9. Kelvin Coleman "Identify, protect, detect, respond, recover." 

On this episode we talk about coronavirus and the cancellation of HIMSS 2020, recap the HIPAA March 2020 Breach Report, the Walgreens data breach and more. We also chat about the impact of the human element of cybersecurity with Kelvin Coleman, Executive Director of the National Cyber Security Alliance. 

Rather read?

Rick Kuwahara: Hey, Olena, great to be here again.

Rick: Yeah, one of the fallouts from the coronavirus has been a cancellation of a lot of big conferences this year and it's happening all over the US, and it's not something that in the big picture is that big a deal, but it does affect a lot of people.

So HIMSS 2020...so HIMSS conference is one of the largest, is probably the biggest healthcare conference of the year, was cancelled at the last minute on Thursday and was supposed to start on March 9th.

So a lot of sponsors were pulling out ahead of time and they felt, with their medical advisors that they put together, that it was in the best interest for public safety, just to not have the conference because thousands of people do actually attend that conference. They fly into Orlando and it's a real big deal.

We always have our presence there as well. So it's a last minute curveball. And as of now, there's no refunds for anything. So it was a sunk cost for a lot of people, even for us, just for flights, hotels, the tickets, some minor costs.

I know it's bigger, for people who have sponsored and it doesn't look like they're trying to reschedule it either. So it's a side effect of the corona virus.

And again, not that big a deal in the big picture of things, but this does... It will actually have eventual economic impact. That's what a lot of people are saying, a lot of these large conferences, tourism, a lot of the travel industries really becoming affected, and that affects the local economies wherever these conferences are gonna be held.

So, it's something to keep an eye on, for sure.

Rick: Yeah, it's something... I know at Paubox we're being very careful now as far as making sure that we're watching our expenses if there is a downturn in the economy. Just gotta be prepared for worst case scenario, prepare for the worst and hope for the best.

Rick: Yeah, and I think, we'll cover that a little bit in the predictions. But even like Alaska Airlines, I just got an email not too long ago. They're trying to reassure people that it's okay to travel to certain places and I don't know how genuine that is. [chuckle]

They're trying to minimize the effect on their business, but yeah, well, I mean, it's something to keep an eye on. And I think by the summer, which we'll cover in predictions, but hopefully that we'll get past a lot of this phase of rapid spread.

Rick: Definitely, we'll talk about that in the predictions, yeah.

Rick: Yeah, so we always look back at the previous month.

So in this report we're looking at what happened in February and laptop breaches ranked first again this year with over 650,000 people affected and email breaches were second with almost 500,000 people breached and network servers came in third. So, typically, that's like a hack on a server that got 64,000, so a huge drop-off and we know email is always the number one threat factor with a number of attacks.

It's just the size of the attacks. Laptop breaches were big for this month and in all, just everything combined, it was a crazy month with over 1.2 million people having their PHI compromised.

Really, it tripled the January number. So even though laptop breaches had the most people affected, email had 17 reported breaches versus just two for laptops. But the laptop breaches were huge, the biggest one was caused by the Health Share of Oregon where they had a breach where a laptop was stolen and that was really the bulk of the 650,000 people who were affected.

Rick: Yeah, they call them a mobile... I mean, laptops, handhelds are combined together as mobile devices. But in this case, it was a laptop that was stolen.

Rick: I think for sure we all just gotta... It shows people have to make sure that their laptops and equipment are encrypted and secure.

So even if it is stolen, people can't get into it. And have some way to remotely wipe the laptop if it is lost or stolen as well, 'cause that adds just another layer of security.

So this could have been prevented if those two safeguards were in place, that even if a laptop was stolen, one, hacker would have a difficult time getting in because the hard drive would be encrypted. And two, as soon as they found out, they could have remotely wiped it, prevented anything from happening.

Rick: No. Well, the encryption part is for some computers. A lot of them have a way to encrypt the hard drive just natively, but you need to have some sort of third party to wipe it. Like for Paubox, we use Jamf which allows us to again, if a device is stolen or lost, that we can wipe the hard drive of the computer.

Rick: Yeah, another pretty big deal. This report came out from Verizon. It was of Verizon's 2020 Mobile Security Index, and pretty alarming, has showed that two-fifths of healthcare organizations faced a mobile device compromise last year.

So again, mobile devices could be cell phones, iPads, or even laptops, just anything that can be... That's considered mobile. And actually 38% of healthcare respondents said that they face compromise, which was a significant increase from the previous year, which was 25%.

And the issue with this is that a lot of healthcare organizations just are basically ignoring mobile security for the sake of efficiency, increasing the risk that something could happen, like stolen laptop, for example.

If you have a big organization, it's hard to kind of know where are... How many devices are out there, who has them, are they encrypted? It takes a lot of oversight.

And rather than have that complication, a lot of people just ignore it.

And the study showed that about 37% of healthcare organizations are actually not fully prepared when it comes to mobile security.

Beyond the hard drives it's things like making sure that people don't go on insecure WiFi hotspots where there's a lot of WiFi snooping and things that can happen that way and even monitoring the type of apps that are being used.

So if you have a phone and you download a chat app or something, is it being used for work where there's PHI that's being involved? A lot of organizations just aren't keeping track.

Rick: Yeah, don't do anything that would require... That may have sensitive data. It's better not to go on, because if you have a laptop, for example, that has sensitive information on it, and you're on an unsecure WiFi network, it's pretty... You'd be surprised how easy it is for a hacker to just get on.

And they don't necessarily have to be the most technical people either, there are kits and things that make it unfortunately pretty easy to do. So definitely, if you're not on a secure WiFi network, don't use it for anything, especially if you have a device that has sensitive information on it. You don't want to do anything that could compromise that.

Rick: Well, definitely for these healthcare organizations or the larger ones, it's definitely the employees, especially the more remote ones.

When there is a mobile device that is being used, like a laptop, again, it could be considered a mobile device, was being used for work and there's PHI on it and it's being used remotely, that extends what's called the endpoints of the security of the network. And it definitely makes it more vulnerable.

So employees, especially remote employees are definitely the largest vulnerability in healthcare, as that human factor.

And the way to do it, to kind of address that, is just training, training and more training [chuckle], along with getting the right systems and programs in place like we had talked about before being able to remotely wipe hard drives; it's a combination of both.

You can't rely 100% on the technical part; you definitely still need to be training employees and keeping them up to date.

Rick: Okay. Providence St. Joseph Health is definitely a winner.

There's a great article recently about how they are trying to use analytics and automation to really get the right conversations starting for patients to get the best outcomes.

And how Providence St. Joseph Health is doing that is by having conversations started with people about their end-of-life choices, which is really a tough place to... It's kind of a tough conversation to have. But starting discussion early really does mean that it can set up people to have the best care possible when they do reach their end-of-life stage.

So how they're doing this with analytics and data is they can actually look at their medical system, identify people who are kind of approaching this time of life where they should be preparing.

So for example, people who are over 65; they don't have any advanced directives on file. They can pull that segment out and then send them personalized videos and email to educate them on the importance of setting up directives, and help start that conversation of planning their end-of-life care.

Dr. Matthew Gonzalez, the Chief Medical Officer at Providence St. Joseph Health, he says that these practices are working. The rates of email opened and the videos watched suggest that this new method of engagement using patient data is catching on where you see an increase of people who watch their videos, an increase of people who start advanced care directives.

It's really important to show how much room there is for healthcare organizations fo focus on people-centered care by using their patient data.

And this type of personalization and care, it doesn't necessarily have to be through something complex, like videos.

We've launched Project Orca, which allows people to send PHI and use their data to send out these type of marketing emails that engage their patients. And in the end, that really helps the patients get involved in their care, and it can help the health outcomes for everyone.

Rick: Right, yeah. And that's just one use case, so lots of ways that you can do that, so it's great to see how they're using it. They're using their patient data, and it's a good example of what other people can do.

Rick: Well, unfortunately, there's always a lot of these to choose from, but we pulled out a couple of examples that I think might be relevant for people.

I mean, a big one was Walgreens. It seems like they're always having problems.

So they recently reported a data breach from their personal mobile messaging app that there was an error that allowed personal messages to be viewed by other customers, so if you can imagine your personal messages on the Walgreens app that could be about your care, your prescriptions, and that was able to be viewed by other customers.

So they exposed data... I think this happened earlier in January, and the exposed data included customer names, prescription numbers, drug names. They don't really know right now how many people were impacted by the security incident, which in and of itself is not very good.

Hopefully they would have a number by now. But to give you an idea, that Walgreens app is downloaded over 10 million times on the Google Play Store alone.

Rick: Yeah, and it walks a fine line between what's covered by HIPAA and what's not, because the app itself might actually not fall under HIPAA because it's a consumer app, it's not... Walgreens is not necessarily providing care, so there's this gray area now that's coming up between privacy.

What is HIPAA-covered data? When does it change? Because the data itself might be the same, right?

It's still your prescription information, but just because it's on Walgreens app makes it not PHI, versus if it was your hospital giving it to you, then it is PHI. So there's a lot of room for improvement in clarifying who is responsible for this and this privacy.

Rick: Well, another one is... We hear about ransomware all the time. This time the Maze Ransomware was used to hack and affect an accounting firm.

So the accounting firm BST, they were affected by a malware that actually compromised patient data from a physicians group, one of their clients.

So the accounting firm was the one who fell victim to a ransomware attack, yet because they did have personal health information that they did access with this healthcare client, it actually did affect a lot of people's... A lot of people's personal health information became compromised as well as their financial data.

Like names, date of births, medical record numbers, a lot of that was affected. And it kinda shows how wide the breadth of the HIPAA industry is.

This is an accounting firm who's handling PHI on behalf of their client. So, this just goes to show how wide and the breadth of the HIPAA industry is, and the amount of people who are touching PHI is more than just the healthcare organizations.

It's everyone... Well, not everyone, but it's a lot of people. And if you are handling patient data, it goes to show just how you have to care for it and really make sure that it's secure and take the steps necessary to protect that data.

Kelvin: Rick, I think for two primary reasons. One is I've always thought the human piece isn't as exciting or sexy as other parts of the technology ecosystem. 

And what I mean by that is, I generally break the technology ecosystem down to three parts, products, processes and people. 

We're very excited about new products that come out and shiny toys that we can implement and we have to develop these great products to help us out and processes of course. 

You and I both know of some people who get very excited when it comes to processes, when talking about recovery of data or processes to help mitigating these challenges. 

Those things are very exciting, but the people part of it maybe not as exciting and so you don't have as many resources going towards people.

And we do know upwards of 80-85% of breaches come through some human error, some human action that resulted in a breach. Yet, according to studies, probably around 15% or so of training and awareness budgets go towards the human being, the actual person. 

That seems to be out of proportion there. And I think as we've talked about before, more needs to go into human training, just actually training your employees.

Now that's one reason. The other reason why it's been so difficult to tighten up the human threat factor is because as human beings, we're somewhat unpredictable. 

The products, the processes, we kinda know where they're going go and how they're going do things, but human beings are very curious. 

Sometimes we want to see what's on the other side of that link. 

Not out of a malicious intent or anything of that nature, just curious. 

And so, until we're able to also dial that back a bit and tell people, “Well, back in the day being curious would probably get you something interesting to see, but being curious today can cripple your organization.” 

And so I think those two factors are the biggest challenge, in terms of just working and training around people, even though it may not be as exciting as the products and processes. And again, we're just curious as a species. We want to know what's on the other side of that link.

Kelvin: Two areas. One is just understanding the urgency of them, of the small business, addressing this issue. 

And what I mean by that is sometimes they don't even realize that it's just as important for them to protect, secure their system and network, than it is for the Fortune 500. 

And many times, and you've heard this Rick, where they'll say, "Well my business isn't that big and we're not that important. I don't think a bad actor would come after us." 

Well, you hold PII, personally identifiable information, on your customers and you hold financial records, you hold other vital information that bad actors can use. You are just as valuable of a target. 

In fact, maybe more target rich for bad actors because you don't have the robust system up that you need. And so one area is just helping small businesses to see that urgency.

The other thing that we have to help small businesses with the most is identifying the right resources to help them deal with the challenges. 

What will work for a Fortune 500 may not necessarily work for a small and medium sized business and we need to help them to identify the proper resources to again, help mitigate that challenge. 

Now some of the resources, not all, but there are some very low-hanging fruit resources that they can take advantage of and we make sure they understand that too. 

That this does not have to break the bank, but there is some wisdom to “an ounce of prevention is worth a pound of cure” type of thing. 

And so we try to encourage these businesses to look at the NIST framework. 

Why? Identify, protect, detect, respond, recover. 

Just start there, those five very simple steps. You don't have to be overly technical to look at your system and say, "What assets do I have, what information do I have in my network for my customers?" And then you can go from there in terms of how to protect that.

So urgency is one thing. Helping them to see the urgency of protecting their information and by the way, they're not... I'm not saying they're callous or they're not serious about it at all. 

I think sometimes they just think they're not important enough for the bad actors to come after and we help them to understand that they are a target, so that urgency is certainly one part we help them with. 

And identifying the resources is the other part we help them with. So those are the two biggest problems that we deal with as it relates to small businesses.

Kelvin: That's exactly right. And we know the majority of businesses are small and medium sized businesses. And so why wouldn't a bad actor go after these folks? 

Kelvin: You know Rick, not as difficult as one would think. 

And I say that because we have to give privacy and security consideration on the front-end of innovation. 

It's much easier to build in security and privacy in the beginning than to try to “unbake the cake” in the end. 

And so when people talk about the difficulty of privacy as it relates to innovation and slows down innovation - I don't think so.

I take the opposite view in fact. I think it can actually help to speed up innovation responsibly, because you know you have security and privacy baked in and then you don't necessarily have to, again, go back and try to undo those things. 

Because it's just so much simpler to be able to say in the beginning, "Hey, this piece is already there," as opposed to when you get down the road a bit and someone points it out, now you're trying to make it fit into your scheme or into that particular enterprise and it just won't work as well. 

And so for me, it's a balance between innovation privacy. If done in the beginning, not as difficult as you would think, and again, much easier to do it at the onset than it is down the road.

Kelvin: Great question. 

It has become so much more important these days, so much more visible these days to people, particularly as it relates to policy leaders, politicians, leaders overall. 

I think this issue has become one where years ago, it was one of a set of challenges, right? You had the cybersecurity challenge, and the physical challenge.

Now people have to appropriately integrate it into all of the things that they deal with. 

Because when you talk about physical security, there's a cybersecurity aspect to it. 

When you're talking about emergency prep, there is a cybersecurity aspect to it. 

And so instead of it being one of several separate things, it's been, again, appropriately baked into everything. And so that's really changed. 

I think the importance of identifying people who can actually do the job has changed as well. 

I know when I was in government at the White House as well as the Department of Homeland Security, the intel community got special... and I know the Department of Homeland Security in particular, got special consideration in terms of hiring. 

Instead of going through the normal bureaucracy, they were able to offer better incentives in terms of pay to cybersecurity experts.

Because, of course, you're competing with the private sector and you want to get great folks in government as well. 

And so, for Congress to say, "Yeah, you need that hiring authority to do that," I think that speaks volumes to the fact that people understand this is a national security issue and we can't tackle it in a way that we've done other things in the past. 

And so what I've seen change in the last several years, is cybersecurity has become so much more visible, so much more important to people outside of the technology area.

Where's it gonna go? 

I think it's just going to do more of the same. It's going to become even more important as, again, we start to connect more things to the network. 

Now, obviously we're talking about autonomous cars, smart homes, smart cities, we're talking about things that years ago we only thought of being as sort of a dream. 

Now they're not just a possibility, they're probabilities that will happen. 

And so we're going to need those experts to help protect those systems, protect those networks. 

So what we've seen in the last several years in terms of more visibility, more importance, we're definitely going to see that in the next several years, it's going to become even more visible and much more important.

Rick: No problem, it was really fun talking with Kelvin. He's super passionate about what he's doing, so that was a fun one. And people will be able to find that full interview on our blog.

Rick: Yeah, as we mentioned and your friend mentioned, there is precedent that when there is warmer weather that viruses do worse, they have a hard time spreading.

So prediction is that the coronavirus will die down as the weather warms up and we start getting into May and June. So we'll see right now that even where the virus is spreading it's in a lot of these colder climates and areas.

But infectious disease experts say that the factors that cause other viruses to retreat during the summer months, and there's a reason why flu season is during the winter, it could also have the same effect with the coronavirus.

So common cold is the most prevalent in the winter and spring and the flu also fall in winter. So there is hopefully some end in sight, just naturally when the weather warms up that we'll see the spread of the coronavirus start to end.