The Paubox Encrypted Interview Series allows us to chat with leaders in healthcare IT, compliance and cybersecurity to pick their brains on trends and best practices.
In this Encrypted Interview, we chat with Paul Arguinchona, CIO of Frontier Behavioral Health, a Washington-state-based nonprofit Trauma-Informed Care organization, and learn what they're doing to mitigate the biggest threat to most organizations - people.
Early career and professional growth
Rick Kuwahara: So before you started at Frontier Behavioral Health, you were an engineering manager at Echostar and had some information security experience in other healthcare organizations. How did that experience help you in your current role?
Paul Arguinchona: Well, the engineering management role that I had with Echostar was more pointed towards the physical, environmental security component of the company I was responsible for. And they had provided me exposure in processes and configurations that were well thought out and documented clearly for the security in the transmission of the information we were providing to our clientele.
While at the same time, I was confronted, and my team was confronted, with very short timelines to implement new equipment that would help handle and process that information with little or no documentation. And the instruction we were given was to figure it out.
Rick: [chuckle] That's always fun.
Paul: Yeah, and over the years I've learned that the non-healthcare regulations tend to be a little easier, a little more straightforward to implement without detrimentally hindering the flow of information. Well, HIPAA, on the other hand, the privacy regulations and requirements are more difficult because they tend to impede the flow of information between professional service providers.
Rick: Got it. That's a great way to put it. So how did you end up at Frontier Behavioral Health?
Paul: Well, it goes back to Y2K. I had some experience stepping into a role for a large medical clinic and they were not as ready for Y2K as they thought. And they ended up documenting roughly 230 issues with their practice management system, and this was at the end of October of '99, so it didn't have a lot of time to get those resolved.
But the scope was similar to what Frontier Behavioral Health was having after implementing an electronic medical record and not being able to report on the services appropriately to their payers.
And the scenarios in both companies were similar enough that my experience helping my previous employer deal with Y2K became very beneficial in helping Frontier get on more solid footing with their electronic medical record.
Rick: And since you've been there, how have things changed, evolved from when you first started to now? Have the challenges changed at all?
Paul: Well, it started out as a complicated situation but I was, again, very fortunate. I had some great staff around me who helped a lot, and I've been allowed to implement changes and new systems to provide greater stability and more effective computing for our end users.
And I always look for the changes we can make to help our clinical staff take better care of our clientele. That's very important because I'm here for the clientele even though I don't interact with them directly.
But the biggest challenge has been implementing solutions while the agency has doubled in size and we've only increased our IS staff by 10% in that time, and keeping our data both available and secure is an ongoing challenge for us.
Social engineering and mitigating human error
Rick: So what are the biggest threats you're seeing right now?
Paul: Well, from a frequency standpoint, email threats, with a heavy leaning towards a social engineering theme. Several staff are being tricked into following nefarious links, asking for log-in credentials. That's our biggest threat vector at this point.
Rick: That seems to be what we see, too, even if you're just following things on the news. It seems when there is a breach, or something happens, email is usually the threat vector. So are there any upcoming trends or threats in particular that we should be aware of?
Paul: Well the biggest threat, which I think is often overlooked, is...it's not new...is staff. And as an employer, the staff are trying to get things done, and they end up either working too quickly, or trying to be helpful or they're inattentive and they'll not...going back to email being our biggest threat vector, they won't completely read an email. They won't evaluate whether it's valid and from an appropriate sender, and they will take short-cuts and click on things or execute something they shouldn't.
Rick: That's a good point that you bring up, that often times it's not even something that's malicious. The intent is good and they're just moving too fast, like you said, and it just takes one accidental click.
Rick: So what are some of the best practices or things that you do to help mitigate that threat?
Paul: Training the staff, making them aware of possible threats, probable threats. Teaching them how to read an email.
Training them that if they receive an unexpected email that's asking for something from them, to be cautious with it and partly suspicious and validate that it's really business-related and not problematic. And if they have any questions, to contact our IS support.
Rick: Great, and it's always an ongoing training, right? It's not something that you can do once and forget?
Paul: Absolutely, and I'm not trying to promote what the bad actors are out there doing, trying to get in and take advantage of our data and things like that. But they're getting very sophisticated, and it's fascinating to watch it happen. And it will remain fascinating as long as we can keep blocking it and mitigating the risk to the agency.
Rick: Where do you see security and compliance going in the next 10 years?
Paul: Well, hopefully, and hope is not a strategy, I hope security regulations will catch up with the need to efficiently share sensitive data. As in healthcare, in particular, there's an approach towards more comprehensive care, and taking the silos of behavioral health and physical healthcare and tying those together. And the privacy regulations right now hinder that significantly.
Rick: How do you keep up with the industry trends?
Paul: Listening to good podcasts, reading blogs, and I scan the technology news and look for items pertinent to our systems. And for solutions to improve both security and performance. That is... again, that's an ongoing process because the technology is always gonna change and to try and make improvements for us, but every time the technology changes, that provides additional threat vectors for bad actors to take advantage of your systems.
Rick: Great, and what do you do to de-stress and relax?
Paul: Well, I don't get too stressed out, but leaving work sure helps. And as far as for really escaping from work and not thinking about it at all, nothing beats fly fishing.