
June 25, 2025 25 mins

In this episode of the MGMA Insights Podcast, host Daniel Williams sits down with Rana McSpadden, a medical practice consultant from SVMIC, to dive deep into the critical world of cybersecurity for healthcare organizations. With rising threats and sophisticated hacking techniques, this episode provides medical practice leaders with essential strategies to protect their patient data, maintain operational continuity, and build a culture of digital security. McSpadden will speak more on this topic during the upcoming 2025 MGMA Leaders Conference. 

Key Takeaways: 

  • [06:08] - Cybersecurity as a Whole-Organization Responsibility 
  • [07:30] - Evolving Cybersecurity Threats to Medical Practices 
  • [16:45] - HIPAA and Cybersecurity Compliance 
  • [18:40] - Practical Protection Strategies 
  • [20:41] - Insurance and Financial Preparedness 
  • [21:35] - Emerging Cybersecurity Trends to Watch

Email us at dwilliams@mgma.com if you would like to appear on an episode. If you have a question about your practice that you would like us to answer, send an email to advisor@mgma.com. Don't forget to subscribe to our network wherever you get your podcasts.


Podcast Sponsor Boost Lingo
This episode is brought to you by Boost Lingo, the language services platform behind MGMA Translate. Interpreter delays and high agency fees strain budgets and staff morale. Boost Lingo on demand fixes both: tap once and a qualified medical interpreter joins in about 13 seconds. Video or phone on any device. No steep learning curve. It just works. Tap, connect, care. Choose from 14,000 interpreters covering over 300 languages. Fully HIPAA compliant. Your staff will love the ease and your patients will too. Plus MGMA members save 20%. Visit https://boostlingo.com/mgma/ to see it in action today.

Podcast Sponsor MGMA Analytics
Are you making decisions based on gut instinct—or on real data?
With MGMA Analytics, you get the benchmarking and business intelligence tools to drive smarter strategies.
From provider compensation to operational costs, MGMA Analytics gives you access to the most trusted data in the industry.
So whether you’re adjusting staffing, setting salaries, or planning for growth, make your next move with confidence.
Visit MGMA Analytics to learn more.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Daniel Williams (00:53):
Well, hi, everyone, and welcome to the
MGMA Podcast Network. I'm your host, Daniel Williams. I'm a
senior editor at MGMA and so glad to be here with you today.
What we're gonna be doing here today is talking to one of our
speakers at our leaders conference that's gonna be
coming up in Orlando, September 28 through October 1 is when the

(01:15):
conference is. It's gonna be in the, what is it, the happiest
place on earth there at Disney.
We're not going to be physically at Disney, we're going to be
right around the corner, and I expect many of our speakers and
guests will probably stop by. Today we have Rana Spadden. She
is going to be one of those speakers at our show, and she is

(01:37):
a consultant with the Medical Practice Services Department at
SVMIC. Rana, we were moving heaven and earth here trying to
get connected today. Sometimes technology is so amazing, and
sometimes it just kind of impedes us from communicating.
We even made a joke that we were ready to get the Dixie cups and

(01:59):
strings out if we had to. So Rana, welcome to the show.

Rana McSpadden (02:03):
Thank you so much. And I think it's really
fitting that we had so much technology issue, and we're
sitting here talking today about cybersecurity.

Daniel Williams (02:11):
Exactly. That's a great point. So bring us up to
speed then. I talk to so many people from your organization.
Are you located where, in Tennessee, or are you somewhere
else?

Rana McSpadden (02:25):
I am in Tennessee, but I am not out of
our Brentwood office. I I am one of our remote employees.

Daniel Williams (02:30):
Oh, okay. Where do you call in from?

Rana McSpadden (02:32):
Difficult Tennessee.

Daniel Williams (02:34):
Are you pulling my leg here?

Rana McSpadden (02:36):
I am I'm not pulling your leg. No. If you you
can Google Difficult Tennessee, and it it's a small little
sleepy community, but we're here.

Daniel Williams (02:44):
That is so remarkable. With a name like
that, how did it get its origin? Certainly, y'all all know this.
Right? Or do you have any idea how the town got that name?

Rana McSpadden (02:54):
So the legend goes that when they were trying
to name the area, the community kept coming up with different
names and sending them into the post office so that we could get
our zip code. And the post office kept saying, oh, There's
already a town in Tennessee with that name. There's another town
with that name. So somebody wrote on there, this is
difficult, and capitalized the d. And so the post office said,

(03:17):
yeah.
That's about right. So Difficult Tennessee.

Daniel Williams (03:21):
I know the state a little bit, so I know
where Brentwood is. Where is difficult in relation to
Brentwood, which is a a suburb of Nashville, right, or a a part
of Nashville?

Rana McSpadden (03:33):
It is. Yes. A suburb of Nashville. I am about
an hour and a half Northeast of Nashville. So Okay.
Oklahoma.

Daniel Williams (03:40):
So are you in the Smokies or where

Rana McSpadden (03:43):
No. No. I'm not that Northeast? Okay. I'm still
in Middle Tennessee.
I'm still in pretty much rural areas.

Daniel Williams (03:50):
Well when you get a name like Difficult, it's
not like Manhattan or something. So I figured it might be a rural
community. So even more important to really be talking
about cybersecurity and the kind of services that might be
available to people. Even though I'm in Denver and you're in

(04:13):
Difficult Tennessee, we had a heck of a time getting connected
today. So Rana, it is so cool to get to talk to you.
So let's go a little bit into your background then. What
brought you into the healthcare world in the first place? What
was that little spark that got you there? Tell us about that.

Rana McSpadden (04:31):
Well, I kind of fell into it actually. So back
when I was in high school, my then boyfriend, now husband's
mother, she ran a radiology billing company, and they were
in the process of changing billing systems, and they just
needed some data entry people. So I went in, started working
for them. It was almost supposed to be temporary, And here I am

(04:53):
twenty some odd plus odd years later still in health care and
enjoying every minute of it from this perspective.

Daniel Williams (04:58):
That's so cool. So I know that SVMIC does a lot
of things. So what is your role there? How would you define that
to our audience?

Rana McSpadden (05:08):
So I'm one of the medical practice
consultants. So with SVMIC, we are a professional liability
provider for our policyholders. And one of the benefits to being
a policyholder of our company is you they have access to our
consulting services, and our consulting services are value
added. So they can call in with all kinds of questions about

(05:29):
billing and coding. They give OSHA.
I'm making I'm working really, really hard. I'm not making any
money. I'm barely making it what's going on. I'm needing
help with contracting my insurance company. I'm needing
some help with credentialing.
They can call in and get our services value added to their
policy.

Daniel Williams (05:47):
Okay. Now you're going to be talking about
cybersecurity. You already mentioned that at our Leaders
Conference. We'll get to that, but let's just talk about
cybersecurity and some of the philosophy or ideas you have
around it. I have some notes here that a lot of people think
it falls squarely with an IT department.

(06:08):
You have a different approach there. Talk about all the people
that are involved with it, the stakeholders, etcetera.

Rana McSpadden (06:15):
Sure. So a lot of when when you go to a lot of
conferences and you talk to somebody that's talking about
cybersecurity, they're from the networking side. They're from
the computer side of it. And I'll be honest, I have no idea
anything about networking. I am not a networker when it comes to
computers.
But I come from it from the business side of it. And what

(06:35):
the practice needs to be thinking about as a whole,
because, really, cybersecurity is a whole system. It's it's all
the staff. It's leadership. It's the physicians, of course IT
too.
Everybody has to work together in order to ensure that they are
doing their part to secure the electronic data of their

(06:56):
patients.

Daniel Williams (06:58):
Okay. I'll tell you in real time, this is such
an important topic to everybody that works anywhere because
there's all those different aspects of how people try to get
into, you know, somebody's network. At MGMA, our IT team
sent out something to us today, and because there's some

(07:22):
phishing scam that's going out and they showed us a picture of
it. They said, do not click on this. So when you think about
cybersecurity, what are some of the common threats that you're
seeing out there?
What would you like to share with our audience about that?

Rana McSpadden (07:38):
Well, of course, ransomware is really one of the
biggest threats, and that's one that we always hear about. But
the real threat is is how they access our systems in order to
launch that ransomware. And, generally, it's through
weaknesses in our systems and general just phishing emails,
phishing phone calls, phishing texts, trying to gain access

(08:00):
using our credentials. They trick us by sending us a link
saying, hey. Click here.
We need you to log in to your cloud system because your
password's about to expire.

Daniel Williams (08:10):
Yep.

Rana McSpadden (08:11):
I heard. That's the that's the big one that
catches catches a lot of of individuals. Here at SVMIC,
they actually our our IT department actually will phish
us to test to see are we paying attention. And one of the
phishing tests that actually caught a lot of us was it looked
like it was coming from one of our policyholders

Daniel Williams (08:29):
Yep.

Rana McSpadden (08:30):
Saying, hey. I need you to click on this link
to see what's going on. And it caught a lot of our employees.
So, they're getting really sophisticated with these
phishing emails. We are no longer in the days of broken
English and misspelled words and all that kind of stuff.
They're using AI to write these things. They're even using AI to

(08:52):
trick somebody when they call in, making them think that it's
somebody that they know or somebody that they work with.
Right now, I'm actually even hearing we've actually had two
instances where physicians have fallen for a phone phishing scam
where the threat actors pretended to be DEA agents. The
creativity

Daniel Williams (09:12):
Yeah.

Rana McSpadden (09:13):
Of these threat actors is amazing. You just
can't keep up with them. That's the problem. Everything's
changing so quickly and so often, there's just there's no
way to truly keep up with everything that's coming down
the pipeline.

Daniel Williams (09:24):
You make so many good points here, and
there's so many things I wanna follow-up with. I'll just share
a couple of them. It's the level of it's the evolution of it, the
sophistication because forever, it seemed like. It was, hey. I'm
with the royal family in Nigeria.
You know? And it's like, okay. That maybe in the dawn of email

(09:47):
that might have gotten somebody, but at a certain point that so
then they're mimicking your your boss, like this CEO at your
company, or like, boy, I better respond to that. I don't get an
email every day from my CEO, meaning, Yeah, this isn't your
CEO, this is somebody else. But you brought up something else

(10:08):
that really got my attention, and that was you didn't say just
email, you said text too.
And very recently, some bot somewhere has gotten my cell
phone number. And so I'm getting cell phone text messages that
are from the Department of Motor Vehicles, the DMV. They even got

(10:31):
the state right, it's Colorado, that's where I am. It's a
Colorado DMV, you've got something going on, you ran
through a tollbooth or something, or we got a a charge
here for you that you gotta respond to. And I'm going, this
doesn't it doesn't pass the smell test, you know?

(10:53):
But it's when they're infiltrating the text as well,
that seems a little more personal now at this point in
our lives than an email does. So what would you say to that?
Because you did you were kind of bringing that up first. That's
the more sophisticated version of how they're getting after us.
So what's going on there?

Rana McSpadden (11:11):
It's I mean, really, we have to be suspicious
of everything

Daniel Williams (11:14):
Mhmm.

Rana McSpadden (11:14):
And just be super vigilant. Because, you
know, for me, if I'm if I get a text and it's from the
Department of Motor Vehicles saying that I have unpaid tolls
Right. Well, for me, I I live in a state where we don't have
tolls, so that's not a big iffy for me. But, you know, I got one
recently from Florida. Mhmm.

(11:35):
Florida. And had I been traveling through Florida, I
could have easily fallen for that. But it's important to know
that if you receive something like that, it feels kinda weird,
whatever, don't call the phone numbers on in the email or the
text or whatever. Go online, find those phone numbers, and
then call them directly. The DMV, DEA, all government

(11:58):
agencies, they're not going to call you and say, hey.
You know, you've got unpaid fines. You've got you you didn't
show up to jury duty, and now you gotta pay a whole bunch of
money. The DEA is not gonna call you and say, your DEA number has
been used across state lines, and now we're gonna come for you
if you don't pay these penalties or help us whatever. You have to

(12:19):
go with gut feelings, unfortunately. It's sometimes
it's hard to know exactly when, but I if if something doesn't
quite feel right, I always just ignore that source and go to the
direct source.

Daniel Williams (12:32):
Mhmm. You use that term vigilance. So we were
talking about it in a lot of cases from an individual
perspective as a person, but when you're an individual who is
representing a medical practice, I'm sure some of the practices
still are at play here, but are you seeing trends then that a

(12:54):
medical practice may see so we can alert our listeners here,
things that they should be thinking about that are
prevalent?

Rana McSpadden (13:03):
Unfortunately, I'm not getting a whole lot of
those calls from our policyholders. I hear a lot of
the aftermath.

Daniel Williams (13:09):
Ah.

Rana McSpadden (13:09):
What happens, they've been hit with
ransomware. Part of if you're a policyholder through us, we we
do provide a certain level of cyber liability insurance. So
when those calls come in, they go straight to, that that
insurance company for them to handle because we we are kinda
hands off with that. We don't wanna be the ones really telling

(13:30):
them what to do from that point because we're not the experts.

Daniel Williams (13:33):
Yeah.

Rana McSpadden (13:33):
We're we're gonna pay the But, really, it's
the biggest thing that we're hearing that I'm hearing so
really is just they just checking flagging emails.
Really, that's where they're coming from. Or system
weaknesses where I'm hearing actually a lot, especially with
some of these smaller groups. They don't have the funds as of
some of these larger groups to be able to pay for large and

(13:56):
expensive firewall systems. So their systems are weak, and so
hackers are able to access their systems through unpatched
security systems, through websites because they they may
have open sourcing in that.
So the biggest thing is is do what you can to close off those
those systems, getting vulnerability scans, getting

(14:17):
penetration testing, because those are those are white hat
hackers that are professionals that are are going to hack into
your system and see where your weaknesses are. The big the
biggest thing is do what you can to protect yourself Yeah. And
then train your staff.

Daniel Williams (14:32):
Yeah. You are gonna be talking, as we
mentioned earlier, at that leaders conference in Orlando.
You're gonna be talking about creating a culture of
cybersecurity. You were getting to it a little bit there about
getting into helping the teams and everything. But what does an
overall culture of cybersecurity look like in an organization?

Rana McSpadden (14:54):
Well, with any culture, it's it's in the bones
of the the in the practice and the entity. It's part of your
mission, it's part of your values. And really to develop
that culture, If you want your staff to do something, the
leadership has to head that charge. They're the ones who
have to show. I take this seriously, and you should too.

(15:19):
Actually, a perfect example several years ago, I was at one
of the MGMA conferences, I believe. Where was where were
we? We were in Vegas. And our my CEO actually had gone to that
that meeting with us. And he sat next to me in a cybersecurity
presentation, and I was sitting there watching him just turn

(15:41):
white.
Because at that point, he hadn't really thought about
cybersecurity. So he came home from that meeting and
immediately made sure that our IT department was implementing
all kinds of cybersecurity education and going well into
making sure that there's no way that somebody can hack into our
systems and teaching our staff members what to watch for with

(16:04):
phishing, giving them ways to notify, hey. I've got an email
I'm not sure about. Can you take a look at it? And so it was
definitely a top down mentality.
He started that we have to do this, and so it just infiltrated
into the company. And that's really what any practice needs
to do. They need to have everybody involved needs to know

(16:26):
and show the seriousness of cybersecurity so that staff
understand their role in the cybersecurity of the practice as
well, and that they feel like they have a responsibility too.

Daniel Williams (16:39):
Right. Now in researching you and looking at
your background, you've also worked with compliance topics
like HIPAA and OSHA. So when we think in terms of cybersecurity,
how are those other compliance topics similar? How are they
different? How would you describe that?

Rana McSpadden (16:58):
It's just another piece into the
compliance puzzle. And actually, with cybersecurity, it is a
requirement under the HIPAA security rule. So, yeah, it's
kinda tucked in under HIPAA, but it should also be a piece of its
own. And it's become such a huge thing that several government
agencies have produced multiple cybersecurity tools for entities

(17:20):
to use. HHS actually has a voluntary program out there
right now for cybersecurity to bolster healthcare security.

Daniel Williams (17:29):
Okay. Got a couple more questions for you
before we sign off then. For people who are interested in
your topic and are planning to be in Orlando, what's something
they can expect from that presentation? What's something
they can take away from it?

Rana McSpadden (17:45):
I'm hoping to show how important it is to take
this seriously. And a lot of, again, a lot of smaller groups,
they don't, they feel like they don't have the resources
available, and and they may not have the money available. But
there are still things that they can do to protect their systems.
And I'm my goal is to not really talk about the types of threats

(18:06):
that are out there. It's really more about how to recover Oh.
Well, prevent and recover

Daniel Williams (18:12):
Okay.

Rana McSpadden (18:12):
From those those events. Because we're in a day
and age now, it's no longer if something's gonna happen, it's
when it's gonna happen. So it's best to already have a plan in
place so that when when something does happen,
hopefully, it's something small, you're not trying to sit you
know, you're sitting there with your scratching your head trying
to figure out what to do next. You already have at least a
basic plan in place that you can then adapt from for any nuances

(18:35):
that come through.

Daniel Williams (18:37):
Okay. We're still several months out from
that leaders conference. So what are some things that our
listeners right now can do today? Maybe taking a step or a
couple of things they can do to protect themselves.

Rana McSpadden (18:50):
One of the first things that I wanna recommend is
that they look at their security risk analysis, make sure it has
been updated recently and often. HHS and the OCR, they are
cracking down right now. They with with earlier this year,
they launched a risk analysis initiative, and they're imposing
penalties, they're penalizing entities that suffer breaches.

(19:14):
And during the investigation process, they find that they
didn't have a thorough and system wide security risk
analysis. So that's the very first thing I wanna recommend is
anybody do.
Go check your security risk analysis, make sure that it is
thorough and system wide. Next, look at your training program.
What are you educating your staff on? If you're only

(19:34):
educating staff on general HIPAA, you're not catching the
cybersecurity. So make sure you do have some sort of
cybersecurity education.
And in addition to cybersecurity education, have routine
reminders throughout the year of, hey. Don't don't forget.
Look for this kind of stuff, or this is what we're looking for,
know, whatever's going on. Just it's some sort of reminder on a

(19:55):
routine basis and make sure you do document that kind of stuff.
And then the last thing I'm going to recommend well,
actually, a couple other things too.
But the next thing is look at your recovery plan and your
response plan. Have something in place, at least, you know, a
very basic thing. And when I say recover not only recover, but

(20:17):
response plan, is also include in there how are we going to
continue seeing our patients when and if we lose access to
our electronic data. Because a lot of physicians and nurses are
coming out of school and have never charted on paper charts,
And they fully rely on that EHR. So having some basic education

(20:38):
for your clinical staff on how to at least document that visit
with that patient so that you at least got continuation of that
documentation in the future.

Daniel Williams (20:48):
Okay.

Rana McSpadden (20:49):
But and I said, I did talk about vulnerability
scans earlier as well. But also look into making sure that
you're you've got enough cyber liability insurance, that you
have a open line of credit in case of an emergency, and have
business interruption insurance as well and have more than just
the minimum policy limits on those as well. I have seen

(21:10):
several physician groups that have exceeded their policy
limits, and they are now having to pay out of pocket as a result
of the ransomware or incident that they have, plus the
following class action lawsuits brought on by the patients. So

(21:30):
yeah. Yeah.
Very scary out there.

Daniel Williams (21:32):
Yeah. I said that I was gonna only gonna ask
you two more questions, but I thought of something else
because you are on top of this topic. This is something that's
of top of mind to you. What's something that's caught your
interest, whether from a positive side or a negative side
that's going on in cybersecurity right now? What's a trend or

(21:54):
something else out there that goes, woah.
Let's pay attention to this.

Rana McSpadden (21:58):
Honestly, recently, the TSA's notification
about plugging your electronic devices into public facing USBs
charging stations. You know, several years ago, I heard about
that on episode of CSI, and I just thought it was like
Hollywood magic. You know? Because I never even thought
about it. And now to see the an a government agency warning

(22:19):
about it, I'm like, okay.
That's that's something real that we have to watch for. So
that was actually really shocking when when that came
out. So again, be suspicious of everything. I

Daniel Williams (22:32):
think that is the theme of the day, be
suspicious of everything. So that is a good example of life
imitating art. I mean, you see it on a CSI episode, and there
it is. Rana McSpadden, I just want to thank you so much for
joining us today.

Rana McSpadden (22:52):
Thank you so much for inviting me. I really
enjoyed this.

Daniel Williams (22:56):
Yeah. It's been so much fun and not difficult at
all. Not difficult. No. Difficult Tennessee.
I'm gonna look it up on a map, and it's just been a pleasure to
talk to you.

Rana McSpadden (23:08):
It's been a pleasure for me as well.

Daniel Williams (23:10):
Alright. Well, that is gonna do it for this
episode, everyone. Let's just recap a couple of things here.
Rana's session at the MGMA Leaders Conference in Orlando,
it's called Leading the Implementing Effective
Cybersecurity in Healthcare. The Leaders Conference is going to
be September 28 through October 1.

(23:31):
Do you know what day you're talking there?

Rana McSpadden (23:34):
I am 8AM on Monday morning.

Daniel Williams (23:36):
Bright and early. You don't wanna do
cybersecurity like at four in the afternoon. Your brain might
that's where you gotta do some leadership pep you up kind of
stuff. You gotta be focused with that caffeine, that coffee, or
whatever in your system at eight in the morning. So that's
fantastic.
I I cannot wait to meet you in person, Rana.

Rana McSpadden (23:54):
I can't wait to meet you too.

Daniel Williams (23:56):
Alright. Well, until then, thank you everyone
for being, MGMA podcast listeners, and please just be
suspicious of everything, y'all. So until then, thanks for
listening.