Jerrod Bailey 00:03
Welcome, everyone, to the Risk Management and Patient Safety Podcast presented by Medplace. We're excited to bring you conversations with top risk and patient safety thought leaders from organizations across the country. Please subscribe to get the latest news and content, and if you found value from this episode, please share it with your colleagues to create some meaningful dialogue in your community. Also, if you're interested in participating as a guest, please email us at speakers at Medplace.com. My name is Jerrod Bailey. I'm going to play host today. I'm the CEO of Medplace, and I'm joined today by Tim Walsh.
Tim Walsh 00:41
Thanks for having me.
Jerrod Bailey 00:44
So Tim Walsh is the Chief Technology Officer at Medplace, and his purview is really sort of everything technology here, including building the product and the platform that drives the different services that we do. But Tim, I guess as part of that, you have security as a responsibility, and that's really what we want to unpack today. So we just want to unpack the topic of cybersecurity within healthcare. There's been some headlines; there's always headlines, it seems like, with security breaches going on in healthcare. Some of the ones that we've noticed this week were the New Jersey dialysis center and neurosurgery practice that faced some cyber-attacks, and we saw some things going on at Taylor Regional Hospital and East Tennessee Children's Hospital, both recovering from cyber-attacks themselves. So, I don't know, what do you think? What's going on right now? And what are you thinking about, being responsible for security within healthcare? And what are you seeing some of our clients and hospitals and carriers wrestling with these days? That was really a lot of questions all at once. What do you think? What are your thoughts as to all the security at once?
Tim Walsh 02:03
Yeah, I think the way I and a lot of other security people think about security is, it's a little bit of a weird analogy, but kind of like a nut that a squirrel would find. And so the way this analogy works is that the harder the nut is, or the harder it is to crack, the less effort a squirrel is going to put into going about and trying to get the meat out of the nut. And so attackers usually work in a very similar way, in that a lot of times they're just probing the internet, they're probing areas that could be high risk, or areas that could be underinvested in. And so my background, actually, I previously did work with PCI in the higher education space, also with startups. So making innovation securely, making sure things that are changing have all the ducks in a row. And something that is similar with both of these is that a lot of times hackers will target schools and hospitals, because they know that there's sometimes underinvestment in IT resources, or there are things that are still being rolled out that are going to take some time. Especially when they find out about some type of vulnerability, they move really quickly, and they try every night. They see what's weak, what they can kind of get into quickly.
And so that's really a lot of our approach to designing and security as a whole: how can we create the most secure, hardened outer layer of our application and what we do, and make sure that it doesn't seem in any way, shape, or form like an easy target, because that's usually where hackers will continue to investigate.
And then we actually partner with some best-in-class providers, such as Heroku. And we have a security partner, Silent Sector, that can actually do simulations of these attacks and let us know, hey, this is how far an attacker could actually get. And so being really proactive. And so this is coming from more the tech, Silicon Valley type startup world, where that's all we think about, security in tech and things like that. And I know for a lot of hospitals, that's not how they're built and how they run.
Jerrod Bailey 04:17
Sometimes they've even had that resource or that expertise in house. A lot of times...
Tim Walsh 04:21
You have an IT staff that is responsible for many, many things, and that might include security in some capacities across different people. And so what I saw in some of my previous work is the universities were often targeted because they had a similar profile to hospitals: they had a smaller IT staff with a lot of responsibilities. Sometimes they're even responsible for making changes, and so they have access to things there. And so a lot of times, hackers and malicious parties will just look for just that: what's the profile of someone they were able to get into, and then they'll find similar people. And so you'll see that with, I believe it was the New Jersey dialysis center; they mentioned that there are more attacks happening on the smaller groups now and fewer attacks happening on the enterprises. And that kind of follows that line of thought, that the attackers would probably see now that there are IT initiatives and cybersecurity programs happening in some of these bigger groups, and so they're having less success. And so they're pulling away and looking for different nuts to crack.
So now they're trying all these smaller centers and all these local facilities and saying, alright, what can we get there, what can we get out of it. A lot of times, with hackers, they don't actually know what their end goal is; they're just looking for what they can get access to and what they can do from there. And so they're trying everything and anything, just seeing what threads they can pull on. And just making sure they can't pull on anything is a great way to start building your program, and making sure that they don't look at you as an easy target.
Jerrod Bailey 05:58
Okay, well, that's hard for small hospitals, clinics, and others who don't have the resources. We can just talk about things that are accessible, or things that they might consider, or maybe just talk about some best practices that we use that we think might translate to those who don't maybe have a lot of IT resources. So, I don't know, what do you think? Are there any tips or things from the best practices? And maybe we can focus on some of the stuff like interactions, like when you have to share information externally, because obviously we're doing a lot of external peer reviews, a lot of external case reviews for claims purposes, and things like that. So how a company opens up and shares PHI with third parties may be the place to go. But I don't know, what do you think, where do you want to start? Yeah.
Tim Walsh 07:05
So I think, yeah, for us, what we've done, and what I think is a good starting point, is having really locked down and really defined file sharing and access and purging procedures. I think that's where we've seen a lot of potential issues on the HIPAA compliance side in terms of not maintaining good compliance, not adhering to the principle that if you don't need access to this anymore, you should be purging, or you should be making sure that you don't have that access, so you're not exposing yourself when that's no longer a function of what you're doing.
And I think the other piece there is making sure that there's, we call it at Medplace how we manage the files, kind of like a file lifecycle. So we think about when the files come into the practice, or come into the review, when they're utilized, when access is needed, and then when a reasonable purging lifecycle should take place, when a file should be removed, so that we're maintaining as small a footprint as possible and we're maintaining a compliance standard. And so even for smaller organizations, where maybe you're only sharing a few files every couple of weeks, or it's in different ways, just having a process around that so that it's easy to keep track of how that's being managed. We use partners, again, for this. So we use Box and we use Ambra to help with uploading directly into the cloud and viewing directly in the cloud.
Which I know is another hurdle that some groups have to get over, which is just how can you both receive and manage the files securely, but then also share them with others and make sure they can access them securely. And both Ambra and Box have built into their platform secure sharing and viewing, and even expiration functionality. So this link only works for a week, or only works for 60 days. And setting standards and erring on the reasonable side of how long you should have access is a good starting point. A lot of systems can be set to false, so you can kind of set it and forget it and just know that every 60 days, you're purging.
Jerrod Bailey 09:12
Yeah, I mean, I would say that the way I see imaging studies shared the most, even today, is DVDs and CDs get created and sent out in the mail to people. And if you want to just stop that practice, you can look into tools like Ambra. They've got individual accounts that you can get, and people have to authenticate in order to actually view these things in the field through the browser. They don't have to download them.
I think best practices there are as far as just how you're creating access, but then being able to automatically revoke access. I know some carriers have done tens of thousands of case reviews with doctors all around the country for years, for decades. That's a lot of PHI floating around machines, people's laptops, and you don't need to do that anymore. And there are all these tools that you can use to just sort of stop that practice automatically and never have to worry about that. And then automatically, if you're purging, you're doing other things. Now, some of this stuff is not part of HIPAA, right? HIPAA has sort of the guidelines, and we've all sort of been conditioned to, like, if I'm checking all those boxes, then I'm safe. But we're still seeing hospitals and others end up in headlines for these different practices. So, any advice there? Is HIPAA the place that we should still be?
Tim Walsh 10:43
So HIPAA is definitely top of mind as a compliance framework for us. But we also think about other frameworks as well. So how are other industries setting their standards, and how does that apply across the whole cyber industry? And so we also look at the PCI standard; I have some background there, kind of in finance. I mean, that's a good set of standards for really any product vendor to look at. And so that's what we've done, and that's what I know a lot of other vendors in the tech space have done: look at what's a reasonable, but maybe better, standard that we could adhere to now, and then that way we're ahead of the curve. I know for a lot of groups, a lot of hospitals, a lot of IT
organizations, having a strong cybersecurity education program is actually a very powerful defense line. A lot of these attackers get in on a very, it's kind of a domino effect of an attack. So they'll get one piece of data from one really low-level attack, and then they'll use that and keep leveraging what they have to gain more and more access. And some of these can start with something as simple as a phishing attack or an account compromise, and then from there it becomes a very problematic vulnerability. And so making sure that everyone in your organization has also been properly educated and understands what to look for, and what not to do. It's an almost counterintuitive one, because it seems too easy. But a lot of times people's laptops getting stolen is the start of an attack, or people's accounts having six characters and no special characters, no numbers, just a really basic "it's my cat's name" something like that password. And then things start to snowball from there. Yeah. So making sure, really across the board, is one of the small things you can do and one of the big things you can do.
And we've oriented around a cybersecurity roadmap, in addition to all of our other roadmaps. So we're updating our product in its own roadmap, but then as an organization, we have a set of goals and standards we're looking to hit at certain timelines; some of those are a year or two out. And so just making sure we can move in that direction. And that might be helpful for smaller groups: today there aren't resources, or there's not an ability to change everything, but we can start moving some of the pieces, and then we can start getting those things set up. We're looking for vendors to help.
Jerrod Bailey 13:16
There are some things that we've been doing, from just remote, in how you just sort of manage security from an awareness and education perspective that I think are really necessary. Like, every week, I think everybody's seen this, it seems really common, the "hey, the CEO just texted me" thing. My employees will get a text that looks like it's coming from Jerrod, right? It's coming from a number that they wouldn't actually even recognize, but it says something to the effect of, hey, I need you to call me back right away. And then the attempt is to lure you into taking some kind of action, and you're giving up a password or buying gift cards, and all sorts of things. It's just very, very common, because you can automate the entire thing, right? And we have a Slack channel where, if anybody gets one of those texts or one of these phishing attempts, they'll post on the Slack channel, just as an alert, and then other people say, yep, I saw it too, I saw it too. And now within a couple of minutes, we've got a general awareness that there's something going on, and somebody who may not have been paying attention is getting some reinforcement that they need to have their head on a swivel. But also, just getting together every month as an entire company and going through a security audit. What does that look like? And how viable is that for a company to do? Right?
Tim Walsh 14:47
Well, we do have it, and so, yeah, it's pretty viable. I think at a certain scale, obviously, that becomes probably not, once we get to maybe 50 or 100 people we'll have to rethink that. But I think, similar to how we talk about ourselves as being a product company, so everyone in the company works on the product, it doesn't matter what your role is or your function, we want your input and your feedback and your hand in the mix as we're building the product. And we think similarly about security, in the sense that every employee, and everyone who works for your organization, is part of your security team. And so you can either bring them into that, and you can make it a group activity, or you can say, hey, there are members of the team who don't know, and they're vulnerable, and they can potentially fall into these attacks. The tricky part about this is usually the people who have all their time and energy dedicated to security are not the people who are going to fall victim to security attacks. So I didn't even get the "CEO texted me" text message, because they usually don't go after, they're not going to go for the CTO, because they know I know. Sense of urgency is number one, asking you to do something or asking you to log in or send money.
So I know all the red flags. But they're going to look for an operator who's very busy: they've got a full booked day, they've got a bunch of calls, they've got a bunch of reviews that they're managing, they come into the office, and from that moment to the time they leave, they're heads down, busy getting things done. Those are the people they want to throw off their rhythm; some attacks make them think that this is just part of their workflow, just part of the normal. And so one of the easiest things to do for these is just check authenticity. And that's why phone numbers have become such a hot vector of attack, because there's really no way to authenticate a phone number. There are even attacks, they're very complicated, but you can get a phone call from your own phone number, where it looks like your phone number is actually calling you. It's very strange.
But that's why a lot of the internet's moved to browsers and URLs and email-based communication, because all of these things have what's called an SSL in the mix. And SSLs have another agency involved to distribute that and say, hey, we've verified that this website is actually owned by this group, that this is not malicious, and that it's a safe organization to work with. If you're ever on a website that looks strange, I always look at the URL, always double check that the base of what's in the browser looks the same. If you think you're going to Facebook to log in, make sure it actually says Facebook when you're logging in, that it doesn't say something else. That's a very common attack: just copy Facebook's login page, and then send it to someone and say please log in, and then you've accidentally sent your password to that person.
Jerrod Bailey 17:46
Yeah, yeah. It's just a ton of social engineering. And that's kind of where the battle is being waged most commonly right now. I know when we get together and do our monthly all-hands security stuff, it's pretty simple, but it's effective. It's: what are all of our systems that we've got where we collect PII or PHI, right, and you want to know which one has which, and who has access to the systems? And how has that changed? How have those resources or systems changed in the last month? Right? Just asking those three questions is really powerful. It's like, oh, because the IT guys don't always know what's going on, you could have a team member that could say, well, actually, I had a contractor work with us that just left, but they had access to, name the system. And that probably wasn't on IT's radar, so we should probably revoke access. And you make it a working session, where you're looking at access and things like that. Just that basic best practice can probably be done across teams within the company, and then if there are tasks or actions for IT to take, they can be aggregated there; they're bottled up. So I'd like to think that it's scalable, but it's definitely best practice. And I think you shouldn't be shy about keeping all of your employees involved with that. It just keeps their awareness top of mind. It doesn't have to be long; once you get into a rhythm, that session could take 30 minutes.
Tim Walsh 19:20
I like the rhythm we have of both going through personnel, so who has access, and then systems, so what access do we have that someone could be given? There have been a couple of times that we've thought of something going through both of those approaches. And then we even have the third category, because we maintain our own application and our own product: we'll talk about system changes there, and making sure those are all documented. But yeah, documentation is always key. And I think that meeting is a great approach to just make sure everything has been accounted for in the past month and make sure we're making progress on our roadmap.
Jerrod Bailey 19:57
Yeah, it's great. I think some of the other things I think about when it comes to security, and again, I'm thinking more of how information is exchanged externally, because I see a lot of breakdown there. But just some best practices I think are probably worth mentioning: we'll work with a lot of teams that are working with physicians externally, or nurses, that are providing some kind of review of different types of things, and they're giving them some set of charts and medical records. And often that person isn't even contracted properly, like legally contracted. And then there's very often not a BAA involved, or something like that, because it's already hard enough to get a physician to give you their time, somebody that's not employed by you, to get their time, get on their calendar. To actually require contracts and things like that can be particularly difficult.
So, as a best practice, if you're not using a vendor like a Medplace, or somebody else that's serving as the go-between making sure that gets done, it might be a harder thing to solve. But if you get certain things into DocuSign and make it really easy to deliver those things, you'll find you get a lot better uptake when it's just a tap, and you're now properly protected from a legal perspective. So yeah, if you're not using DocuSign, or some kind of electronic signature platform you could put in, and you're having trouble or know that you're not getting these doctors to properly engage as a contractor, that might be some low-hanging fruit to implement.
Tim Walsh 21:40
A lot more of the file-sharing providers are going into the digital signing space, just because they're seeing such overlap in the workflows. So Box just rolled out a product like this, where if you already have some files stored in your Box environment, you can also incorporate signing workflows. So I know for a lot of groups it's an immediate win, because they're storing a lot of these things already, whether that's before they're signed or after they're signed, in Box. And so this kind of just closes that loop.
Jerrod Bailey 22:09
But Box was like a consumer brand. Are we supposed to be afraid of those things, or what?
Tim Walsh 22:15
So Box, they have the consumer brand, that's kind of their foothold end of the market. And then they have a number of enterprise offerings. So we use their HIPAA-compliant offering. They used to have a DICOM solution, which they've now deprecated. But they have a couple of offerings that offer levels of both file security and storage and things in that feature set, as well as different controls around what the type of the document is; they have some that allow for tagging and qualifying files as being high risk, or having tax information, things like that. So depending on what your workflow is, Box has figured out how to make a lot of money on solving these problems. And so that's a great partner to work with; they've spent a lot of money and energy and resources in building out this really secure enterprise stack. And they're one of the biggest nuts to crack in the security space. So they've really spent a lot of money maintaining that.
Jerrod Bailey 23:18
Yeah, so they're spending a lot bigger budget to shore up these issues than a small clinic could ever know.
Tim Walsh 23:26
But they're doing it for everybody, as opposed to...
Jerrod Bailey 23:29
Wow, that's a great thing. Another area of security that people don't think about is with automation. Automation, in my mind, if it's done properly, shores up security holes, specifically around the social engineering stuff. So the more that you're requiring humans to do things, either they're making mistakes, or they're not, for example, looking at a validated URL before engaging with a website and giving it a password and things like that. The more you're automating things, I think the more opportunity you have to shore things up. A really good example is what you mentioned earlier, like your purging policies and what your vendors' purging policies are. So I think that's a big problem that we hear: not knowing what questions to ask the vendor that you're engaging with, that is now taking responsibility over, let's say, your ePHI. And if your vendor doesn't have automation around that, if you're not automating any of that part of your relationship with the vendor, you might find out that you're amassing a large mountain of data risk sitting somewhere in someone's cloud that they're not paying attention to and you're not paying attention to. I don't know if there are any questions that we should be asking our vendors when we're engaged with them, or if we're sort of questioning whether they have a lot of access. I don't know, does anything come to mind that you'd want to ask?
Tim Walsh 25:02
I think it's become pretty common for vendors to provide what's called a security white paper. So kind of a "this is what we do," almost like a brochure of how they're secure. If you think about a lot of brick-and-mortar businesses, this is pretty common; they have almost like a pamphlet that says, hey, this is what we do, this is how we provide this level of quality and assurance for you. You go to a Firestone and you look at a thing about tires, it's got a whole bunch of information. Something similar like that, that you can kind of qualify: we're a company, we manage files, we manage maybe tax information, and we manage this, that and the other thing. You should have really well-defined reasons why you're taking that information, how you're securing it, how you're maintaining access as long as needed, and then what the end of that lifecycle looks like. This is again, I have a little bit more background, or I came from a background of PCI. And so this is also something we talked about, the file purging and things like that; they also have to maintain a sense of financial record purging. And so I know for them, one of the harder to manage standards is, there's a general standard of seven years of maintaining a financial record. So you don't want to purge it any sooner than that. So making sure you've got a good system to track it, and management
Jerrod Bailey 26:20
stays within the policies of purging or not purging.
Tim Walsh 26:24
And then also evaluate for your business: well, do we actually want to adhere to seven? Or do we have a reason to go beyond that? If we do, can we actually defend it, if we stick to that as a standard? And so I think a lot of times with these kinds of best practices, one of the balancing factors is how accessible it is. So you gave a good example, the file purging, and that's really mapped to a workflow that already exists. So we kind of designed that, it's almost secure by design. Another one that a lot of people listening are probably seeing is IP whitelisting, and blacklisting is another kind of approach to this. And that's actually usually a little bit more of a high-friction workflow, where a group will say, okay, we only want these URLs to come in, or we think these ones might look malicious. And then that one usually leads to a lot of confusion, because people don't know what's going on: why can't I access the site, what's happening there. And so that one is a little harder in terms of a one-year rollout, because you need to both inform users, this is what we're allowing, this is why, and then this is the appropriate way to request an exception: we're working with a new vendor, we need to add them, this is all okay, this isn't an attack or anything like that.
Jerrod Bailey 27:36
Ideally, you're also adding vendor-specific URLs, not sort of broad access to larger applications and
Tim Walsh 27:47
things like that. Exactly. You want to think about what represents you and your integration with the workflow, as opposed to the broader uses which someone else could compromise and maybe use to do something malicious.
Jerrod Bailey 27:59
Great. Well, I heard a lot of good stuff here today: just how teams work together on their cybersecurity policy and sort of raising awareness across all of them, getting BAAs and other things signed with smaller vendors, even as small as a contractor physician doing work for you, using tools like Ambra to be able to share out, or Box for that matter, to be able to share out HIPAA-sensitive information to third parties without actually giving them any information, and we can revoke that back. Did I miss any other tips, from those big ones?
Tim Walsh 28:39
The only other one we touched on was, if you can restrict download, that's one that we found to be very helpful. So in line with this sharing, if you can share only a browser-based link or a resource, that is just inherently more secure. And then inherently the file purging is all on you as opposed to both parties, because once they download it, now you have to verify with them that they've purged as well.
Jerrod Bailey 29:03
Great. Well, Tim, appreciate you joining me today. It's always good to unpack this, especially since it's top of mind for everyone. It's getting worse; the arms race continues to escalate, right? So we all have to be top of mind with cybersecurity. If you guys heard anything that you thought was interesting that you'd like us to unpack, let us know in the comments or reach out to us at Medplace. If you'd like to come and join us in this conversation and unpack some of the security implications for risk managers and hospitals and others in the healthcare space, by all means, reach out there as well. But otherwise, thanks for joining me, Tim, and we'll see you on the next one.