HIPAA Basics: Where to Start with Practices and Training

Listen to learn about the work of 405(d) and how it can help your organization.

SecurityMetrics Podcast | 63

HIPAA can be a daunting topic. Organizations often wonder where to start when implementing security or what kind of training is most effective.

Donna Grindle of Kardon and the “Help Me with HIPAA” Podcast sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss:

  • The work of 405(d) and how it can help your organization
  • Exciting new training available through the PriSec Bootcamp
  • Why we start with risk management in the healthcare industry

Resources:

  • Donna's "Help Me With HIPAA" Podcast
  • HHS Website

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of HIPAA Basics: Where to Start with Practices and Training

Hey, everybody. Welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm one of the principal security analysts here at SecurityMetrics.


And this is the first episode of season four, which is I mean, wow. I'm so excited about being able to do this for another year with you. So if you've been part of the group that's been following along for a while, thank you so much for coming back. I'm always excited to hear from you.


Appreciate your messages and suggestions. And and so it's always great to have that kind of interaction with people. If you're new to SecurityMetrics podcast, let me give you a rundown of what it is that we do. Cybersecurity is broad and it is deep.


And then you add compliance and on top of that, and then there's so much more information there. A lot of people have all of this on their plate and it can be super overwhelming. Some listeners only have one very specific thing on their plate. This piece of compliance for this specific type of of, standard or maybe you're in in IT and you have to to secure things in a certain way.


But for a lot of us, we have to kinda know a lot about a lot, which is a lot to ask. So this podcast is kinda focused on that. Everybody. We talk to everybody in the cybersecurity and compliance space.


So if there is an interest, if there's a need, I'll bring people in to talk to, who have specific expertise either on a tool or, a specific type of compliance or, a standard so that we can altogether kind of learn something. Some of the episodes will not be for you because they don't really apply to you. Some of them will be a hundred percent for you. So I hope whoever you are that you're able to follow along and enjoy the conversations that we have.


So with that said, very excited about this first episode. I have someone coming back who I wanted to have back at the end of season three, but, things happen. I had like this flat tire and there was snow and I don't know. So, but she's agreed to come back and talk to me today.


Donna Grindle, she's with Kardon and the Help Me with HIPAA podcast, knows all about privacy, security, specifically starting with HIPAA. So I would like to welcome now Donna Grindle. Donna, so excited to have you be back on the show. Thank you for joining me.


Oh, you know, I get excited to come chat with you anytime, Jen, whether we're recording it or not.


Exactly. Exactly. So a a lot of people who who follow along SecurityMetrics podcast, they know you because you've been on before. I've talked about your podcast before. But for people who are kinda new to to the SecurityMetrics podcast, I I just think we should let them know. So Donna is one of the the two cohosts for the, Help Me with HIPAA podcast.


And if you are in the HIPAA space, you need to follow them.


This is I've listened to every single episode that you've put out and a couple of more than once because Oh, wow.


There's so much to, HIPAA. Not just do am I doing IT security right in the health care space, but what does the law say and where are the gotchas? And and you guys, always talk David Sims is is your cohost, and and the two of you talk about all of the gotchas in ways that are it's super entertaining, actually.


Yeah. Because usually, one of us has had to participate in somebody gotchas.


Yeah. Yeah. Exactly. How long have you been doing that, to help me with HIPAA podcast now?


Oh, wow.


This year is, oh, seven year we started in twenty sixteen. So the first one came out May twenty sixteen. I can't do the math.


That's it.


So so if people, you know, are looking for information on how do I know what to do, there is so much free content right there. We always say, it's free.


Free. And if you're unhappy with it, triple your money back.


Well, I've been always been super happy with it. So I and I'm happy that the way I We'll go listen. But, tell me a little bit more and and listeners a little bit more about, you know, who you are and and what you do, your organize the organization you're part of, so that people kind of have a background on on who you are.


I am the founder and CEO of Kardon.


Yeah.


I'm the Don of Kardon. But we do nothing but help people build and manage privacy and security programs.


Yeah.


And we obviously, the HIPAA space is where I started in health care, writing electronic claims software decades into the previous century. You know? I mean, we're just we're just gonna go with that. Yeah.


It's been a long time. So, you know, and there I have a nice lean and mean team, but we develop systems, and we're here. We get your program built, and then we're here to deal with all of the, holy crap. What does that mean?


Or did anybody know this was happening? Or this did happen.


Now what do I do? Yeah.


You know, and we have tons of services, everything from our ongoing Kardon Club membership with Murphy the Hippopotamus as our mascot.


And and we do a lot of training and consulting, everything from being your breach coach to help you figure out all the pieces and parts, just to doing workforce training. So we we hit all of the pieces and parts, crossover with you guys just a touch.


Little bit. Little bit.


But, But ours is more of that deep dive, let me hold your hand.


I will not do the deep dive, let me hold your hand. I that's that just makes me I, honestly, I don't know if it's an ADHD thing or if it's just a personal preference, but I find that I am much better at, I'll go in and I'll assess exactly where you're at right now. I'll even, write up in my report recommendations of what people can do to close those gaps.


But then people who want that deep dive, the deep dive training, the deep dive development of that program, I always point them in your direction. So even though there's a little little overlap, I think that it's more a complementary thing than than in any way a conflict thing.


So Yeah.


My idea was we were just gonna do assessments, and then people cried when we left. And, Yeah.


I feel really bad when that happens.


See, but I'm not I'm not lying. People think I'm just joking, but that is absolutely true because you're telling them all these things that need to be done. Mhmm.


And we help them actually do it Yeah.


And figure it out.


And, no, I am not going to take over as your compliance officer, but I will be the adviser Yeah.


To your compliance program.


And so that's a really important niche of our industry that that is, needs to be filled. A lot of people don't know where to go for that. And so it's really great having Kardon be there Yeah. For people like that.


So so, as, you know, part of your interest and like you said, it's not just HIPAA anymore with you. It is privacy and security, which is Yes. An a logical branch off of HIPAA because HIPAA is a privacy based, regulation. Right? So if you understand the concept of privacy and how security and privacy, work, together, then really you can apply it in any any case where privacy and security are are required. So it totally makes sense.


Yeah. We're geared for a small or medium enterprise. You know? Mhmm. And, you know, so we have some that are nonhealth care clients that we built in, yes, cybersecurity framework based program.


Right.


So that they could address the requirements from their clients who are big businesses who were saying, I'm not letting you touch my data until you prove you're doing some of this.


Right. And that's a a lot of times where some of the smaller and medium sized businesses start down the path of of getting a formal program in place. Somebody else is telling them, yeah. No.


Business is not going to happen without that. And and it it's becoming more and more important. Or people will get hit by a a ransomware or some kind of a a breach, and then they realize, oh, now I know why it's important. But we don't want people to wait that long.


We want people to to get in shape before then so that they don't have to worry about those potential issues.


So Yeah.


We always say that, you know, we get clients who have had a data breach and they're dealing with it, but we would prefer to meet you before then.


Right. It's better to not be in crisis on first meeting.


But, yeah, that's our big thing, and and you're gonna be part of our next big training event. We're really excited to have you there.


Oh, yeah. This is actually we should mention that. So, I am super stoked about it. We should I mean, not just mention it.


We should actually talk about it in more detail because people who have stuck with us this long through this episode are probably wondering, well, what kind of training is out there? And we have this, you've done a a HIPAA boot camp for a lot of years. But the one now you've said, okay. Let's get serious.


Make it big. Make it deep dive. Make it important. Tell me about the PriSec Bootcamp.


Yeah. I should tell you what I'm gonna have you do.


Oh, no.


Because it's just rolling the dice. Right?


So we our HIPAA boot camps were becoming so popular that we had to figure out how to supersize or scale them.


Yeah.


And that's hard to do when you're got, you know, one or two people trying to teach everything to a large room full of people. Sure. And these aren't conferences. Nope.


These aren't come to an exciting place and run around half the day. Yeah. These are sit down. Your eyes will be glazed over every day, but, boy, are you gonna learn stuff.


Yeah. You'll you'll get to a point where there's so much information coming in that it'll be hard to retain it all. And I know that you occasionally have people that come back repeatedly.


Oh, we have several people that have been to several of them.


Yeah.


And the big thing, though, is we try. We understand that we're we're we're turning a fire hose of information on you. We know that. We'll throw the fire hose up on the screen. Name it and claim it. Go ahead.


Yeah.


But we make a point of stopping after a session and saying, okay. Make a few notes about this session.


Mhmm.


Make sure you do it. What is your big takeaway?


What is the thing that you need to remember to deal with Yeah.


When you return?


And then at the end of the three and a half day event Yeah.


We sit down and say, have you made a plan?


Right.


We don't just say, hey. We're done. Bye. No. The end of it is meet with your instructors, build your plan. We we give you, you know, the forms and everything.


Mhmm. And, let's come up with what you're gonna do in the next quarter, the next quarter, the next quarter that you learned.


And I think this targeted interactivity makes it so much so you and I have both been to a lot of trainings, and some dude is up there just talking at you and won't even take questions. And at the end of it, you just think, well, I could have just watched that on YouTube. Right? Yeah.


But this is not that. This is this is much more, interactive. It's not just for HIPAA people. It's for anybody in privacy who have privacy and security or privacy or security on it.


But as a matter of fact, can you just, off the top of your head, tell me the the types of roles that come to this training?


Oh, yeah. We we have attorneys. Mhmm. We have tons of different technical folks. We've had anybody from forensics, IT folks to owners of managed service provider companies, obviously, practice administrators, compliance officers. We have some groups that send everybody on their compliance team Yeah. At one time or another.


And what it does is it gives you such a big overview, but we want all those different people.


We want the technical people at the same table with the nontechnical people Mhmm.


Because everybody's on the cybersecurity team now.


If we don't learn to talk to each other and understand Mhmm. The needs of the other side Right.


Struggle because we don't often understand each other's language. We can use the same words, but we may might be using them in a slightly different way on the business side as opposed to the IT side or or and even in compliance, we might use words that are slightly different from the cybersecurity efforts. And so understanding each other's language, I think, is a really big step towards having a comprehensive program in any organization.


And we do we do a lot of those kinda exercises, and we try to include things that are humorous Yeah.


And and not, I actually had somebody that came one time and said she was on her way to the boot camp, and at that point, we were doing three days. And she's talking to a friend. She tells me the whole story. Talking to a friend and saying, I have no idea how you could talk about HIPAA for three days.


And about halfway through the first day, she throws her pen in the air and says, well, I've done that wrong my entire career.


She's a hoot.


And There is a lot to it.


That's for sure.


Yeah. And by the third day, she was just excited about all that she had learned, and and we get a lot of that. I'm exhausted, but excited.


And we're also gonna have times where people can actually meet each other. Being able to network with people and have somebody where you're doing your job and you're like, I'm not sure. But I met this person at the boot camp and I I think I'm just gonna call them and just chat about it. Right? And so Oh, yeah. So these these conversations with with, you know, colleagues and peers, I think is some of the real value out of it. But also, the Bourbons and Breaches session, I'm I'm really looking forward to that.


That's the most I I'm most juiced about that one. Now granted, we have over thirty different sessions or so, that we're doing.


But the Bourbons and Breaches happy hour is how to end the first full day when you really are glazed over.


And I will be pairing a bourbon tasting with a breach story.


Well, everybody who's asked me about training so far, you know, in the last six months, you know, I've got I need to do training. I need to do HIPAA training. I need to do privacy training. What do you recommend? It's this. This is what I recommend.


This is this is the way to go.


So, thank you for explaining that.


Oh, we should probably tell people Let's just do one quick piece though so that you understand all the topics.


Yeah. So the first half day, we call it the SCRM day. Supply chain risk management.


Mhmm.


That's all we're talking about that day.


Yeah.


The next day is you got to prove it day, and we talk about documentation and why that's so important.


We start with, here's some of the questions you'll have to answer if things go wrong Yeah.


And and move on from there. Then the next day is risky business day where we just talk about risk management and risk analysis and risk assessments. And then the last day is Murphy's Law Day, and you know we're doing disaster recovery business continuity.


We like to break it down and keep you on task Yeah. For each day and have a theme to make a little fun from it.


So I like how much, risk is addressed in in this session because, really, that's where it all starts. For for anyone Mhmm. Who is, needs to to meet HIPAA compliance, it really all starts with a risk assessment. And very few few people know how to do a successful risk assessment. So people will definitely come away from from this session knowing what is what is an actual risk assessment. It's not just a vulnerability scan.


No, please. No.


I get that so many times. But so it's going to be great, and I hope people join us.


Where can they go to find out more about the, PriSecBootcamp.com, P-R-I-S-E-C, because I don't like saying privacy and security five thousand times.


PriSec is sensible.


Yes.


PriSecBootcamp.com, and there's a lot of information there.


We're gonna have, we have an OCR investigator there to explain how those work. We'll do Q and A. Trying to get some other of my 405(d) HHS buddies there. Yeah.


And and we've got other partners like you that are gonna be there to, advise and entertain.


Alright. Well, you you offered me a really good segue into my next topic, which is 405(d). Look at you. Reading my mind.


I'm a thinker.


So a surprising number of people in the health care security space have not heard of 405(d). So can you kinda give us a rundown on that?


Yeah. And and, you know, it's one of my jobs now is to be an ambassador for 405(d), so thanks for that segue.


But this came from the Cybersecurity Act of 2015.


And it had all of these things about trying to reevaluate cybersecurity across all these different government entities.


One industry vertical was called out, and that was health care.


Yeah. Why?


I don't know. Maybe because of all the data breaches.


Yeah. It's because of all the data breaches. Unfortunately and I've put a lot of thought into this. Why is it that health care gets hit so much? And and it's because it's one of the most complex ones to secure just because of the nature of the business. You know, that's, I think, one aspect. So, I I'm not without empathy for people who are in this space.


Oh, no. And the only thing I wanna know is are you trying?


Yeah.


I don't have empathy for those who don't try.


Right. Yeah. For sure.


I will help you fix it, but you've got to start trying.


Do you know and the HHS, the OCR, you can tell they kinda feel the same way because when when we find out that someone's had a breach or an issue of some kind and OCR investigates it, settlements seem to be directly related to what kind of effort they put in to preventing the breach in the first place. So it's Mhmm. It's not just a good idea because it's good for patients. It's good for the health care industry. It's good for your business. You know, it it it's good for if things go wrong.


Well and, you know, we do things privacy and security isn't just about confidentiality. Yeah. It's about integrity and availability.


Right.


And if you can't trust the records Mhmm. Or you will never have access to the records again, patient care and patient safety is severely impacted.


Yes. Yeah.


So that's the bigger Yeah.


I think that's one of the reasons why it's harder to to meet that because availability for example, a lot of people are very familiar with PCI compliance. PCI does not have an availability aspect to it. The the the payment brands don't care if you can't get to that card. As a matter of fact, they don't want you to get to that card number. Availability?


Get that get out of here with that. Right? So Yeah. But that's a different thing than in health care. If you can't get to patient records, then, lives are at stake.


So Absolutely.


And and that's the driving force behind what we do under the 405(d) group now.


Because its original mission, there were several sections, but it was, you know, get a finger on the pulse of what's going on and then give us some ideas how we can improve it, but it has to be across this very complex industry as you said. Mhmm. And and to me, it's three things. The complexity of the industry.


We've got legacy systems. We've got diagnostic equipment you do not wanna mess with. We've got multiple EHRs talking to each other, paper flying, and, you know, god forbid you take away the facts in health care. You know?


It's, it's just where people legitimately use faxes all the time, and other industries go on those.


Those machines still exist?


So they show amazing. And, so you have that complexity level, and then we're data rich. Mhmm.


Yes.


Data rich and cybersecurity poor.


Yes. And and the amount of money the bad guys can make off of health care information is is very makes it a very tantalizing target.


Well, because they know that the confidentiality, integrity, availability, literally people's lives depend on it.


Mhmm. Yeah.


If you're gonna hold something for ransom Yeah.


Or demand payment Yeah.


Hey. You want your information before people die? This is a well known way to get money out of people. And cybersecurity, the the bad guys there have found the way.


So, so That's what that's what 405(d) is all about.


Great.


And we published the Health Industry Cybersecurity Practices, and it has some other thing that I never remember because I just worry about HICP, "hiccup."


Hiccup. Yeah.


And and it's the intent is there's stuff that are, it's layman terms. The main guide explains the concerns, breaks everything down into five threats.


And if we deal with these five threats and vulnerabilities, if we did a good job just trying hard Yeah.


To do something with these, we feel like we'd be much more secure. And that's phishing, social engineering kind of stuff because we know that's where they come in.


Yep.


Ransomware, that's where they're really causing major problems. Yeah. And and the industry can be just brought to its knees with that. Right.


Lost or stolen devices, that still happens, although we're much better.


But it still happens because a lot of times, these old legacy systems. Yeah.


And then, insider issues.


Mhmm.


Abuse of privileges, whether it's accidental or on purpose is huge.


And then the last thing is connected devices because you've got all of these different things. You know?


The doctor goes to one of those meetings and sees those cool gadgets, which I personally love going to Yeah. Look at all those cool gadgets, and I'm running around, you know, crazy.


But then they wanna put one on the network. Yeah.


Okay. Now what security does it have? How do we know how it's gonna get patched? How we're gonna do and all of those things combined, if we handled those and did better at them Yeah. And then we laid out ten recommended practices with associated subpractices because those are more like the framework parts. And those go into technical guide.


Yeah.


You know? Regular people talk in the main one, and then technical guides for, small Mhmm. Entities, medium entities, and large entities.


And then we've now started adding all the supplemental information, additional training videos.


There's posters to explain the five threats and, I I mean, just a litany of information that's already out there. And I can tell you, hopefully, by the time this thing is published, there's gonna be a bunch more out there, and you're gonna see a lot of discussions about what we've just released.


That that I'm looking forward to that.


That's going to be really and because so many especially small and mid but even big organizations struggle with this too.


Where do we start? Right? Where does that's the question. Where do we start? And in in the health care industry, the answer is the the the things that 405(d) is putting in the HICP guidance, I think, is really going to give a lift to the industry.


Well, you know, and it's part of recognized security practices.


It's actually mentioned in the new recognized security practices law Mhmm.


Between this cybersecurity framework and the 405(d) program HICP. If you can prove you're doing those things for the previous twelve months, OCR is obligated to take that into consideration, which I say they're doing that anyway.


Yeah.


But but now it gives you the very specific guidance.


Now can you prove it?


Yeah. Exactly. So, you know, a lot of people don't know about the new law that talks about the the recognized security practices. Can you give us a high level kinda brief on that?


Well, that was it.


That's it. That's the whole thing.


There's not a lot to it, really. It just simply says that if you can prove that you have been following these recognized security practices, and it specifically mentions the NIST cybersecurity framework, the 405(d) promulgated, you know, the legal terms. Yeah. Yeah. The stuff coming out of 405(d).


Sure.


And then there's other if it is a regulatory requirement for something else.


Oh, yeah.


So So it has to be a regulatory requirement.


Right. And so what I liked about that is in your explanation, if you can demonstrate some good faith things, which is really what we keep coming back to. And I like that I like that we we have a law that talks about, hey.


Get started. Do something. Because a lot of the past laws have have been have felt so overwhelming to some groups that they're like, well, we're just gonna get breached.


Insurance will pay for it, but that's going away too.


Yeah. It's it's it's yeah. It is not good to to kinda be like, meh, not sure where to start. Yeah.


So 405(d) really, really helps kind of give people a a leg up on that. And so I hope if people are in this space and haven't heard of it, it's a great resource to to go look up.


Yeah. You go to 405d.hhs.gov.


Easy peasy.


Yeah. Look. If we've said 405(d) a hundred times, hopefully, and then it's part of hhs.gov, you're good to go.


Right? At some point, people will go, you know that 405 thing, d thing? I'll bet it's part of hhs.gov.


Yeah.


We we we all wanted to have, like, a much better name, but we're now like a, you know That's what it is.


401(k), a five o. We're just part of that now, so just go with it.


Yep. Yep. Yep. So, okay. Great. So, basically, the the last kind of piece of information I wanted to cover with you is this. If you could give somebody who didn't know where to start with it, maybe they're a small practice, maybe they're a new practice, and they say, I don't know where to start.


What where would you guide them?


So we we take that approach, and it really is gonna be very dependent on the type of entity. Right? Because we we deal with startup business associates and startup practices Mhmm. That come to us, and we we've had enough of those cases, or we have practices that have been around a while that really need to start over.


Yeah.


Let's just go with that. It'd be easier to start over than to rebuild what you have. Let's just start over.


Yeah.


And it's just like anything else. You know, the whole how do you eat an elephant?


Yeah.


You know?


One bite at a time. And then always remember the other piece of that is that perfect is the enemy of done.


Yes.


Yeah. So it doesn't have to be perfect. Mhmm. What you have to do is get started.


So if you came in, we would say, look. Do a security risk analysis. Just very basic. I'm not gonna ask you if you're doing any of the things because we know you're not.


Yes.


I'm not gonna ask you the assessment part that looks at what protections you have in place. Mhmm. Let's just start with the ones you need to have. Yes.


And we start building your policies and procedures for all, you know, privacy, breach notification, and, of course, security. We just start building them after we do that risk assessment or risk analysis, really.


Because that yeah.


Well, because the risk you know, we kinda use those words interchangeably because Yeah. We have a way to HIPAA does.


HIPAA uses those words interchangeably in an odd way. And so I've kind of thrown my hands in the air. So anybody who's a purist out there, I know.


So We teach we teach the difference at at PriSec Bootcamp. We'll teach you a way to we'll teach you a lot of things about how to remember the different parts of risk management.


Yeah.


Because really and truly, privacy and security, like you said, it's all about business risk management.


Yep. That's it. That's exactly what you're doing.


Is business risk management.


If you haven't started with the risk piece, well, first of all, you don't know what your scope is. You don't know how the threats can potentially impact your scope. You don't know how to to assemble your policies and procedures. How do you know what to follow if you don't even know what it is that what your what it applies to? And then procedures, well, how do you how do you do things in these, you know, in in the environment that you set out that is your that is your scope that we're looking at. So so there is a a step by step way of looking at things that helps people build their understanding instead of grabbing policies and procedures off of the Internet, filling them out that has nothing to do with how their business or practice actually does things.


So so really, it's more about thinking ways to think about how risk exists in your specific environment and what you're going to do to minimize it. That's all HIPAA is.


That that is really what it is, you know.


And like David Sims, the The famous cohost.


Cohost.


But he always says, I do risk analysis every day when I decide to tell my wife something that I know she's not gonna like.


And yet he's still in trouble with her all the time.


Yes. He is.


So he's Maybe he's not very good at implementing the risk analysis results. No. Sorry, David.


He just figures out how to mitigate the risk that he knows he faces.


Do you know all of us we do all, though, analyze risk in every moment of every day just in the day that we're trying to get everybody to see.


Instead of this overwhelming scary thing, security risk analysis is Yeah. Think of it. You do it every day, and then we break it down to you also do many risk analysis in your business every day. So we want to change the mindset.


Yeah.


And that is everything to do with, well, don't look at it the way you've always looked at it. Try a few different approaches Yeah. And then tie back in to what you already know because we've gotta find new ways to communicate the importance of privacy and security in every business.


Exactly. I love that you said communicate because I was just going to say, if you can, present what the risk is to the decision makers in the business Mhmm. In in a way that they can take that information in, then they can assess, how much, you know, how much does this risk, need to have priority against this risk and the finances that we have internally in the organization and the people and and how do we address it from a business perspective.


You know, just because you know exactly what those risks are from maybe a cybersecurity or a process perspective, doesn't mean that the business understands them sufficiently to put money and people towards mitigating them. Right? So Exactly.


And you don't just start doing whatever IT tells you to do. Please do not.


Yeah. No.


That's such a bad idea.


They need to participate in that risk analysis. Yes. You know, I got a hundred dollars to spend across all of these things. Now I'm gonna break it down to where am I gonna spend that.


Yeah.


And it it can't always be the latest and greatest toy that'll make things easier.


Yeah. Yeah. I had a You know? I had a a gentleman in he was a sysadmin recently that I spoke to who was pretty worked up because he had done, participated in some risk analysis activities.


And there was something that he really wanted taken care of that the business wasn't putting money towards.


And I said, look, you need to find a way to put it in their language. So if they really understood where you're coming from on this and if you really are correct that it is the risk that that you think it is, you need to find a way to communicate that. And I I love this PriSec boot camp is coming up because all of the people sitting at the table have different languages, different you know, different, meanings for the words that they're that they're using. They have different perspectives on, from IT and and the law and business. So just having those conversations with people who have different perspectives is going to kinda help tune your brain into, oh, I hadn't thought of looking at it in this way before, or here's the language they used. I can use that with the people back home.


Right. You're not telling your children what to do. You're trying to you're doing marketing. Yeah. Everything in privacy and security program is you know, those of us running it, we're doing the work.


But to get others involved, it's all in marketing.


Yes. Absolutely. Absolutely.


So we have little catch phrases we use and little things that we do to try and and bring that into the discussion.


Mhmm.


So here here's my one big thing about that communicating thing and the overall risk management under security is I always use Donna's three rules of security.


Three rules. This is pretty easy.


Number one, security is not convenient. Yep. Just accept it. Yep.


If it were, you wouldn't run around looking for your car keys on.


Right.


I mean, that alone I mean, you know, where where do we put the key?


Yeah. Yeah.


If you don't have a key bowl or a key hook, and then you do it because security is not convenient.


Mhmm.


So it's always going to be inconvenient. Right. However, rule number two is security is not optional.


Right.


You know, I can't just leave the keys in the car if I actually want to secure the vehicle.


Right.


You know?


I can't just say, oh, well, I don't wanna look for it because it's inconvenient, so I'll just leave them in the car.


Yeah.


You're either gonna be locked out or the car is gonna be gone. Yeah. Well, unless you live out in the boonies where I grew up. Right.


Which I got in trouble for not leaving the keys.


But but that comes back to to risk and I wanna hear number three in a second, but that comes down to a risk analysis. Right? So just because some, massive organization has to secure things in certain ways and you too want to be secure but you're a tiny company with a different, data flow, you might not use what they're using because Exactly. They might live in the middle of Manhattan and you might live in Podunk, South Dakota, which I would love to move there actually.


So South Dakota is one of my favorite places but so I didn't mean that in any way insulting. But but we're talking teeny tiny town in the middle of nowhere as opposed to Manhattan. Right? So doing that risk analysis of what's happening in your situation, you know, that that affects all of these decisions.


So I love that. Number one, it's not convenient. Number two, certainly not optional.


But, Yes. And and IT folks are really good at those two parts of the room, and everybody else tends to not accept them that much.


Yeah. Yeah.


But the third one is exactly the opposite because the third one says security can't prevent me from doing my job and caring for patients.


Yes. That that's where you get the tricking it. How do we balance all of these things?


Yeah. So, yeah, you you all three must be met.


Mhmm.


So everybody sit down. IT folks don't just say no. You're no longer the department of no. You can't be that anymore. Yeah.


You have to say, okay. You wanna communicate instantly with each other, but I can't let you do that with a standard SMS on your phone because it's not secure. Yeah. So I'm gonna have to get you to agree to use this app.


No. It's not convenient, but it's also not optional. Yeah. But it will let you do your job.


C satisfies all those three. And and look, I've heard you say this multiple times on your podcast and still needed to hear it again, which mean which is why I keep telling people, keep going back for training. Keep keep going back for for learning. Right. Listen listen to those podcasts again and and come to the boot camp.


Yeah. I'm the one that walks around with it in my head all the time. Everybody else gets to live normal lives.


That's a weird way to live, Donna. But, I mean, I agree. Yeah.


There's so much more weird about me than you know it.


I cannot wait for this in person thing in March. I think it's gonna be great. And and unless peep in case people missed it, I'm gonna be one of the people there helping and and speaking. And and so if you wanna come meet me, come and meet me. We'll go hang out. We'll have some bourbon. It'll be great.


Oh, yeah. Bring it. Alright. Oh, and if you're not a bourbon drinker, don't worry. You know we got you.


Yeah. We have sparkling waters of all kinds. So Yes.


We do.


We we have all kinds of options. We are not one to leave anyone out that wants to participate in a privacy and security discussion.


Exactly. Exactly. So, hey. Thanks again for coming and joining me.


Any last thoughts before we we wrap this up?


Yeah. Come to the boot camp. Yeah. If you can't come to the boot camp, definitely listen to the podcast.


Definitely.


If you're an MSP, we have HIPAA for MSPs. Go check that out. Our mission is to help IT, outsource IT companies, MSPs, understand their obligations, but also their clients' obligations better to build something that, again, everybody's on the cybersecurity team. Yeah. Everybody's got to work together, and we've gotta do more of that.


It's got to permeate everywhere.


Yep.


So HIPAA for MSPs, that's a great organization we're building, and we also the official announcement is already out probably by the time this comes out, that we are now, partnered with the American Institute for Healthcare Compliance, the first and only HIPAA certification by the third party certifying organization for, MSPs and HIPAA.


That's HIPAA MSP.


That's excellent.


And, yeah, we partner with them to help build it. We've got training, that we're doing, which you could get at the boot camp. Yep. And, so we got that. We got Kardon Club. We've got all of these other ways. So there's free, free for free free.


Mhmm.


And we're not gonna go to the FTC for sale.


So we we've got free, affordable, and and we're there to build these things for these reasons. And we're very passionate about what we do. So don't ignore it.


You know? One bite at a time Mhmm.


And it doesn't have to be perfect.


Love it. Well, thank you so much, and I will have you on the show again.


I love it.


Alright. Thanks, Donna. Bye bye.


Alright. Bye.


Thanks again for joining me on this episode.


Very excited about all of season four. We have some great guests lined up. Even if they're going to talk about something that isn't specifically for you, I hope you'll join us anyway. I think that you'll find a lot of good value in in the information that you learn and maybe learn a little something about, you know, somebody that you work with understands so you can kind of gain that understanding.


If you've found value today in what you've heard, please share this. Share this with your colleagues. Share this with somebody who who is in your field or in a field that's similar to yours. Would love to have more people listening and spread this this word to as many people as we can reach.


Thanks.


Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
