1
00:00:00,000 --> 00:00:05,040
Well, this morning I got my groceries delivered because why not?

2
00:00:05,040 --> 00:00:08,200
I'm lazy and I can have them delivered to my door, which then made me think about the

3
00:00:08,200 --> 00:00:16,580
question of what's everybody's favorite currently favorite at home meal.

4
00:00:16,580 --> 00:00:20,640
As I thought of that question, I then went, hmm, that's a great question, but I did make

5
00:00:20,640 --> 00:00:26,520
a very good sweet potato and wild rice kind of salad mixture that I said I was going to

6
00:00:26,520 --> 00:00:28,820
keep for three meals and then eat all in one day.

7
00:00:28,820 --> 00:00:29,820
So there's that.

8
00:00:29,820 --> 00:00:33,520
What about you, Todd?

9
00:00:33,520 --> 00:00:40,000
I would say in case anybody's curious at the timeline, we're coming into spring here at

10
00:00:40,000 --> 00:00:43,000
the time of this recording and I am all about summer.

11
00:00:43,000 --> 00:00:49,200
So my current go-to is chicken piccata from Ina Garten.

12
00:00:49,200 --> 00:00:52,920
Do you drink that with a little bit of wine and wear your scarf while you cook?

13
00:00:52,920 --> 00:00:53,920
Of course.

14
00:00:53,920 --> 00:00:55,920
No other way to do it.

15
00:00:55,920 --> 00:00:56,920
I love it.

16
00:00:56,920 --> 00:01:00,280
What about you, Ann?

17
00:01:00,280 --> 00:01:09,080
As Todd mentioned, the spring into summer, anything that comes off the grill right now,

18
00:01:09,080 --> 00:01:19,160
that's just, it was broccoli cauliflower and chicken thighs this weekend and on repeat.

19
00:01:19,160 --> 00:01:25,760
It tastes so good and so, like, it should be way warmer than it is.

20
00:01:25,760 --> 00:01:26,880
But that just sounds delicious.

21
00:01:26,880 --> 00:01:30,880
I had the exact same thought that I was like, I get a grill out because, yep, got cauliflower

22
00:01:30,880 --> 00:01:31,880
in the grocery.

23
00:01:31,880 --> 00:01:32,880
Love it.

24
00:01:32,880 --> 00:01:33,880
Going to steal that.

25
00:01:33,880 --> 00:01:35,680
What about you, Matthew?

26
00:01:35,680 --> 00:01:42,880
So mine's not, like, related to the season because I will eat this whenever and request

27
00:01:42,880 --> 00:01:51,480
it whenever, but my partner is a wonderful cook and makes a lasagna that changes my day

28
00:01:51,480 --> 00:01:54,040
every time I know what's going to come up.

29
00:01:54,040 --> 00:02:00,280
So the lasagna every time, but there's so many to think of, like, this wonderful, like,

30
00:02:00,280 --> 00:02:04,480
sun-dried tomato pasta that they make as well that is, yeah.

31
00:02:04,480 --> 00:02:07,760
But I'm going to go lasagna as the top.

32
00:02:07,760 --> 00:02:10,400
Because it's almost always on my mind.

33
00:02:10,400 --> 00:02:14,960
Like, even when I'm just thinking about other things, I'll get distracted thinking about

34
00:02:14,960 --> 00:02:16,600
that lasagna.

35
00:02:16,600 --> 00:02:18,120
It's the life-changing lasagna.

36
00:02:18,120 --> 00:02:23,280
And now, even though I'm dairy-free, I kind of really want lasagna, so thank you for that.

37
00:02:23,280 --> 00:02:24,920
What about you, Ariel?

38
00:02:24,920 --> 00:02:29,160
Oh, when you said grill out, I was like, that's got to be it.

39
00:02:29,160 --> 00:02:36,200
You know, like, traditional brats, burgers, mostly because I don't grill, so my husband

40
00:02:36,200 --> 00:02:37,200
does that.

41
00:02:37,200 --> 00:02:38,400
And so I get to sit back.

42
00:02:38,400 --> 00:02:41,640
I can enjoy someone else making food for me.

43
00:02:41,640 --> 00:02:42,640
That's the best.

44
00:02:42,640 --> 00:02:43,640
I love it.

45
00:02:43,640 --> 00:02:44,640
That's the life.

46
00:02:44,640 --> 00:02:45,640
Yeah.

47
00:02:45,640 --> 00:02:49,880
You're going, food always tastes better when somebody else makes it for you.

48
00:02:49,880 --> 00:02:51,960
That would be, like, the overarching.

49
00:02:51,960 --> 00:02:58,320
Everything coming from the grill I did not make, so it tastes all the better.

50
00:02:58,320 --> 00:02:59,480
I love that.

51
00:02:59,480 --> 00:03:04,640
Which in a completely unrelated topic of what are we talking about today, we're talking

52
00:03:04,640 --> 00:03:05,960
about HIPAA.

53
00:03:05,960 --> 00:03:09,200
And can you afford a $10,000 HIPAA?

54
00:03:09,200 --> 00:03:10,320
Fine.

55
00:03:10,320 --> 00:03:15,040
So we're sitting down today with myself, Kelsey and Ariel, as part of the marketing team here

56
00:03:15,040 --> 00:03:16,040
to moderate.

57
00:03:16,040 --> 00:03:22,200
And then we have Todd, our COO and CISO, Matthew and Anne, who are both GRC analysts over in

58
00:03:22,200 --> 00:03:23,840
our security department.

59
00:03:23,840 --> 00:03:31,560
And we're putting it off to them to start it off with, what is HIPAA?

60
00:03:31,560 --> 00:03:32,560
What is it?

61
00:03:32,560 --> 00:03:33,560
What is it?

62
00:03:33,560 --> 00:03:34,560
We may never know.

63
00:03:34,560 --> 00:03:36,560
It is an acronym.

64
00:03:36,560 --> 00:03:40,160
It is yet another acronym, which is why I'm here.

65
00:03:40,160 --> 00:03:43,600
Because if we weren't talking about acronyms, then I wouldn't have a job.

66
00:03:43,600 --> 00:03:45,600
We wouldn't have a job.

67
00:03:45,600 --> 00:03:54,880
So HIPAA is all about the healthcare information.

68
00:03:54,880 --> 00:03:57,680
I've forgotten it's not protection, is it?

69
00:03:57,680 --> 00:04:01,680
It's a Portability Act.

70
00:04:01,680 --> 00:04:03,920
Portability and Accessibility Act.

71
00:04:03,920 --> 00:04:04,920
Accountability Act.

72
00:04:04,920 --> 00:04:05,920
Accountability.

73
00:04:05,920 --> 00:04:06,920
Oh, look at that.

74
00:04:06,920 --> 00:04:11,000
This is what I get for not memorizing it and just memorizing the acronym.

75
00:04:11,000 --> 00:04:16,240
You guys have heard about it a lot, everyone has heard it.

76
00:04:16,240 --> 00:04:18,600
The spelling of it sometimes gets a little bit confused.

77
00:04:18,600 --> 00:04:27,800
It is HIPAA as our, or my, messing up of the acronym just then worked.

78
00:04:27,800 --> 00:04:33,640
The short version is it's about protecting and securing healthcare records, physical

79
00:04:33,640 --> 00:04:41,520
and digital, and ensuring that that information is stored and accessible at the same time.

80
00:04:41,520 --> 00:04:45,680
You can't just lock it away in a vault and never look at it again if someone requested

81
00:04:45,680 --> 00:04:49,200
it needs to be available and you need to secure it the whole way through that chain

82
00:04:49,200 --> 00:04:51,720
from start to finish.

83
00:04:51,720 --> 00:04:54,000
That's the short version, I suppose.

84
00:04:54,000 --> 00:04:57,000
Did I miss anything?

85
00:04:57,000 --> 00:04:59,840
Apart from the acronym?

86
00:04:59,840 --> 00:05:02,440
I mean, I think you nailed it pretty well.

87
00:05:02,440 --> 00:05:06,800
It does largely impact the healthcare industry specifically.

88
00:05:06,800 --> 00:05:08,440
You will see it in some other cases too.

89
00:05:08,440 --> 00:05:12,600
I mean, if you look at any kind of, it's specific for health information is really what it's

90
00:05:12,600 --> 00:05:18,560
designed to help with, but most organizations do have some sort of compliance with it because

91
00:05:18,560 --> 00:05:22,160
most organizations will do HR.

92
00:05:22,160 --> 00:05:25,760
And if you're handling the HR, you're going to have identifiable information that is going

93
00:05:25,760 --> 00:05:28,680
to be very, very heavily protected.

94
00:05:28,680 --> 00:05:33,160
So it is something that you're going to see across the board as Matthew said, when you

95
00:05:33,160 --> 00:05:38,640
get to the acronym, most people I think spell it HIPPA instead of AA.

96
00:05:38,640 --> 00:05:39,640
Why? Don't know.

97
00:05:39,640 --> 00:05:41,440
We'll dig into this a little bit.

98
00:05:41,440 --> 00:05:42,440
Like hippo.

99
00:05:42,440 --> 00:05:43,440
That's what I was thinking.

100
00:05:43,440 --> 00:05:44,440
That's probably it, right?

101
00:05:44,440 --> 00:05:49,760
As you're typing it, you might as well just go with hippo and replace it.

102
00:05:49,760 --> 00:05:55,040
We can probably dig into this a little bit deeper as to what that compliance looks like.

103
00:05:55,040 --> 00:05:59,480
I'll let Ann chime in briefly before we dig into the weeds.

104
00:05:59,480 --> 00:06:07,840
Oh, really, it's for covered entities and their business associates primarily.

105
00:06:07,840 --> 00:06:14,120
That doesn't mean or excuse everybody else from taking protection measures, but a covered

106
00:06:14,120 --> 00:06:20,480
entity is one that would have process generate a record.

107
00:06:20,480 --> 00:06:27,520
And a business associate is someone like CIT where we have collateral access to the records,

108
00:06:27,520 --> 00:06:35,840
maybe not direct and managing those relationships and how that information is accessed or transmitted

109
00:06:35,840 --> 00:06:37,680
appropriately.

110
00:06:37,680 --> 00:06:41,280
Yeah.

111
00:06:41,280 --> 00:06:44,560
And there's a lot of ways to do it.

112
00:06:44,560 --> 00:06:50,920
If you are storing electronic health data, if you're storing PII and you're unsure, it's

113
00:06:50,920 --> 00:06:56,640
a great basis for ensuring the safety of that data.

114
00:06:56,640 --> 00:07:01,040
Even if it's not even related to healthcare information, if you just want to ensure your

115
00:07:01,040 --> 00:07:07,280
data, the data you're storing about customers, anything is safe, it's a great baseline for

116
00:07:07,280 --> 00:07:08,280
it.

117
00:07:08,280 --> 00:07:09,280
Awesome.

118
00:07:09,280 --> 00:07:13,200
So, we kind of covered what is HIPAA.

119
00:07:13,200 --> 00:07:14,840
What does it look like?

120
00:07:14,840 --> 00:07:20,640
Right, we have the lovely clickbait title of, Can you afford $10,000 in HIPAA fines?

121
00:07:20,640 --> 00:07:23,520
What is a violation of HIPAA then?

122
00:07:23,520 --> 00:07:31,840
So violations of HIPAA are ways in which it's being knowingly or with malicious intent or

123
00:07:31,840 --> 00:07:36,360
not, broken or ignored.

124
00:07:36,360 --> 00:07:40,600
The federal government made it very clear that health information is protected.

125
00:07:40,600 --> 00:07:44,120
That's where the HIPAA idea comes from.

126
00:07:44,120 --> 00:07:50,440
And so to ensure the safety of that data, I think it was back in 1996, they, realizing

127
00:07:50,440 --> 00:07:56,200
that computers weren't a fad that were going away, created this to ensure as much of that

128
00:07:56,200 --> 00:07:59,640
data is stored safely as possible.

129
00:07:59,640 --> 00:08:02,960
Back then, we obviously didn't have as much power or as much of the things that we can

130
00:08:02,960 --> 00:08:06,320
do with them now, but they were still aware of what was happening and how much of it was

131
00:08:06,320 --> 00:08:08,240
being digitized.

132
00:08:08,240 --> 00:08:14,480
So, the goal was to create a system and ensure everyone and healthcare providers, hospitals,

133
00:08:14,480 --> 00:08:20,240
et cetera, were following a pattern that kept that data safe, no matter what type of computer

134
00:08:20,240 --> 00:08:26,680
they were using, no matter how often they were using it, what they were using it for.

135
00:08:26,680 --> 00:08:30,480
The computerization of that information was what was being protected.

136
00:08:30,480 --> 00:08:34,080
Now, they included a lot of stuff about physical information.

137
00:08:34,080 --> 00:08:36,960
They did expand it, but that was the basis of it.

138
00:08:36,960 --> 00:08:45,600
So violations come from intentional or malicious, as well as unintentional or non-malicious,

139
00:08:45,600 --> 00:08:53,440
yeah, violations of that act, whether they are from not getting to something in time,

140
00:08:53,440 --> 00:08:58,600
something wasn't prioritized, and that was the thing that happened, that went wrong.

141
00:08:58,600 --> 00:09:04,360
It's about, was that data inaccessible?

142
00:09:04,360 --> 00:09:05,480
Was it stolen?

143
00:09:05,480 --> 00:09:07,960
Was it impacted by a ransomware event?

144
00:09:07,960 --> 00:09:11,240
These are the types of things that can occur.

145
00:09:11,240 --> 00:09:19,680
Violations come from knowingly, for the most part, knowingly, choosing not to do something

146
00:09:19,680 --> 00:09:25,520
about a fault that you know exists, or choosing to try and be ignorant of those faults in the

147
00:09:25,520 --> 00:09:29,560
first place, which is the big one.

148
00:09:29,560 --> 00:09:35,240
Yeah, I smiled when Matthew said that.

149
00:09:35,240 --> 00:09:38,480
There is a little bit of a phrase out there that says, ignorance is no excuse when it

150
00:09:38,480 --> 00:09:41,120
comes to compliance, and that's, it's 100% true.

151
00:09:41,120 --> 00:09:45,080
You can't go into a situation where you say, well, I didn't know.

152
00:09:45,080 --> 00:09:46,160
It doesn't matter.

153
00:09:46,160 --> 00:09:49,840
If you are in a compliance industry, you are required to know.

154
00:09:49,840 --> 00:09:54,680
Somebody within your organization does need to know the rules, the guidelines, the compliance,

155
00:09:54,680 --> 00:09:55,680
etc.

156
00:09:55,680 --> 00:10:01,560
I'll try not to tangent into that too far, just because I naturally do.

157
00:10:01,560 --> 00:10:02,840
There's always help out there, right?

158
00:10:02,840 --> 00:10:03,840
There's always help.

159
00:10:03,840 --> 00:10:05,040
If you need help, find the help.

160
00:10:05,040 --> 00:10:07,920
But if you don't know what those are, you're going to either have to get yourself up to

161
00:10:07,920 --> 00:10:10,960
speed or find somebody that can help you get there.

162
00:10:10,960 --> 00:10:13,280
Even at a basic level, right?

163
00:10:13,280 --> 00:10:20,000
It's not, there's no expectation that you would be the person applying permissions,

164
00:10:20,000 --> 00:10:26,120
or you're regulating keys if it's in the physical set, something like that, but knowing what

165
00:10:26,120 --> 00:10:33,080
and how is always key to add on.

166
00:10:33,080 --> 00:10:36,320
Ignorance is not bliss at all.

167
00:10:36,320 --> 00:10:40,680
You can't put your head in the sand and be like, oh my gosh, look at this.

168
00:10:40,680 --> 00:10:42,680
Look what I found.

169
00:10:42,680 --> 00:10:44,880
Let's put this here.

170
00:10:44,880 --> 00:10:52,320
I say that with all the jest intended, but it really is pretty serious.

171
00:10:52,320 --> 00:11:02,080
I'm not quite to the, there's a lot of different variables associated with the fines of willful

172
00:11:02,080 --> 00:11:09,040
or unintentional negligence, I guess.

173
00:11:09,040 --> 00:11:12,360
But they are significant.

174
00:11:12,360 --> 00:11:20,240
In no way do they look at, well, I really didn't try, but you didn't try not to either.

175
00:11:20,240 --> 00:11:21,240
Yeah.

176
00:11:21,240 --> 00:11:22,960
It's like parenting.

177
00:11:22,960 --> 00:11:28,560
Things come back full circle to parenting in my station in life right now.

178
00:11:28,560 --> 00:11:32,560
So, well, you didn't try not to hit your brother either.

179
00:11:32,560 --> 00:11:37,280
It's kind of, did you try to protect it?

180
00:11:37,280 --> 00:11:40,720
No, I didn't know I had to, but you didn't try not to.

181
00:11:40,720 --> 00:11:41,720
Yeah.

182
00:11:41,720 --> 00:11:42,720
Exactly.

183
00:11:42,720 --> 00:11:50,400
There's a, those of you who've listened to our FTC podcast know about the qualified individual

184
00:11:50,400 --> 00:11:52,520
that's really pushed through heavily in that.

185
00:11:52,520 --> 00:11:57,640
And that comes through with HIPAA as well, because there's a HIPAA privacy officer.

186
00:11:57,640 --> 00:12:04,760
And that person is, they're in charge or they're the data owner effectively for those

187
00:12:04,760 --> 00:12:06,640
ePHI locations.

188
00:12:06,640 --> 00:12:12,680
So the electronic personal health information, knowing where that information is, knowing

189
00:12:12,680 --> 00:12:17,320
what it looks like, making sure they're aware of what the HIPAA rules are, that's what it

190
00:12:17,320 --> 00:12:18,320
comes down to.

191
00:12:18,320 --> 00:12:20,560
You should have one, you should define one.

192
00:12:20,560 --> 00:12:25,560
And that person should be making sure at all times that they're thinking about this and

193
00:12:25,560 --> 00:12:28,800
keeping track of it like I am with lasagna.

194
00:12:28,800 --> 00:12:37,920
Can you expand on the difference between data owner and data custodian for those that don't

195
00:12:37,920 --> 00:12:38,920
know?

196
00:12:38,920 --> 00:12:39,920
No.

197
00:12:39,920 --> 00:12:40,920
No?

198
00:12:40,920 --> 00:12:41,920
Okay.

199
00:12:41,920 --> 00:12:42,920
Yeah, I can.

200
00:12:42,920 --> 00:12:47,440
I just thought it was kind of pertinent.

201
00:12:47,440 --> 00:12:50,880
You used it, so I thought it just to make sure that it kind of expanded on it, whatever

202
00:12:50,880 --> 00:12:51,880
it is.

203
00:12:51,880 --> 00:12:56,160
So typically the way it looks like in most organizations is an oversimplification is

204
00:12:56,160 --> 00:12:59,840
the people that are in charge of it, they essentially become the owner.

205
00:12:59,840 --> 00:13:04,520
So in a lot of organizations, if you're looking at HIPAA data specifically, most people are

206
00:13:04,520 --> 00:13:07,000
going to turn their heads and look at HR and they're going to go, you're the ones that

207
00:13:07,000 --> 00:13:11,520
are in charge of that kind of information from a benefits perspective.

208
00:13:11,520 --> 00:13:17,000
The custodian would be the person or persons that are in charge of making sure that they

209
00:13:17,000 --> 00:13:18,640
do the right stuff with the data.

210
00:13:18,640 --> 00:13:22,480
So for example, it was mentioned that the data needs to be encrypted.

211
00:13:22,480 --> 00:13:25,760
So there would be somebody in a security team potentially that would go, all right, we're

212
00:13:25,760 --> 00:13:30,000
going to review all of the sensitive records and we're going to make sure the appropriate

213
00:13:30,000 --> 00:13:31,800
security controls are in place.

214
00:13:31,800 --> 00:13:34,120
So we're going to review and make sure that the drives are encrypted.

215
00:13:34,120 --> 00:13:37,400
We're going to make sure that the access is correct.

216
00:13:37,400 --> 00:13:41,680
And again, kind of differentiating between the two, the owner is the one that defines

217
00:13:41,680 --> 00:13:43,600
what that access looks like.

218
00:13:43,600 --> 00:13:47,760
They're the ones that say, Matthew can have access to that and cannot.

219
00:13:47,760 --> 00:13:51,600
And then the custodian applies those security controls to it.

220
00:13:51,600 --> 00:13:54,840
Sorry, I didn't mean to derail you too much, but I did kind of want to ask if you could

221
00:13:54,840 --> 00:14:01,120
kind of expand on that individual that you kind of highlighted to and kind of go, who

222
00:14:01,120 --> 00:14:04,600
is that and what additional responsibilities do they have?

223
00:14:04,600 --> 00:14:11,480
To add on to that, I think that data owner, if you will, is not necessarily a lot of people

224
00:14:11,480 --> 00:14:16,160
think that's the individual whose information it is.

225
00:14:16,160 --> 00:14:21,800
While that might be part of it, it is not entirely the scope of what that definition

226
00:14:21,800 --> 00:14:22,800
hits.

227
00:14:22,800 --> 00:14:23,800
Yeah.

228
00:14:23,800 --> 00:14:31,760
And to tie in with what Todd said, at a previous organization I worked as the data custodian,

229
00:14:31,760 --> 00:14:37,920
we had our HR was the data owner, our head of HR.

230
00:14:37,920 --> 00:14:44,280
And so basically as part of the custodian pulling the admin information to confirm who

231
00:14:44,280 --> 00:14:48,040
had access, check all that information, then refer that back.

232
00:14:48,040 --> 00:14:53,760
And again, this is a lot of technical information sometimes converting that into language that

233
00:14:53,760 --> 00:15:02,720
it's not just here's a read, write, read, edit output from a NTFS record for you to read

234
00:15:02,720 --> 00:15:07,000
through and explaining what it actually means, who actually is in there, what they can and

235
00:15:07,000 --> 00:15:08,400
cannot do.

236
00:15:08,400 --> 00:15:12,280
That's kind of that custodian's job in this case to ensure that it's fully understood

237
00:15:12,280 --> 00:15:18,120
by that privacy officer or the data owner what is happening and what it looks like contextually

238
00:15:18,120 --> 00:15:21,480
within the organization.

239
00:15:21,480 --> 00:15:25,040
If it is a smaller organization and you do have someone who is technical, they may be

240
00:15:25,040 --> 00:15:26,440
the same person.

241
00:15:26,440 --> 00:15:30,760
You know, it's contextualized around the size of your organization, but do keep that in

242
00:15:30,760 --> 00:15:37,080
mind that there is segmenting that gives you two people who are reviewing things.

243
00:15:37,080 --> 00:15:38,600
Less things are going to be missed.

244
00:15:38,600 --> 00:15:41,640
More things may be caught that otherwise wouldn't be.

245
00:15:41,640 --> 00:15:45,320
Do try and segment those roles when possible.

246
00:15:45,320 --> 00:15:47,760
Yeah.

247
00:15:47,760 --> 00:15:51,800
One thing I want to mention on this as well is that it's not just cybersecurity issues

248
00:15:51,800 --> 00:15:55,440
that get violations and fines.

249
00:15:55,440 --> 00:15:59,040
A lot of the times when people hear about it, they hear about, you know, such and such

250
00:15:59,040 --> 00:16:03,720
got hit with ransomware and didn't report it.

251
00:16:03,720 --> 00:16:12,360
Not reporting a breach when you've had one within 30 days is a big deal with HIPAA.

252
00:16:12,360 --> 00:16:17,040
And it will get you fines, but that's not the only thing that'll get you fines.

253
00:16:17,040 --> 00:16:25,560
Employees reading healthcare records that they don't have any right to view that aren't

254
00:16:25,560 --> 00:16:29,200
related to patients they see is a big one.

255
00:16:29,200 --> 00:16:35,200
Failure to encrypt your data, which Todd mentioned previously.

256
00:16:35,200 --> 00:16:40,040
Not disposing of data correctly, physical or digital data.

257
00:16:40,040 --> 00:16:46,040
Organizations have been fined for going out of business, not destroying their data correctly,

258
00:16:46,040 --> 00:16:53,280
and therefore having patient data that hasn't been destroyed, they've been fined additionally

259
00:16:53,280 --> 00:16:56,920
after they've gone out of business for that.

260
00:16:56,920 --> 00:17:03,760
This also includes civil and criminal fines and types of violations.

261
00:17:03,760 --> 00:17:10,920
So it's not just being fined by the government, it can be by the individuals who are impacted,

262
00:17:10,920 --> 00:17:16,440
because requesting access to their data and you not being able to provide it within a timely

263
00:17:16,440 --> 00:17:22,400
manner, timely manner in quotes here, because I believe that's their actual language, is

264
00:17:22,400 --> 00:17:28,240
a violation of HIPAA and you can and will be fined for it if a patient is requesting

265
00:17:28,240 --> 00:17:31,080
this information and you can't provide it.

266
00:17:31,080 --> 00:17:32,880
Why can't you provide it?

267
00:17:32,880 --> 00:17:34,520
Was it lost?

268
00:17:34,520 --> 00:17:35,720
How was it lost?

269
00:17:35,720 --> 00:17:40,880
What were you failing to do to that data to keep a copy safe?

270
00:17:40,880 --> 00:17:42,360
There's a lot of options.

271
00:17:42,360 --> 00:17:44,480
Anything coming to mind for anyone else?

272
00:17:44,480 --> 00:17:48,640
Yeah, I mean, I think you're on the right track.

273
00:17:48,640 --> 00:17:50,360
There's a lot of stuff that goes in with it.

274
00:17:50,360 --> 00:17:53,400
One of the things that you mentioned too is this isn't always a security or a technical

275
00:17:53,400 --> 00:17:55,120
thing that goes into it.

276
00:17:55,120 --> 00:17:59,720
When it comes to data retention, there are policies that are required for organizations

277
00:17:59,720 --> 00:18:04,120
that are compliant with HIPAA and it specifies what data you need to have and how long you

278
00:18:04,120 --> 00:18:05,640
need to keep records of it.

279
00:18:05,640 --> 00:18:10,840
So when you get into destroying the data correctly as well, that also is part of that life cycle

280
00:18:10,840 --> 00:18:14,280
and it includes making sure that you don't hang on to it too long.

281
00:18:14,280 --> 00:18:18,520
Most people tend to err on the side of well, just keep it.

282
00:18:18,520 --> 00:18:22,560
Well the downside of keeping it is that you've increased your exposure.

283
00:18:22,560 --> 00:18:27,120
So if you have a policy that says you need to destroy it within 12 years, you better

284
00:18:27,120 --> 00:18:29,080
get rid of it.

285
00:18:29,080 --> 00:18:33,160
But I think more often than not, what we typically see is a lot of people don't retain the data

286
00:18:33,160 --> 00:18:37,600
as long as they're supposed to and that can be problematic as well.

287
00:18:37,600 --> 00:18:41,800
Earlier somebody had mentioned that there are a variety of different penalties and a

288
00:18:41,800 --> 00:18:42,800
minor correction.

289
00:18:42,800 --> 00:18:48,800
Kelsey had mentioned $10,000 fines for HIPAA and HIPAA actually has a variety of different

290
00:18:48,800 --> 00:18:56,120
tiers and it can scale up dramatically and it's up to about $100,000 per month and somebody

291
00:18:56,120 --> 00:18:57,960
could be fined with it.

292
00:18:57,960 --> 00:19:04,720
And while there are ranges within the tier and I'll let Ann and Matthew expand on this,

293
00:19:04,720 --> 00:19:09,920
you can have multiple tiers impact you simultaneously so you may not just get hit with a singular

294
00:19:09,920 --> 00:19:11,360
fine.

295
00:19:11,360 --> 00:19:14,960
But can either one of you or would either one of you kind of run through the tiers so

296
00:19:14,960 --> 00:19:17,880
everybody has an understanding of what that looks like?

297
00:19:17,880 --> 00:19:24,640
Well I would say not even the tiers but it is very often on a per record basis and keep

298
00:19:24,640 --> 00:19:34,680
in mind that while HHS does want to know about all breaches, they don't typically get

299
00:19:34,680 --> 00:19:45,880
involved unless it's over $250 or $500 and then if they are and that is exponential, that's

300
00:19:45,880 --> 00:19:54,680
500 records times that fine until remediation or resolution has occurred.

301
00:19:54,680 --> 00:19:55,680
Exactly.

302
00:19:55,680 --> 00:20:03,440
So it's $100,000 on our other title is a nice gateway line in the sand.

303
00:20:03,440 --> 00:20:14,480
It can just go so wrong so fast and I guess this would be the conclusion part of this

304
00:20:14,480 --> 00:20:20,360
is if you were to be in the middle of this, you want to find resolution to this as quickly

305
00:20:20,360 --> 00:20:26,560
as humanly possible because it will be costly to you.

306
00:20:26,560 --> 00:20:28,480
Not just monetarily in fines.

307
00:20:28,480 --> 00:20:38,360
But also reputationally that might be an unrecoverable business incident to your reputation.

308
00:20:38,360 --> 00:20:42,840
Most definitely.

309
00:20:42,840 --> 00:20:43,840
Completely agree.

310
00:20:43,840 --> 00:20:45,040
We've seen it.

311
00:20:45,040 --> 00:20:52,120
There's definitely places I haven't gone because I follow this list and I've seen maybe multiple

312
00:20:52,120 --> 00:20:56,640
complaints come up or something like that.

313
00:20:56,640 --> 00:21:00,560
From the tier list and breaking down what Anne was talking about with where they come

314
00:21:00,560 --> 00:21:04,200
from, I'm not a lawyer.

315
00:21:04,200 --> 00:21:08,360
So there's some things in here I want to cover really quickly because this is the only way

316
00:21:08,360 --> 00:21:14,000
I can think about this and it's called mens rea and basically it's the intent behind

317
00:21:14,000 --> 00:21:15,000
the action.

318
00:21:15,000 --> 00:21:24,880
So was someone aware mentally of what they were doing and with intent?

319
00:21:24,880 --> 00:21:33,280
We discussed this right at the very start about whether ignorance is an excuse.

320
00:21:33,280 --> 00:21:37,000
So if you said I'm not going to worry about HIPAA as a medical practice, we're just going

321
00:21:37,000 --> 00:21:44,800
to do what we do, that would put you the system is based and the tiers are based on how much

322
00:21:44,800 --> 00:21:49,560
of your intent was based around HIPAA.

323
00:21:49,560 --> 00:21:53,440
And so if you're saying right out the gate as a leader of a company, I'm not going to

324
00:21:53,440 --> 00:21:59,160
worry about HIPAA, I just want to start getting everyone working and making money.

325
00:21:59,160 --> 00:22:05,840
That is you ignoring HIPAA and that has malicious intent for the fine system here.

326
00:22:05,840 --> 00:22:09,480
So the four tiers are based around that.

327
00:22:09,480 --> 00:22:13,240
So were you making reasonable efforts and just hadn't gotten to something yet?

328
00:22:13,240 --> 00:22:15,600
Do you have a full team in place?

329
00:22:15,600 --> 00:22:20,720
Maybe you've done a full risk assessment and you're getting through your list of items,

330
00:22:20,720 --> 00:22:25,720
your plan of action and you get hit with ransomware that got in through something that was lower

331
00:22:25,720 --> 00:22:28,480
on your list than you're already at.

332
00:22:28,480 --> 00:22:34,080
That would count as you guys doing a reasonable action, doing everything you can and just

333
00:22:34,080 --> 00:22:37,960
you won't, you've misprioritized, right?

334
00:22:37,960 --> 00:22:41,160
It was you put in as much effort as you could.

335
00:22:41,160 --> 00:22:45,760
The second tier is a lack of oversight in which you're basically not doing all of those

336
00:22:45,760 --> 00:22:46,760
items you could.

337
00:22:46,760 --> 00:22:49,360
Maybe you didn't do a risk assessment, you were just kind of getting to things as they

338
00:22:49,360 --> 00:22:54,920
came up and that one's the fine numbers increase exponentially there.

339
00:22:54,920 --> 00:22:59,460
In tier one, the minimum violation cost is $127.

340
00:22:59,460 --> 00:23:03,000
When you get to lack of oversight or that tier two, it's $1280.

341
00:23:03,000 --> 00:23:07,840
So about 10 times what the one before is.

342
00:23:07,840 --> 00:23:12,160
And tier three and tier four tie in with what Anne said.

343
00:23:12,160 --> 00:23:15,800
So tier three and tier four, malicious non-compliance.

344
00:23:15,800 --> 00:23:18,440
So you've intentionally said that doesn't matter.

345
00:23:18,440 --> 00:23:24,680
You've ignored some part of it, whether it's encryption at rest because you don't have

346
00:23:24,680 --> 00:23:29,680
a system that can do it and you decided you didn't want to upgrade the hardware or you're

347
00:23:29,680 --> 00:23:34,280
intentionally sending patient information in an unencrypted way.

348
00:23:34,280 --> 00:23:39,600
Those are examples we, I have seen.

349
00:23:39,600 --> 00:23:43,000
And the difference between tier three and tier four is how quickly you rectified the

350
00:23:43,000 --> 00:23:44,000
issue.

351
00:23:44,000 --> 00:23:48,280
Were you able to resolve it like Anne said within 30 days or did you keep it going for

352
00:23:48,280 --> 00:23:50,360
more than 30 days?

353
00:23:50,360 --> 00:23:56,560
And this is where the fines really start to rack up because there are people on the wall

354
00:23:56,560 --> 00:24:03,560
of shame, which we will be posting in the podcast links, which is a link to all the

355
00:24:03,560 --> 00:24:09,600
organizations who have been fined and have had violations that are paying millions of

356
00:24:09,600 --> 00:24:17,280
dollars in fines because it took them two, three plus years to resolve an issue.

357
00:24:17,280 --> 00:24:24,920
So the minimum penalty for a tier four violation is $63,000.

358
00:24:24,920 --> 00:24:29,360
The minimum for a tier three is $12,000.

359
00:24:29,360 --> 00:24:30,360
What was that in?

360
00:24:30,360 --> 00:24:31,360
For one.

361
00:24:31,360 --> 00:24:32,840
Yeah, for one, exactly.

362
00:24:32,840 --> 00:24:38,840
For one record that is impacted by this.

363
00:24:38,840 --> 00:24:42,400
And so those fines grow exponentially.

364
00:24:42,400 --> 00:24:48,240
My favorite part about tier four is that the minimum and maximum violation is the same

365
00:24:48,240 --> 00:24:50,000
penalty.

366
00:24:50,000 --> 00:24:57,560
They basically said we will be charging you $63,000 per violation after that 30 day mark.

367
00:24:57,560 --> 00:25:01,440
There was a cap on that though.

368
00:25:01,440 --> 00:25:02,760
The bright side is there is a cap.

369
00:25:02,760 --> 00:25:05,280
You get capped out at about two million per year.

370
00:25:05,280 --> 00:25:06,280
Exactly.

371
00:25:06,280 --> 00:25:10,200
So anytime it is more than two million, you know that this organization has had this issue

372
00:25:10,200 --> 00:25:16,200
going for more than one year, which in its own right on the wall of shame is great to

373
00:25:16,200 --> 00:25:22,120
see because you can see how long it took someone to resolve something past that initial 30

374
00:25:22,120 --> 00:25:23,120
days.

375
00:25:23,120 --> 00:25:29,680
So again, those tier systems are based on intentional and active awareness of HIPAA and

376
00:25:29,680 --> 00:25:33,560
whether or not you're intentionally doing anything to try and work on your system to

377
00:25:33,560 --> 00:25:40,560
better where you currently stand and choosing not to do anything because it's quote unquote

378
00:25:40,560 --> 00:25:46,920
too much is going to give you fines, big fines.

379
00:25:46,920 --> 00:25:47,920
Don't do that.

380
00:25:47,920 --> 00:25:53,880
Yeah, there's a couple things I wanted to throw on that real briefly is I think the

381
00:25:53,880 --> 00:25:56,000
wall of shame is a really important thing.

382
00:25:56,000 --> 00:25:59,080
And I know it could potentially have this negative connotation that makes it seem like

383
00:25:59,080 --> 00:26:02,160
it's a fear inducing thing.

384
00:26:02,160 --> 00:26:03,320
But Ann hit on it, right?

385
00:26:03,320 --> 00:26:06,800
There are things that sometimes can be more than just monetary there.

386
00:26:06,800 --> 00:26:07,800
That is a reputational hit.

387
00:26:07,800 --> 00:26:09,760
That is a major problem.

388
00:26:09,760 --> 00:26:13,600
You're not only being hit with a fine, but somebody's publishing it and that somebody is

389
00:26:13,600 --> 00:26:17,600
the US government is saying how bad you screwed up.

390
00:26:17,600 --> 00:26:20,760
And so it's completely available.

391
00:26:20,760 --> 00:26:24,000
All you have to do is Google HIPAA wall of shame and it'll be the top hit on there.

392
00:26:24,000 --> 00:26:26,520
So it's incredibly easy to find.

393
00:26:26,520 --> 00:26:30,680
And then it's got all the information that Matthew mentioned on it.

394
00:26:30,680 --> 00:26:35,120
And when he mentioned the risk assessment piece, there used to be I want to back up

395
00:26:35,120 --> 00:26:36,120
briefly.

396
00:26:36,120 --> 00:26:37,720
There used to be the saying that HIPAA had no teeth.

397
00:26:37,720 --> 00:26:40,400
HIPAA really wasn't something that was heavily enforced.

398
00:26:40,400 --> 00:26:41,400
Go look at the wall of shame.

399
00:26:41,400 --> 00:26:44,240
There's a lot of people that will tell you that is absolutely incorrect.

400
00:26:44,240 --> 00:26:46,520
HIPAA has teeth, HIPAA hurts.

401
00:26:46,520 --> 00:26:48,760
And it can put the people out of business.

402
00:26:48,760 --> 00:26:51,360
So it's a big deal.

403
00:26:51,360 --> 00:26:54,040
That risk assessment that Matthew had mentioned is important, right?

404
00:26:54,040 --> 00:26:58,240
So what you're looking at is what is the risk to the business and easily we can quantify

405
00:26:58,240 --> 00:27:00,520
this by the amount that it would cost to.

406
00:27:00,520 --> 00:27:03,960
So as you're looking at it, you're saying, well, that potentially is a high risk.

407
00:27:03,960 --> 00:27:05,320
What is the impact on it?

408
00:27:05,320 --> 00:27:09,280
And we can look at impact in this particular scenario on the cost, right?

409
00:27:09,280 --> 00:27:14,240
And if I can say that the risk of not encrypting data that I'm going to send across the wire

410
00:27:14,240 --> 00:27:20,120
is potentially up to $2 million per year, I know what I can put in place to mitigate

411
00:27:20,120 --> 00:27:25,080
that and still save myself hundreds of thousands of dollars and do the right thing, if you

412
00:27:25,080 --> 00:27:26,080
will.

413
00:27:26,080 --> 00:27:28,160
So that's kind of what you should be thinking about as you go on.

414
00:27:28,160 --> 00:27:29,160
What is the risk to me?

415
00:27:29,160 --> 00:27:30,160
What is the impact?

416
00:27:30,160 --> 00:27:33,040
What is the likelihood and what is the cost that it's going to be if something like

417
00:27:33,040 --> 00:27:34,320
that does happen?

418
00:27:34,320 --> 00:27:38,920
And then you can figure out whether you should start to put in a tool, a policy, a procedure,

419
00:27:38,920 --> 00:27:39,920
whatever the case may be.

420
00:27:39,920 --> 00:27:44,040
I know I jumped ahead a little bit there on one of the next steps, but I just kind of

421
00:27:44,040 --> 00:27:46,360
really wanted to emphasize that this is no joke.

422
00:27:46,360 --> 00:27:51,680
This is incredibly important for organizations that fall under this compliancy.

423
00:27:51,680 --> 00:27:57,600
I may have been misremembering this, but I think the title of this podcast is something

424
00:27:57,600 --> 00:28:04,120
that I actually said in either a different podcast or in a conversation with Ann.

425
00:28:04,120 --> 00:28:12,080
In relation to an organization saying, and this was a hypothetical saying, they didn't

426
00:28:12,080 --> 00:28:15,880
want to pay for a new employee.

427
00:28:15,880 --> 00:28:18,000
You don't want to have a new employee.

428
00:28:18,000 --> 00:28:19,520
You think you've got the team you need.

429
00:28:19,520 --> 00:28:24,840
You know IT people internally are expensive and outsourcing can be expensive as well.

430
00:28:24,840 --> 00:28:30,360
Okay, well $100,000 in fines a month, up to $2 million a year.

431
00:28:30,360 --> 00:28:35,680
Is that less than the cost of hiring the staff you need to complete the work and get your

432
00:28:35,680 --> 00:28:40,200
HIPAA compliance on track?

433
00:28:40,200 --> 00:28:42,240
Is that what you have?

434
00:28:42,240 --> 00:28:46,280
And that ties in with what Todd was talking about because, well, now that we know what

435
00:28:46,280 --> 00:28:49,960
these fines are and what the violations look like, what can we do?

436
00:28:49,960 --> 00:28:52,840
Well, firstly, you need a HIPAA booklet.

437
00:28:52,840 --> 00:28:56,000
And as soon as you start putting that together, you're going to see that right at the top

438
00:28:56,000 --> 00:28:59,360
of that list is a risk assessment.

439
00:28:59,360 --> 00:29:03,720
Having a risk assessment, finding the things that are high risk, ensuring you have the

440
00:29:03,720 --> 00:29:09,400
right team in place to begin working on it, and then getting that HIPAA booklet together

441
00:29:09,400 --> 00:29:12,360
and training your team on what the system...

442
00:29:12,360 --> 00:29:14,360
Education, education, education.

443
00:29:14,360 --> 00:29:18,000
Exactly.

444
00:29:18,000 --> 00:29:23,400
If you've listened to one of our most recent podcasts, you'll know that probably going

445
00:29:23,400 --> 00:29:26,680
to get this number wrong because it's off the top of my head.

446
00:29:26,680 --> 00:29:36,000
80% of all security incidents are still caused by individuals, whether it's malicious or

447
00:29:36,000 --> 00:29:40,040
non-malicious, doing something that they think is fine.

448
00:29:40,040 --> 00:29:44,160
If we go with the non-malicious, they're clicking on a link in an email, they're falling for

449
00:29:44,160 --> 00:29:48,640
phishing, they're doing things unintentionally that cause a problem.

450
00:29:48,640 --> 00:29:52,640
Now that is a training issue.

451
00:29:52,640 --> 00:29:56,960
And the HIPAA compliance booklet and the risk assessments let you find out where these

452
00:29:56,960 --> 00:29:59,400
flaws are and do their testing.

453
00:29:59,400 --> 00:30:02,400
It is a knowledge base.

454
00:30:02,400 --> 00:30:09,640
So me talking about policy and documentation again, surprise.

455
00:30:09,640 --> 00:30:10,720
It's what it comes down to.

456
00:30:10,720 --> 00:30:14,680
If you have that documentation, if the team is trained on it, if the leadership is trained

457
00:30:14,680 --> 00:30:24,240
on it, you will mitigate your risk significantly and therefore mitigate those fines because

458
00:30:24,240 --> 00:30:29,200
having them in place, being aware of them and working on them can drop you from a tier

459
00:30:29,200 --> 00:30:33,160
three to a tier two.

460
00:30:33,160 --> 00:30:39,160
Being so aware of what you plan to do and just as an example, a medical clinic I know

461
00:30:39,160 --> 00:30:48,280
who was working on moving to a new service system had an outage because of it.

462
00:30:48,280 --> 00:30:53,200
We'd already purchased, and this is a previous employee, we'd already purchased the hardware,

463
00:30:53,200 --> 00:30:54,520
they had their outage.

464
00:30:54,520 --> 00:31:00,520
We pushed that migration up, replaced their old servers with the new servers, got everything

465
00:31:00,520 --> 00:31:01,520
spun up.

466
00:31:01,520 --> 00:31:06,520
They were down for about seven to eight hours I think in the end rather than the close to

467
00:31:06,520 --> 00:31:09,880
three or four days it probably would have been for us to get the replacement hardware

468
00:31:09,880 --> 00:31:14,960
in for their old systems.

469
00:31:14,960 --> 00:31:19,000
That alone resolves an issue for them quicker than it would have been because they were

470
00:31:19,000 --> 00:31:23,720
prepared for something even if we had to push that timeline up.

471
00:31:23,720 --> 00:31:31,120
Those are the things that can keep you under a 30 day neglect tier.

472
00:31:31,120 --> 00:31:33,600
Being prepared is going to make it that you're ready for this.

473
00:31:33,600 --> 00:31:35,560
Maybe you've quoted out how much it's going to be.

474
00:31:35,560 --> 00:31:39,360
Maybe you've got it in your budget and it's just pushing it up earlier.

475
00:31:39,360 --> 00:31:44,680
The less surprises there are in your regular working week, the less there's going to be

476
00:31:44,680 --> 00:31:51,320
when something breaks that as well.

477
00:31:51,320 --> 00:31:53,320
I kind of sprang through that last part.

478
00:31:53,320 --> 00:31:54,320
Sorry.

479
00:31:54,320 --> 00:31:57,640
I was going to say, I'm just watching Todd and Anne you're going, anything else to add

480
00:31:57,640 --> 00:31:59,840
to it because I was like, I understood it.

481
00:31:59,840 --> 00:32:04,280
I think it's better that anything else Todd or Anne before we wrap up.

482
00:32:04,280 --> 00:32:09,000
The one thing that I would add is rehashing some of the stuff we already said.

483
00:32:09,000 --> 00:32:11,680
In case it wasn't clear, the HIPAA guidelines are for everybody.

484
00:32:11,680 --> 00:32:16,400
You can be a Fortune 5 company or you can be a chiropractor down the street.

485
00:32:16,400 --> 00:32:18,760
You're still under the same regulation.

486
00:32:18,760 --> 00:32:22,560
When we talked about that aspect of ignorance is not an excuse.

487
00:32:22,560 --> 00:32:23,680
This is what it's getting into.

488
00:32:23,680 --> 00:32:28,520
When you don't have the expertise and you open up that HIPAA booklet and you're working

489
00:32:28,520 --> 00:32:32,680
through it and you go, I don't have the slightest idea what that means, that's too bad.

490
00:32:32,680 --> 00:32:34,800
You're still held by that compliance.

491
00:32:34,800 --> 00:32:36,800
You're going to have to find somebody that can help you through that.

492
00:32:36,800 --> 00:32:40,720
There are, as I mentioned at the very beginning, there are people out there that do it.

493
00:32:40,720 --> 00:32:43,560
Obviously we do, but there are plenty of people out there.

494
00:32:43,560 --> 00:32:46,920
Find the help when you need it because it is really important and there are things to

495
00:32:46,920 --> 00:32:47,920
do.

496
00:32:47,920 --> 00:32:51,240
It's risk that's easily mitigated at a pretty inexpensive cost.

497
00:32:51,240 --> 00:32:58,040
I just wanted to wrap the entire conversation around that with that little bit of information.

498
00:32:58,040 --> 00:33:03,560
I was going to say for those people listening, there's a lot of smiling and nodding going

499
00:33:03,560 --> 00:33:04,840
on in the background.

500
00:33:04,840 --> 00:33:10,360
Yes, but 100% as Todd mentioned, we're here to help even if you're not listening somewhere

501
00:33:10,360 --> 00:33:14,560
near us, you're in Minnesota, if you're somewhere else and you're going, hey, I still want to

502
00:33:14,560 --> 00:33:19,560
get connected with somebody, you can still reach out to us at info at cit-net.com.

503
00:33:19,560 --> 00:33:22,680
Even if we can't help you, you can certainly get you connected to somebody else who can

504
00:33:22,680 --> 00:33:26,760
or if you just want to talk with one of these people, as you can tell, we love to talk.

505
00:33:26,760 --> 00:33:28,320
We will talk anytime.

506
00:33:28,320 --> 00:33:34,840
Or you can of course put a question into our website at cit-net.com backslash podcast.

507
00:33:34,840 --> 00:33:38,880
But as always, thank you Todd, thank you Matthew, thank you Anne, and thank you Ariel for sitting

508
00:33:38,880 --> 00:33:56,280
with us and we'll be back next week with yet another episode.

