Bonnie and Ryan “Redhawk” McPherson, the co-hosts of popular radio show Atlanta’s Most Trusted Advisors, recently sat down with Donna Grindle to talk about data security. Donna is a Certified HIPAA Privacy and Security Expert (CHPSE) and her company, Kardon Compliance, works with businesses and medical organizations to provide complete data security and HIPAA compliance solutions. She began by talking about recent security breaches that many in the Atlanta area have heard about.
Donna: There’s a prolific hacker that found ways into several different medical practices using vulnerabilities that they stumbled upon. And they started holding things for ransom, not ransomware. They would actually say, “Look, I’ve got this data. I’m going to release it.” It was medical data. It hit all over the U.S. There’s some in Oklahoma, Missouri…. It’s largely orthopedic groups. Athens (GA) Orthopedic hit the news in August. And just last week, there was a story on WSB about the Peachtree Orthopedic too.
Bonnie: Is that a common way for hackers to send a ransom letter, like they’ve kidnapped somebody?
Donna: It’s happened before. There must have been like 18 practices or so that were involved in this. Some of them were small with around 3,500 patients. But these were two of the largest ones, and we just happened to be right at ground zero of it.
Ryan: And these are small practices who probably thought that this was not important to them. Or maybe they did or didn’t have the resources or the know-how to do that. So that’s maybe where you step in and educate and inform them about how important it is.
Donna: Yes, I do. We try very hard to educate people. We have a weekly podcast, “Help Me with HIPAA” where we educate people on concerns of data breaches.
HIPAA Isn’t Just for Doctors
Bonnie: And it impacts more than just medical offices too. I’ve always been fascinated by the fact that business associates also have to comply with HIPAA. And business associates are anybody that has access to the information for medical offices, so your health information, your social security number, anything like that that needs to be protected by a medical office. Think about it, an HR firm, a law firm, an accounting firm …anybody like that also has to be HIPAA-compliant. I think a lot of those businesses have no idea.
Donna: KPMG’s just put out a report, and their study shows that business associates just aren’t prepared to meet these guidelines. They were particularly looking at HITRUST cyber security framework. And that’s just like a stepping stone to meeting your HIPAA requirements.
Bonnie: Do you think it’s just because they don’t know they need to be compliant or that they are playing the odds and assuming that no one’s going to come after me?
Donna: People think they’re doing what they’re supposed to do, and they have no idea. In fact, I speak often at events. And I have just heard recently somebody say, “Someone saw you at a conference and said that I needed to talk to you because they were shocked. Everything you were saying, they weren’t doing. Yet, they thought they were doing HIPAA properly.”
Ryan: So no one was there to look over their shoulder and tell them they weren’t.
Donna: Well, they don’t understand what it really means in a lot of cases. There’s a lot of assumptions. And there’s the technology piece and the privacy piece and the breach notification piece. So it’s a lot bigger than people realize.
Identifying the Need
Ryan: So we know that a business may need help once they’ve been breached. How does the business know when it’s time to call someone like you to do a safety check or look at their systems to make sure they’re working, ideally before they are breached? You don’t want to wait until you’re attacked and then set up your defenses. So what are some of the pain points a business may be experiencing so they know it’s time to call you?
Donna: We’ve started hearing from law firms primarily because their clients are saying, “Hey, I want to know you’re going to protect my data. Tell me that you’re going above and beyond, and about the efforts that you’re making, so I can trust you.” And outside medical, that’s going to start happening, and that’s going to begin to grow. I can assure you that the more you hear about your information and you think about the business information that law firms have and accounting firms…. So we get a lot of that.
And you’ll actually start to realize people are requesting this from you as well as, of course, medical providers. A business associate is anyone that, in order to provide services to the medical industry, requires persistent access to patient information, known as protected health information in the law. If they require that in order to do their job, then they’re business associates. So if you fall under that, you need these kinds of services, or you have to be doing it yourself. And then, of course, there’s the fear, uncertainty and doubt. But I don’t use it in marketing. I just tell people, “Listen to the news, and you’ll know you need me.”
Paper Counts Too
Donna: It’s not just about electronics. It’s about paper too. We say, “Don’t forget about the paper.”
Bonnie: That’s part of what we wanted to talk about today. It’s just the idea of protecting your documents, whether they be electronic or paper for any business. A big thing with accounting firms is the effort to create a ‘paperless environment.’ But I have yet to see a truly paperless environment at any firm whatsoever. I guess part of the challenge is knowing what documentation you need to keep for a period of time, how to store it, and the things that you have to store onsite versus offsite. As you work with your clients how do you talk to them about protecting their documents and what they need to do?
Donna: Well, the shredding companies, they come in, and they have to lock the bins. People are putting the paper in there all day so that you can shred it, right? If you leave it unlocked, what’s the point of shredding it, because I can just get it whenever I want. And let’s just say that cleaning companies can go in there, and they’d just grab a stack every night. And you can sell that stuff for a lot of money.
Ryan: Yeah, corporate espionage, it’s real, ladies and gentlemen.
Donna: Identity theft. Medicare fraud.
Ryan: All that. And identity theft is everywhere now, not only online but at the workplace, at home. And there are cases where people are finding pharmacy records in a dumpster. And then you don’t even know you’ve been breached. So this affects us all. No matter how young or old or where you live, you need to take precautions in protecting your identity.
Donna: And the pharmacy should have never put them there, because they’re required by law to securely dispose of things. But then there are other cases where they think they’re securely disposing of things, because they have a service. And then the service lets them down.
Bonnie: I was actually talking to the person who was going to be our second guest today but wasn’t able to make it. He runs one of those services, and he was talking about how in some cases the business puts the boxes in the van, and it drives away. And the business owner feels confident that that information is being shredded, when in reality, it’s being dumped in a land fill somewhere.
Donna: Yeah, the cheapest way.
Bonnie: Therefore, all that information is out there and available. So vetting and getting referrals and looking up comments and references on any company that you’re using is very important, I would think.
Donna: We encourage everybody to vet anybody that you’re going to give access to confidential information. If it’s for shredding, then you should make sure they take their work very seriously. And we do that for all business associates. Ask them questions so you can understand their compliance and security programs. And if people start pitching a fit, that’s a big red flag.
Bonnie: Or “You don’t really need that proof” or anything like that.
Donna: “I don’t know why you are asking me this. No one else does.”
Bonnie: Well, maybe it’s because no one else is looking into it as much as they need to.
Donna: That’s right.
Risks are Everywhere
Ryan: And what we’ve learned from past shows about cyber security is that you could be a soft target. For example, evildoers will come into your flower shop. And then they’d use that as a launching point to go out there for more information. Whether you’re paper or internet-based or a medical practice, you need to take precautions for sure. You help all businesses? Or do you have any particular businesses you like to work with at Kardon Compliance?
Donna: Well, our core business is healthcare, the covered entities that provide care and payment and the business associates that support them. There’s a new law that’s going to go into effect in January unless somebody stops it. It’s basically a HIPAA-like law for the state of New York for financial firms. So law firms, financial firms, they’re going to start seeing this. And there’s the definition of the critical infrastructure. And health care is part of that. And financial and power. There’s a huge list of those. And there’s actually a National Cyber Security Framework that was published in 2014 for all these companies to standardize their cyber security planning.
We can take any company that wants to be part of the cyber security framework. So if you’re a law firm and you have power companies or you work with the Department of Defense or you have health care or any of those other things, as a law firm, you might not be a part of it. But your clients are part of it. And then you need to follow those same rules. The Office of Inspector General just came out with a report that was quite critical of the enforcement of HIPAA, because they’re not forcing people to do these things. And one of the points that they made is the National Cyber Security Framework should be merged in with HIPAA.
And with health care, one of the questions I get is why do people want this data? They’ll go in, and they’ll grab all 500,000 patients they can get on a database. And then they’ll sift through that looking for important things and different ways they can use it. Let’s say you’re a pediatrician, and unbeknownst to you, the grandfather of three of those children you treat is the CEO of a major defense contractor, and they’re trying to hack into that defense contractor. Well, if people aren’t serious about security, what’s the likelihood of them having a password that involves their grandchildren’s name and date of birth?
Ryan: Probably about 88%. People commonly use stuff like their pet’s name or their kid’s name for passwords. So you don’t know who you’re connected to. We’re all out there on so many channels. And they’ve already got more information from another breach here and sell it. And before you know it, they’ve got a full profile on you.
Donna: That’s a big piece. We were talking about paper here. But you need to destroy digital files properly as well. There was a piece recently on 60 Minutes, I think, CBS News where they went into a reseller of copiers and they bought just random copiers to see what was still on them. They got tons of medical records, because people are copying medical records, and they’re sitting on the hard drive. They actually have one where they opened it up, and there was a piece of paper still in the thing. All of those had tons of data on them. And there’s a whole warehouse full of them. They just randomly picked them and got all of that.
Bonnie: Wow, so refurbished computers are probably a goldmine… I can’t even imagine all the information that’s on those things.
Donna: Yeah, there’s nothing that tortures me more than somebody saying, “I got rid of that computer.” How?
Bonnie: So how do you know that your digital files have been properly destroyed? I’m a Mac person, so just dragging them to the trash and emptying the trash is not sufficient, I would imagine. So where do you find out this information? Or how can you learn this?
Ryan: Well, you can follow Donna. She’s a speaker and a blogger. And she is also a podcaster. So, yeah, tell us how we find that all out.
Donna: Well, on “Help Me With HIPAA,” we discuss a topic like encryption or how to vet a business associate and all of those kinds of things. So every week, there’s a 30, 45-minute conversation. And it’s me and my co-host being goofy most of the time. Many people say, “I cannot believe I’m learning about HIPAA and actually laughing while I’m doing it.” We usually record a couple of weeks in advance. I was just listening last night. The sound engineer had finished editing our scary HIPAA stories Halloween episode, where we go through a haunted HIPAA house.
We teach you those things, and we often have links to resources there to help you learn. There’s definitely a lot of links that we offer based on the particular episode, so whenever you want to you can go and search our podcast. We just released our 75th. There’s a lot of topics there. And then, of course, having a cyber security awareness program at your office is really important. And there’s a lot of ways that you can build them: you send an email or every time you have a staff meeting, somebody talks about security awareness and understanding phishing, spear phishing versus this other thing.
But when it comes to things like properly shredding the computer files, it’s going to depend on how the systems are configured and what security is in place. So it’s important to have someone that understands those things even in a small business.
Bonnie: So training is part of this and making sure that anybody that works at the pharmacy knows not to just dump the records in the dumpster or whatever that might be.
Donna: It’s the people, people; that’s what we say.
Ryan: It is the people, people for sure. But no matter what your industry, you’re Joe’s Tire Shop or you are a medical supply company, you need to take precautions. And you need to check in. How often should a business be reassessing their infrastructure or their security? A couple of times a year, or is this a monthly thing?
Donna: I use the standard that they put in the HIPAA language, which I think is appropriate for everybody. That says you should do a risk assessment, a risk analysis of what can go wrong in my company, at least annually. Now, the law doesn’t force you to do that. But I believe at least annually, but you should also do it anytime there’s a major change in your business. I’m going to put in new computers. Okay, how am I going to secure those? How am I going to get rid of the ones that I’ve been using to make sure I’m not putting it in a refurbish bin? I need to evaluate that. Or move into a new office, we’re expanding our office. Like in a doctor’s office, we’re adding a new provider. We’re adding new accounting. How does that change our workflow? And how do we not leave a hole in our security? So you should do that. Whenever there’s a major change, think about security. And then at least annually, sit down and think it through. And then we say, what would you do if there was a fire at your office tomorrow? You come in, and everything’s gone. What do you do? And you start from there.
Ryan: That brings up another point. What about the employee who leaves who maybe had access to all of these records or passwords? Do you have to then go change your system?
Donna: Yeah, we recommend that you have a termination checklist. You have an onboarding checklist to make sure you don’t over-share the security with the new people. You don’t want to just give them the keys to the office and the alarm code the day they start.
Ryan: Checking in whenever there’s changes not only in personnel, but in the workflow, and then checking annually if your business is growing and all of that along the way.
Donna: Yup, just rethink it all the time.
Planning for Catastrophe
Donna: You know, in small businesses often, technology is, “Hey, when did we buy that computer?” “Three years ago. It should still be working.” And so often, what happens is you just use it until it dies. And you’re not actually evaluating what’s going on with that equipment. And imagine if I took all of your computers out of your office, Bonnie, just took them away. You can’t use them. How long would it take you to rebuild your office and get everybody functioning again where you would feel like you’re under control if I just took them away? Even with your backup, and even though you understand it and you prepare for these things.
Ryan: Well, you would have to go buy all new computers. You’d have to get them all plugged in and updated and ready to work. Is that something you think you could do internally? Or would you have to turn to a third party to help you rebuild? Because business still has to go on. You know, you can’t let your clients know. This is all internal, and you just got to do it.
Donna: There are cases where that’s happened. Everything was gone. So it does happen. When you’re doing disaster recovery planning, think of the worst possible thing that could happen and don’t assume it won’t. You have to tell the public. You have to tell the people involved. And you have to tell your customers when you’re a business associate. And that’s why business associate breaches are so massive. According to the HIPAA law, any time there are breaches of over 500 patients in a single breach, you have 60 days to report it to all of the patients in writing. You have to do a press release. And that’s when we get to hear about it in the news. And then you also have to notify the Department of Health and Human Services. And then they post it on their website. That’s why they call it the “wall of shame.” Although, you know, HHS, Health and Human Services, they don’t want us to call it that. But come on. It’s catchy.
Ryan: If your office is on there, that’s probably not a good place to be. But maybe you then rectify the situation. You put better security in place. You know, you’ve gone through the pain of being breached and being shamed on the wall. So maybe those are the ones you trust more, as opposed to ones who’ve never had these troubles. Because you’re going to be possibly breached at some point if you’re a business. Identity theft is on the rise, so you have to be prepared personally and professionally.
Donna: They say there are two types of businesses, the ones that know they’ve been breached and the ones that don’t.
Ryan: Yup, so which one are you, ladies and gentlemen? You can call Donna Grindle at Kardon Compliance to find out if she can help you or perhaps knows someone who can, making sure you’re shredding your documents, cleaning your hard drives, and storing those computers and files properly. So let’s get some coordinates for you. What’s the best way if somebody wanted to reach out to you and your company to find you?
Donna: Well, you can go right to the website. There’s a little contact click. That’s a great way. And you can call us at 678-292-5001. And you can always email us firstname.lastname@example.org. And you can hit me on helpmewithhipaa.com. Pretty much, you’d find me on Twitter @KardonHIPAA, @HelpMeWithHIPAA, on LinkedIn. I’m everywhere.
Ryan: All right, we encourage you to check out the podcast as well.
Every business owner should be taking the risk of data breach seriously, whether your office is fantastically high-tech or takes a totally old-school approach to records management. To learn more, you can contact Donna or listen to the topics that interest you on her collection of podcasts. And of course, you can hear more details if you listen to the entire episode on the RadioX website.