This week on the HIPAA Critical Podcast, Hoala Greevy shares some breaking news regarding a 35-page report that reveals 150,000 Americans may have had their healthcare information compromised. Paubox makes the Inc. 500 list, and we chat with Juli Ann Quinn from RSABill, Inc. about the impact of COVID-19.
Rather read? Here's the full transcript of this episode.
Olena Heu: Hi guys and welcome to another edition of the HIPAA Critical Podcast. Coming up on the show, we have the Inc. 500 list and some great news to tell you about the third annual Paubox SECURE, a report that came out today called “No Need To Hack When It's Leaking”, and another encrypted interview this week with Juli Ann Quinn from RSABill, Inc. that you don't want to miss. So please welcome my co-host this week, Hoala Greevy!
Hoala Greevy: Mahalo, Olena. Great to be here.
Hoala: Yes, that's right, Olena.
So for the first time since launching Paubox in 2015, we submitted an application to the Inc. 5000 list. The list from inc.com is a ranking of the 5000 fastest-growing private companies in America.
Its rankings are based on percentage revenue growth over a three year period.
They do that, you know, we did have to send, like, tax returns, and I think we had to get our CPAs to sign off on it.
And long story short, I'm pleased to say that we ranked number 320, which puts us in the upper 6% of the list, which also puts us in the Inc. 500 list. So pretty excited about that! I think it's a good morale boost for the company.
And I'd just like to say Mahalo to our Chief Operating Officer, Rick Kuwahara, for getting the supporting documentation submitted on a tight deadline.
It kind of came out of left field and we got it all done in, I think, a week or something. That's fantastic. Such an honor.
And so they have a list of the 5000 fastest growing and then they also have a list of 500.
So we made the Inc. 500.
And for us, it reinforces some things we firmly believe in here in Paubox, and it's basically three things, right.
So, one, the total addressable market for what we're doing, HIPAA compliant email, is indeed humongous.
Number two, there will continue to be immense opportunities and work ahead for us.
And three, we're just not stopping. We're still very much just getting started.
Hoala: Oh, thanks.
Hoala: Yeah, that's right, Olena. It'll be from October 21 through October 22.
It's naturally going to be an online virtual conference, just like everyone is doing these days in COVID.
And we've got half a dozen top-notch speakers lined up. And we're getting more of them and filling out the schedule.
And we're pleased to announce that HITRUST will once again be a strategic sponsor of ours this year.
And for more information, you can just go to PauboxSECURE.com to get more information on this year's conference.
Hoala: Yes, it will be our first virtual one; the other two we held in San Francisco. And so we're just like everyone else, being forced to learn how to do something virtual and online.
So looking forward to it, I think we can put together some valuable content for our customers and attendees. So very much looking forward to October 21 and 22.
Hoala: People in security and healthcare or healthcare enthusiasts in general, I believe we do a survey at the end of our first two conferences, and if I'm not mistaken, 100% of respondents said they did find value from attending our conference, so I do highly encourage people to again.
So, I woke up this morning to a text from one of our advisers, Eric Nakagawa, also an early investor in Paubox. And he sent me a link to a Reddit thread posted this morning that outlined how a PDF entitled “No Need To Hack When It’s Leaking” came into being.
And in a nutshell, this Reddit thread and subsequent report focuses on leaks of protected health information via GitHub. And this researcher's journey into finding and eventually helping protect for 100 to 100,000 to 200,000 individuals who had records stored there.
And so, in a nutshell, what happened is, GitHub is a place where tons of companies store their source code. GitHub makes sure that the branches and versions get taken care of so that you don't have to do it internally.
You can just have GitHub host your code, you pay a small fee per year, and you can grant access to your code for your developers, or even make your code public to the internet.
So, this researcher, I hope I get the pronunciation right, Jelle Ursem, a security researcher in the Netherlands. What he did was, he did some, like, basic poking around, and he found two errors that 9 U.S. healthcare entities had made.
And so the first error is this practice of storing the login credentials that your code needs to access data, i.e. username and password, in the code, rather than separating them out of the code as a configuration option that the code reads from a separate file, basically.
So that's Mistake number one, the credentials are stored in the code.
Then mistake number two is in GitHub, you can have your code marked public or private, so private, you know, only you and your developers can see and check out the code. Public, anybody can download the code and use it or fork it for their own use.
And so these 9 healthcare entities, in addition to embedding hard-coded login credentials, also marked that code as public.
So in other words, username and passwords are there on GitHub for anyone to see, and apparently, he started finding these things within 10 minutes of searching.
Looping this back to HITRUST, which is why we're so tightly aligned with HITRUST, because we really like what they're doing. And it validates our approaches to security. So when we went through our recertification process this year, which in itself is a journey, one of the many hundreds of controls we had to prove was that we do not co-mingle user logins in our source code.
So, we had to test that we're not doing this and then document that we're not doing this. So this is part of our HITRUST. This is why it rang a bell to me when I read it this morning.
And then, in addition, this practice also breaks one of the rules behind the 12-factor app. Specifically rule number 3, separating config from code. And if you want to learn more about the 12-factor app, it's just 12Factor.net number 12 factor dot net.
Anyhow, long story short, it's a 35-page report. And it focuses on 9 U.S. healthcare entities whose sum total exposes at least 150,000 individuals' protected health information.
And that's probably only the tip of the iceberg. I'm pretty sure there's a whole lot more.
Hoala: Yeah, for sure. I'm sure this is gonna get picked up. I'm sure it's gonna hit. I mean, it's a Monday. I'm sure it's gonna get more news, for sure.
Hoala: It's a popular service that developers use and almost every startup that I know uses, including Facebook and the biggest companies you can think of, and they use it as a place to store their source code.
So if you've got a team of 5, 10, hundreds of developers, you know, it's a place where they can store the code, check out the code, merge the code. And it just makes shipping code, you know, you have a source of backup version control, things like that.
Most of the internet, well, at least these companies I know of are GitHub users. And then Microsoft bought them, I think, a year and a half ago, for a lot of change.
Hoala: Yeah, and what's freaky is, you know, you could have a business associate, like a vendor of yours, that, you know, has side projects of theirs, where they're trying to make some interpretations of your data, for example, and they could be the source of the leak.
So it's not just the healthcare organization itself. It's also the vendors that use it.
HITRUST is just a great thing to invest your company's resources in, because it proactively addresses things like this.
Juli Ann Quinn: Yes. So we're in Southern California and we've been hit pretty hard. We're actually, in our state, in our second wave. And, I believe, the third week of March, we were told to shut down. You know, it was a government everybody-stay-in-place mandate.
So we had to quickly adapt to working from home.
I have a huge office and we set it up. And it's new. We hadn't even been here a year and set it up so that we had this wonderful collaboration and synergy in what I call the war room, which is where all 25 employees were in teams and pods, but not cubicles.
We have this very open concept of, like I said, collaborating with one another because everything's changing annually, so carrier-specific that they have their own little rules.
And it's like, oh, well, now this insurance has started doing something different. So we're able to share that with all of the team which then helps all of our clients to immediately start making that change.
Where if you are doing your own, say in-house billing, it might take you four months, six months to figure out why are they now doing something different? I don't get it and I'm on the phone and I'm appealing and I can't get a straight answer.
We are getting that much sooner because of our many clients and team collaborating on what happened this week. We work on a Monday through Thursday schedule of what the team's tasks are, and then on Friday we meet and say: What happened this week? What are you seeing? What are any trends or changes that we want to be a step ahead of and share with our other teammates and report back to our clients?
So coronavirus, all of a sudden, has us all working at home. So we had to suddenly change our template and our workflow of being disconnected, but knowing how important it is to have that collaboration and communication, how are we going to address that?
So I think we were very successful considering it was a fire drill in the initial phases, but now we have developed those protocols to be able to work from home and not lose our communication with one another.
Juli Ann: Yes, well, and we did start transitioning back a couple of weeks ago with all the new protocols as recommended by CDC and also to accommodate, you know, employees’ comfort levels.
So it's, it's changing constantly. I don't know if we're going to get another stay-in-place. Our governor keeps hinting that if things don't improve, we might be back there. So we're in a situation that we feel comfortable working in the office or not working in the office. So we've got both systems going side by side right now.
Juli Ann: Um, I would say that it's definitely our personal “white glove” treatment. We act as though we are the doctor's billing department.
Yes, we have a template for success. However, each office is unique and we want them to feel comfortable that we're interacting with their patients in the same tone as they would if they had one of their employees talking to the patient. We want to respect their way of dealing with their customer.
We represent them so it's a balance of us doing a great job. We know how to do the billing side, but we want to also be part of their team.
So that's what makes us very different from other billing services.
And just our results speak for themselves on our performance. There are benchmarks for evaluating your billing and collections. And I incorporate, every month in our month-end reports to our clients, what our grade is. How are we doing? How is your database performing?
And we are accountable to that. And I'm very transparent to show them, and proud to show them, that we're right in the A grade where we're supposed to be.
Juli Ann: We've seen so much change just in the last 10 years, it's going to keep evolving very quickly. Telemedicine was a byproduct of COVID-19.
And I say that because we had telemedicine before, but it actually was very restricted, very limited as to which providers and which patients being served were eligible for those services, and where I am in Orange County really did not apply to any of our practices. It was designed for, you know, rural, underserved areas, that type of thing.
So, because of this emergency, HHS declared, we want to keep medicine available, and keep patients and doctors safe. So, we're going to open up all services all providers can access telemedicine during this emergency.
And the doctors love it, the patients love it. It works. It makes sense. I think the insurance companies will love it.
When this emergency is over, it's going to, in my opinion, be now a normal tool available. And so that's going to be the first thing we see.
And then there's going to be more technology, you know, tech, new technology is every three months, six months, and medicine, and I'm not sure why, has always been a little bit behind all the other industries when it came to technology advances in the delivery of medicine now, not in the research side.
But in the provider delivering medicine to the patient, we've always been the old school, come sit down, you know, let's have a consultation, let me examine you. Those are so important, but I think technology is going to help us to take medicine to the next level.
Hoala: Thanks, Olena. Aloha.