into, you know, how you did an elephant? You know, one bite at a time.

There are definitely ways, and this is what we're very proud of, of helping people break this down into small bite sized chunks that that is, let's say plain English and helps them get it done in a very efficient fashion.

Marc: Oh, thank you. We appreciate you guys being clients. And you know, we love the Paubox product and recommend it to all our folks, it's it's a great way to solve, you know, one of the biggest problems is exchanging information in a secure way.

Marc: So I think regulatory compliance is growing at a truly at an international level, right? Because in the end, although we think of regulatory laws, the concept of compliance in, or let's say my view of the concept of compliance is really helping groups of people, systems, companies, whatever, work together in the most frictionless way.

Because in the end, really what compliance is saying is, hey, I want to make sure everyone understands the rules of engagement and that should allow us to do... whether it's, you know, seeing a patient for for treatment or two companies trying to solve a problem.

If we understand those rules, then compliance becomes the thing that makes it easy, right? That simplifies how to stay in your lane.

Now, what I do think is happening, though, is that the world of compliance and the world of security are quickly running into each other.

Because compliance or regulatory compliance as we knew it, although it had a security component, was really around people.

And still, you see, you know, three quarters of the of the breaches or incidences that occur were not caused by tech technology or technology failing, but were calling caused by human error. Okay, people not following the rules.

So I think that what you're gonna see over the next 10 years is both the concept of how to help people, you know, follow the rules better and not put their businesses or their patients information at risk or whatever, there's so many different different types of regulatory compliance.

And then the security component of the technology that will help you do that, and do that safely, are going to come together. And what we see it's one of the big areas of growth we've seen is the relationship we have with the cybersecurity and the outsourced IT world.

Because I can make you compliant, but you're not going to be secure, which means something's gonna go wrong.

Technology might be able to make you secure, but if your people don't understand the right way, how to use it and how not to use it. They're gonna make mistakes and bring you down.

So I believe that over time, those two things will really come together. You know, some people may think they're already together now. They're really not. But I think those two things are going to become much more of a common set of, let's say tools, that we're all used to using. Right?

And then you think about it, you know, you would have thought that the concept of encrypted email just says, "Hey, I'm sending my information in a way that, you know, if it gets if it gets unfortunately exposed, it's secure." Why is that so mind bending, right? Combination of educating people and having the, you know, technology that, you know, that is convenient for people to use.

I think that's where the compliance industry will end up, is basically becoming very integrated into what is the security community, or vice versa.

Rick: Yeah, it's always fun to do. And as you could hear Marc is super passionate about what he does. They're a great partner of Paubox as well. So we love working and talking with them and hopefully more things we can partner with in the future too.