Speaker 1: You're listening to Your Practice Made Perfect. Support, protection, and advice for practicing medical professionals, brought to you by SVMIC.


J. Baugh: Hello everyone, and welcome to today's episode of Your Practice Made Perfect. My name is J. Baugh, and I will be your host for today's podcast. Today, we're going to be talking about cybersecurity in the healthcare arena, and to help us with this topic, we have with us Robbie Morris. Robbie, welcome.


Robbie: Thank you so much, J. Thanks for having me.


J. Baugh: Well, it's good to have you here. I know that this is a topic of concern to many of our listeners, and so we're glad that you're here to help us work through some of the issues with such an important topic. Before we get into the subject itself, why don't you tell us a little bit about yourself?


Robbie: I am a 20-plus year healthcare IT engineer, sysadmin, documentation, compliance, cybersecurity professional. I have been doing cybersecurity since before it was a thing. What I do currently is I'm a senior security manager for governance risk and compliance for C Spire. We are a large telecommunication company based out of Mississippi, but I'm in the business services unit, so I head up our HIPAA practice, essentially  auditing practice. I've worked throughout ambulatory hospitals, ambulatory surgery centers, long-term care, been in regulatory compliance for that entire time throughout the journey.


J. Baugh: We're certainly glad to have you here, especially considering that you've got 20 years of experience and you've dealt specifically with cybersecurity in the healthcare arena. Before we get into healthcare arena issues specifically, let's talk about it in a little bit broader context. Why is it so important to be prepared for cyber breaches?


Robbie: Obviously, everyone's heard of and hopefully not been impacted by ransomware. That's up 400% just in two years on infections and attacks.


J. Baugh: Wow.


Robbie: They're all just variants of the same code execution. Oftentimes, in healthcare with biomedical devices, some of those devices don't even have security controls, so literally anything that can be connected to a network and reporting up vital sign information from a patient, or logging that automatically into an EMR as such, that might not even have security controls in it. Now you have PCs that are connecting to the internet, potentially clicking on malicious phishing emails, that are bringing in some kind of threat actor along with the code that's impacting the same biomedical devices, so it can turn, it can get really, really serious really, really quick.


I'm not even talking about people's access to patient records. It's one of those things that once it has occurred, it might not manifest itself until a user's like, "Hey, my computer is running slow." Well, at that point, they could be in your environment six months, nine months, and you've not even known what's going on and what they've done. Not even talking about the regulatory compliance and the fine aspect of that, but it really does just get really, really serious, very, very fast.


J. Baugh: I think that's one of the reasons that we hear about it so much in the media, is because it is such a serious topic, and it's something that really does affect all of the different industries. Not just healthcare, but it affects a lot of industries as well in a lot of different ways. Tell us a little bit about what makes cybersecurity in the healthcare arena different than it would be for any other industry that someone might be dealing with when it comes to cybersecurity issues.


Robbie: Healthcare, it's a huge target for a multitude of reasons. Billing, number one, and that's a huge deal. X-rays or blood results, things that are health-related; those have a dollar, a street value that someone can absolutely monetize. Where there's money to be made, there are going to be bad people trying to take advantage of those opportunities, whatever the medical setting is. It's very collaborative in nature. If there's a lab test, that there's another physician referral - whatever that case may be - it's present in all of those environments.


Consequently, you have a connected environment. Oftentimes, they can jump from one environment to another environment, really easy. When you jump from one network or one device to another, what they attempt to do is to gain access and compromise as many as possible in a short amount of time. In that healthcare environment where you have patient records on a file server, perhaps, or in the EMR or other billing system. Whatever it may be, and maybe that's all outsourced, and maybe you've got all these different network connections. Well, these threat actors can jump from device to device using the legitimate tools on the device that's installed already there.


J. Baugh: In the healthcare industry, when it comes to cybersecurity issues, you not only have the importance of the information, which is pretty obvious. But then you also have the interconnectivity of the information from device to device, user to user, that sort of thing. Then on top of that, you not only have the importance of the healthcare information, but then you have, like you said, billing and other financial information as well, so it makes healthcare entities a real target. I know you have experience with HIPAA-required healthcare security risk analysis. Tell us exactly what that is and how it affects healthcare providers.


Robbie: An SRA is the acronym that always gets attached to that. That is a review of an organization's processes, procedures, and controls. Maybe it's bringing on a new billing vendor, so you're going to build an application interface from your EMR to that billing vendor. Well, what happens if someone decides that that billing vendor's not the right vendor anymore? That the application connection gets disconnected? Well, you need a process in place to make sure those kinds of things don't fall through the crack, because invariably what you would be doing is sending all of this patient added to you no longer do business with, so that is a direct violation.


But in going through an organization, when you think about there's employees, there's employee handbooks, there's business processes and procedures, of course, all the technical, the technology controls. An SRA, a risk assessment, literally looks at all of that. Just like within a lot of cases, if you don't have it documented, then it's not being done. A risk assessment is literally at a review of that type of documentation that can span all of those components. When you think of HIPAA, there's a privacy rule, and the privacy rule was directly responsible for defining the standards to protect that patient information. It created the environment that you've got to protect. It defined all those definitions.


Of course the security rule, and the security rule is your technical safeguards. It said, "The first part of the rule said here's what you got to protect, and at a minimum, here's some of the things that you have to do to protect it." Now, the way the law was written is kind of specifically, there are some components that are called addressable. And the definition of that is, well, we're not telling you exactly how to do it, but you've got to do it because every environment can be so different. The law was not intended to be exactly point A to point B telling you what you're supposed to do. A risk assessment literally walks through all of those components. What I do and what's different now than it has been historically, we follow the Office of Civil Rights. Every federal agency has got their own law enforcement group called the Office of Civil Rights. That's who does the investigations for Health and Human Services now.


They have published protocol of what they're going to ask you when they come in. So literally, from a practice - and it doesn't matter what the size of organization - the care setting that you're in, there is no excuse from the federal level when you look at that and go, "Well, we've told you for 20 years what to do, and we've told you how we're going to come in and ask you these things." When you look at that SRA breakdown, it can be mind boggling, but the analogy, how to eat an elephant?” Well, I wouldn't, but if I did, one bite at a time.


So looking at all those components, pulling all the documents in the SRA. And then checking did you satisfy that particular portion of the requirement? Yes or no or maybe? Or it's not applicable, because it could be a couple of those things, but you just walk through that whole hierarchy in your organization what that looks like.


J. Baugh: You mentioned earlier about the importance and the propriety of the Electronic Medical Records. There's a lot of information in a patient's EMR, and most people do not want that information made public, right? They expect that to be kept private by their healthcare provider. With that being such an important part of cybersecurity, how does a practice ensure that they're following all the necessary precautions that they need to follow in order to keep that information secure, because that is exactly what patients expect from their providers?


Robbie: Don't overcomplicate the technology you're using with your user base. What do you do to ensure that people are following all the rules? Well, conduct an SRA, because if that's done thoroughly - a thorough SRA - you're going to know what you're not doing correctly and where the gaps are, and performing cyber testing. If you don't know what the bad guys - how you're susceptible to them - the one way to solve that is to do a test, be that a penetration test, a social engineering, like a phishing simulation.


There are a number of things that you should do to just take the litmus test of where your environment sits and examine all that use of the technology in your organization. Training and testing is just huge. Phish testing, I mean, that's just so simple because everything now can look so legitimate, but it's not. And it can be done really easy to set that up on a schedule of just continuously pinging on your users to make sure they're not falling vulnerable to those things.


J. Baugh: You also made a good point about documentation, because that's something that we preach to our healthcare providers a lot is documentation, when it comes to providing medical care to your patients, but it's also important to have documentation about the security efforts that you make. Because someday, someone may be asking about that, and you can't create that after the fact. You've got to have that beforehand so that you can provide it to someone who might be taking a look at what's going on. 


You mentioned that you've been doing this now for about 20 years or so. What are some of the experiences that you've had, maybe some examples that you could share with our listeners, that would let them know what some of the real life security issues are?


Robbie: Sure. Organizations that allow people to have their own device that access their email from their phone, and then they go to the phone store when it's time to upgrade, drop the old phone, get the new phone, didn't wipe the old phone. The email's on the old phone, which means you just left patient information on the retail store counter.


Coke machines have a network connection now. Well, these machines can be plugged into the same network where important valuable information is stored. We've seen devices that are shipped from the manufacturer that don't have the admin passwords changed. It's their default passwords, so that means however many hundreds, thousands or millions of devices they manufactured, there's as many logs and handbooks that went with that that said, "Oh, by the way, here's the password to my device."


Sometimes, it's just overlooking things. Sometimes, it's people making mistakes, clicking on something. I've seen organizations have their accounts payable systems compromised and payments released from their home system to pay the bad guys. Not even the ransom, no. They're just directly transferring money to their account. This can go on for a period of time, again until it manifests itself. A lot of different types over the years that I've seen.


J. Baugh: With all of these different issues being out there that we've talked about, how do you properly plan and prepare a practice - a medical team - how can you properly prepare those people for the types of threats that we've talked about?


Robbie: Just like continuing education for clinicians, we've talked about phish testing. You train, train, train your end users. Training to be consistent throughout the culture of the organization in that security culture, not just when people are hired. It should be an ongoing thing because the technology evolves, so changes. As that does, so should your training. Back to the basics, the firewall, making sure you got the antivirus and all the things are up to date. Disaster recovery plans. Conduct user reviews with your HR department to make sure that everybody that's got an active profile is actually still involved here. Of course, make sure that your processes, your business process, you're documented and up to date.


J. Baugh: The people who are listening to this podcast are from a variety of different sizes of practices. We have some practices that are very large, and they are able to hire someone or maybe a team of people to work on their IT issues that they have within the group. And then we have some listeners who are with much smaller practices, and they don't have the resources. If I'm not able to keep an IT person on my staff, what advice would you give to be able to outsource those IT issues to a firm that would be able to help me with those issues?


Robbie: Given the fact that I do perform risk assessments for a living, documentation is paramount. That is something that when you're looking at hiring someone. It's like going to hire a builder. If you're going to hire a builder to build onto your house, you're going to look at pictures of what the work they've done. You're going to talk to the people that they've worked for.


J. Baugh: Yes.


Robbie: You're going to do some due diligence around those people. You do the same thing with your IT vendor. You ask to see the documentation examples, because if you ever decide to change vendors, then are you going to be locked in to the people that they're the only ones that know anything about your environment? No, not if there's documentation, because you hand that off in the transition. I would always recommend avoiding long-term contracts, not just in IT, but in life, whatever that is. I don't like being locked into something forever. I would absolutely talk about the IT support company's ability to be proactive, not reactive in their support.


J. Baugh: Oh, that's very important. Yes.


Robbie: Right, because you think about that, it's like it's a firefighting thing constantly if you're reactive. Well, if you're proactive, you've got some controls in place. You're looking at logs, you're doing those things. That's way different from vendor to vendor, group to group. I would also say experience in the same industry because if you don't understand the challenges that come with being in the healthcare environment, then maybe you don't understand the actual enormity of the job that you've got and the importance of that. I would absolutely make sure they've got cybersecurity expertise, because if they don't have some degree of security services that they offer, then you're not hiring the right people.


J. Baugh: Right. That's such an important issue that you need to take care of that with the firm that you're hiring, to not only look at IT within the organization, but also cybersecurity issues that come along with that.


Robbie: A lot of insurance companies make requirements on “Have you complied with the law to date?” So, that's a very important component of making sure that people have got this experience, make sure that their response times are defined. Because that's another element, "I can't get in touch with our guy." And transparency. I think that that's just a general rule of thumb of doing business with somebody you trust.


J. Baugh: Yes. As we bring all this to a conclusion, what are some last minute tips or advice that you would like to leave our listeners with?


Robbie: I've mentioned training, I've mentioned performing SRAs. Those are huge things. I would identify in any given environment - whether it's 10 users or a hundred users - identify the user population and the risk levels of the people that are using devices. Again, if you're only connecting with a mobile, an Android or an iPhone, you don't have the logs that you should have like you would on a Windows machine. That's a higher risk because you can't look at logs. I would identify the user population in my environment that has the highest risk of unauthorized access.


Absolutely use complex passwords, and change them often. "Letmein" and "password1" are not good passwords. You'd be shocked at how many people still use very simple things like that. "Oh, I've got to change so often, no, so I'm going to make it simple." No, no, no, because there are really easy programs to use that can guess your password, literally, and you can just launch it against something, and it can guess "password1" in about 30 seconds. Again, training end users because they are your first line of defense. And people do make mistakes, and people do overlook things. Understanding what your environment looks like at a high-level, identifying folks, and taking the steps necessary to help keep everybody safe.


J. Baugh: Well, we've heard some great advice and some great information here that hopefully will be of help to our listeners when it comes to cybersecurity in the healthcare arena. Robbie, we want to thank you for being here today.


Robbie: Thanks so much, J. I appreciate that.


Speaker 1: Thank you for listening to this episode of Your Practice Made Perfect, with your host J. Baugh. Listen to more episodes, subscribe to the podcast, and find show notes at SVMIC.com/podcast. 


The contents of this podcast are intended for informational purposes only and do not constitute legal advice. Policyholders are urged to consult with their personal attorney for legal advice as specific legal requirements may vary from state to state and change over time.