Episode 70 of HIPAA Critical features an interview with Beth Krudop, Vice President of Administration at Aging and In-Home Services of Northeast Indiana.
Hannah Trum: I'm Hannah Trum, and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders. Beth Krudop, vice president of administration at Aging and In-Home Services of Northeast Indiana, is my guest on today’s episode. Beth has over 30 years of experience at her organization and has guided it through her fair share of technology changes. In fact, when she first started with Aging and In-Home Services, everything they did was paper-based. So, you could say over the last 30 years, Beth has constantly upped her knowledge through self-education, collaboration with her IT Services company, and with the customer success team on the solutions her organization utilizes. Today, I pick Beth’s brain on a number of areas. From HIPAA compliance to vetting technologies, how to educate employees in a way that isn’t overwhelming are all on the table. Hi, Beth, thank you so much for joining me on HIPAA Critical today. How are you doing?
Beth Krudop: I'm doing well, thank you for inviting me.
Hannah: Oh, of course, we are so happy to have you. And I'm very happy to talk about your career because you have been with the same organization for 30 years, which is a huge accomplishment. But that also means that you have probably seen a lot of change. And I'm sure it's very interesting to navigate the change in technology, especially because we work in an industry that is so slow to change. How do you prepare yourself in your role as the head of technology and compliance for these kinds of changes?
Beth: Yeah, so I’ve definitely seen a lot of changes. When I started over 30 years ago, we did not have computers, everything was handwritten. So that was a change in itself.
Hannah: I remember when you told me that, and it just completely blew my mind.
Beth: So I don't have a professional background in IT and sort of fell into that role, as I said. I think one of the big things that really helps me is surrounding myself with other folks that do have that background and leaning on other folks that I've run into, the rest of the team, and their expertise.
HIPAA was not a thing when I started. So we had to implement that and merge it in with what we were doing and really to try and see, how did we fit into the HIPAA compliance and what was required?
Hannah: How do you feel about technology and compliance? Do they have similar approaches to cybersecurity from what you've seen?
Beth: I think some of it's similar, but I also think it adds to some confusion when you're thinking about compliance.
We have all these great computers and this wonderful network. We've got all the technology in place, so we must be secure and in compliance. There's so much more to it. And that's not my background.
We definitely make sure we work with folks whose background [it is] so they can keep the computer part of it secure. It's very far-reaching, and there's a lot involved. Keep yourself familiar with all of the parts, find those professionals that [have] it in their background, and can come to the table and bring that [expertise].
Hannah: What advice would you give to someone like yourself, who doesn't have a formal background in technology or compliance, but finds themselves as that subject matter expert within their company?
Beth: I've found that trying to make myself as familiar as I can with [something] and making sure I understand [it]. There's so much and so much is changing. So I don't want to say “keep on top of everything,” that's a daunting task. But being familiar.
I was thinking about [technology] inventory, [having] all of your hardware [in an] inventory, but then hav[ing] all of your software. There are so many databases and so many things online, but just stay familiar and aware.
Hannah: So are there other kinds of resources you use to educate yourself?
Beth: Engag[ing] with other professionals.
As part of being a Paubox customer, every couple of months I have a phone call with our customer success manager, Aja. That's always really helpful to talk about what's going on out there. There's so much happening. Getting another professional perspective on things is helpful.
Hannah: Not that I have a biased opinion or anything, but the customer success managers at Paubox do a really good job of educating themselves, staying up to date in this space, and educating their customers on things that you don’t have time to read about.
Beth: Absolutely. I think that's very evident in our conversations.
Hannah: Yes, and make sure to patch your vulnerabilities and your software.
Hannah: When you vetted Paubox [or any software] at your company, what criteria or parameters did you and your team look for in an inbound email encryption partner?
Beth: Yeah, that's a great question. When Paubox was presented to me, it was, “there's this email encryption with no interaction from the user except to send their email like [normal].” Oh yeah? This sounds too good to be true.
Hannah: Right? It's such a simple concept. That's what I told Hoala when I first started at Paubox. [I can see how] this seems fake because it's so easy.
Beth: Right. So, I definitely dug in and did my research. I engaged our IT folks and some other professionals that I work with regarding compliance, and asked their opinions. It really helps to know we have that partner on the IT side of it because I wouldn't have known what to ask.
So do your due diligence there, make sure [to talk] to folks, and reach out and get their questions answered.
Look at all of the threats and everything that's happening. So much falls back now on that individual user. Anything we can take off [the users'] plate to help them out, yet [keep them] secure, is huge for us.
Hannah: I agree. Very often HIPAA breaches and data breaches come down to one specific person clicking a rogue link that they don't mean to. As you know, that can come with a disaster. How do you approach security and technology training? I know that you work in tandem with another company to do your IT work. So how do you approach that with them and with your employees?
Beth: This is an area where there are so many resources out there. I'm a big fan of not recreating something. Don't recreate the wheel.
I was thinking about some of the different resources. We definitely have come across some podcasts. I love your podcast, there's always something to learn. Even if you think “oh, I know about the subject,” you can always learn something by listening to other folks. There's another podcast that I came across about HIPAA that helped me with HIPAA.
Hannah: Something that you and I talked about in our pre-conversation was taking the burden off of end-users and not over-educating them. So I like to hear that you have found some podcasts that help you. Because for me, educating anyone in your life, whether it is your employees or your mom, is really about meeting them where they are and giving them the information that way.
Beth: And it really goes beyond that. Because each person [needs to] think about themselves and the security of their own personal items. And then that can spill over back and forth between work and your personal life.
The National Cyber Security Alliance has some really great resources. There's a big push right now and a presence within the federal government, [too]. Things like the 405(d) tasks.
That's part of HHS. They've developed health industry cybersecurity practices. So there are those kinds of documents. Then CISA has a lot, too. They are really reaching out and providing resources, especially to folks in healthcare agencies in healthcare.
Another aspect of it for us is the individuals we serve, the seniors that we're working with, and other individuals. The National Council on Aging posted a really great story recently, about an individual senior who had lost thousands of dollars through a technology support scam. And then gave their resources on how folks can report that.
The FTC is really coming on the scene for reporting. They say to report [scams like that] to the local FBI. Folks, they're like, “The FBI, oh, my goodness!”
Hannah: It freaks them out, but we don't have another task force to deal with it.
Beth: Right. But it's serious.
Making people aware they need to report it, and they need to talk about it. There's that embarrassment level, but getting past that, we are working with [them], so they know how to stay safe and secure. There's so much out there and education is a big part of it.
Hannah: The shame and embarrassment of a data breach or doing something wrong, falling for something like that is where cybercriminals thrive. In the dark, gross places of the internet is where they thrive. So if you talk about it, and you bring the light to it, there will be less there for people to exploit. I'd like to talk a little bit about how the pandemic and everything that is going on globally has affected your cybersecurity and how you and your company approach it.
Beth: In the spring of 2020, when everyone was scrambling to work remotely, and come up with a different business plan, we already had a lot of things in place as far as our overall security. So it was nice to build off of that and not have to scramble, putting some of that in place.
Now as we move forward, a couple of years later, folks are still working remotely and I don't see that changing greatly. Because look at the benefits and being able to continue anything you can do, proactively, to build up your security and get those things in place. Look at what's going to be most beneficial, and what you need to have in place, so you can move forward with that.
Hannah: How do you think organizations get to a point where users are proactive and accurately educated but not overly-educated?
Beth: Sure. And that's something that can be a challenge. Using those resources that keep things more in a language that is meaningful to someone in the work that they do.
We talked a little bit about that shame of reporting. And so getting to that point where I need you to report this because we have to keep track of it, we're required to have this information, and then we need to decide if we need to act further on it. Most of the time, we only need to report it and document it. Getting folks to where they're comfortable with [reporting], as part of their routine, is important.
One of my goals [is to educate] on a more continual basis, as opposed to this huge thing we need to do every year. Which is bad enough, but a lot of folks look at it that way. So finding that in-between, and then to find small pieces of information. Instead of overwhelming [them].
If you send a big huge email out, it's not going to be read. Is anyone going to read it? So finding either some humor that catches their attention, or keeping it short and simple, just this one little item. Which is hard to do, because there's so much to it, and, but it can be overwhelming. And so just trying to make that balance between getting the information out there. Then really making it part of your work culture, and not a separate thing.
Hannah: There's a definite connection between practicing that cybersecurity muscle at work and then at home. It's like anything else that you do. If you want to create this habit in your home life and protect yourself, you also need to do it through work. I like to hear that you are sending your employees smaller references, smaller educational pieces, to hit them more often than with one giant thing. To switch gears just a bit, you mentioned earlier that one of the many hats you wear is you are the HIPAA subject matter expert, and you have done a lot of education for yourself on HIPAA. I think HIPAA is wild. It is wild to navigate. It's wild to know everything that is happening. And it definitely needs a digitized update. What do you think are the keys to HIPAA compliance?
Beth: It's a great question. And as you said, HIPAA is wild and it's wide. There's so much to it. Bringing that focus back to how are we protecting this information that we've been given as a part of the services we're providing, we've been charged with protecting that.
So whether it's because of a law or whatever, you can get mired down in the details of all of that, and you need to comply with the laws, yet find a way to focus on protecting that information. That's where I really then have to lean strongly on other resources, because I can't know all of that. I can't have all of that expertise. But knowing that we can bring different people to the table when needed.
We have an attorney we can lean on. We have the compliance experts that I've mentioned, our IT experts, and we have a network in Indiana of our area agencies and our colleagues.
We lean on each other a lot and say, “What do you know about this?” Or “what do you think about this?” Drawing those folks in.
Hannah: I like to hear that you have a connection and that it's not all on your shoulders. There are people there for you to reach out to and that you're comfortable reaching out to. I really like that because that makes you more organized and more secure. And then it also makes your company more secure as well. We mentioned a little bit earlier about this pandemic that we're living in. We are going on year three of this global pandemic. But the landscape, both offline and online, is totally different than it was two and a half years ago, three years ago. What has changed about your organization, and how have y'all approached working during the last three years?
Beth: It was such a hectic time at the beginning of it. And we thought, “oh, this is just temporary. Just get this going. We'll be home for 90 days. Regroup later.” And as you said, we’re going into year three, that's a little more permanent.
Hannah: This is the new normal now.
Beth: Right. Why can't we do this remotely? Or why can't we hold this meeting in a virtual way? Save travel time, that kind of thing? This goes for our employees. Then also the individuals that we serve. How do we engage folks or the people we're working with?
We use some virtual meeting spaces to connect with our employees. And so they can see their supervisor and have that interaction because they aren't in the office like they used to be. Trying to create that engagement, keep the communications flowing in a little different way.
Then looking at that, too. The individuals we serve are a lot of older folks or folks that just don't get out of their homes as much. They were isolated already, before 2020 and then it magnified that isolation.
You have the challenge of the technology on top of that. So trying to find those resources and those ways to engage folks. Whether it be with us, or with their families or their friends or supports, we've just found that to be something very important.
Hannah: Yes, I agree. I noticed on your organization's website that y'all are very, who you serve oriented. Then also the people you serve. So like you said, the caregivers, the family members, those things, so you'll do work to educate them on best practices or keep them up to date with cybersecurity as well.
Beth: I guess as much as we can. There's a lot of information out there to engage with. We have developed different programs and different types of outreach so that we can engage with people that we're serving, and keep offering them resources. A lot of resources help them walk through that. This can be a challenge.
Hannah: I imagine that does sound really rewarding. It really sounds like you, your organization, and your team are trying really hard to make sure that the people you serve with their lives are much easier and healthy and happiest they can be. To learn how Paubox products, like ExecProtect, can keep your company ahead of bad actors, please visit paubox.com/blog. Details are linked in the transcript. You can listen to every episode of HIPAA Critical on paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, Amazon Music, or wherever you listen. Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.