What’s in the news? A mobile device data breach settlement. We chat with cybersecurity expert Christine Sublett on her insights after serving on the HHS Healthcare Cybersecurity Task Force. Learn who is winning and failing right now and what we can expect in 2020.
Here’s the full transcript of this episode.
Olena Heu: Welcome to the HIPAA Critical podcast by Paubox. I’m Olena Heu, your host, and joining me is President and CEO Hoala Greevy.
Hoala Greevy: How’s it Olena fired up to be here.
Olena: Excellent. We’ve got a lot happening on the show. We’re gonna talk about the latest in news, of course, winners and failures and predictions.
Olena: All right, let’s dig right into it. And our latest news development we’re gonna chat about is the mobile device data breach settlement. Ah. What can you tell us about that Hoala?
Hoala: Sure. Okay, So this is why you should care. A large organization, The University of Rochester Medical Center. It was issued a $3 million HIPAA fine for not encrypting data at rest.
So what is that? It means that they had a laptop and a flash drive stolen, one of their employees. These devices had protected health information, and these devices did not have their hard drives encrypted.
So, they were required to report that to the HHS, Health and Human Services, a two year investigation ensues, and then they get issued a $3 million fine. During the course of the investigation, as is often the case, they find other things to add to the list, one of which was not conducting an enterprise wide risk analysis.
So key takeaways. One, encrypt all your hard drives of all your computers in your organization. I don’t care for the laptop or desktop. Easiest way to do this. Encrypt all of them. There are free and straightforward ways to do this.
If you’re on a Mac, it’s built into the computer. If you’re on Windows, the latest versions of Windows have ah BitDefender or BitLocker and Windows has free hard drive encryption tools in the latest versions of Windows, so it’s free to do do it.
Also, I have a somewhat controversial idea here, which we’ve been discussing internally for a couple of years, and that is, if you’re a HIPAA organization, whether that’s covered entity or business associate, just forbid all flash drives.
That’s the easiest way to do it. It’s too damn hard to figure out if the flash drive is the one that’s encrypt, that encrypts itself at rest or not, just forbid all of them.
Use cloud device storage things like Box or Dropbox. You can get a business associate agreement with them way simpler. Just ban all that stuff. It’s three million bucks here. That’s crazy.
Olena: Right. Hoala, I think that’s a really good point. Um, and who goes around with flash drives anymore?
Hoala: Oh, yeah. I mean, this is probably somebody’s car, right? And you know that maybe they were shopping at a mall, and some some thief just breaks in, steals the backpack, and boom, it’s got double whammy in there.
So just ban the flash drives if you’re in HIPAA and encrypt all your hard drives at rest if you got laptops or desktops.
In fact, we’ve seen instances where desktops that were in an office location. These guys just broke in and just stole everything that wasn’t bolted down. And so that organization, they’re in Los Angeles, they had the report a HIPAA breach because they didn’t encrypt the drives of the death stops in the office because they incorrectly assumed those computers would never leave the office. And what do you know? These thieves just stole anything that wasn’t bolted down. So even that is at risk.
Olena: You would think that by now, um, all of this would be, you know, under lock and key, and people would be responsible and they would have some form of ah, standard. You know, don’t take your laptop from work and leave it in the car. Don’t leave flash drives with important information available, you know, in public settings.
So definitely a good reminder. Um, obviously great takeaways and great insight from you, Hoala. Thank you for sharing that.
Hoala: Oh, yeah. Fired up. Like I said, man, this is HIPAA Critical stuff here.
Olena: Definitely, definitely. And you know, what other things do you foresee in terms of… because we’ve seen this many times over the past few years and you’ve probably seen this, you know quite often as well. What other kind of things can we learn from this situation?
Hoala: Yeah. Great. Great question. Okay. So as I mentioned during the investigation, Health and Human Services discovered that this organization, Rochester Medical, had not conducted in enterprise wide risk analysis. This thing needs to be done every year.
And we would highly recommend organizations like the Compliancy Group, which is a partner of ours, that provide this kind of service. So the, uh, the keynote or the big takeaway with using companies like Compliancy Group is, they make sure that this doesn’t happen to you. In fact, it’s my understanding no customers of Compliancy Group have ever been issued a HIPAA fine.
So you just gotta stay on top of that. You got to budget for vendors like that. And you got to do that once a year. Go with people like these guys, and then you just take that away as a potential fine item. Because we see this all the time, not doing the enterprise wide risk analysis.
Olena: Excellent. Great to hear you know your insights as well.
So this week we’re gonna feature an interesting interview conducted by our Chief Marketing Officer, Rick Kuwahara. He had a chance to talk with Christine Sublett. She’s president and principal consultant of Sublett Consulting.
In part one of the interview, Christine covers her thoughts on how government is doing with cyber security and health care since she served on the HHS Healthcare Cyber Security Task Force in 2017. Take a listen.
Rick Kuwahara: It’s been a few years since you’ve been on the HHS Healthcare Cyber Security Task Force. How do you think the government has been doing in supporting cyber security efforts.
Christine Sublett: The vast majority about 90% of healthcare in the U. S. is delivered by a practice of nine or fewer providers. The majority of the healthcare people are getting is not from a huge organization like a you know, um, a Stanford Hospital or a UC San Francisco or a New York Presbyterian or Mayo. It’s coming from, you know, small provider in a small to midsize town.
And the vast majority of these folks don’t have someone on their staff with cybersecurity expertise. And so they either don’t have the expertise or they don’t have or not willing to put forth the money to get those cybersecurity resources, or they can’t find the cybersecurity resources.
Because we’re really short in terms of, in this country, in terms of the numbers of security resources that we need and the people who actually do that kind of work. Um and so, you know, it’s a huge challenge when you think about 90% of the healthcare being delivered by these organizations where they have inadequate cybersecurity, resourcing and technology.
And so what this waiver would do, um, change of policy would allow um, uh, organizations like a cybersecurity vender to provide technology at no or low cost to two different vendors. Or it would allow, you know, a big entity.
So let’s say you’re a giant healthcare conglomerate and you have a bunch of community physicians who, you know you do who kind of partner with you, but they’re not part of your organization.
And because of the kickback rules, the anti kickback rules, you couldn’t… you know this giant conglomerate couldn’t give this smaller community based physician, um, you know, a firewall or couldn’t give them, you know, anti virus software or you know, any other type of cyber security technology.
But under this proposed policy change, it would allow these types of things to actually happen. And the reason this is so important to all of us is that you know, healthcare, part of its aim right now and for the last many years has been this concept of interoperability and this ability to share data freely amongst providers so that patients can get the care they need when they need it.
And that’s a wonderful goal, and something we really should be aspiring towards, but part of the problem there is when we start connecting these systems, it’s like the analogy of, ah, weak of, ah, you know, of a chain. It’s only a strong as its weakest link.
And if you read this link is you know, um, a community provider with, you know, two computers with no passwords and, you know, no firewall and no anti virus. And you know, your resident hacker from Eastern Europe has taken up residence in it. You probably don’t want to connect that to your systems.
But, you know, if you can use the big conglomerate can say, Well, now I’m confident that we you know, you have adequate security practice on your side, right? It makes the sharing of data on the delivery of the kind of healthcare we want to be delivering in this country more of, ah, possible reality. In terms of other progress we’ve been making at the federal level.
There is also a group called the Healthcare Sector Coordinating Council, and this group maintains a joint cybersecurity working group made up of government and industry partners.
And we’ve been working diligently since the task force report came out to address the recommendations in the report and have put out what I think is some incredibly fine guidance related to a variety of different areas. Um, including medical device security.
And, um, we’re finalizing telehealth and telemedicine security and, you know, just a series of all sorts of wonderful guidance to industry. And what makes us so unique, I think and, um, such a such a fine project is that this the joint cyber working groups have been made up of professionals not only from healthcare, what we think of patient delivery, healthcare, but also, um, security consultants and technology vendors and folks from government.
So from HHS or DHS, FDA, some of the federal departments that have, you know, a stake in this game. As well as, uh, folks like the medical device manufacturers and digital health companies and EHR companies.
And so what’s great about the the different sets of guidance that they’re issuing is that, um, you know, nobody is getting everything they want, but we’re all agreeing that this is the right approach.
And so, you know, I take something like the…what we call the JSP. It’s the joint security program, and it’s a, um, document put together by medical device manufacturers as well as healthcare providers.
And what we’ve said in this document, really is these are things that we say need to be done from the perspective of a healthcare provider to ensure that these devices are secure. And these are the things that a medical advice company needs to do to ensure these devices are secure. And this is how we’re going to work together to ensure that we’re creating an environment where we can use these devices safely in healthcare.
And so it’s fantastic because the medical device manufacturers have agreed to these set of requirements and the healthcare providers have agreed to their set of requirements.
And so when a medical device manufacturer goes into a hospital and wants to sell their device there, the hospital can pull out this joint security plan, the JSP, and say, “Well, here’s a great check list of all the things that you should have built into your device from a security perspective and talk to us about where you are with these.” And the medical device manufacturer hopefully have seen this before and can say “Here’s exactly how we’re doing that.”
And so we’re trying to create a situation with all of these different sense of guidance where healthcare providers can look at these, and no matter of their size, no matter how many resources they have or don’t have on the security side, and figure out how to start, you know, from where they are.
Whether it’s literally, we haven’t done much, and we really know we need to do things, help us understand how to start. To working with more mature programs that already do have some pretty amazing systems and processes in place. But, you know, still can go a little bit further along.
Rick: That’s great. And that sounds like it’s really helping to address, you know, some of the gaps that have kind of been created when you know all these new innovative you know, technologies come along.
There’s a gap to the adoption and also a gap in, like you said, the knowledge the security knowledge needed to make sure that if you are implementing them, that is done in a safe way.
Rick: So as we wind down 2019 a lot of organizations are planning for next year. Is there any security areas that healthcare organizations may not be focusing enough on?
Christine: Definitely. When I think about what organizations should be planning for in 2020. You know, I think to a large degree, because of things like the task force report, which now is, you know, it’s been out 2 1/2 years and the work of the sector council groups, as well as frankly, just the realization and the fact that that, you know, so many healthcare organizations are being hacked or are suffering some type of inappropriate disclosure of data or cybersecurity event.
You know where either data’s disclosed or data disclosed, and they’ve had a ransomware attack or they’ve had a ransomware attack and can’t function and are truly unable to deliver healthcare.
And we’re seeing that more and more often throughout the world nowadays. That they’re just really more aware of the problem and understand that they need to be more proactive.
And so you know most…I think that most healthcare entities at least know, that they have these issues that they need to focus on.
And so, you know, I think for a lot of organizations where, you know, that are really starting still at a fairly low level from a cybersecurity posture perspective, you know, doing doing a risk assessment to understand where the risks are so that they can address those gaps first.
You know, when some organizations, particularly those that don’t have cybersecurity leadership, often end up, hearing about a technology and thinking that sounds like it might address some of their issues and buy it, and they make it some value from it, but, you know, without understanding where the gaps are and the level of risk associated with those gaps, it’s really hard to, you know, take a limited amount of of dollars and or resourcing, human resourcing, and attack those things that bring the biggest value from a risk reduction perspective.
And so having a program in place to help you understand the gaps and understand the risk associated with the gaps, right?
You know, you could have a list of, you know, 100 things that are truly security issues, right? But many of these probably don’t present nearly the level of risk as a handful of them, you know? So it’s what are the things that really present that type of risk to the organization and then how do we address those?
And that’s how I like to focus generally with company that I advise is “Yes, we have, you know, a basket full of things we should be doing.” But we can’t do them all today. So how do we mitigate the greatest amount of risk in the shortest amount of time with the least, you know, with whatever type of budget we have to work with.
The other thing I think that companies in healthcare as well as in other verticals need to be doing much more of is incident response planning.
And, you know, it is, I think, for a long time companies really believed they weren’t a target. You know, I truly cannot tell you how many times I’ve heard in the last 30 years that we’ve never had a breach or… and I have to confess every time I’ve heard that in my head, I have this little voice that says “that you know of.”
Because, you know, in many cases companies that say this they don’t actually have the monitoring tools in place to even know it happened, right?
So it’s truly not a matter of, you know, whether a company hasn’t had a breach or thinks they haven’t had a breach. Or, you know, a lot of folks think because they’re small, that they’re not a target. And the reality is everybody’s a target.
You know, if you’re on the Internet, you’re a target.
And so it’s, you know, we…I think what we have to do is to stop thinking like that and start thinking more about how will we respond when we have an incident?
Because we will all have incidents and many of them will not reach the level of a breach. Right? Or the bar of inappropriate disclosure of information. Or a system compromise. But we’ll have incidents, you know, things that reached the level of what our organization considers something that we have to have an organized response for.
And so I think that companies need to spend a lot more time thinking about, um, you know, what does their incident response plan looks like? Who are the members of this incident response plan? How are you going to work through these incidents? When do you actually invoke your plan?
And then, of course, what I think is one of the most important pieces is testing that plan. You know, having a really tabletop exercise where you work through, uh, scenarios that are designed to help an organization bring the right people to the table and think about and what literally walk through this pretend scenario from a cybersecurity perspective and your instant response plan and understand how are we going to react when this happens to us?
Because it is truly not a matter of when or if, it’s not an if this will happen question, it’s a when this happens question.
Olena: We’ll have part two of the interview on our next episode. You can also find the full transcript of the interview on our blog. It’s posted on paubox.com. All right, so now we’re gonna focus on winners people who are winning this week, and, uh, you know, obviously it’s good to have a little bit of good news to share.
Hoala: That’s right Olena. So first winner that I’d like to talk about is our homies at Redox. This is a start up that’s on fire right now. Ah, I know some of the founders, they’re really nice folks and they’ve also launched their own podcast right around the same time is us.
So go ahead and subscribe to them. I highly recommend it. You just type in R-E-D-O-X, Redox. You’ll find their podcast right there. I’ve subscribed myself a couple days ago looking to learn from them on best practices and maybe share a few guests as well. I think then Jonathan Bush as their first guest, which was which is a big get.
Olena: Very cool. What did they do specifically?
Hoala: OK, so Redox bills itself as the simplest way for vendors and providers to exchange healthcare data. They standardized data, they maintain integration and they get technology in the hands of patients and providers. Supercool startup ah, friends of ours, customers of ours.
These guys are on fire, rocket ship style man.
Olena: Wonderful. And also we want to focus on another winner. AWS launches Amazon transcribe medical and another highlight that we want to focus on.
Hoala: Yeah, so ah, not to be on the band wagon for AWS and winning. But we do got to give these folks props. They are looking to integrate further into Alexa and having Alexa transcribe medical notes.
I personally cannot stand Alexa, I unplug the damn thing in my house. I don’t want Big Brother listening to me, but in this kind of healthcare situation, especially considering most physicians are burned out by transcribing medical notes, I think that could be some real value here.
So we gotta get hats off these guys. Um, very clever use of, ah, getting Alexa into HIPAA compliant situations over medical transcription.
Olena: And that’s good. Also, because people can learn from their example.
Hoala: Yeah, that’s right. Um I mean…yeah, Amazon’s ah, doing its thing. They got pill pack now. They’re doing transcription. They’re definitely making a big push in the healthcare. So something keep an eye on for sure.
Olena: Okay. And so, you know, we focused on those that are winning this week, and ah, of course, when you have winners, there are also some failures. And we’ve heard about this in the news Sentara Hospitals making headlines. What can you tell us about this Hoala?
Hoala: Oh, man. Yes. Oh. Headlines for the wrong reasons. $2.2 million HIPAA fine. They had a billing mix up where, um, invoices and receipts were physically mailed to the wrong people. I guess it was a bad mail merge.
They initially thought it was only eight individuals. But it turns out after the investigation, there was a lot more than that. Close to 600 individuals were affected, and so that under reporting got him in hot water with HHS, which led to a $2 million fine.
So, um, real fines, real penalties. Um, you know, it’s just in every…yeah, that’s where that’s a state of HIPAA right now. Real fines and real penalties.
Olena: Yeah. They’re saying, ah, you know, obviously the information from over 16,000 different mailing labels were merged, and so they discovered 577 billing statements containing unsecured information were mailed. And that’s obviously could impact hundreds, maybe even thousands of people. So unfortunate. Unfortunate.
But we also have another situation in terms of failures, Nebraska Medicine breached by a rogue employee.
Hoala: Yeah, they had the insider threat there. That’s ah, typically why organizations purchase data loss prevention solutions, DLP, to prevent rogue employees from doing stuff like this.
Um, emailing patient healthcare information. I don’t know why, but, you know, uploading a spreadsheet or a pdf and just emailing it to their personal Gmail account. You know, you know, on some surreptitious method where they’re not telling anybody, I don’t know why they do that, but this happens more than we then we care to admit, and this is why people buy solutions like DLP.
So let’s so I’m fired up to cover predictions this week.
Ah, we are learning some new stuff on the front lines of healthcare. And if you’re not in healthcare, you might think what I’m about to say is pretty lame. Pretty simple. But if you’re in healthcare, you know that what I’m about to talk about is fricking cutting edge man.
So here’s the deal. We’ve got DMEs right?
These are companies that provide durable medical equipment. These are people that drop off equipment to homes, houses, hospitals, nursing homes. Facilities like that. We’re talking beds, breathing devices, ah, masks just dropping off medical equipment. DMEs right. There’s some big players in the space.
And here’s what’s going on, right? So these DME companies 90 maybe even 99% of their revenue comes from the insurance companies, right? So they’re not…yes, the patient is getting the equipment delivered to them. Whether that’s at their house or in a hospital or in a nursing home.
However, the insurance company is paying for it. Um, big ones are COPD devices, right? If you’ve got, uh, you know, lung problems from smoking too many years, a lot of COPD devices are delivered in DME.
Now DMEs at this state in 2019 they’re barely touching e-commerce at all. Right, so if you’re a patient and you want to buy some stuff directly from the DME vendor, you just can’t do it. They want you to negotiate with the insurance company yada, yada, yada.
However, there’s a lot of stuff that insurance companies won’t pay for right that these DMEs will supply.
So I think what we’re going to see going forward is this push by DMEs to incorporate e-commerce into their marketing and business development strategies to allow consumers to purchase equipment directly from them and pay for it with their own credit card.
I know this sounds really simple compared to things like Amazon and buying a book, but in healthcare I mean, this is like cutting edge stuff, right? But this is why it’s so tough.
Because if you’re gonna do e-commerce, well then a critical component should be email marketing, right?
This is how people buy stuff. Uh, talking Black Friday, Cyber Monday. Hey over half that stuff is taking place over email.
And if you’re trying to target consumers based on past purchases, that immediately triggers HIPAA regulations because that involves protected health information. Just the mere fact emailing someone on their past purchase history of medical equipment.
So we’ve already done the research. We know that a majority of email marketing firms want nothing to do with HIPAA or any regulations like that. They don’t want you even storing stuff in their cloud.
And so I think, in the time ahead of us this secure patient outreach, this concept of allowing e-commerce to occur for healthcare entities, ah, and players in the market like these DMEs is gonna be a huge revenue booster. A
nd I think this is why, you know, on our end we see a definite opportunity here to enable them to do that via email. So email marketing in healthcare, especially for these DMEs to really kick off their e-commerce objective.
So that’s my prediction. That’s my 2020 prediction. Boom.
Olena: And where do you when do you forsee ah, your launch?
Hoala: We’re looking a launch. Our HIPAA compliant email solution by February 1st of 2020 were heads down on it right now.
We’ve got a stripped down V1 that we’re looking to launch. We’ve already signed up customers for it that can’t wait for us to finish so they can use it. Um, we think this is gonna be a hit.
We obviously are gonna have to iterate quickly after launch. But hey man, that’s what we do with every other product we’ve launched.
So looking forward to doing this, and I think, um, there’s just an ocean of untapped opportunity here, um, when we’re talking about email marketing as it relates to healthcare and especially when HIPAA gets triggered.
There’s just an ocean of opportunity. So were fired up on 2020 and the road ahead for sure.
Olena: Excellent. And I know a lot of people were excited for that.
Hoala: Yes. Oh yeah.
Olena: All right. Well, thanks for tuning in to the HIPAA Critical podcast to my name’s Olena Heu, and we’ve got Hoala Greevy joining us. And for more information on Paubox, you can log on to paubox.com. That’s P-A-U-B-O-X dot com. Thanks for tuning in.
Olena: See you next week.