Listen to learn about the top 5 cybersecurity threats to the healthcare industry.
HHS recently launched its new 405(d) website to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the healthcare sector.
Donna Grindle of the “Help Me with HIPAA” Podcast sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss:
Resources:
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. And I'm very excited today to talk to Donna Grindle with Kardon and also the Help Me with HIPAA podcast and various other things.
I'm gonna let her tell you all about herself and about this great new program. It's actually not super new, but it's really starting to gain momentum, which is the 405(d) program that the US government, HHS, is putting together to help people who really need to figure out how to do this and where to get their start. Donna, welcome back. I am so excited to talk to you again.
For people who are unfamiliar with you, I would love for them to understand your background, experience, kind of why HIPAA is something that you're so passionate about. So if you could just kinda give us a rundown on how you got to here in your career, that'd be terrific.
Awesome.
Thanks for having me. And that was a very nice way to say, how does anyone get that excited about HIPAA?
Kind of a little bit. Like, some people don't even know that it's actually a really cool cybersecurity field.
Mhmm. Yeah. So tell me about it.
Well, as I often say when I'm doing course training classes with folks, I got my start well into the previous century.
That makes it sound so long ago. Right. Well, kinda was.
It kinda was.
You know, back when computers were this whole thing that you had to explain to people why you were even going into computers.
And then I somehow stumbled into working in health care, for a software company, starting in 1997.
So, so what you're saying is you've been in this field for a while now?
Yeah. Yeah. I've been doing this for a while. I wrote software to do private practice management kind of stuff, so billing and all that. But my key thing was electronic claims.
Okay.
And all kinds of data integration, because my one other gig before that was writing those cutting edge ACH transactions.
Mhmm.
So they're like, oh, you're doing this?
And what a lot of people don't know is that transactional claims is actually the foundation for HIPAA. People think that HIPAA is just the privacy related to health information, but it's actually not.
Yeah. HI doesn't even stand for health information.
Privacy, none of that is in there. I mean, the original, well, in 1996 when it was signed, and then you have people that'll talk about HIPAA, that they were doing a notice of privacy practices in 1996, and I'm like, that's impossible. We didn't have them then. Didn't exist.
Didn't exist. We didn't have them until the 2000s. So there's a lot of history, I think. Maybe I should do a history class on HIPAA. But because I was in that electronic claims world when they started talking about HIPAA, a key element of the administrative standards was, and still is, data standards. Yep. So ANSI, HL7, all of that stuff comes out of those standards.
And ICD, most people don't know when we switched to ICD-10. Mhmm.
That was under the HIPAA transaction code set standards.
Right.
And so a lot of what I was doing related to just that part.
And, as a, you know, as a wee child, I... So you were six years old when you were working?
Uh-huh.
I started. I was one of those.
But I had, you know, over the years, moved into other roles and not just the developer, but that is still to this day.
I can, like, the minute somebody's talking about how they're moving data from here to here and what different standards they're using.
And, you know, it's like, I wanna take some time off so I can go spend time learning FHIR.
I just... that F-H-I-R part. But those are the new standards.
And so that was really my thing. But by the time the company that I worked for, which back in the day was a company called Millard Wayne. It's a whole funny story. There's a lot of stories with that. But they were part of a big roll up in the mania stuff.
I was VP of the company when that happened.
And, you know, I'm a kid from a small farm.
I'm not suited well for a lot of things and middle management in a huge roll up of like, I think there were, like, twenty different companies that were all together, and I'm like, I'm not suited for this.
Nightmare job. Yeah.
Yeah.
I learned the hard way that it was also mine.
And so I went out on my own and officially formed the company Kardon. Kardon Group is the official company name.
K-a-r-d-o-n.
I am the Don.
But that's... what does it do?
Like, it's all related to the health care industry and data and security. Yes. So tell me a little bit more about what Kardon does.
Yeah. So when I went out on my own, I was doing this data consulting and helping people get data from point A to point B, and I was loving it.
And, you know, like anything else, you evolve with the times.
And so I was consulting with, you know, okay, well, all of these different... because that was the beginning. Mhmm. You know? 2003 is when the privacy rule came into play. Yeah.
And that's when we finally started seeing notice of privacy practices.
Yes.
And so I was advising people on a good bit of that because I was already in there learning things.
I'm used to reading those things, you know, manuals and guides and guidelines and then putting them into practice. It was just a normal, you know, progression for me because that was a need.
Mhmm.
And then in 2005, the security rule comes into play. So that added even more of a need because I've always been, you know, across the board in IT.
You know, I could build a network and write code and all of those things.
So I was just doing it all. And I've slowly then progressed into having a small business managed service provider company, and then it was really doing that and just, you know, a little consulting and trying to decide what I'm gonna do next.
Mhmm.
And then HITECH came out, which totally changed all the rules because it put teeth into HIPAA. Yeah. Which had never been there. Because when I'm teaching people to do it, I always love the question of, well, what happens if I don't do this security stuff?
Your patient's data gets exposed. Yeah. But what happens to me?
Because Yeah.
What's the driver behind why I should put time and money into HIPAA?
Well, basically, HITECH.
It's a big fat messin'.
Yeah. Until HITECH, it really wasn't anything that people were motivated to do.
There was no enforcement.
Right. Now there were a few good companies that actually took it to heart and said this matters. We care about our patients' data. There are still great companies out there where that's the driving force behind what they do: caring about the patient.
Yeah. Yeah.
It's my favorite. But for those who just wanna talk about bottom line, HITECH said, hey, here's how we're gonna hit your bottom line. And so occasionally, I'll get people say, alright.
Hey, we wanna look at HIPAA, but can we also look at HITECH? I'm like, well, those two are now inextricable. That is not... Yeah.
It's that you're not talking about two different things.
Changes to HIPAA.
Exactly. Exactly. So can you evaluate me for just HIPAA? That's not a thing anymore.
HITECH applied some real, real consequences to the HIPAA rules.
Yeah. Yeah. And it made it tougher. Yeah. Right? You know, it, like, locked things down and said, finally, oh, business associates, you really are liable.
Yeah.
You are separate and equally liable.
Mhmm.
And, by the way, the work you do makes you a business associate, so avoiding signing a contract means nothing.
Mhmm. Yeah. It defined who is responsible for patient data, and it doesn't let you wiggle out of it just because you're not gonna sign an agreement. It's tough. If you're gonna handle patient data for a covered entity, then you are a business associate regardless. And if you don't sign the paper as a business associate, that means you're already in violation and could already, you know, get some of these consequences. So I love that HITECH got put into place and put teeth into things because it makes the decision making.
Am I gonna spend money on the security control or am I not? You sure are.
Well, you know, but the thing is it's still that people go in there, and they're like, oh, there's this... that's the whole thing. To most people, what they heard when HITECH came out was million dollar fraud.
Oh, yeah.
Yeah. That was really all they heard. And, really, that's not it. No. No. That's, like, so far down the road of what you should be worrying about today.
But, thankfully, it was in place by the time things really did. I remember some... well, now the other little caveat there is that HITECH was signed in 2009, but it's still not all of it fully implemented.
Well, and so here's where it's different.
Mhmm. Laws and regulations take time to put into place. Right? This isn't a standard.
There's standards like NIST is a standard and CIS and PCI is a standard. There are standards that people can follow, but then the law is like, hey, lawmakers are gonna use kind of high level language, and then the rulemaking kinda solidifies that. But then to really know what it is, people have to violate it and then we get to hear about why settlements were big or small. You know, what are the things that are actually being looked for before those fines or settlements get put into place. Right?
Oh, it's so... you know, I try to teach business owners, because I spend a lot of time trying to educate the business owners, that this isn't about regulations. What this is is business risk management.
Yeah.
This is what it is. And we say, focus on protecting your patient data, your business information, your employee data, all of those things. And then you use regulations like, you know, the PCIs and the HITECH and the HIPAA, whatnot, to prove you're doing the bare minimum.
Exactly. Yeah. And do you know a lot of organizations have a pretty good handle on business risk management? There's some that just don't have it yet. But this is, you know, farther down the road on that. But where they still continue to struggle is third party risk management.
And what HITECH did was allow a pathway to really evaluate the business associates that a covered entity is using as part of their third party risk management program.
Well, not just that, but it also made it clear that the subcontractors of the business associates were business associates. Yeah. And that the subcontractor, you know? And so the tail continued until there was no PHI in sight.
Right.
And so you could be three or four links down that tail and not realize you're in it.
Yeah.
Just to finish on the whole Kardon thing, I eventually decided I was either getting out of health care altogether or had to go all in on HIPAA. Mhmm. I was going through that, and I explained, as, you know, a good business owner does, hire a business coach and say, you know, this is my challenge because I know the industry has not done this. They're not prepared. They don't understand. They're resistant. They fight every step of the way.
So this is gonna be a mess.
Yes. I know.
I am uniquely qualified to handle it. Yeah. It's gonna be a mess. And the business coach said, so what you're telling me is this big thing that everybody's gonna need, that you can do, Mhmm, in ways other people can't because of your background and all these different things, and you think you shouldn't do that.
So, uh-huh.
So you dove in head first. This is the thing that you just... And you know, not only do you have that business, but I wanted to mention you have a podcast, the Help Me With HIPAA podcast. I personally listen to every episode. You and David Sims do just a fantastic job on that.
And so anybody in the health care space that cares about security in the HIPAA space, they should be listening to you. Because this is not something where you just go and read the regulation and then you're done; there's constantly something coming out, and you're always talking about what is at the forefront of that.
Yeah. Our thing is, you know, twofold is HIPAA is not about compliance. It's about patient care. Yeah.
And this year, we're at... we started... so we're seven years, every single Friday. So we're about to record, in April, we'll come out with our 350th episode.
And there are some things that we need to go back and get rid of, that old stuff, but who's got time for that? Yeah. But most people are surprised that it's not boring.
It's not. It's actually interesting and funny.
No. People can't believe it. That's what most say: I cannot believe I laughed out loud at HIPAA.
Yeah.
But we are trying to educate and not make it a techie discussion, but also, you know, techie people need that information too.
They do. Yeah.
And non-techie people need the technical information that is not explained in technical terms. So we try very hard, always, to do that, and, you know, the regulations are not what we're worried about.
To us, again, the regulations are just the bare minimum. Right.
Right.
When it comes to security. So we are now more often talking general topics with a HIPAA tilt because, you know, even my company, we do help people build and manage privacy and security programs.
Mhmm.
And we're getting amazing stuff outside of health care, where you didn't even know companies did that.
Right.
You know? And they're small companies. You know? You start to get a thousand employees, and that's not what we're geared for.
You get under 500, you know, we've got some really good stuff, you know, but not the big corporations.
So we try to treat it like it's something small businesses have to do, and we've always been targeting that in what we've built.
But now, you know, there's the four of us, and everybody has a piece of the puzzle.
Yes.
You know, we got two nontechnical people, two technical people, and in different backgrounds, but they all fit together really nicely. So it allows us to be that adviser for all different types of companies.
Mhmm. Do you know, I actually got asked about that by one of my senior leaders here.
What is up with you talking to Donna Grindle again? Are we not direct competitors? And I say, no. Because what you do in helping small businesses build their program is not something we do.
Mainly because I don't have the appetite for that. So I am really good at going in and evaluating an organization, especially the bigger organizations. You know, the bigger the organization actually, and the more technical focus they have, I'm happier there. And so I'll go in and I'll evaluate where they're at against the regulations and some basic standards that are associated with that.
And I'll give them a report and walk away and understand that they're gonna have to go through their processes for fixing it. But a small company that needs that help, that real engagement on building that, that takes a certain patience level that I just admire in you because I don't want to do that. And so when people come to me and say, hey, we need help building this program, I say, I know exactly who can help you with that.
If you want an evaluation and a report so that then you can, you know, do your thing, based on your full security program, that's what I do. And not just me, but, I mean, I say I, but I recognize that there are, like, 25 auditors on my team. Right? It's not just me.
Yeah.
That's exactly it. So, I mean, we would come in and, you know, yeah, we do them because so many people come to us, and that's what they think they need.
Yeah.
And then they get it, and now they're like... there were a lot of people who cried. Yes.
When we gave it to them. And literally had somebody say, I look horrible in orange. Please tell me.
You know? And there's all of this stuff. So this goes back to, like, 2012, and we were still thinking, well, you know, we'll do some of the MSP. Mhmm. And this will just be an MSP that's really good at this.
But over time, by 2016, I'm really out of the MSP business. By 2018, we've gotten rid of all of that. Mhmm. And now everything we do, we've got the podcast. We do the HIPAA boot camp. We're about to do our very first privacy security boot camp, which is your fault.
And I'm so excited about that.
I'm excited. So for people who don't know, I was gonna mention the boot camp. This is something where you bring people in and have very intensive training on HIPAA, but there's going to be something very special this year. It's gonna happen in Louisville, Kentucky.
Louisville.
And so I'll make sure that the links are there if you're interested. But it is a limited set of people because, again, you're still going intensive, you're still focusing one on one and expanding it. But really growing from the boot camp. I think anyone in HIPAA, especially if you are a decision maker, especially if you are in IT and need to know why you have to satisfy certain things so that you can kind of tailor your program for that, that is the thing that needs to happen. So I'm really excited that you're doing that.
And we'll talk more about that after it happens because, yeah, they have invited me to go help with that. But the thing about these trainings is that you have to have a real focus: you want each person that you come in contact with to learn and grow and be able to do better the next time. And also, not go to jail, like you said.
That's the scary thing about regulations as opposed to standards. You know, for example, PCI, one of the worst things that happens is maybe they're not gonna let you process credit cards anymore. If you can't meet the standards, then it's a big problem. But that is a far cry from, if you don't meet the standards, you could go to jail.
That's Well, yeah.
HIPAA does have a referral to the Department of Justice element that has been used. And if you are found to have had malicious intent with your violations, I mean, there's all this legal copyright stuff, but malicious intent is the bottom line.
Mhmm.
If you knew what you were doing was wrong and you knew... then the question becomes what was your intent. And, like in so many things, if they believe they can show malicious intent, you can get up to ten years in prison, and I think it's a $250,000 fine or something like that. So, yes, there is that element, and people have gone to jail.
So I would say that the folks who are listening to us now are probably not the ones that have malicious intent.
No. Probably not. But probably actually trying to do their best. So don't panic. It can happen, but only... yeah. Malicious intent is different. It's not like, oh, well, we tried and still had a breach.
Although if you try and still have a breach, you're gonna have OCR come knocking at your door to figure out why. You know? We're gonna have a conversation.
You have to show that you don't have malicious intent is basically what you're doing. Yeah. That you are trying.
And so we spend a lot of our time when we come into a group, and even if they had just had your assessment, if it's fairly recent, we can work with that. Mhmm.
And, you know, add our little secret sauce to it.
But build that plan and then help them work the plan. Yeah. And that's the thing is you go, see you next time. Yep.
And we say, let's work the plan.
Plan. And, actually, you know, some groups want that. Some groups wanna know, tell me what it is. We have a cybersecurity program in place to meet these things, but that takes a larger organization.
It's typically not your smaller organizations. Your small to medium businesses are typically not that. Right? They need help because they don't know why they're not meeting the things.
That comes into another venture that David and I do. David, my cohost, David Sims, he's a managing partner. He's co-owner in Security First IT, an MSP in the Charlotte area, and my cohost on the podcast, and we do the podcast and the boot camps together.
And we have a project that's kinda gotten away from us, and we're totally rebooting it. We're, like, any minute now, hopefully, got all the reboots ready.
So, hopefully, you guys don't have a falling out because you've got so much good going on for the people in the HIPAA community.
Yeah. Well, you know, we've been at this for so long. We're work spouses.
But you live in very separate areas.
Yeah. We're very much alone, very different.
Well, so the other thing now, with David involved, the reason that I asked you on this show, and we haven't even talked about it yet, is 405(d).
Yeah. So, well, let me finish. We did HIPAA for MSPs.
Okay.
So HIPAAforMSPs.com. You can go there. And what a big piece, because you were just talking about having your own cybersecurity crew, you know, internal. Yeah.
Most of everybody else is gonna have an MSP. Yeah.
Yeah. And MSPs need to understand more than they do today.
Right. There are a lot of managed service providers, even managed security service providers, that don't understand the specific needs of HIPAA. And so groups that are relying on an MSP, if they personally don't know enough about HIPAA to be able to put into the contract, put into their agreements, here's what I need you to do and here's how I need you to do it, the knowledge has to be somewhere.
So if it doesn't rely... Yeah.
Internally to the organization, it has to be with the MSP. But you have to know enough about HIPAA to know if you can rely on your MSP or not. Right?
So even when you do, here's my favorite example.
And I'm sure that when I tell you this, you'll be like, it's probably happened to you. You're talking with a business owner of a small business, and you go, do you handle disaster recovery? And they say, yeah, IT does, meaning my managed service provider. They handle it. You know, you have a business continuity, disaster recovery, and so IT handles it. You go to IT and say, what's the DR/BC?
And they go, we just do the backup.
Right. And a lot of people don't know that there is a wide gap between having a backup and being able to fully recover from a disaster. Yeah.
And so it's these kinds of gaps in understanding that... That's where we fit.
Exactly. And you help kind of put those things together. So, oh, so 405(d).
Yes. Just moving on. I know that was like a real hard turn in this direction, but, you know, some days are like that.
Not really, because it goes back to health care being the worst.
Yes. So why did they develop 405(d)? You know, they had HIPAA.
They've got HIPAA.
Where does 405(d) come from?
Why does this... is this just another standard? Tell me about 405(d). What was the need for it? Who's putting it together? How are you involved? I know that's a lot of questions at once, but I believe in you, Donna. Yeah.
Let's see if I can keep them in order. But the Cybersecurity Act of 2015.
Yes.
And it had all of these elements in it, primarily focused, in the first part, on building a cybersecurity program for the government, which they basically didn't have.
Yeah.
And it created the Cybersecurity and Infrastructure Security Agency, which eventually came from that. There's a lot of other things that came from that.
CISA, you know, that's the piece that helps all industries.
But in that law, there was one sector sectioned out. Nothing besides government and federal programs to build something, which we didn't have back then.
Mhmm.
And we're still trying to build it. You know? It's huge.
And then health care. Health care was down here under this miscellaneous 405 area, Mhmm, which required an evaluation of health care cybersecurity standards because health care was already under such attack.
And, you know, 2016 is when it got, like, in my time frame in my mind, 2016 is a turning point where it got really bad. Right. That's where we really started seeing the ransomware attacks and all of those things.
So had we been doing all the HIPAA stuff prior Right.
We'd have been way ahead of the curve. Clearly, that didn't happen. Nope. So under 405, there were several elements, and item (d) was to create these recommendations.
They're not a regulation. They're not a requirement, but it's to align cybersecurity efforts in health care, excuse me.
Aligning those cybersecurity elements in health care to try to get this disparate sector, Mhmm,
Which is, what, like, a third of the economy depending on how you calculate it.
And it's so it's massive.
And to try and say, hey.
These are the things that we should be worrying about in health care for cybersecurity.
It has nothing to do with HIPAA. It has nothing to do. It's completely optional.
So it was a pretty big task, Yeah, to come up with something that's completely optional, meets the requirements of the whole sector, can adapt to all the different sizes and types.
I had to laugh because on the HHS site where it was talking about the 405(d) effort, one of the things that they said was, volunteers from private industry and government have been working tirelessly together to put this together, and I was like, no. I'm pretty sure Donna's a little tired.
Well, yeah. I started in 2019 working with the group that, in 2018, came out with the HICP guide, which was the first thing that came out of this.
And it's the Health Industry Cybersecurity Practices.
Right.
Yeah. And that's what HICP is.
But it has a big long title because Yeah.
But hiccup is cute. Let's just call it that.
Yeah. So HIC, everything now is HIC-something.
Mhmm.
Yeah. Health Industry Cybersecurity, we got P for the practices.
We got HIC-TCR for technical crisis response that we're working on.
There's HIC-SCRiM, Mhmm,
For supply chain risk management. Yep. So we keep going there.
Yeah.
To me, I look at HICP, and I tell any business they can use this.
Right.
I don't care who you are. Mhmm. Because it's not health care specific in the recommendations.
It's health care specific in the examples it uses, Mhmm,
And some of the reasoning behind it. But the concept of the original, where we all started, was five threats and then ten recommended, you know, mitigating practices.
Right.
Those are the ten practices that will mitigate... if we worry about these five threats and do these ten things, we're all gonna be better off.
Right. And I actually looked up the five threats so that people know. I know them off the top of my head. Do you?
Excellent. What are the five threats, Donna?
Listen to your pop quiz. I seriously am doing this often.
I believe it. I know. Every time I talk to you, I'm like, how do you remember these things? I barely remember my kids' names.
It's probably because I don't have kids. I can remember them.
There is so much truth to that.
Yeah. I always say that my siblings had children, I'm a very good aunt, Mhmm, but I am aging much slower than they. So you got email phishing, which we also kinda roll in social engineering, Mhmm, ransomware, theft or loss of devices, Mhmm,
Insider, malicious or nonmalicious, loss of data, Right,
And then connected devices.
That's... and I can't think of an industry that doesn't have to deal with those five things.
Well, we just recorded an episode of the podcast that'll come out in a couple weeks, where we reviewed a study released by ConnectWise saying these are the opportunities for managed service providers. And it was talking about what are these, and we go through that. And by the time we go through it, we're like, five threats. It covers the five threats.
Yeah.
It's absolutely the five threats.
So if every business focused on those five, Mhmm,
And don't go down tons of rabbit holes, say, I need mitigations for this, this, this, and some things go across all of them.
Right.
So it was really, you know, a great solution. And then the HICP guide, there's a main guide that tries to be, let me explain to everybody what we're doing.
Mhmm.
It's a general, not technical guide at all. It talks about each of those five threats and why they're a problem and explains what they are.
It's intended for anybody to pick that up and learn about those things. So, again, any business could use that.
Right.
I mean, it's talking about health care, but that at least makes it... most people have had health care.
They've experienced our health care system.
So you've got that, and then we have the ten practices. And, of course, you know, because there's a standard, with the sub-practices.
But there are two different technical guides that take you through those.
Right.
So you got technical guide one, which is for the small entities, and technical guide two, which is for everybody else.
Now you can mix and match and pull things out of there. And one of the things that's often said by everybody on the task group is, if you've got nothing, I don't care what size you are, go to small.
Do that first. Exactly. Start somewhere.
Right. Don't try to do everything. Just go to small because you should be able to implement those fairly quickly, and then that'll give you the foundation to do everything else.
Right. It doesn't mean stop.
It means... No. No. Never stop. Never stop. So here's another question I'll get asked: well, I've done some 405(d), so we should be good for HIPAA. Right?
No.
No. No. This is to help. There's so many organizations that haven't even started that it can be extremely overwhelming. And in the end, doing something in cybersecurity is better than doing nothing. And so this will put your feet on the path.
But it is not... The other thing is, the end of the path.
If you're not even looking for the path, Yeah, that's where the problem is.
And then this kinda gives you a road map.
And it's all cross-referenced to the NIST Cybersecurity Framework. Right.
Which, you know, it got lost in COVID, but the NIST Privacy Framework came out February 2020, Mhmm, which is why no one... No one talked about it.
Everybody was busy thinking about other things.
Yeah. And I think, eventually, it'll come back around because my vision you know? And I'm always, where do we need to plan for?
Mhmm.
And the NIST cybersecurity framework is built into everything we've been doing for years.
Yep.
And then we were in the process of adding and and and including the HICP references.
HICP's already in there. It's just add the references to what we're doing.
Yeah.
Because of the way we build things. And and, we don't just do HIPAA policies and procedures and check the box.
Right.
We say you've got business decisions to make. Mhmm. And then we write the policies and procedures, and we do that not only based on HIPAA requirements, but also how you actually have a privacy and security program.
Right. And and it's pretty common for me when I'm when I'm auditing a company and saying, alright. Your security practices should give me your policies, and then I'll read it. And it has nothing to do with how they actually do things because, you know, I'll go look at configurations.
I'll I'll observe processes and and, you know, hook it all together, make sure that that things are are taken care of. And and when their policies have nothing to do with how they actually get things done, then you know there's a disconnect there. And so you've you always gotta go back and say, alright. How do you actually do this?
Is this policy how you want somebody to do it and they're just not doing it? Or did you get a set of policies that you just stuck your name in and didn't double check and modify for you? Right? So there's there's, you know, that that complete disconnect on what is a policy for.
It's not just it's not just boring reading. It's No. It is what what you are supposed to do. Not how you're supposed to do it.
That's the procedures. But policy is what you're supposed to do and probably why you're supposed to do it.
The intent.
Yes. The intent. Exactly.
And the procedure is how you execute that intent and document that you are following that intent.
Exactly. Yep.
Yeah. So it it's exactly those things, and, obviously, policies and procedures are one of the ten practices. Yeah. Having written policies so that you do it the same way every time regardless of who's doing it.
You know? Yeah. That's the key.
Some people will say, well, we have an unwritten policy. We have unwritten no. No.
There's no such thing.
There's no such thing. Stop it.
Yeah. Document your things. And as much as I mean, it's painful.
Documentation is hard and it's not fun. It's not It feels like it's taking away from other things. But it's important because it makes people either understand what are the decisions we're making or go to the decision makers and say, I need you to make a decision on this because, as the person you've designated to write this policy, I don't have the power to say this is how we're going to do things. So I need to understand what you want done. I'll put it in this policy and then you get to approve it. So there's there's a very much the business side is needs to be involved in the development of policies and procedures even if it's technology related.
That's the business risk management side.
Exactly.
And then the IT side is is the procedures.
Yep.
Right? And so we try to break those apart. You can't just say IT write my policy.
No.
No.
And, so all of this is is why we have the boot camp. Yeah. You know, people people leave our boot camp, and I guarantee you, they know two things. If they know nothing else, they know three things. They know how to spell HIPAA.
They know you have to document everything.
Mhmm.
And they know that training is without the documentation and training, everything will fail.
Yeah. Yep. Exactly.
So nothing else matters if you're not doing those two things.
Tremendous use of time, and and really valuable, for any organization that that deals with health care.
Anything, though. If you you wanna have a a formal cybersecurity program again, I'm dealing with businesses who don't you know, I've got one group that I just had to help them do their, cybersecurity assessment for Lego, the toys.
The toys?
K. So everybody's gonna need to do these things, and that's why I say HICP's there for everybody.
But the real kicker is the HITECH amendment that came out in January twenty twenty one. It was signed on January fifth.
I don't know why no one's paying attention to it either.
It was signed on January fifth, and on January fifth, that HITECH amendment created a recognized security practices concept Yeah.
That said, well, these things are optional.
But if you can prove Mhmm. Through documentation Gotta prove it.
That you if you you've got to prove it. If you through documentation that you've been following these for the previous twelve months, then they have to take that into consideration when it comes to enforcement and audits.
Right. Yeah. And they do. We don't we see that.
All the details yet.
Right. We see that over and over again because the great thing about, this this HIPAA, you know, thing is that when someone does have a breach and when there is a settlement, we get to hear the details about it. We get to hear why. What went wrong?
Why did this happen? And and that we don't get this chance in in a lot of the breaches out there. We don't get this insight. And so health care, offering this transparency can can really give us insight into how do we correct, these cybersecurity errors in, in other industries as well.
So it's all out there. People just need to read.
Yeah. And so we now have our own website, which we didn't have because that amendment included this cybersecurity framework and the four zero five d.
Yeah.
And then there's and others if you can prove that they but the ones it mentions, which my lawyer friends always say, I'd rather you do the ones it mentions so I don't have to add an argument that this is what it should do. And this cybersecurity framework and the four zero five d guidelines Mhmm. Are both part of the law that says these are recognized security practices. So, yes, they're optional, but it's a carrot, not a stick.
Yeah. So with this four zero five d website, when did that go live?
We just launched it, a few weeks ago.
Okay.
Right around the beginning of the year. So it's 405d.hhs.gov.
Okay. And we'll make sure that that that link is in in the show notes as well.
But And it's got links because we're now doing more than just the HICP guides.
You can go there and download a litany of training and tools that we have available free free for free free I mean Free is great.
Podcast is free, and we'll give you triple your money back if you're unhappy.
But there's freely available things. Like, you can go download a, you know, a one page document. It's front and back, but you know, so it's PDF.
For each of the five threats, you can go download an executive summary document for the small entities and the medium and large.
Mhmm.
You can download what we call our SBARs, which are situation they're new. Situation basically, it says this is a big thing that just happened.
Now I have to go look it up because I'm intrigued. SBAR.
Well, I know I remember SBAR. It's new.
But what it is is like the Log4j. And we take that and and evaluate the situation. Here's what this situation is. I'm not on this group. Otherwise, I would sure. I would, like, remember what is this. Sure.
I'm in other groups, and I couldn't take on in that way. But but what it does is it looks at those complex things, defines the situation.
It, defines, you know, what what's going on, what the options are, and then the r stands for recommendation.
Great.
It's the b and the a.
I got nothing on which I'll get you to crap on that.
The nice thing about about these is it's a good place for businesses can can, download these things, read the information, and it's at a level where it it provides them a way to talk to their technology people about what needs to be in place and why. Or sometimes that language is is hard to to find. You know? How how does how does the business talk to the tech side of things and vice versa? And and these, the documentation that I found on four zero five d, actually is super supportive of that.
So, I recommend it to people.
That's our intent. Yeah. That's why the technical volumes are there for the people who can have those technical conversations.
Yeah. Great.
But, you know, the SBAR tries to tie the two together. We have regular four zero five d posts where we're all writing articles and and providing, different kinds of reference and information about the task group and what we're doing and Right. How, you know, you can use some of these things. I'm currently involved.
We have all of these different groups. I'm on wave one, and we're we're doing some really cool stuff. And then there's wave two, and we're hopefully going to be able soon. We don't know when.
I feel certain it'll be this year, an update to the technical volumes.
Great.
And and potentially a little to the we're not changing the five threats. They're still But, you know, adding more detail and and adapting to the changes. I mean, twenty eighteen to now, you know there's a lot of change.
There are. Yeah.
So we're doing that. We're building, you know, the HIC ticker, which came out during COVID, is getting updates. There's a resource management one that that's a team that's working on it. And, and then I'm in the ambassador group as well. So, trying to do things like this.
I'm so happy that you that you took the time today.
I am so happy that you agreed to put up with me again. And because it's a roll of the dice.
You don't know what you're doing here.
I mean, I'm gonna make you buy me a whiskey later. But the Okay. Honestly, I could talk to you for for quite a few hours, but I think this is a good time to to wrap it up and and send people make sure that the links are there so they can go find out more information.
And, I think that that what you offer is just tremendous. The the four zero five d program as well, as as what you do personally for your your podcast and your and your boot camp. But, again, thank you, Donna. And I hope to talk to you again in the near future.
Oh, you will certainly have to suffer for that. Thank you.
Alright. Bye bye. Thank you for joining us again today on on the SecurityMetrics podcast. I hope you got a lot out of it.
I sure did. Donna Grindle is fantastic. Please look her up and also go take a look at the four zero five d program. I think there'll be a lot of value in it for you.
Take care.
Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.