1
00:00:00,000 --> 00:00:05,540
Did you know that the most popular non-chocolate candy is Skittles?

2
00:00:06,860 --> 00:00:08,860
Yeah

3
00:00:10,020 --> 00:00:12,020
Because I buy so many

4
00:00:15,500 --> 00:00:23,320
Makes sense. I think we're talking about candy. I think it's candy or candy bar, you know, what your favorite candy or candy bar is

5
00:00:23,320 --> 00:00:30,460
Okay, Matthew, we're ready. Yeah. Yeah, I'll go into it. Um, so there's this Australian

6
00:00:30,860 --> 00:00:34,720
this Australian... calling it a candy bar is a little iffy because

7
00:00:35,740 --> 00:00:40,940
There's nothing else to it but chocolate and caramel, but it's called a Curly Wurly. They're amazing. I

8
00:00:41,980 --> 00:00:43,980
Highly recommend you try them

9
00:00:44,320 --> 00:00:48,360
My partner gets them for me every Christmas as a pack of ten

10
00:00:48,360 --> 00:00:52,560
Just that I have some and they last me maybe three days. So

11
00:00:53,920 --> 00:00:59,600
Quick Google search says you can buy them on Amazon, but you'll also be advertised hair product

12
00:01:00,360 --> 00:01:05,160
Yeah, you can. It's like, I thought that too, to begin with, and this is a bit of a tangent

13
00:01:05,160 --> 00:01:09,860
But I thought that she was doing this whole like she'd found like an international shipper that was getting them from Australia

14
00:01:09,860 --> 00:01:15,020
And then I found out they were just on Amazon, but it's still a really nice gift and I really appreciate it

15
00:01:15,020 --> 00:01:18,340
And it's made by Cadbury, who knew? Yeah, oh

16
00:01:22,900 --> 00:01:24,700
Who's next?

17
00:01:24,700 --> 00:01:27,340
I'll go. I don't really eat candy bars

18
00:01:27,460 --> 00:01:32,800
So I'm gonna go with the craziest one that I can come up with, and I'm gonna tell you the Curly Wurly is a way better name

19
00:01:32,800 --> 00:01:34,800
But it's a Whatchamacallit

20
00:01:36,780 --> 00:01:38,780
That's it, it's all I got

21
00:01:38,780 --> 00:01:45,460
Information don't actually sell those very... I was gonna ask, like, are they making those anymore?

22
00:01:45,460 --> 00:01:47,460
But I didn't want to call you out

23
00:01:48,060 --> 00:01:53,660
I got a report from a friend that there was a Kwik Trip near Green Bay that actually had Whatchamacallits

24
00:01:53,660 --> 00:01:55,660
And she bought eight because that's all they had

25
00:01:56,140 --> 00:02:00,100
And she put them in her freezer to try to pace herself

26
00:02:00,620 --> 00:02:02,540
You can buy a whole

27
00:02:02,540 --> 00:02:07,860
What does this say? There's one on Amazon that's 44 bucks for a pack of 36

28
00:02:07,860 --> 00:02:11,260
That's a... yes, they started the... yeah, sorry, go

29
00:02:11,900 --> 00:02:15,740
The discovery is part of the fun. Oh, sorry

30
00:02:16,460 --> 00:02:18,460
There's a Whozeewhatzit as well

31
00:02:20,220 --> 00:02:22,220
I've never heard of that one

32
00:02:25,860 --> 00:02:27,860
All right, I'm one of oh

33
00:02:27,860 --> 00:02:32,780
I was gonna say I'm one of them that's, like, in the plain Jane category, and

34
00:02:33,460 --> 00:02:37,340
Snickers, it's just good. It's just you know just hey

35
00:02:37,340 --> 00:02:39,340
I'm gonna have one of them quick and easy

36
00:02:39,860 --> 00:02:42,980
Good to go. Oh, that's me. What about you Kelsey?

37
00:02:43,820 --> 00:02:47,060
That's a great question. I'm like, yeah, I'm boring and I have food intolerances

38
00:02:47,060 --> 00:02:54,380
But historically, if I was gonna risk having stomach pains... my great-grandma used to have a Hershey's chocolate bar every single night

39
00:02:55,140 --> 00:02:58,580
Before bed and then my grandma did the same thing and then my mother did the same thing

40
00:02:58,820 --> 00:03:03,860
So I'm trying really hard to not follow the trends, but if I did just a plain chocolate bar every night would be

41
00:03:04,340 --> 00:03:06,340
I'm here for it

42
00:03:06,340 --> 00:03:08,340
What about you, Ann?

43
00:03:10,220 --> 00:03:16,660
I think there's ones I don't care for, but I like coconut, so I like Mounds, or was it

44
00:03:17,980 --> 00:03:19,980
No, Almond Joy. Yeah

45
00:03:20,540 --> 00:03:24,300
I'm singing the song to the thing in my head. I

46
00:03:25,340 --> 00:03:28,900
Love Take 5 because I like the salty

47
00:03:30,260 --> 00:03:31,860
Caramel

48
00:03:31,860 --> 00:03:39,580
But I'm like Tara too. Give me a Snickers. It's great. These are reasons I don't keep these things in my house

49
00:03:43,100 --> 00:03:45,100
I've been liking

50
00:03:46,060 --> 00:03:51,500
Twix as I get older like I like the crunch. I never liked it as a kid, you know, but

51
00:03:52,740 --> 00:03:57,660
Yeah, or Snickers. I'm in the Snickers family too. I love it

52
00:03:57,660 --> 00:04:04,340
So today on our Tech for Business podcast, we started off talking about chocolate because we're talking about healthcare

53
00:04:06,020 --> 00:04:10,520
Kelsey, Tara and myself are joined by Todd, our COO and CISO,

54
00:04:11,100 --> 00:04:14,740
Matthew, our GRC analyst, and our GRC specialist

55
00:04:15,180 --> 00:04:20,940
If you've listened to the podcast before, I'm sure you've heard us talk about healthcare and cybersecurity

56
00:04:21,100 --> 00:04:26,260
So today we decided to dive right into best practices for healthcare

57
00:04:26,260 --> 00:04:28,260
and I'd like to start off

58
00:04:28,860 --> 00:04:30,620
just about a

59
00:04:30,620 --> 00:04:35,980
Little bit about maybe why we're talking about this and why we're focusing on healthcare and we're not focusing on

60
00:04:36,540 --> 00:04:40,020
Other industries, why this is so important here today

61
00:04:41,020 --> 00:04:42,580
someone wants to

62
00:04:42,580 --> 00:04:44,580
dive into the weeds of that one

63
00:04:49,540 --> 00:04:52,020
I think the reason it's come so high

64
00:04:52,020 --> 00:04:57,220
to the top of how we manage it and how we help our customers manage it is

65
00:04:57,940 --> 00:05:04,940
Everything is digitized now and being able to protect it in all forms. It's not just about having a

66
00:05:07,380 --> 00:05:13,420
File cabinet in the back of a clinic somewhere. It is: who has access? How can you transport?

67
00:05:13,420 --> 00:05:18,500
How can you transmit? How can you effectively protect people's data? And

68
00:05:18,500 --> 00:05:25,260
And that's not anything new, but for a lot of, especially for long established

69
00:05:26,180 --> 00:05:33,860
Entities that have healthcare, or even new ones where it hasn't always been a requirement to manage it that way, it really is

70
00:05:35,060 --> 00:05:37,060
Becoming much more significant

71
00:05:40,420 --> 00:05:45,900
So what's happening in the healthcare industry? I mean

72
00:05:45,900 --> 00:05:51,220
You know, you think about, they have access to personal information and all the HIPAA laws

73
00:05:51,220 --> 00:05:57,020
So I would assume that they have all of their stuff together and that

74
00:05:58,060 --> 00:06:04,380
They're doing a great job about being protected, but here we are today talking about it. So that's clearly not the case

75
00:06:05,020 --> 00:06:07,020
so what is

76
00:06:07,180 --> 00:06:09,180
What is sort of

77
00:06:09,180 --> 00:06:11,060
Putting these healthcare centers at risk

78
00:06:11,060 --> 00:06:13,620
Yeah, I mean, the one thing that I'll add to it is

79
00:06:14,420 --> 00:06:20,460
Everybody's at risk. To your point, how you opened it up, why are we talking about healthcare itself is a great question

80
00:06:20,460 --> 00:06:27,460
And there are really good, important reasons for it, but everybody is at risk. Healthcare is important because they do have very specific data

81
00:06:27,460 --> 00:06:32,220
And it's very specific to the individual. So it's very identifiable, and not surprisingly,

82
00:06:32,220 --> 00:06:38,180
They have two acronyms for it, PHI and PII. One's healthcare information, or health information,

83
00:06:38,180 --> 00:06:43,180
The other one's identifiable information, both personal in themselves, and they have a lot of it, and I

84
00:06:43,820 --> 00:06:48,820
I think we've done this before on previous podcasts, but just for clarity's sake, when you're talking healthcare

85
00:06:49,060 --> 00:06:53,340
It's not just a hospital. It's not just a clinic. You're talking about eye care

86
00:06:54,220 --> 00:06:59,780
That can be your LASIK teams, or it can be the clinic that's taking a look at your eye and helping you with glasses

87
00:07:00,380 --> 00:07:05,300
It's a chiropractor. Senior living is a fantastic example.

88
00:07:05,300 --> 00:07:15,300
And so it crosses a lot more than most people would tend to think, and yet every one of them still has the PII, the PHI, and so that's why it's a very important thing

89
00:07:16,700 --> 00:07:21,900
And it's also the reason why they're heavily under attack. I was looking for the statistic and I couldn't find it off the top of my head

90
00:07:21,900 --> 00:07:23,900
So I'll take a look when Matthew starts talking here, but

91
00:07:25,300 --> 00:07:30,300
They are one of the most heavily attacked industries out there and the reason is just that right?

92
00:07:30,300 --> 00:07:38,300
There's a lot of information that they have. Exactly. Um, they can go back and listen to our podcast on the

93
00:07:39,300 --> 00:07:42,300
On the other reports that we've done this year if they want to, I suppose, but um

94
00:07:44,300 --> 00:07:46,300
You're just spot on that

95
00:07:46,300 --> 00:07:52,300
Healthcare data is worth a lot because while we think of it as the appointments that we go to and things like that

96
00:07:52,300 --> 00:07:56,300
It includes so much personal data that it sells for a lot

97
00:07:56,300 --> 00:08:02,300
And so higher profit for the people who are committing this crime is going to result in more attacks

98
00:08:04,300 --> 00:08:09,300
It's everyone who has patient data whether they're storing it for someone else whatever it is

99
00:08:09,300 --> 00:08:16,300
It's also going to impact people who sign business associate agreements with these places. So if you're storing this data at all

100
00:08:17,300 --> 00:08:24,300
You're impacted. So while there is a lot of it, that is, they are a high-risk, high-value... of the data

101
00:08:24,300 --> 00:08:26,300
Are a high-risk, high-value client

102
00:08:27,300 --> 00:08:29,300
Or a high-risk, high-value target

103
00:08:30,300 --> 00:08:35,300
There's also the fact that the scope of who is considered the healthcare industry is really large

104
00:08:36,300 --> 00:08:40,300
So there's more attack surface more likely to get pulled into it

105
00:08:41,300 --> 00:08:43,300
As for

106
00:08:43,300 --> 00:08:45,300
Why they're at risk as well

107
00:08:45,300 --> 00:08:47,300
There's a number of things to go with that

108
00:08:47,300 --> 00:08:52,300
But it's best to remember that not everyone is at the same point in their compliance journey

109
00:08:52,300 --> 00:08:58,300
Which is a phrasing that I've heard and use a lot and I've very much tried to take on board as helpful for me

110
00:09:00,300 --> 00:09:10,300
Because I started out with helping new doctors who are going into private practice with the software that we're using

111
00:09:11,300 --> 00:09:16,300
So because of that, that kind of guideline of "there isn't anything in place, where can we start" there

112
00:09:16,300 --> 00:09:21,300
Is a really nice place to begin and lets you really focus on making sure you're meeting the guidelines you have to

113
00:09:22,300 --> 00:09:29,300
Most organizations are not in that place. They've already got a ton of things in place. They've already got software they're using hardware they're using

114
00:09:30,300 --> 00:09:37,300
Sometimes it's hardware that they've had to reuse because of certain situations that mean it's maybe not as up to date as they would like it to be

115
00:09:38,300 --> 00:09:43,300
All of these things increase the risk, but they also increase where you are in your HIPAA journey

116
00:09:43,300 --> 00:09:53,300
So personally, I think the number one thing is just, it's becoming a focus. As we go into in some of the other podcasts you can listen to,

117
00:09:54,300 --> 00:10:02,300
Fines are increasing. They're also seemingly on the rise in general for not meeting HIPAA guidelines

118
00:10:02,300 --> 00:10:16,300
So there's there's a real incentive to make sure you are meeting them. There's a real incentive to make sure that they're being met within the scope of how you can meet them and without jumping too much into the next topic I want to go to

119
00:10:17,300 --> 00:10:22,300
Thinking about where your risks are

120
00:10:22,300 --> 00:10:32,300
That I mean that kind of seems where we're going is you know

121
00:10:33,300 --> 00:10:35,300
It's going to telegraph my play

122
00:10:36,300 --> 00:10:39,300
So

123
00:10:40,300 --> 00:10:45,300
I believe we've spoken about risk assessments previously on the podcast

124
00:10:45,300 --> 00:10:54,300
Even if we haven't I'll try not to go into it if there is any desire for them I can and we'll talk about them at length at the drop of a hat

125
00:10:55,300 --> 00:11:02,300
Risk assessments are a great place to start and probably what I'd call the first best practice to dig into

126
00:11:02,300 --> 00:11:18,300
It's about knowing your environment top to bottom and knowing the current risk scenarios. So what is most affecting the healthcare industry at the moment?

127
00:11:19,300 --> 00:11:27,300
Is it ransomware? Is it people falling for phishing scams? Is it credit gift card scams? What is it that's impacting the business the most?

128
00:11:27,300 --> 00:11:36,300
How could your organization fall for that? What systems do you have in place that would stop that? And at what point do you worry about

129
00:11:38,300 --> 00:11:47,300
Your system not being secure enough versus the potential loss you would have if someone were able to get in through that system

130
00:11:48,300 --> 00:11:53,300
Very roundabout explanation, but a risk assessment is definitely the first place I would start

131
00:11:53,300 --> 00:12:02,300
And the main reason for that is that it will give you the best overview with a security mindset of your environment

132
00:12:04,300 --> 00:12:10,300
Yeah, I think you make an excellent point. As you were talking through in the previous statement before we had the pause

133
00:12:11,300 --> 00:12:17,300
You were getting into how everybody's at a different spot in their journey and as you were going through it it kind of triggered a memory for me

134
00:12:17,300 --> 00:12:26,300
Which is one of my neighbors, he lives a couple of houses away from me, recently opened up an oral surgery clinic and so as he was doing that

135
00:12:27,300 --> 00:12:32,300
He's now the sole proprietor. He's responsible for everything and so he's at the very beginning of this journey

136
00:12:33,300 --> 00:12:40,300
And the question for him is where do I start? Well, Matthew just laid it out. It is a risk assessment. There is another thing that you can kind of do too

137
00:12:40,300 --> 00:12:46,300
For him it was a little bit less concerning just due to the fact that he's such a small organization

138
00:12:47,300 --> 00:12:55,300
But what is very, very important, when it comes to all security practices as you start to get into the actual implementation of them, is you can't protect what you don't know you have

139
00:12:56,300 --> 00:13:01,300
So you need to find out. Another assessment is: what assets do you have? Is it your computers? Is it your applications?

140
00:13:01,300 --> 00:13:12,300
Etc., etc. If you can't figure out what all those are, you stand no chance in protecting them well. But the downside, of course, is that the bad guys can figure it out, and they can figure it out very, very quickly

141
00:13:13,300 --> 00:13:14,300
Exactly

142
00:13:15,300 --> 00:13:24,300
Just quick tangent there. It is far easier to scout a network you're already inside than it is to try and figure out what you have

143
00:13:24,300 --> 00:13:31,300
Because when you're looking for vulnerabilities versus looking for an explanation of what's in place those two things are very different

144
00:13:32,300 --> 00:13:40,300
And if someone hasn't gone through and documented what they were doing to begin with if someone hasn't been very clear about the purpose of each server you have on site

145
00:13:41,300 --> 00:13:47,300
It's very easy to get lost as to what they're doing especially as a conversation that happened previously goes

146
00:13:47,300 --> 00:13:59,300
Sometimes people are using joke names for their servers. Sometimes they're using the planets, the moons of Jupiter. Sometimes they're using Disney characters

147
00:14:00,300 --> 00:14:06,300
These are fun and definitely when you're connecting to them every day it's a nice little

148
00:14:07,300 --> 00:14:14,300
It's just a sense of joy every night again when the names pop up, but it doesn't help from a security standpoint to know what that server is doing

149
00:14:14,300 --> 00:14:23,300
So risk assessments really help you get everything back together, especially if you've had multiple people build it out, whether you're contracting or you've had multiple internal IT staff

150
00:14:24,300 --> 00:14:31,300
That risk assessment gives you not just a technical overview but a business overview of what your attack vectors look like

151
00:14:32,300 --> 00:14:33,300
Where are you most vulnerable?

152
00:14:33,300 --> 00:14:47,300
And then we move on to being able to talk about acceptable risk. So at what point are you saying it is okay for us to not resolve this issue right now because we have protected it by doing x, y, z

153
00:14:47,300 --> 00:15:05,300
I would add to that risk assessments are not only the best start but they are so important that so many of the industries have built them into requirements annually for their

154
00:15:05,300 --> 00:15:23,300
Their auditing and controls. There is a requirement to have a HIPAA security assessment, risk assessment, annually as you mature through your... and that's really impressing upon everyone

155
00:15:23,300 --> 00:15:34,300
Not the severity but the importance of what you need to have and how you need to be aware of where your requirements are

156
00:15:35,300 --> 00:15:46,300
Exactly. I like to think of it as well from the, because I tend to come to things from the technical side of things so knowing where the network is and what it all looks like and what everything is doing is huge

157
00:15:46,300 --> 00:15:52,300
But when you come from the business side as well, what's the potential loss if something goes wrong here?

158
00:15:53,300 --> 00:15:56,300
And as such, are you spending enough money on your IT at the moment?

159
00:15:58,300 --> 00:16:12,300
Remembering that when you're putting this risk assessment together, the person who's putting it together may have the mindset I used to have which is just I'm putting together a technical analysis of the network and where I think the damage could be done the most

160
00:16:12,300 --> 00:16:20,300
Well, that's great, but unless you can define what those potential damages are from a business perspective, it just looks like a wish list

161
00:16:21,300 --> 00:16:37,300
By monetizing it, and you can find those numbers online. You can find them in the reports that we've gone over on these podcasts. We cover a lot of those numbers, but the IC3 has information, Verizon puts out a yearly cybersecurity report which has a lot in there as well

162
00:16:37,300 --> 00:16:43,300
And reviewing those and getting those numbers is part of that review, part of that risk assessment.

163
00:16:44,300 --> 00:16:45,300
It should be anyway.

164
00:16:45,300 --> 00:16:57,300
It should be definitely because this isn't just like I said, a technical review. It is a business review that you should be taking to leadership of the organization to the board if there is one.

165
00:16:57,300 --> 00:17:10,300
You want buy-in from the whole team. There's so much that goes into it and it is a big undertaking, but it's a big undertaking because it is a business evaluation and a technical evaluation of your current environment.

166
00:17:11,300 --> 00:17:15,300
So right out the gate, just a huge first best practice.

167
00:17:16,300 --> 00:17:24,300
Yeah, well, I think I got a little one in there too, but one of the things I was going to do is you're kind of trying to pivot off of that a little bit.

168
00:17:24,300 --> 00:17:31,300
When I said specifically you should include that, the reason why I said that is because we're going to have people all over the map when it comes to maturity.

169
00:17:32,300 --> 00:17:38,300
And if you get stuck or you're overly concerned of, well, how am I going to figure out what that assessment of value is?

170
00:17:39,300 --> 00:17:45,300
It shouldn't be the last step that you take and you stop and go, okay, that's it. I can't go any further because I don't know the answer to this question.

171
00:17:45,300 --> 00:17:57,300
The reason why I bring that up is because we do a lot of assessments for a lot of companies, a lot of industries, etc. And as you're going through that, I'll use the FFIEC, which is not healthcare specific.

172
00:17:58,300 --> 00:18:06,300
It's finance specific, but that particular assessment actually considers the monetary assessment as part of a middle area, an intermediate.

173
00:18:07,300 --> 00:18:08,300
So you actually have to take a while to get there.

174
00:18:08,300 --> 00:18:15,300
So the reason why I'm mentioning that is because I think the things that we were talking about at the beginning are the information.

175
00:18:16,300 --> 00:18:27,300
And this is really where the risk for healthcare comes into play specifically is not only do you need to know what assets you have on the network, the data itself is the specific asset that we're talking about.

176
00:18:28,300 --> 00:18:34,300
In that scenario, you need to know what your data is. Where do you save it? Is it in your location? Is it physical files?

177
00:18:34,300 --> 00:18:42,300
If so, what do you do? Do you lock the doors? Do you lock it in a file cabinet? Do you have people sign in when they come in? Do you have video cameras up?

178
00:18:43,300 --> 00:18:50,300
Physical, right? Is it something that you outsource to a cloud? This is a little bit more of mitigating how do you mitigate the risk?

179
00:18:51,300 --> 00:18:55,300
If it's in a cloud, somebody else is theoretically protecting it, but then how do you protect it, which we'll get into in a little bit.

180
00:18:55,300 --> 00:19:05,300
But then the next step is, once I understand what kind of data I have, it's paper, it's data on local storage, it's in the cloud, then you get to decide how important it is.

181
00:19:06,300 --> 00:19:16,300
And this is where Matthew is getting at. What is the value of that? If I lost it, this would be the assessment you could easily do no matter your maturity is, if I lost that information, how much does that hurt?

182
00:19:16,300 --> 00:19:24,300
And you could probably put a pretty quick number to that most organizations and go, and not so much, I could probably get away with probably not even needing that.

183
00:19:25,300 --> 00:19:32,300
So then the risk is very, very small or that would put me out of business that and that value is, we'll say my business is worth a million dollars. That's a million dollar risk.

184
00:19:33,300 --> 00:19:35,300
Okay, we can now move forward on the rest of the risk assessment.

185
00:19:35,300 --> 00:19:52,300
I'm going to stay on data just real briefly before I be quiet for a little while again. As you figure out what it is and how valuable it is, one of the other things you absolutely have to do, and this is core HIPAA, is you need to define how long you're going to retain that data.

186
00:19:53,300 --> 00:20:00,300
And once you've gotten to the point that you're not going to, and I'll let Ann and Matthew tell you what that number is, what are you going to do with it?

187
00:20:00,300 --> 00:20:05,300
And the answer is you better get rid of it because if your policy says I'm not going to stick it around, you better not have it.

188
00:20:06,300 --> 00:20:07,300
Yeah.

189
00:20:08,300 --> 00:20:11,300
Have a policy and follow it to the letter.

190
00:20:14,300 --> 00:20:19,300
Exactly. There's a quick thing you mentioned there with the length of time data should be kept for.

191
00:20:19,300 --> 00:20:29,300
The specifics of this I won't go into, but suffice it to say that the HIPAA documentation doesn't explicitly give a number.

192
00:20:30,300 --> 00:20:37,300
But the consequences of the HIPAA documentation does give a number. So that number is seven years.

193
00:20:38,300 --> 00:20:39,300
Which is a lot.

194
00:20:39,300 --> 00:20:41,300
Okay, so just to get curious, that's a lot.

195
00:20:41,300 --> 00:20:49,300
It is. I think it's for a full six years, I think is the exact language. So we just say seven as a way of having that cut off.

196
00:20:50,300 --> 00:20:55,300
And specifically, it's about how, when was that information last shared?

197
00:20:56,300 --> 00:21:03,300
So it's not about when did the last patient visit occur, it's when was that information last shared, and that's what you've got to track.

198
00:21:03,300 --> 00:21:13,300
So keeping everything to do with that, which most EHR softwares will do, they'll track this is when it was last accessed, this is when it was last, an email was last sent out from it, etc.

199
00:21:14,300 --> 00:21:19,300
Keeping the whole patient file includes that information in a lot of cases.

200
00:21:20,300 --> 00:21:26,300
If you're sending email, if you're sending HIPAA data via email, you better be tracking those emails for seven years.

201
00:21:26,300 --> 00:21:35,300
And if an individual who sends HIPAA data via email leaves, you've got to keep those emails for those full seven years so that you can track what was sent out.

202
00:21:36,300 --> 00:21:42,300
So I'll stop there because we can dig into this so deeply. It's one of my favorite topics on here.

203
00:21:43,300 --> 00:21:50,300
But seven years, try and keep all your, don't try, keep all your data that includes patient information for seven years.

204
00:21:50,300 --> 00:21:59,300
Yeah, one other thing that I'll throw on there, and I'm sorry if I interrupted you, Ann, is not only do you need to make sure that you're doing that, to me, there's kind of like the subset of that.

205
00:22:00,300 --> 00:22:05,300
And it's actually more important that I'm making it when I call it a subset is you need to monitor those files too, right?

206
00:22:06,300 --> 00:22:10,300
So you'd actually enable the say, when was the last time I shared it? You actually have to know what that is.

207
00:22:11,300 --> 00:22:14,300
So you need to monitor the access of the file, the sharing of the file, etc.

208
00:22:14,300 --> 00:22:24,300
But even on a deeper level on that is hypothetically, if you're doing that and a bad actor was actually trying to mine your data, you would see that that potentially could be right this very minute.

209
00:22:25,300 --> 00:22:34,300
And if you weren't expecting that, you should have the monitoring tools be able to alert your team, whether it's you specifically your security team or a partner, that would be also incredibly important.

210
00:22:35,300 --> 00:22:37,300
And I'm sorry if I interrupted, but go ahead, Ann.

211
00:22:37,300 --> 00:22:49,300
So having the, this goes back to the policy part, having the ability to you get to make your own rules within the confines of the requirement.

212
00:22:50,300 --> 00:23:02,300
Things I would almost recommend is moving the data to a specific spot with that control to, I say a C drive on a computer that is absolutely not true.

213
00:23:02,300 --> 00:23:13,300
But if this is a record that was accessed now, but it is likely they will not need it anymore, move it to that pile or controlled area.

214
00:23:14,300 --> 00:23:22,300
Just little things that work for you and your operations in general to make it easier for yourself long term.

215
00:23:22,300 --> 00:23:35,300
That may not look like the example I described, but just trying to not have to revisit things in six full years, not seven.

216
00:23:36,300 --> 00:23:46,300
And you make a really good point about something that we saw recently that I want to touch on here as briefly as I can.

217
00:23:46,300 --> 00:23:54,300
It's very easy to think of these things as static, right? We have to keep this for seven years. Okay, that's cool.

218
00:23:55,300 --> 00:23:59,300
But as Ann said, it's not, we have to keep a full active backup of this for seven years.

219
00:24:00,300 --> 00:24:03,300
You can archive things, backup the archive and keep that.

220
00:24:04,300 --> 00:24:07,300
It doesn't have to be, you obviously need to make it accessible, right?

221
00:24:08,300 --> 00:24:11,300
So don't just do one backup that you then put in a lockbox and hope it survives.

222
00:24:12,300 --> 00:24:14,300
Have a couple backups, be thorough.

223
00:24:14,300 --> 00:24:19,300
But the goal here is to ensure that data is accessible if necessary.

224
00:24:20,300 --> 00:24:23,300
It's not that it has to be part of your full active system all the time.

225
00:24:24,300 --> 00:24:30,300
Otherwise, things start ballooning and I'm sure we've all seen, especially patient data balloon in size significantly.

226
00:24:31,300 --> 00:24:35,300
You can pivot with what you're doing with something.

227
00:24:35,300 --> 00:24:48,300
If you, just as a quick example that came to mind, if you are a PCI customer who does take credit card information but doesn't need a credit card reader and the credit card reader is sent to you,

228
00:24:49,300 --> 00:24:58,300
you can send that back and not have to follow all of the PCI requirements that would be included if you did have a PCI reader on site.

229
00:24:59,300 --> 00:25:03,300
Those pivots can save you a lot of time and money and make things easier.

230
00:25:03,300 --> 00:25:09,300
So work within the confines of what those rules are to give yourself the ability to pivot as well.

231
00:25:11,300 --> 00:25:13,300
I'm going to transition back a little bit.

232
00:25:14,300 --> 00:25:17,300
I know we were talking about what is it, why is it important, etc.

233
00:25:18,300 --> 00:25:19,300
And then we started to get into what we're doing about it.

234
00:25:20,300 --> 00:25:26,300
And we did talk very heavily about figuring out what you're going to protect, how important that is with our risk assessments and whatnot.

235
00:25:27,300 --> 00:25:29,300
And now what are you actually going to do about it?

236
00:25:29,300 --> 00:25:38,300
And I want to bring this up now specifically because there are two things that I tell companies: if you do nothing else, do this. And I think we should probably even have a podcast on it.

237
00:25:39,300 --> 00:25:46,300
If you do nothing else do this, and those two things are, you absolutely need to multi-factor pretty much every damn thing on the face of the planet.

238
00:25:47,300 --> 00:25:50,300
And you should also have endpoint detection and response.

239
00:25:51,300 --> 00:25:53,300
And I know I have podcasts on both of those topics too.

240
00:25:53,300 --> 00:25:59,300
If you do absolutely nothing else, and again, one, two, three of those podcasts exist, if you want to go get them, go get them.

241
00:26:00,300 --> 00:26:02,300
You should be looking at MFA, you should look at EDR.

242
00:26:03,300 --> 00:26:06,300
The other stuff is fantastic too, but you do need to do these things in every healthcare.

243
00:26:07,300 --> 00:26:11,300
I don't care if you're senior living in, you think that this is a burden of entry that I cannot achieve.

244
00:26:12,300 --> 00:26:14,300
That is incorrect. You absolutely can achieve it.

245
00:26:15,300 --> 00:26:19,300
We can get into the profitability of senior living or something along those lines later.

246
00:26:19,300 --> 00:26:29,300
But if you look at it, the typical resistance we see is that the nurses have to dispense medicines and so on and so forth, and therefore it's inconvenient.

247
00:26:30,300 --> 00:26:34,300
Great, I understand it's inconvenient, but there are tools that allow you to overcome that.

248
00:26:35,300 --> 00:26:42,300
If you go into the clinic, you go into the hospital, those doctors are extremely expensive and they don't want to type in their 15 character password.

249
00:26:42,300 --> 00:26:48,300
And you know what, they don't, but they still have multi-factor on their devices. You can get there from here.

250
00:26:49,300 --> 00:26:50,300
It does exist and it's incredibly frictionless.

251
00:26:51,300 --> 00:26:52,300
So I will not accept your answer.

252
00:26:53,300 --> 00:26:55,300
Oh, sorry, I'll get off my soapbox.

253
00:26:59,300 --> 00:27:05,300
I would say that the most important thing to do right now is be aware and educated on your requirements.

254
00:27:05,300 --> 00:27:12,300
That doesn't mean that you have to read, I mean, I love to do stuff like that and read thick manuals looking for all the detail.

255
00:27:13,300 --> 00:27:24,300
But in every requirement, whether that's HIPAA, FDIC, financial, there is always a summary document of what's important, what to protect.

256
00:27:25,300 --> 00:27:28,300
And obviously that moves right back into the risk assessment.

257
00:27:29,300 --> 00:27:33,300
But ignorance is neither bliss nor an acceptable answer to not following.

258
00:27:33,300 --> 00:27:45,300
And it is difficult to say, well, I just didn't know, but those days are kind of going by the wayside.

259
00:27:46,300 --> 00:27:53,300
It's not acceptable to say you've had a clinic for 10 years or even two days and you don't know that you have HIPAA requirements.

260
00:27:53,300 --> 00:28:07,300
We find an easy way to do that and communicate to all those affected, which would be all of your staff, what is specific and measurable to them and why to Todd's point.

261
00:28:08,300 --> 00:28:12,300
Do you think a doctor will type in a 15 character password?

262
00:28:13,300 --> 00:28:20,300
No, but there is a way, but stressing the importance and the implications of not is just as important.

263
00:28:20,300 --> 00:28:25,300
Yeah. Two things briefly as brief as I can be.

264
00:28:26,300 --> 00:28:28,300
I know I keep saying that today, but it's how I'm feeling.

265
00:28:29,300 --> 00:28:36,300
Firstly, I think we'll try and have the summary of the security rule, the HIPAA security rule in the brief.

266
00:28:37,300 --> 00:28:39,300
So if you're listening now, it should be there for you.

267
00:28:39,300 --> 00:28:53,300
And two, there is so much that goes into what the best practices are and we've really touched on, I would say, probably two of them in this, the main one being that risk assessment followed by the MFA.

268
00:28:54,300 --> 00:29:07,300
And the reason we focused on the risk assessment is that as you start doing it, as you get through it, you'll see all of the rest of these items come up because a risk assessment is exactly the reason the rest of these items exist.

269
00:29:07,300 --> 00:29:09,300
Some of them may not be relevant to you.

270
00:29:10,300 --> 00:29:20,300
So reading through that security rule and trying to implement everything without knowing what you have is basically blindly running around the house, seeing if all the doors and windows are locked and then forgetting you have a spare room.

271
00:29:21,300 --> 00:29:25,300
It's very likely you're going to miss something significant.

272
00:29:25,300 --> 00:29:37,300
So start with that risk assessment. If you aren't thinking about MFA already, you 100% need to be and speak to someone about getting it implemented in whatever way can be done to streamline the business.

273
00:29:38,300 --> 00:29:41,300
But a risk assessment leads to everything else.

274
00:29:41,300 --> 00:29:56,300
And as you do the risk assessment, as you read the summary, you'll see how you can implement and update what's in place to make it more secure and to give yourself a better chance of not being breached or impacted by some of these events you're hearing about in the news.

275
00:29:56,300 --> 00:30:14,300
Yeah, now as I think we're probably closing out the podcast at this point too. So I had a couple of things that I'd add to that is as Matthew's talking about that ultimately what that leads to from my perspective is this also tallies off of what Anne was saying is you can't say I didn't know therefore I'm fine.

276
00:30:15,300 --> 00:30:21,300
That is not okay. That will not work for you. So you do your assessment, you start to figure out all the things that you knew you potentially have risks around.

277
00:30:21,300 --> 00:30:32,300
You need to build a plan. That's a long term process, right? And then after you've started to build that out, we refer to this as a security or a cybersecurity incident response plan.

278
00:30:33,300 --> 00:30:40,300
You should have a process that tests the plan. The only way to get better is to test it, right? You build the plan. Now you need to test it.

279
00:30:40,300 --> 00:30:52,300
And then the last item that I'll throw on here is we threw a lot at you in 30 minutes. I know that happens. If it doesn't make sense, there's people out there to help. If it's us, if it's others, go find the help that you need or read through the documentation.

280
00:30:53,300 --> 00:30:56,300
If you're like Anne, you love that anyway. So go do that too. That's always an option.

281
00:30:57,300 --> 00:31:04,300
I want to back Anne up here. I love reading that documentation as well. It's such a fun time. And I'm not joking.

282
00:31:04,300 --> 00:31:24,300
Well, it sounds like a lot of reading. So not for me. I'd probably reach out to CIT or like you said, anybody, there are people out there who could help you. Any last closing thoughts? This topic is so big and it might be something we need to come back to in the future.

283
00:31:25,300 --> 00:31:27,300
Anything else you want to share?

284
00:31:27,300 --> 00:31:45,300
Yeah, just yes, it's a big undertaking. It is not expected you'll get this done in a week. It's not expected you'll get it done in 12 hours. Give yourself time. Come up with a plan. Cut it up into bite sized chunks. Work with other people on your team.

285
00:31:45,300 --> 00:32:01,300
If you need someone to guide, we can help with that. Others can help with that. But don't think of it as a big thing that needs to be done. Break it down into small chunks that are possible. It is possible to get through it in six months to a year. It really is.

286
00:32:02,300 --> 00:32:10,300
But don't give yourself a timeline until you've read through it all. You've started to break it down like that. Take a breath. You can get that.

287
00:32:10,300 --> 00:32:39,300
I love it. That's kind of a beautiful way to end. Thank you, Todd, Matthew and Anne for joining us today. If you have questions, you need help. You want to know more about risk assessments or you need help testing, please reach out to CIT at info at CIT-net.com or head out to our website CIT-net.com slash podcast and join us next week with an all new episode.

