Have you ever wondered how you may be leaving yourself open to a data breach? Well, in this episode, that is what we will be covering. We're going to give you an overview of the biggest threats in healthcare right now and provide examples of how you may be vulnerable to a threat actor. Aaron Collins, System Administrator for the Developmental Center of the Ozarks, will discuss these topics in greater detail.
Aaron: Well, thanks a lot for having me.

Sierra: Let's get started. So Aaron, can you provide some background on the Developmental Center of the Ozarks? Essentially, who you guys are, where you're located, and who you all serve?
Aaron: We are a nonprofit in southwest Missouri. We serve infants, children, and adults with developmental disabilities, physical disabilities, or developmental delays.
We do this by providing therapies, education, and habilitative programs. We try to promote personal growth by teaching skills to integrate into the community and fully lead productive lives.

Sierra: Okay, great. Thanks so much for the background there. I know that you are well versed in building HIPAA-compliant environments and handling everything technology-related; what is the biggest challenge or mission you have currently?
Aaron: Currently, the biggest challenge and mission is how the technology landscape is evolving. It's evolving at a fast pace. You're constantly reading through news and articles and looking at the latest, greatest stuff that's available.
You've always got your staff asking you questions. "Can we use those? Can we use that?" Putting all of that together and trying to make something that is friendly and simple for the user. Can they get their job done efficiently? I think that's been the most significant thing right now.

Sierra: Okay, great. And how has your company evolved from when you first started? How long have you been with the company?
Aaron: Well, I've been here for seven years. When I started, we were doing a lot of our work on paper. There was such a burden of paperwork, and moving that over into a digital environment built a considerable change.
Now that we've got things moved over into a digital environment, we see many of these efficiencies starting to happen and have people getting their job done in a much more effective way without having to do all the paperwork. That's been a significant change.

Sierra: You mentioned that you're trying to stay abreast of all the emerging technologies. I feel you there; in marketing, it's the same thing. Every week, I research the new platforms, the latest software, whether it's intent data, marketing automation, gifting platforms, etc. I am definitely with you there. We all need to stay abreast of the latest technologies and innovations.
Aaron: Right. I see a lot of information come across, whether in Becker's Hospital Review or through podcasts. That's helpful for following those leads every single day.

Sierra: Yeah, it makes sense. And Aaron, on to the next question: how has COVID changed your approach to IT security?
Aaron: Oh, well, it's drastically changed it.
If you look at the trends as far as breaches or the types of hacks that have been happening over this last year, it's really boiling down to training your staff.
Lots of staff training on password security and clicking links, because so many of these attacks are mainly caused by email phishing.
Especially when you're reading about the people that have gone through a HIPAA crisis, it's almost always caused by some type of email phishing attack.
So coming up with the right solutions to help block some of that and train staff on what to look for when it comes to their inbox. That's been a big, big thing for this year.

Sierra: That's huge. Before I was in the healthcare space, I wasn't super aware of phishing scams, people impersonating the CEO at companies. The education on these phishing emails, how they're coming in and what they look like, is huge.
Aaron: It's huge. Sometimes you need to ask yourself, "Why is the CEO contacting me in the first place? They are the CEO. This doesn't relate to my job function at all." Some common sense things can help you out there.

Sierra: That's true. "Why are they sending to my Gmail when they always talk to me on Slack or my Paubox.com email address?" Aaron, how has COVID changed your IT stack? You talked about this a little, but can you elaborate on this?
Aaron: Pre-COVID, we had many things in place that were there if we ever had an emergency scenario, like if a tornado hit, or there was an earthquake. How would we be able to have people working remotely and being able to get their job done? So, it wasn't changing the IT stack. It was more of expanding what we already had available to us.
Of course, it has come with its own set of issues regarding training and getting people up to par on using this type of technology. Now that we have done that, we went through a point where we were looking to make a pivot.
We realized in the middle of doing that that some of our off-site locations are no longer necessary. That's another way of expanding how we use our current IT stack.

Sierra: Okay, great. What are the most significant threats that you're seeing from your customers and clients right now?
Aaron: I don't know any other way to say it other than themselves. Your human nature.

Sierra: Human error.
Aaron: Yeah, human error. We talked a second about email phishing attacks; I could throw that into human error. I can't blame it all on people.
But when it comes down to making your password, something simple as that, many people will refer to a date or some type of information that they have already publicly put out on social media.
I would suggest people use a phrase. For instance, not necessarily your favorite actor's name or something. I would throw a phrase out there because they're very long and challenging to crack. It's not something I could search on Facebook and find out about you and use as your password.

Sierra: Right, that makes sense. The more we can take user errors out of the equation and make things more automated and streamlined, the better.
Aaron: That comes by creating something simple. If your users have to go through a 28-step process to do their job, that's not simple, right? There's a lot of room for user error there. Creating something straightforward and easy to use is always going to be the best solution.

Sierra: Great, great point. Are there any upcoming trends that we should be aware of?
Aaron: As far as trends go, some would go back into email security.
Also, I would be looking at supply chain exploitations rising. We recently had one of those in the news last week. That's something that people need to be aware of. Start taking note, looking at their system; in your IT stack, you may have many software components. Those software components need to be updated regularly.
Well, if you have a lot of software components, you have a lot of updates coming in. So there's a bigger area for your supply chain attack to occur. If you can eliminate some of that stuff, reduce your size, have a smaller footprint, it's a lot easier to manage that way.

Sierra: Great point. Where do you see the security compliance or healthcare industry going in the next ten years?
Aaron: I'm thinking it's going to be stricter. When we look at the types of things that have happened over the last three to five years, I see room for improvement when it comes to writing the rules and regulations. Unfortunately, that means they're going to get stricter. I don't see anything like depreciating and disappearing. I see more stuff being added.

Sierra: You touched on this a little bit, but how do you keep up with industry trends or best practices? I know you mentioned some podcasts, and you mentioned that you read a lot and research. Do you have any industry trends or best practices specifically for finding solutions and new practices for meeting HIPAA requirements for email, database, or network security?
Aaron: One of the things I like to do is listen to this podcast.

Sierra: Yes!
Aaron: I get a lot of good information from this podcast. Every time I get online, I see news related to what I'm searching for. I like to click on that news and read it. Of course, if it's from a trusted source. I will not go to the National Enquirer for my information on this. I do like the HIPAA Journal and Becker's Hospital Review.

Sierra: Yeah, I agree with you. I read those, too. I have alerts sent from a bunch of different sources to my email. I get alerts on all breaches, anything about phishing. I spend a fair amount of my day reading articles to stay current on the information. Last but not least, what do you do to de-stress and relax?
Aaron: I'm really big into analog photography. On the weekends, we'll load up large format cameras and go out and do nature photography. Landscape photography usually involves a grueling hike.

Sierra: Y'all have a lot of good scenery for that.
Aaron: We do. We've got a lot of amazing hiking trails. All of the Ozarks regions have a lot of excellent developed hiking trails.

Sierra: I'm very jealous. I'm in Texas, but I love hiking. There's not much I can experience here in Dallas. So I'll need to explore after COVID and restart my hiking journey.
Aaron: Excellent.

Sierra: Aaron, thank you again for your time today. I enjoyed getting to know you better. And listeners, thank you again for joining the HIPAA Critical podcast. For more resources on this topic, please read our HIPAA Breach Report for December. In this report, we analyze HIPAA breach reports submitted to the US Department of Health and Human Services and summarize the types of PHI breaches affecting 500 or more people. In addition, we have a few blog articles to reference. First is "Business Email Compromise: How To Protect Yourself." This is an excellent resource for protecting yourself from email attacks and giving examples of what to look out for. For more info on how Paubox can help you with your email security needs, please refer to our blog, "Why You Should Choose Paubox." As a reminder, you can listen to other podcasts at Paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, or Amazon Music. Thanks again, and see you next time.