Proactive Cybersecurity in Healthcare with Joe Gellatly #inch360'24

3. Joe Gellatly
===

[00:00:00] Welcome to the Cybertraps podcast. I am Jethro Jones, your host. You can find me on all the social networks at Jethro Jones. The Cybertraps podcast is a proud member of the BE Podcast Network. You can see all of our shows at bepodcast.network. And today on the show we have a special interview from the INCH360 conference.

That's the Inland Northwest Cybersecurity Hub. They put on a conference each year and I have the great fortune of being able to go to that conference and interview a bunch of people. So that's what you're going to hear on this episode. I hope you enjoy it. And if you want to learn more about INCH360, go to inch360.org.

All right, welcome to the Cybertraps podcast today. We are here on the beautiful Gonzaga campus for the INCH360 conference and we have Joe with us from MedCurity. Joe, why don't you start out by telling us about what MedCurity is and why you started [00:01:00] and what it does.

Of course. Thanks, Jethro.

So MedCurity serves healthcare. We have hospital and clinic clients across the country and we help them assess their risk, especially when it comes to data breaches. So, we find the high-risk areas and help them monitor and manage that risk all year. And the intent, of course, is to reduce the occurrence of healthcare data breaches and help them really serve up and firm up their privacy and their security programs for these healthcare organizations.

And why did you see that as an area that needed support? It seems like there are laws to prevent that stuff from happening. So, you know, that should be taken care of, right?

Yeah, there are laws. They are, and they actually hold up pretty well. They're good laws. HIPAA has been around for a couple decades, right?

But it actually is still very relevant. And often when you dig into the failures that cause a data breach, there were very clear requirements just in the generic language in HIPAA that would have [00:02:00] potentially prevented that from occurring. But what we saw is that, of course, healthcare organizations are focused on patient care, on provider retention, on billing, everything else.

This was always priority five or six for them, and they know it, right? So I had conversations. I've been in healthcare for a while, had conversations with executives that would say, "This is what wakes me up at night, because this is what I don't get to work on during the day, and I know it could put us under if something happens here."

So working in this area, I found that a lot of the measurement and tracking and documentation was done on spreadsheets. We tried a couple tools, trying to find something that worked well, but it was clearly an opportunity for a software platform and a team of experts that could help them give visibility to where their risks are, to keep their compliance straight, so they had something to show the federal government if something occurred: "Hey, here's everything we were doing to try to prevent a breach." But ideally, practical steps to take to limit the risk of a breach for these organizations.

We needed to put it in front of them, have it something they could look at all year and see improvements as they invest [00:03:00] in this area.

And it's important for them to be able to show the government that they are putting things in place, because most people don't think about this, but there are insurance policies and there are things that, quote unquote, take care of the financial burden that comes from these kinds of things.

Can you talk a little bit about that and help us understand how that kind of stuff works? Because nobody really talks about that much.

Sure. Yes, absolutely. So there are a couple pieces there. The Office for Civil Rights enforces HIPAA. So when we're talking about healthcare specifically, the OCR will come and investigate after a data breach.

And they will ask for your security risk analysis, which is: were you, on a regular basis, looking at your risks and working to lower them? So, are you protecting patient information to the extent that you can? And so we help them capture that data and document it. But 90 percent of the time that there's a big penalty (we see these penalties that are issued by the federal government against [00:04:00] hospitals or healthcare entities), 90 percent of the time they didn't do an SRA in the last couple of years. They weren't able to present that. So the OCR has made that very clear. They want to see that.

Cybersecurity insurance is critical at this point. But again, the insurance providers, the carriers, are saying we want to see proof that you're doing the basics.

You're fulfilling your responsibility to protect patient information. And so same thing. Those are the areas we look at together with them. And we find gaps. There's always something to work on, and it's always a journey, but helping them document and always work on the highest risk areas as we continue.

I appreciate that. And that's an area where having a security risk assessment can, like you said, seem like a low priority, like we need to make sure our patients are taken care of first and then maybe we can get to that. And in today's day and age, it seems like you really need to make sure that that's happening, because that's part of how you take care of your patients.

What do you say to that?

The mission for us is to bring [00:05:00] clarity and competence to their privacy and security programs. And clarity comes first, because it is this unknown area for a lot of entities. And unfortunately, a very common pathway to working with us comes from a breach occurring.

Many of our customers have experienced a breach. They had to do the press release, they had to do the letters to the patients, and they had to do the very expensive cleanup afterwards as well. And then they've got the federal government saying, "Hey, where's your security risk assessment?"

Prove that you were working on this. Where are your policies? Where's your training program? All of that. So it is something that comes up sometimes out of necessity because of an event. But we do work with groups that are very proactive. They say, "Okay, it's a requirement under HIPAA. I will do this, but also it helps me invest proactively, which is a lot less expensive than reactively after an event." And so we love that. We love getting to work with organizations that are just looking to do the right thing and have a real clear picture of their risk, so they're not over-investing; you don't want to be a small clinic spending [00:06:00] tens of millions of dollars on a really advanced cybersecurity tech, right?

So part of the art of this is finding the right level of investment, the right level of risk acceptance, and risk mitigation as an organization.

Well, I'm glad that you went there, because that's another thing: there are a lot of things that you could do that would completely protect you, but they may not be feasible for cost reasons, they may not be feasible for technical ability, they may not be feasible for a number of different reasons.

And so how do you make those decisions about how much risk to allow? You know, for example, I take my daughter to the doctor, and the doctor comes in and swipes his badge to gain access to the computer and logs out as soon as he leaves, and there's never a time where that computer is open with anything that I could access sitting in there.

And that may make sense at a specific hospital, but it may not [00:07:00] make sense at another clinic that I take my kid to. So how do you determine that and make those decisions?

Such a great question, and it plays into our daily conversations with our customers. With the example that you give, access to a workstation.

So can we invest in a badge system, a single sign-on system, a system that locks when our eyes aren't looking at the screen, so we look away and it locks? We see great solutions. But if you're not there where the investment makes sense yet, then you're going to just train staff: we lock our computers when we walk away, we unlock them when we come back.

And eventually you reach a size where maybe, if it's physician-owned, they say, "I'm tired of entering my password this often, but I know I need to. So I'm going to invest in badges now to make this more efficient." So it ends up looking like a maturity curve of an organization. We spend a lot of time looking at that, because we get to work with groups all over the country.

So we can say, "Hey, in the one to 50 employee range, you know, this is a little more at risk for you. These are things we could solve without a major investment." [00:08:00] Almost across the board, there's a first step we can take. Maybe it's more training related. Maybe it's more manual. Maybe you have vendors sign in on a piece of paper because we're not buying a vendor management system yet.

So in almost every area, we have a starting point and then you have this evolution as you grow, as the budgets change and you're looking at risk along the way. We have some national standards. We have some other elements we can work in to try to evaluate where you are on that scale. But when it comes down to it, there's a bit of a dark joke, or a way to look at this: you don't have to outrun a bear that's chasing you, right?

You just have to run faster than the person next to you. And it feels like that in cybersecurity right now. We just don't want to be an easy target. We can't invest in or necessarily afford all the latest tech. But we don't want to be an easy sitting duck. And so, just knowing, relative to the size of your organization, how do we start putting controls in place?

Well, and I like your examples there, that, you know, it could be something that is a paper-and-pencil kind of a thing, that that is a piece of security, and [00:09:00] somebody could easily lie on that and write down a different name or whatever, and there are always ways to get around anything that you put in place, and so being able to know what all those options are, and what is possible, and what is acceptable, especially for your size and investment level and all that.

I think that's really valuable. And that's something that I think a lot of other organizations need to think about as well. And you know, HIPAA is unique because you're dealing with people's health information. Schools are unique because you're dealing with kids' educational information. But even businesses that aren't serving those two industries still need to think about that stuff as well.

So in closing, how can people learn more about MedCurity and what you all do?

Well, you can find us at MedCurity.com, and we're happy to talk about and answer any questions in this area. We love serving the communities we serve, and so if there are just general compliance questions or security questions, we're happy to talk to anybody.

But MedCurity.com, and of course we're on LinkedIn. We've got a great newsletter that [00:10:00] comes out every two weeks with security updates and awareness, because we want to support our customers in having education to share with their staff, right? So if you don't invest, at least we feed you information you can disperse.

So, those would be a couple of ways to get a hold of us.

Excellent. Thanks so much for being part of the podcast and for being part of INCH360. Appreciate it.
