Busy week this week on HIPAA Critical as we dive into the latest news on healthcare data breaches topping the charts. Saluda Nursing & Rehab is this week's winner: Paubox has encrypted thousands of its emails, blocked hundreds of spam emails, and stopped dozens of phishing and virus attacks. Florida Orthopaedic Institute is breached, and Paubox Marketing Manager Sierra Reed chats with Michael Parisi, Vice President of Assurance Strategy & Community Development at HITRUST.
Here’s the full transcript of this episode.
Olena Heu: Welcome to another edition of the HIPAA Critical Podcast. I’m your host Olena Heu. And joining me this week is our Marketing Manager of Paubox, Sierra Reed.
Sierra Reed: Hi, Olena. Happy Wednesday!
Olena: Happy Wednesday, Hump Day! Now each podcast we’d like to highlight a few things… of course winners and failures. But first, we want to jump into what’s happening in the news right now.
Sierra: Yeah, great. So I subscribe to Healthcare IT Security for news and updates. And I came across this interesting article that discusses the results from IBM’s annual cost of a data breach report.
This report states that data breaches are the most expensive in healthcare when compared to other industries, with costs topping 7 million annually. And healthcare has had the highest breach cost for the last 10 years.
And this year's numbers increased 10.5% from 2019, which I thought was really interesting.
Olena: Wow. Is there a reason why healthcare breach costs are more expensive?
Sierra: Yes. So the costs are tied to: length of time between detection, lost customers as a result of the breach, and then estimated cost of business disruption. So those types of things.
Olena: That makes sense. And how are the breach costs different compared, you know, the US compared with other countries?
Sierra: Yeah, so breaches in the US are amongst the highest at around 8.64 million annually, followed by the Middle East and then Canada. And then the report mentions some interesting stats. So the average life cycle for all sectors to identify and contain a breach is around 280 days, but for healthcare, it's longer at 329 days.
Olena: Interesting. Is there anything that companies can do to decrease the breach lifecycle?
Sierra: Yes, so security automation helps companies reduce the lifetime cycle by 74 days.
And then the report also assesses the leading causes of healthcare data breaches, and found that malicious attacks were behind 50% of the incidents and of those, human error caused 27%, followed by system glitch with 23%. And incidents where attackers accessed enterprise networks through stolen credentials saw almost 1 million more in breach costs compared to the global average, at about 5 million per incident.
And then along with some more stats, the second most expensive attack was tied to attackers exploiting third-party vulnerabilities, which cost 4.5 million across all sectors.
And all of these stats together are definitely really alarming given recent reports and articles that millions of IoT medical devices are impacted by Ripple20 vulnerabilities and there are more than 15 billion compromised credentials for sale on the dark web currently.
Olena: Wow. So are there any recommendations for the healthcare sector?
Sierra: Yes. So first, companies should work to identify and classify technologies, such as IoHT and IoMT, while monitoring their behavior to protect patient care and operations, and then second, practice an enterprise-wide incident response plan with all team members.
Third, adopt a zero-trust security model which would create self-defending systems and data. And then fourth, invest in security automation technologies, which is what we kind of discussed a little bit before.
Olena: Wow, well, thank you, Sierra, so much. That’s really, really great to know. And now it’s time to highlight who is winning this week and who you got.
Sierra: Yeah, this is great. Favorite part of the podcast. So our winner of the week is one of our customers, Saluda Nursing and Rehab. And they are a 176-bed skilled nursing and rehabilitation care facility in South Carolina. And the challenge for them was that there was no standard for email encryption, and people were using personal email addresses.
And additionally, email phishing attacks are a big problem in the healthcare industry as a whole. And although no one at Saluda had been the victim of any phishing or hacking attacks, they knew that they needed to be proactive and act quickly to shut down that potential threat.
So our solution was to really have them go with Paubox Email Suite Plus, which is one of our products.
Olena: Excellent. And what exactly is Paubox Email Suite Plus?
Sierra: Yeah, so Paubox Email Suite is a newer subscription, and the Plus specifically is, essentially, our encrypted email and inbound security with ExecProtect under one umbrella, and Paubox customers also have the added security of knowing that our products are HITRUST CSF certified, which is the gold standard for HIPAA compliance in the healthcare industry.
Olena: Okay, and any notable results by using Paubox?
Sierra: Sure, sure. In the past 12 months, we have encrypted 27,000 emails sent by Saluda. And we’ve blocked 627 spam emails, blocked 76 phishing attacks, and stopped 53 emails that contained viruses.
Sierra: Right. So for the failure, I would like to talk about a hacking incident that affected 640,000 patients – a large breach here. Florida Orthopaedic Institute detected that a ransomware attack had encrypted data stored on the FOI servers.
Olena: Do they know what type of patient information was compromised?
Sierra: Yes, they do. So essentially names, birthdays, social security numbers, medical information, and so much more was accessed during this breach.
Olena: What is the Institute doing to resolve this problem?
Sierra: Sure. So they are providing identity monitoring to endangered patients. And then they restored the affected data and put additional security measures in place.
And then they hired a third-party forensic expert to help investigate the matter. And then the healthcare data breaches of 500 or more records are reported to the Department of Health and Human Services, as I’m sure most of you guys know.
And then the Office for Civil Rights is currently investigating 30 Florida data breaches from the past 24 months.
Olena: Wow. Well, thank you for bringing that to light and sharing that information with us. And we’ve also got a great interview to share. Now, earlier in the week, Sierra chatted with Michael Parisi, he’s Vice President of Assurance Strategy and Community Development with HITRUST. And so let’s take a listen to this valuable interview.
Sierra: Before you joined HITRUST you worked at PricewaterhouseCoopers and have been in the industry for a number of years. How has this experience helped you in your current role?
Mike Parisi: Yeah, it’s a good question, Sierra.
Reflecting on my experience with PwC. It’s helped me tremendously in my current role for a number of different reasons.
Not only did I have the opportunity to learn the concept of auditing and providing assurances relative to security and privacy, but I think the most valuable aspect of working within that environment was learning and understanding how to work with people. Building relationships is everything in what we do, I think, regardless of what our career is, what company we work for, or what industry we're in. If you don't understand and appreciate how to work with people and build relationships, you're not going to be as successful as you can be.
And that's what I really learned.
And what I take away from PwC is not only having to work with multiple different individuals internally across the firm, but certainly externally, from a client and stakeholder perspective, and having the opportunity at such a young age back then (I'm going to date myself a little bit) to interact with individuals that were in higher positions within clients and within organizations. Having that opportunity so early in my career was invaluable, because you are the one that's looked at within that setting, and with a professional services firm like PwC, you're looked at as the expert.
And you're looked at as the one that needs to provide perspective, and the stakeholders sitting across the table from you, or maybe in this day and age sitting on virtual calls with you, are asking questions and wanting you to provide a perspective that's going to help them. And sometimes the greatest value that you can provide is just connecting personally, and the rest
you can figure out together from there.
Mike: Yeah, so that's an interesting story and another chapter throughout the years. So, ironically enough, when I was at PwC, I worked in and ran their HITRUST practice. So, I was very familiar with HITRUST as an organization and the standards and the assessment process.
And I had the responsibility for managing a team across the country that was executing HITRUST-related services, whether it be confrontative, or readiness, or actual full assessments and certifications throughout the country.
And even prior to that, going back 12-13 years ago, when HITRUST was still just an idea, the organization at that point in time and a number of the stakeholders had reached out to some professional services firms to help them create the idea and the initial programs that they were going to release to the marketplace, the very first one being the CSF and the control framework.
So back then I had the opportunity to be part of the working group that actually created aspects of the CSF, and later on, once the organization took off and the assessor program became part of the organization, I was one of those assessors.
So throughout the years, not only working with organizations from a HITRUST program perspective, but also working with HITRUST themselves, I identified a number of opportunities for improvement relative to HITRUST, and so many great programs and so many great ideas, and I saw an opportunity to assist the CEO directly and also the organization to adopt that and take that more broadly.
So, I got to a point in my career at PwC, after multiple years of working in the professional services space and the Big Four, which can take a toll on you, and I had a number of personal things, health-related, family-related, that all kind of hit me at once, in addition to some things that were happening at the forefront within PwC that, frankly, didn't really align to my own personal and professional values, that I knew were going to be coming down the pipe.
So at that point in time, you know, I think we all collectively felt that it was a good time to move on and seek out a new opportunity, and I wanted to do something completely different.
So I went from a very large private, obviously for-profit consulting organization to a very small, almost like startup, not-for-profit organization. And I had the opportunity, based upon conversations with the CEO, to come hang my hat for a while and give some ideas in terms of what we could do with the company. Three years and two months later, I'm still here.
Mike: Yeah, you know, I'm gonna give you a couple. The demand for our programs and the assurances that we provide to the marketplace, I would say especially in the last year, has outpaced our own internal growth. So one of our biggest challenges is to make sure we continue to scale up to meet the demands that exist within the marketplace.
That's one, and then two, and I would say that the second challenge is probably more of a challenge than the first one. The first one is more tactical and operational. But two is getting more organizations to recognize the value of the programs and to adopt and leverage those programs.
And that only comes through conversations and education to make sure they understand everything that’s included within the programs themselves.
Mike: Yeah. That seems to be you know, the leading question these days and I won’t spend a lot of time on the obvious things that I think, you know, a lot of individuals have brought up, such as the shift to work remotely.
Obviously, there’s been some new threats and challenges for some organizations that have not been accustomed to that type of environment. In the past, those that are really focused on being in an office every day, and now having to shift to work remotely or work from home, naturally will introduce a number of new threats.
Everything from “do you have the appropriate hardware security configurations at home” from a network perspective, but I’ll add a little twist on that, which would be IoT. And it’s one thing if you’re sitting in an office and you’ve got your phone with you, and you know, your phone’s always listening anyway.
But now all of a sudden, you take that individual, that employee and you drop them within their home. Well, now there’s multiple devices and things that are listening, how many people have Alexa, how many people have other types of things within their home, and then things that you don’t even think about?
It’s so funny, you bring this up, Sierra, because I was talking to a good friend of mine, who’s with a large health plan this morning prior to us having this discussion, and he gave the example that he was sitting in his kitchen and he was on a work call, he’s in information security, and they were discussing some pretty sensitive topics, right.
And his back door, his slider, was open on to his patio. He just had it open, letting the air in, and his wife was sitting outside while he was having this conversation. So his wife came inside, closed the patio door, interrupted him, and said, I just heard your entire conversation and our neighbor is on the other side of the fence, which means they heard it, too. So it's not just about the environments and the devices, but it's also the activity and the behaviors that can introduce a lot of risks.
But that’s not the riskiest thing that I’m concerned with. The riskiness aspect of the new threat is not knowing what we’ve introduced or let in the door. And what I mean by that is, when you look at organizations impacted by COVID, one of the things that most if not all organizations have had to do is they’ve had to bring on contract, introduce new business partners into their environment, in order to address COVID.
So, whether that’s, you know, we got to use more software, we got to use the cloud more, we got to buy hardware to ship to people’s houses. If it’s in the healthcare space, we need to get as many ventilators in the doors we possibly can. We need personal protective equipment, right. So all of those things have forced us to create new business relationships, and bring on vendors quicker than we’ve ever had to before.
And naturally, as part of that process when we think about COVID, and the ultimate risk is to stop the loss of human life, we’re going to get those vendors on quicker, right. And we’ve naturally probably cut some corners and haven’t done as much diligence as we’ve done in the past due to the significance of this issue.
But what worries me is, if we don’t go back and close those doors that we opened up, what are those new threats and vulnerabilities that are lurking, sitting there now? Where 6 to 9 months down the line, they can actually show how ugly they can be.
Mike: Yeah, so that’s another great, great question.
I'll give you a couple [of] different perspectives there. There's a difference between what I would call the regulatory and compliance landscape, the standards and requirements, versus enforcement, right. So, I would tell you there is no relaxing; there are no public statements that say the regulations or the requirements are being removed, if you will.
The expectation is, and the fact is, they're still there, right? Everyone is expected to be performing appropriate procedures, executing appropriate controls, having stopgaps in place, etc., in line with all these requirements. And as a matter of fact, when you look at something like HIPAA, HIPAA indicates that you must maintain compliance with the standard even in times of operating in emergency mode. I mean, it actually says that, right, from a requirements perspective.
What’s changed is the enforcement. So, when you look at entities like the OCR, I mean, the OCR has publicly indicated that we recognize during these times, you need to be able, from an interoperability perspective to share more information openly across health information exchanges, hospital systems, when you look at what happened in New York, you know, back in April.
And so, recognizing that the speed of sharing data definitely, you know, offsets the ability to protect it appropriately, they’ve indicated that we will relax some enforcement of the standards, although you should be following it still, during these times and recognizing that organizations may have to relax the ability to enforce it. I don’t know that I necessarily agree with that.
I think I would say that if you’ve made appropriate investments and a strong security and privacy program, and solutions and tools, then you should already be in a good position to continue compliance and operation and enforcement even during times like this.
And the last perspective I would give is, when you think about the concept of business continuity plans, right, it's funny, back in my PwC days, we would come across those requirements and those controls and we would kind of laugh and say, ah, these things are never really used, you know, let's just make sure that they're doing a tabletop exercise and there's a policy and a procedure in place, and they're never going to have to use that. Well, that has certainly changed.
And I think what you will see is you’ll see more requirements and regulations standards, relative to business continuity and being able to react to things like a pandemic in the upcoming years.
Mike: Sorry, can you say that again?
Mike: Yeah, good. Good question. I think it definitely does in a couple of different ways.
So as I mentioned before, out of necessity, I think it has changed the onboarding process and how we interact with vendors during the onboarding process.
So we may be willing to not have as much transparency and comfort relative to security and privacy upfront, with the understanding that we will go back and revisit it later on. I think that's one big behavior change that's happening and has been necessary for a lot of organizations.
The future outcome of that, knowing that that’s put us in an uncomfortable position because we don’t know what we don’t know, is I think you’ll see more and more, in the future, of organizations unwilling to even enter into a relationship with the third party unless they have those assurances upfront relative to security and privacy.
And I think they’re going to start building their directory, if you will, of third parties or business relationships that they can call up in the event that they need them and they’re going to build that base off of who has strong security and privacy posture that they can contact at any point in time to engage for necessary services.
I think those will be some behaviors that change.
Mike: Oh my, another great one, and one that we talked about a lot. It's difficult to tell at this point in time. However, I do believe they will come back, but you will not see them performed as frequently as they were before. And what I mean by that is, today, it's not an option.
Right? So auditors are finding different ways, and authoritative bodies that enforce certain requirements are relaxing their standards. We did from a HITRUST perspective, right, recognizing the challenges. We said, "Hey, we're going to provide a waiver for on-site validation procedures." We had to.
So I'd say from that, the auditing organizations, the authoritative sources, and standards bodies are really having a good look inside themselves and saying, if we were able to get it done this time, and if we were able to relax our standards this time, why can't we continue that model? And I think here's the difference.
It's all about how far you can extend or extrapolate assurances. If one year you're doing an on-site audit, and the next year a pandemic hits and you're not able to do an on-site audit, and you could still provide that same level of assurance and auditors can still issue their opinions, etc., when does that become stale? Maybe they've done some additional alternative procedures to extend or extrapolate the assurances, but at some point, it's going to become stale.
So maybe we’ll see a model where it doesn’t all go away, but it shifts to every other year. There’s an on-site audit as an example. So, I don’t think you’ll see them fully go away, but I do think they will be more relaxed and not as rigid as they’ve been in the past.
Mike: Yeah, I mean, I'm doing a number of different things.
You know, everything from looking at Flipboard with topical items and articles that are relevant to the industry.
I stay in contact with a lot of the industry thought leaders relative to, obviously, security, privacy, third-party risk management. I interact with a lot of the other standards organizations and authoritative sources, such as CMS, HHS, NIST, etc., and follow some other organizations that are thought leaders within the third-party risk management space. So I do a lot naturally, but I would tell you, most of my updates are from talking to people.
And it’s just understanding, you know, what are they seeing, what are they dealing with maybe hearing about something new or something interesting to take a note on that and then going back and doing my, my own research to learn more about it.
Mike: Yeah, yeah, de-stress and relax. You know, I would tell you, some of those things are the same as they were before. And some things are naturally different considering the environment that we're having to live within today. I'm certainly a big fan of wine.
So, I enjoy the hobby of exploring and, naturally, drinking wine, especially being in Northern California. I love spending time with my family, of course, kids, life, friends, and also our dog who recently just got out of surgery yesterday. So looking after her right now.
Mike: You know? Yes, she’s doing okay.
So you know, all those things were things from before. And also today, we love to travel as a family. And that’s something that we really enjoy and exploring new places.
Naturally, that is not something we're able to do right now. We're looking forward to when we can begin to do that again, and have no agenda on those trips and just really explore and be open. And so what has that been replaced with?
Maybe it's a little more tactical. But every day we make a point to cut the workday off and go for a walk with the family, with friends, with the dog. And every day, right, get out of the house, clear your mind. I guess it's a form of a trip and travel, to the extent that we can do it right now.
Yeah. But that’s important because in today’s day and age, it’s funny and you’re probably experiencing this as well, Sierra, that now I think, working from home, of course, has its benefits, but it has its detriments as well. And a lot of people are working more now without breaks and without ways to escape than they have been before. Just because the laptop is always on.
You don’t have to necessarily commute to work or your commute is very short to your desk and as a result, I think as a society, we are working a lot more now than we had before. And it becomes harder to draw those lines, you know, to stop working and shift to the personal life. So it’s really important to have some diligence in place.
Mike: You’re welcome. Thank you.
Olena: Thank you so much, Sierra, for that insightful and really in-depth interview.
Sierra: Yeah, it’s always great to talk to Mike, he’s a personal friend and always provides valuable insight. So it was really, really fun to interview him.
Olena: Great. Okay, well, that's gonna wrap it up on this edition of the HIPAA Critical Podcast. For more information, you can also log on to our website. That's Paubox.com, P-A-U-B-O-X.com. If you like what you hear, be sure to like and subscribe to the HIPAA Critical Podcast. Subscribe via Apple Podcasts, Spotify, iHeart Radio, or Stitcher.