Episode 56 of HIPAA Critical features an interview with Sara Sosa, Director of Information Services at Vista Care.
Hannah Trum: I'm Hannah Trum and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders. Information security and technology are two industries that change at a rapid pace, but the core principles stay the same. Protect your endpoints, secure your data, train your employees. Because what works today isn’t always relevant next year or even tomorrow. But things that are considered the ABCs of cybersecurity generally apply in every work location. My guest today is proof of that. Sara Sosa is currently the director of information services at Vista Care, an organization dedicated to helping individuals overcome barriers and live their fullest life. Sara began her career in information technology after she joined the military and before her current role. I’ve had the opportunity to speak with Sara before during a customer success interview she participated in earlier this year. Today we discuss her unique career background, issues her small team faces in the middle of a work-from-home culture, and how email encryption fits into Vista Care’s infosec stack. Hi, Sara, thank you so much for joining me today. I think you have an extremely interesting background and a story about how you got into information technology. Can you give everyone a little bit about your background in information technology and how you got to Vista Care?
Sara Sosa: Sure. So I started my IT journey with the military, where I was taught a wide range of topics in the IT field from hardware and software to CCNA and security plus training.
Afterward, I was part of a CASH or a Combat Support Hospital, where we provided technology out in the field. We worked with the JNN, which is the joint network node. We set up VSATS, basically satellites, and we monitor and maintain operations in the field.
Hannah: That is a very busy day.
Sara: Yeah, it was, definitely. Kept us busy as a team. Fast-forwarding to about five years later, I started with Vista Care. And over the course of three years, I worked hard to grow with the company.
I've worked tirelessly with the help of my amazing team to restructure that department in a way that not only keeps our data and devices protected, but it also enhances our support for our staff who do by far the most important job, which is providing the best care to our individuals.
Hannah: Definitely. Well, I'm glad that you mentioned that you have been restructuring your department and working really hard. I know that we have talked previously about how you work in a really small department. So it can be very time-consuming when you're working with employees to set up remote connections to solve any issues. What kind of cybersecurity risks are you and your team seeing?
Sara: So the most prevalent security risk within the company is definitely the attempted phishing attacks. Of course, phishing attacks can lead to ransomware malware on company equipment and a breach and sensitive data which is any company's nightmare.
Hannah: Yes. Especially in healthcare.
Sara: Yeah. So thankfully, we've got methods in place to safeguard our data and our employees.
Hannah: How does your organization tackle endpoint security, especially when you are setting up remote connections for employees that are working from home or not in the office?
Sara: So we've explored and implemented several solutions.
A few would be managed devices within the company to ensure updates are pushed out and devices restricted to company sign-on. MFA is a big one that most definitely take advantage of, and then an endpoint protection software to consistently monitor the devices for breaches or security issues. If a security risk occurs, you want to take action in real-time to isolate the issues or resolve them. Hackers are not going to wait for you and they're not going to wait for you in an office.
Hannah: Absolutely not.
Sara: We're gonna have a system in place that can keep you protected from cybersecurity attacks and pick up on things that you don't.
Hannah: I have had the pleasure of talking to you previously about Vista Care’s experience with Paubox. Can you explain how email encryption fits into Vista Care and into your cybersecurity stack?
Sara: We have email protection in place to recognize spoofing questionable attachments on unauthenticated emails to ensure everything that comes our way and is safe and secure, which helps with phishing attempts, or the attempted ones.
But when it comes to sending emails, Paubox is there for us to ensure from point A to point B, our communications are secured with the best security practices. That you guys pride yourself on not just being HIPAA compliant, but HITRUST certified, which is a big deal for us when it comes to communicating about our individuals.
Hannah: When we were discussing Vista Care, we talked about how you're a small department and the ease and simplicity of Paubox really helps you and your team because y'all don't have the time to troubleshoot all of these problems that people have with portals and password-based email encryption services. What experiences did you learn from the military and from your combat support at the hospital headquarters that translates into how you work now and how you lead your team?
Sara: Now, one thing I've been able to take with me from when I was attached is how to quickly react to situations that arise. Having a quick response time isn't only relevant, just you know in the help desk, general IT troubleshooting realm but with security and access to systems as well, when there's a security threat. You want to be responsive and be really effective in mitigating the risk.
The other key takeaway that translates into what I do now is the team aspect. That's obviously really huge in the military.
Hannah: Yes.
Sara: No matter who you are, what you do, you're not as effective as you are on your own as you are when you have a team behind you. Together as a team you complement each other in ways that develop a strong foundation and a strong line of defense and offense within an IT department.
Hannah: Definitely. How does your team assess the need for new cybersecurity technologies?
Sara: In my opinion, the best way to assess the need for new technologies is to analyze the data and reports you receive on a regular basis. And where your strong points are, where your weak points are, and just continuously adopt new strategies, implement fixes or enhancements and systems in place.
Something as simple as staying up to date on the latest threats and vulnerabilities. An informed team is an effective team. So constantly monitoring and understanding new threats is the key to remaining protected.
Hannah: I agree. Have the last 18 months and the pandemic COVID-19 shifted how you approach cybersecurity and how you assess the need for new technologies?
Sara: So I've been in my current position for almost a year.
Hannah: Okay, so about the last year?
Sara: I think I could speak for everyone in the past year, 18 months. It's definitely driven more cybersecurity attacks with the obvious shift in the remote workforce and reliance on technology to accommodate it.
We've seen ransomware attacks on larger companies and corporations. I feel that's a reminder that no matter how large or small your company is, it's worthwhile to invest in more impenetrable systems. Definitely protect your company's assets physically and virtually.
Hannah: Part of that is also employee education and cybersecurity training, especially with organizations like yours that need to keep PHI or protected health information secure. What kind of security training does your organization participate in?
Sara: We definitely have the HIPAA training in place. We're actually working to develop an enhanced training program for both annual training focused on cybersecurity and quarterly newsletters from our department to focus on the importance of recognizing cybersecurity attacks and what you should do if you feel you're a victim of an attack. We also like to include real-world examples such as failed attempts directed at our own organization.
Hannah: Oh, that's a great idea.
Sara: That it's a real issue. And it is happening. It isn't just happening to the large businesses, we can be a target too. Anyone is a target.
Hannah: Absolutely. Your grandmother can be a target. These bad actors are just looking for any possible way, and they don't care who it is.
Sara: Absolutely. Everyone in business and your personal life. Informing staff not only helps protect the company, but it protects the employees as well, which makes it that much more important to spread awareness.
Hannah: Yes, I totally agree. I'm going to kind of throw you a curveball question, but it's in the same vein. You work in information technology and security, how do you bring what you learn in your career home to protect you and your family?
Sara: There are some simple things.
A good example is multi-factor authentication. A lot of different systems require it, but even something as simple as your own email account, or making sure that your smart home devices are on a secure network and you're not sharing things out publicly.
Hannah: I agree. I think those are really great. I think the secure network for your smart devices. I don't think a lot of people think about that. But they're very easy to hack into. And they're very probably, you probably have Bluetooth on, and they're very easy to connect to a rogue Bluetooth. That's a good tip that I don't think many people think about.
Sara: Yeah, I think it's definitely something to keep in mind. Especially the more we grow, you no longer have three devices on your internet, you're suddenly at 20 devices. And if all of your smart light bulbs and Alexa or Google devices, it's just important to be mindful of everything you really do have out there and connected.
Hannah: And then you can add kids into the mix. Kids are clicking on things. And so it's just better to be proactive than reactive at home and in the office.
Sara: Absolutely. And there are things that they have out there, where they do make it easier for an end-user to configure it and have that contact filtering even to restrict what kids are going on to as far as sites.
Little things like that might seem a little punitive or micromanage in the household, but it really does help keep you more secure.
Hannah: I don't think that there is a level of micromanaging or help when it comes to cybersecurity and the internet because there are bad things out there, you know?
Sara: Yes, okay.
Hannah: Sara, thank you so much for joining me today. Do you have any last-minute cybersecurity recommendations or anything you'd like our listeners to know?
Sara: I want to say thanks for having me on. I would make sure that awareness is there, all of the time. You analyze emails that you get, make sure it's from the right sender, and just take those extra steps to stay secure.
Because it's not just company information that's at risk. It could be your banking information or social security numbers for your family. And it's important to be mindful of all of these things in your day-to-day life.
Hannah: That is great advice. Well, thank you again, Sara. I really appreciate it. And we'll talk soon.
Sara: Okay, sounds good. Thank you.
Hannah: To read more about Vista Care’s experience with Paubox or for resources on HIPAA compliance, infosec in healthcare or email encryption, head to paubox.com. If you didn’t hear - Paubox continues to lead the HIPAA compliant software space according to G2 Grid’s Fall 2021 report. Head to our blog for more information. You can listen to every episode of HIPAA Critical on paubox.com or subscribe via Apple Podcasts, Spotify, iHeartRadio, Stitcher, Amazon Music or wherever you listen. Thank you for tuning into another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.