Effect of COVID-19 Crisis on Healthcare IT Security

Listen to learn about the effect that the COVID-19 crisis is having on healthcare IT security policies and procedures.

SecurityMetrics Podcast | 2


In this episode, Meagan Elguera (Corporate Communications Manager) sits down with Jen Stone (Principal Security Analyst, CISSP, CISA, QSA) to discuss:

  • Added pressure and stress covered entities may face during times of crisis
  • How using telehealth for treatment affects privacy and security amid COVID-19
  • Review of the recent bulletin from the OCR on Civil Rights, HIPAA, and Coronavirus

Resources:

https://www.hhs.gov/sites/default/files/ocr-bulletin-3-28-20.pdf

SecurityMetrics HIPAA Guide: https://www.securitymetrics.com/lp/hipaa/hipaa-guide

SecurityMetrics PCI Guide: https://www.securitymetrics.com/lp/pci/pci-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Effect of COVID-19 Crisis on Healthcare IT Security

Hey, guys. Welcome to the Security Slopes podcast. We are coming to you from the Silicon Slopes in Utah.


This is Megan. I'm here with my co-host, Jen. Hi, Jen.


Hello, Megan. I'm so excited to be here today for our very first podcast.


Me too. And I am excited because I get to interview you about many interesting topics in the security world, including things like HIPAA security.


Which is one of my favorite topics.


I know. You are quite the expert. And No. I thought this would be a good topic for today, especially in light of what's going on with the COVID nineteen coronavirus.


Yeah.


It's really hitting the health care system.


And it sucks. It's this whole COVID thing is it's not just bad for the health care system. Well, I mean, if you're trying to do security on top of a crisis situation, it's really tough. So I think it's important topic for today.


Right.


So we just wanna say that we are taking all the precautions we can as a podcast.


And as you can see, we're distancing ourselves, and we're trying to be compliant with those recommendations.


So Yeah.


We might even be more distant. I'm in our office podcast studio today, but we're actually setting something up in my home office. So in the future, not only are we gonna be distanced like this, I might actually be staying at my home. So, yeah, keep an eye out for that. Could be fun.


Jen is gonna be our host and our guest today. She's my co-host and a guest.


So, I mean, that's kinda weird. Right? That's Yeah.


With the crisis, I mean, we wanna, you know, we try wanna get a third person, but we also wanna limit everything. And she's, like, two in one. She's a host, and she is a security expert. Jen, do you wanna just start by giving us a little background into your security?


Yeah. So I've been here at SecurityMetrics for, I'm gonna get this wrong. Is it four years now? Is it I don't know. I started in IT back in the nineties. And when I moved to security from IT operations, it was the best thing I ever did. I have more fun at this job.


Love security. It's like, solving a new problem and getting to see new systems and new people every week, remotely now.


But it's, I find it a lot of value in it as well because, the more virtual our world gets, the more potential there is for security issues. And, what I really like about what I get to do is, talk to people who are not other security professionals, although I love them too. But a lot of the merchants, a lot of the, practice managers, a lot of, health care providers that also have to be security people, they don't they are great at their jobs, but they don't know computer security. And expecting people to be, security experts, it's unrealistic.


So, my favorite thing is to try to break it down so that it makes sense and it doesn't have to be super technical, but you can know enough to ask the people who are are putting the security in place for you the right questions to make sure if they're doing the right things or not or are aware of some some security concerns that might be, specific to their industries. So, yeah, it's a it's a super important job and and something that I enjoy a lot. So happy to be here.


Brilliant. That's awesome. So I think in some ways, you're sort of like a translator for a lot of people.


And we just really need that, I think, right now. I think communication and miscommunication are just so crucial, especially with security.


And now we're talking about health care, you know, actual people's lives are concerned.


Yeah.


So, anyway, regarding health care and security, we can jump into that unless you have any other tidbits you'd like to share.


I mean, I got chickens last night. Can we talk about that before security?


We can always talk about chickens.


Megan, I got little chicks. I got, like, twelve little baby chicks last night, and they all survived the night. I was so happy.


So some of us come to IT from different directions.


My undergraduate degree was animal science. I was always a farm kid, but, computers are awesome. So this is this is my career path. But it's as much travel as I usually do for business, I can't usually have creatures at home.


And so now that, you know, at least for the foreseeable future, we're not doing that kind of travel for a while. I was super excited to get back to my roots and get some chickens. I'm looking for a milk goat too. So, you know, it it it could it could turn into a tiny little farm.


I'll keep you posted on the chickies. Do you wanna talk about HIPAA security, though? Because I think that's why people actually are following this.


So Well, if we have to move on from chickens, then I have a list of questions that I would love to get into.


And I think our list would be helpful for our listeners.


So first of all, let's start with the basics. What is HIPAA security? What does that even stand for?


Oh, okay. So HIPAA security is a law that, I'm not gonna give you all the the the gruesome details. We can get really deep into exactly how HIPAA happened and what what, all the the details are about. I mean, maybe in a future podcast, but let's just kind of look at it high level right now.


HIPAA Security that we look at so HIPAA, as a law the parts that we care about are, privacy, security, and breach. There's a lot of other stuff that have to do with HIPAA.


The it's a it's a pretty broad law. But as a security professional, I really have a narrow focus on HIPAA, and that's the privacy, security, and breach rules. So the privacy rules is like what you're allowed to do with people's personally identifiable information related to health. And that's called PHI, protected health information. It's information under the law that is is protected by the law. Okay?


So, the security rule is specific to electronic PHI, so ePHI.


So we have privacy says how you're supposed to use the information or not use the information or disclose or not disclose the information. Right? Depending on different things. It's the privacy of people's health information and demographics related to their health information.


The security rule is ePHI, electronic PHI, has to be protected in different ways from the physical.


And the reason is that electronic information is easier to scoop up and use and fraudulently in a lot of different ways than maybe the physical is. There's there's I don't know if maybe not easier is the right word, but there are, technical security rules that are specific to electronic information. So that's what the security rule under HIPAA is about, protecting ePHI.


Okay.


That makes sense? Cool.


So who has to comply with these? I'm assuming there are requirements related to the law and, as far as the, like, entities that have to comply with them. Right. Who does that include?


So in general and we can also, in a future time, get really deep into it. But from a high level, we usually talk to covered entities, business associates, and health plans. A covered entity is, anyone who does the actual treatment and sends electronic billing information.


There's specific electronic transactions that happen that make a covered entity a covered entity. And so these covered entities are the ones that that definitely have to comply with all of the privacy, security, and breach rules.


Some of the rules are specific to business associates. But in general, covered entities need to assume that all of the privacy, security, and breach rules apply to them. And then there's the business associate. That's what I just talked about. They're like they're like service providers. They're people and companies that that help out the covered entity in a way that means they're going to interact with ePHI.


So covered entities have specific rules. Business associates also have specific rules, and those specific rules are all about how they protect information and who they report to.


So when if there is a breach, for example, covered entities have to report in a certain way to certain people in certain organizations.


And if there is a breach by the business associate, they have to also respond and report in in specific ways to specific people. So those are the two biggest groups that we deal with, as an as a company. Health plans, for sure, have to to fall under this.


But, we're gonna talk a little bit less about them because they're they're pretty big, and they have a lot of pretty good, lawyers and their own IT guys to help sort this out, where maybe a practice manager or a physician who's trying to make sure they comply with a HIPAA security rule, they might not have the resources that these other groups have. So that's kinda who our targeted audience is going to be today is some of the smaller groups who might outsource their IT, who might, be doing a lot of the work themselves.


So Got it.


So these are the everyday health care practices, doctors, any any any place that takes private information related to people and their health.


Right. And then bills using certain it's kind of so that's the super nerdy part.


And we don't have to get into that, but there's the way you send that information and you could, like fraud could happen because of the way you send these transactions.


That's a lot of the focus of of this law.


So in in addition to doctors, dentists, chiropractors, massage therapists, there's a lot of groups that if they bill in a certain way, they could fall under HIPAA.


Okay.


Got it. So I think what is on a lot of these health care providers' mind right now with COVID nineteen and coronavirus, in addition to taking over our lives in general, our personal lives, our working lives Yeah. It's affecting businesses.


But there's also that security aspect because many healthcare entities have to be open. They have to be staffed.


Yeah.


They have to be running. They have to be able to get their information.


So is this crisis affecting the security of these places?


Absolutely.


And like you said, so the health care providers have to be open. They have to be helping people who need help.


But maybe their IT service providers are scaling back. Maybe they're not on-site as much. So there's a lot of reasons why, security might be more affected by this COVID nineteen than, than without it.


So one is lack of the security personnel on-site or scaling back some of the bigger projects that they might have. And so that gives an opportunity for the vulnerabilities in systems to be exploited by by the bad guys. So that's one way that this could be affecting them. Here's another.


Phishing scams, where you open an email and click on something that you shouldn't click on or or open a a an attachment. These thing these phishing scams usually prey on a sense of urgency or fear anyway.


We're all under this COVID nineteen thing, and and there is so much anxiety about it. If you get an email that says, martial law was instituted in the United States, everybody's going to freak out because, you know, that's kind of a fear. That's kind of something that that is on people's mind. How is the government going to be treating it?


So then all of a sudden, our our fears and anxieties are amped up, and we're like, well, I'm going to click on that and find out for sure what's going on there. And then suddenly, you're off, you know, into getting inform or giving information or giving access to to a group through that phishing scam. So it's important to remember, even though we're all anxious and this is something that's gonna really trigger people, the the understanding that we need to stop and think twice about situations where in the past, we would just either go, oh, that's clearly phishing, or, I you don't have to know now about something that comes unsolicited into your inbox.


Right? Yep. So so that phishing scam is made worse because of this because anxieties are higher.


Yeah. And that one of the things I heard or saw circulating around and heard about was, like, the fake COVID nineteen map.


Yes. Yes.


The well So many people clicked on, and I know people Yeah.


I heard I heard friends who said they got, like, a virus from it on their computer.


Yep. Yep. That's that's for sure. And and the tricky thing about that coronavirus map is they actually use the real Johns Hopkins map visuals, so it looked like the real thing.


But it was an app that actually was it took that and made a bad thing out of it and then allowed malware to get into people's systems.


So Wow. So so people are like, well, then how do I get the information if I don't if I can't go get it, you know, and I can't trust anything?


Here's how the you can still get the information, but kind of reduce some of the potential vulnerabilities, reduce the risk around around that. And that is, alright. You want the Johns Hopkins coronavirus map? Go to the Johns Hopkins website. Go directly to the source of the truth first and then search from there. So so find these things from in a more direct path where you know that the website is good rather than getting a third party, app or or some third party website giving you information like this.


Okay. That's a good tip. Yeah.


So this is kind of a lot for the healthcare system Yeah.


In the security space alone.


Do you know of any other situations, like, we'd wanna be aware of, as I mean, most of us are patients ourselves Sure.


Or know someone who works in health care.


Right.


Well What should we look for in the for as far as security is concerned?


So one of the really cool things right now is that telehealth has been around and it has gotten started. There are a lot of places oh, and telehealth is like, I think it's a weird name for it, personally, because we don't really use telephones anymore. But it's that theory. Like, you are remote and you're finding out getting health advice remotely, they're calling that telehealth.


Okay? So if you want to be able to get, treatment, what they're saying now is don't go into the hospital. Don't go into your doctor if you think you have coronaviruses because I think is the what I've been reading. They're saying, hey.


There are these hotlines set up. You call there. You do some screening. Do you do some remote stuff first before they they take those next steps.


And in the past, that's been really here's why it's dangerous.


Yeah. Anytime you can remotely access information, you automatically have a higher risk than if you're doing something in person. Right? Because if you can, from your computer, log in somewhere and get to information about yourself on a database, depending on on the protections between you and that database, somebody else could do that too from a completely different country who has not your name, who's, like, is not even related to you. They can be like, oh, I think I could figure out what her credentials are, and I'm gonna log in and get that information. And then there's a lot of fraud. We can talk about the the details of what types of fraud people use, but but there's a lot of it.


Yeah.


So so that's why Yeah. I've heard you talk about that before. And so we're social distancing.


Mhmm.


Many people have to quarantine themselves. And if they're saying, like, kinda stay away, like, if you're sick and you can't and you also are trying to avoid the telehealth, then what what should they do?


So a lot of groups know that they don't have a lot of security in place to handle this right now, but they're but they're being told to do it anyway. And, fortunately, the Office of Civil Rights at the Department of Health and Human Services here's how we abbreviate that because that's a mouthful. OCR at HHS. OCR is the enforcement arm of HHS for HIPAA security. Does that make sense?


So the OCR released an email about this, just recently. When was it? I've got it on my laptop. Hang on a second.


Okay. So March seventeenth, which was yesterday from us taping. I don't know when you're listening to this or or watching it, but, the email I got is from yesterday, my time. Now we're all time travelers. So and it was about empowering medical providers to serve patients remotely. And it's called the notification of enforcement discretion for telehealth remote communications during the COVID nineteen nationwide public health emergency.


I love how they name their stuff. It sounds so official. So they're they're like, okay. Look.


We're going to exercise enforcement discretion. In other words, they're not going to immediately go after people and fine them if, during this time of crisis, they're doing telehealth and information gets out. And then, you know, how do we normally go after a breach? So exercising discretion, though, does not mean they're going to be like, free for all. Anybody can do anything.


Security still matters. And so they're gonna give a little bit of advice in this email about, how to use it. So a covered health care provider that wants to use audio or video communication technology, can use any non public facing remote communication product that is available to communicate with patients.


So what does that mean? So non public facing I had to read this a few times because non public facing probably means a little different something to a security professional than it does to, I think, what they're talking about. So let in order to not get that confused, let's read through a little bit because public facing to a security professional just means if you can go somewhere on the Internet and log into it, that's public facing. Right?


But they're using it in a slightly different way. They're saying and they give examples. Under this notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. It's pretty wild that they're actually naming specific applications, I gotta say, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance.


So in other words, look, it's a good faith provision. We get that these are not entirely secure. We get that there are vulnerabilities. But here's a list of things that we know about that you could probably use, and we're all gonna try and get through this together.


This does not mean just go willy nilly and just try to be, like, insecure.


So providers are encouraged to notify patients that these third party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.


So does that I mean, does that make sense?


Like So, like, entities that are gonna use these third parties, like, what are your can you boil them, like, your best advice for them during this time?


Yeah. So don't just start it up and use it. Poke around a little bit. And if you have an IT person on staff or that you can call, ask them to go through the settings with you because there's always configuration settings that that well, not shouldn't say always, but usually, there's configuration settings that allow you to increase some security and and have a little more privacy definitions around what you're using. So at least look at that before you start using these third party things.


Okay. Now we know that there are some things that are just really not secure out of the box, and they name those in here too, which is, again, pretty wild. Under this notice, however, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing and should not be used in this provision of telehealth covered by health care providers or by covered health care providers.


So, they they they name some specific things that we know have some vulnerabilities that we know are are not going to be the best choice.


And the nice thing is that the whole list that they just did of things that you can use, those are free. You can there are free versions of things. So it it takes and allows communication without a strong added burden of, application costs. Right?


But Don't add your doctor on TikTok.


Yeah. Do not add your doctor on TikTok. That's a that would be wild. Okay. So, here here's the here's the the the real juicy part is and what I would say try and do this if possible.


Covered health care providers that seek additional privacy protections for telehealth, that should be everybody, while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements in connection with the provision of their video communication products. So that was kind of a dry sentence. And what they're saying is, there's companies out there that really work towards HIPAA compliance, that they get thirty part third parties in to assess their their applications and make sure that they can be as secure as possible and are willing to enter into business associate agreements, which is important because it means they're going that extra step of we recognize and take seriously your the privacy concerns that you have, and we're going to make every effort to to help with that.


The list below includes some vendors that represent that they provide HIPAA compliant video communication products and that they will enter into a HIPAA, BAA. So you know what the my favorite word there was in that sentence was rep represent. Because HHS OCR is not gonna say, hey. These guys are good.


They're gonna say, hey. These are the ones that say they're good.


Mhmm. Mhmm.


Hopefully, they are. Skype mention another Oh, I'm sorry.


Go ahead. Oh, sorry. You mentioned another acronym, BAA.


Oh, sorry. Yes. So a business associate needs to enter into a business associate agreement with a covered entity. So a BA is a business associate and a BAA is a business associate agreement. Is that Okay. Makes sense?


It's like a third party contract type.


Yeah. Yeah. Yeah. Yeah. Totally. A third party contract saying, hey. We too will keep ePHI private.


So here's that list of of groups that say publicly that they are HIPAA compliant and that they are will are willing to enter into a BAA. And that is Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts Meet. So, and then when they go on to say, hey.


OCR has not evaluated these. Again, this is, you know, self evaluation. This is the list that we found in these times of crisis. We're gonna give you a helping hand by actually naming applications we think you should try.


So, that's how the the, OCR, HHS are are trying to help out with the telehealth, problem.


Okay. Wow. Well, that is a lot to take in, but it does help alleviate fears, I think, and also help us all keep security in mind still even if you're in a rush or panicked.


Yeah.


You know, we can still be as secure as as we can, and we can all just work together, keep working together and get through this. So Right.


This seems like a good place to end. Okay. If it is for you. Absolutely. Anything else you wanna add? Make sure our listeners hear at this time.


No. I think we're going to try and put out some pretty regular podcasts that that should help people, not just about security in in the health care world, but, for PCI.


We do have a lot of experience with CIS and NIST, various, assessments, standards, and, regulations, different things. So, hopefully, that'll be valuable to people who are looking for information.


Yeah. I think this will be great. And before we go, if our listeners do wanna know any more about you personally or about HIPAA Security, where should they go?


Okay. So I'm on LinkedIn and Instagram. I do a lot of, original content there, and I link to the SecurityMetrics blog and original content. So we put a lot a lot of free information regarding security.


You could find me on LinkedIn, Jen Stone. There's probably several of us, but I'm the one in the black and white picture. I don't know if that helps. Anyway, search, try and find me.


And then We those.


Yeah.


What else? Oh, we could probably also put it in the yeah. In in the podcast notes. We also put out, a HIPAA compliance guide that I was a strong part of.


Do you have one of those with you right now? Hey. I have a producer here that can maybe hand me our HIPAA compliance guide.


Thank you, Hunter.


We have this guide. Thanks, sir. Super I'm gonna hold up here.


You can get this downloaded as a PDF off of SecurityMetrics site. I am super proud of this because I helped create this. So, it's, like, two hundred and seventy pages or something.


Lot of good information on HIPAA compliance, privacy, security, and breach rules are in here.


So Awesome. So is that free? Is the download free or is it does it cost?


The download is free. It costs something to buy the actual book.


Okay. A free download and we'll link that as well in our notes.


The, but the book oh, the book itself is fifty nine ninety nine. It's a great book, though. You should get it.


Alright. No. But get the get the download. Go to go to www.securitymetrics.com, and you can find it there.


Okay.


Well, I think that's it for tonight, from Jen and from me, Megan.


This has been the Security Slopes podcast, and we will see you next time. Bye.
