Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Richard Guttman (00:00):
If you have a data breach, it doesn't matter necessarily that you intended to protect the information. You tried really hard. There's a lot of liability that providers are seeing at the end of the day, so everything we're going to talk about today that you can do to reduce your risk is a worthwhile investment.
Erin Vallier (00:33):
Welcome to another episode of the Home Health 360 podcast, where we speak to home-based care professionals from around the globe. I'm your host, Erin Vallier, and today I am joined by a very amazing colleague of mine, Richard Guttman. Richard is responsible for the legal risk and compliance functions at AlayaCare. He leads a small team of in-house and external professionals who support key aspects of AlayaCare's business
(00:55):
and operations, including intellectual property, commercial contracting and strategic partnerships, regulatory matters, privacy and data security, corporate finance, mergers and acquisitions. Richard brings over 20 years of experience in building and developing innovative and high-growth technology companies, including serving as SVP of Legal and Compliance at
(01:19):
PointClickCare, which is one of the leading EHR providers in the long-term care space. Welcome to the show, Richard.
Richard Guttman (01:28):
Thanks, Erin, it's great to be here.
Erin Vallier (01:30):
Well now, I know I can't reach you sometimes. You've got too much to do. I'm happy that you're here today and you could spare a moment to share with the listeners some very important information about cybersecurity, because it's a hot topic these days. Healthcare seems to have a target on its back, and you can tell that by all of the hacking and ransomware that is going
(01:51):
around these days.
Richard Guttman (01:52):
It's taking more and more of my time and my team's time, and certainly those of us who've been in the EHR/EMR space are becoming fast experts in security, privacy and compliance. And, yeah, I look forward to sharing some of my learnings,
(02:13):
certainly in the last 10 or 12 years in this area, with your listeners.
Erin Vallier (02:17):
Yeah, can you start by giving us an overview of the current state of cybersecurity in the home care industry, and particularly concentrating on electronic medical records, or EMRs as we lovingly call them?
Richard Guttman (02:31):
The EMR provider is really at the center of an ecosystem of information, and so the records in the systems that companies like PointClickCare and AlayaCare manage are growing all the time, whether it's through interfaces to other systems or regulatory databases or increasing use of
(02:55):
clinical records. There is so much information that is being safeguarded, so the focus is massive, both in terms of those bad actors who'd like to leverage that information for financial gain. We'll talk a little bit about some of those high risks.
(03:17):
Not only that, but those records are now at the center of litigation like negligence and malpractice, personal injury and also investigations. Government agencies that are investigating perhaps fraud or other regulatory violations are seeking out these records.
(03:39):
So the focus has never been higher on what is in the EMR.
Erin Vallier (03:46):
Sounds like a lot of pressure. What are some of the common cybersecurity threats that home care agencies face, and how do they differ from those encountered in other health care sectors?
Richard Guttman (03:58):
We can talk about that for a little bit, because I mentioned kind of the bad actors. That's what we read about in the newspapers when we see that, you know, a large health insurance provider has been hacked and millions of records have been misappropriated. So that is the primary area we see that in, is kind of
(04:20):
ransomware, external attacks. That's where an offshore criminal organization is actually operating and trying to get records out of a system that they can lock down and that they can offer to exchange for a ransom. Often that starts much earlier in the process with what you'll
(04:41):
hear called phishing attacks, which are these social engineered attempts to get people who have legitimate access to share their passwords and user IDs, and once they have this information then they have a much easier way into the system. Then we have a whole category of rising risks that are
(05:03):
associated with a home care agency's own employees. Disgruntled people who have left the organization and kept their usernames and logins can be a risk to an organization, by the email that was sent with the wrong patient's information or the database access that was given by mistake from one agency
(05:30):
to another. So we have a whole series of innocent, unintentional mistakes that lead to a data breach. And just like we say, you know, you've heard in the transportation space, you know, if you speed, it's what we call an absolute liability offense. It doesn't matter that you didn't mean to speed; if you
(05:51):
speed, you're guilty.
Erin Vallier (05:52):
I didn't see the sign, officer.
Richard Guttman (05:54):
In the data space it's exactly that way. If you have a data breach, it doesn't matter necessarily that you intended to protect the information. You tried really hard. There's a lot of liability that providers are seeing at the end of the day, so everything we're going to talk about today that you can do to reduce your risk is a worthwhile investment.
Erin Vallier (06:15):
Sounds like it. It's a very complicated problem these days, and anything from the well-orchestrated criminals to a well-meaning employee that just happened to make a mistake. So I'm excited to learn more. And these orchestrations, man, they're getting very clever. I've seen some phishing emails that I just swore I got.
(06:37):
Like, that really looks real, so you got to be careful. So where do you start if you're feeling overwhelmed by this task of securing your EMR and other sensitive data that you're responsible for?
Richard Guttman (06:50):
Well, I think there are some really basic starting points that a home care agency can use, and they're not different than larger organizations, whether they're EMR providers or infrastructure providers. I think the best place to start is to draw a map of the data that you have in your system, and this does not have to be
(07:14):
technical and it does not have to be complicated. You simply need to draw a map of the data that's entering your system and leaving your system, and who has access to it in your organization while it's inside. We draw these data maps. Computer companies, technology companies, make them very
(07:36):
technical and sophisticated, but if you're a home care agency, you can draw a picture that has a home care worker entering a home, gathering data from a patient around a visit or medication. You can have that information being uploaded from a cell phone into a computer that's going back into a repository.
(07:58):
Draw that map and look at all the points that health records are being captured and where they're moving around in your ecosystem.
Erin Vallier (08:09):
Awesome. So bring out your best stick figures and draw a map to understand every point where there's information exchange. I presume that is a point of weakness or a possibility where something might happen to be intercepted. Am I catching that right?
Richard Guttman (08:26):
Yeah, absolutely. You can put a circle around every interchange between your organization and a third-party system, whether it's the mobile cell phone provider, or whether it's the software company that's providing you the system that's running on your phone, or
(08:47):
with a clinical labs agency that's uploading data into your system so that you can evaluate it. All of those are potential vulnerability points, and that's where you need to look holistically at what you can do around your people, your processes and your technology to reduce the risk at that point.
Erin Vallier (09:08):
Okay, well, let's dig in there. What's the best way to prepare and prevent that cyber attack from happening?
Richard Guttman (09:15):
We talk in the industry a lot about the shared responsibility model and the partners that are helping you manage the data in your system.
(09:36):
Where do they start and where do they stop? If you're using a cloud platform, for example, you will know that all of your text messages and all of your communications are encrypted, and that's something that you would ask your vendor provider to provide you information on: the encryption standards and how they do that.
(09:58):
But then your responsibility starts once that information enters your system, and all the people in your organization that are going to have access to it. The infrastructure software provider will encrypt it, and now you need to manage it securely and make sure only the right and minimum people necessary have access to it in
(10:21):
your organization.
Erin Vallier (10:22):
So, in the event of a data breach or cyber attack, what steps should a home care agency take to mitigate the damage and ensure they're being compliant with relevant regulations?
Richard Guttman (10:34):
US providers in particular have a unique, I think, advantage: a central, federally managed regulatory environment built around HIPAA that can guide any agency to prepare itself. One, the security rule under HIPAA, which provides detailed
(10:54):
technical requirements and obligations. Two, the HIPAA privacy rule, which governs how consents must be obtained from individuals and how privacy must be protected through the minimum use of that information. And the last component is the breach notification rule, which
(11:15):
sets out the specific notification requirements in the event that there is a data breach, whether it's inadvertent or intentional, how to notify which agencies. So HIPAA is a great starting point. There are plenty of tools out there that will help you map your HIPAA compliance. Very simple checklists.
(11:35):
If you do that, you're on your path to being both ready in the event of a breach, but also you're going to be taking best practices to prevent against one.
Erin Vallier (11:46):
Well, that's reassuring that there's plenty of resources out there for agencies to tap into that will map everything out so that they're not trying to go this alone or making up their own rules along the way. You mentioned something that struck a question in my mind: minimum necessary use. What is minimum necessary use of a client's data, and how does
(12:08):
an agency put that into practice?
Richard Guttman (12:11):
All of these kind of subjective standards can be confusing, but what we ask our customers to do is to take into account the size of the organization, dissemination of information, where their patients are, where their care workers are, and to draw some reasonable boundaries around who needs
(12:33):
information for what purpose. If you're a scheduler, we typically look at the schedules in your city or region. If you're a caregiver, we're seeing people narrow the access only to their patients or to those within a certain number of miles from their home. All of these practices will ensure that a defensible minimum
(12:57):
necessary standard is met by the care provider, but at the end of the day, it's really common sense. That is the most valuable asset to have. Look at what your employees need to do their jobs and make sure that they don't have access to more than that, because that'll just be exposing you to risk.
Erin Vallier (13:17):
That makes sense. So this just solidifies the importance of having a solution that really offers you a robust capability when it comes to setting roles and permissions. It's not just for the convenience of your employees not to get confused by everything, it's also to protect the agency, right?
Richard Guttman (14:03):
Absolutely, and roles and permissions are a great example of how you can create flexible user groups and access privileges that are also very compliant. Track all of the access that does occur. So systems are now really focused on the new aspect of many privacy regulations, which are the obligation to maintain logs of all the accesses, all the views, all the changes to records. So when I started off the show by talking about the value of those records, often it's not just the face of the record,
(14:24):
what would have been in the old paper chart, it's now the metadata that runs underneath it, and that metadata is extremely valuable when you're looking to see what happened in the event of a potential breach or a potential employee or outside person who went beyond the scope. So you need to understand what the capabilities of the systems
(14:46):
you're using are to track that important underlying audit data, and it's required under HIPAA and GDPR, and almost two-thirds of new privacy regulations include requirements to have audit logs and audit trails available from all of the systems that you use.
Erin Vallier (15:06):
That's fascinating to me. So it will actually allow you, let's just say you got hacked, you can go back to that very point where it happened and see from the metadata exactly who did it, where they were and exactly what happened. It's kind of being a little detective, if you will. It's very cool. So, Richard, how do you know if you're doing okay when it comes
(15:29):
to cybersecurity, or if you've just been lucky so far?
Richard Guttman (15:33):
Well, I think those of us who operate in the space know it's not a question of if, but when. You will face some level of cyber attack, and the proliferation of systems and the number of interconnected systems increases the risk to all players.
(15:53):
If you look at some of the major health care data breaches, you find that it's often not the primary provider, the health care agency, but it's a small vendor that was running a call center, or a third-party offshore vendor that was responsible for one small component of the system that was
(16:14):
the weak link that created the data breach. Yet the primary company, the healthcare company that has the data, needs to report that breach and can have direct liability for it. So I think of it as water flowing around an old house. You know, it's looking for the weakest possible place and the
(16:35):
weakest vulnerability, and the water will never stop moving until it finds that spot. So the best way to protect yourself is to understand who the other players in your system are so that you can work with them. We're seeing software companies working with healthcare agencies in advance, doing things like running joint
(17:00):
exercises of how they'll respond in the event of a data breach. We call that a tabletop exercise, and it can be extremely valuable for preparing for both the communication and the technical rebuild associated with having a data event.
Erin Vallier (17:18):
That's fascinating, so get educated and practice. What are some good resources to educate yourself about cybersecurity?
Richard Guttman (17:26):
I think that there's a ton of great government resources out there at hhs.gov that you can use to get detailed information on HIPAA compliance and all of the various checklists that you can provide. You can also work with your upstream provider of your
(17:48):
systems to ask about their cybersecurity and their privacy protections, many of which will be shared in the public domain. Those providers in turn look at infrastructure companies like Microsoft and AWS, who provide now detailed information about their security and compliance practices.
(18:09):
So the best way to do it is to learn from those upstream from you, both so you understand where your responsibilities lie, but also you're going to get best practices from someone who's a little bit more sophisticated. It's like having an older brother or sister who went through high school ahead of you. You can ask them which teacher to avoid or what classes they
(18:29):
should take.
Erin Vallier (18:30):
So lean on your partners and find a good government resource. I just have one final question for you, Richard. This has been very informative. What other advice do you have for agencies that you haven't shared already? Leave us some parting wisdom, some little glimmer of hope that they can protect themselves.
Richard Guttman (18:51):
I think the thing that we know is that small, simple and even non-technical exercises make a huge difference in improving cybersecurity. You can use easily available tools to run practice phishing exercises to train your employees how to identify emails
(19:14):
that are potentially risky. It's not a complex task and it will really improve your security profile. Phishing is such a huge source of individuals making mistakes and clicking the wrong links. We talked about preparing for a cyber breach by literally spending two hours play acting.
(19:34):
What would happen? Do you have backup systems? How would you switch to paper, and for how long? Which systems could you use offline? Just practicing for two hours in preparedness will make you so much more effective in the event, or when you have to face that situation in reality. So small investments, big payoff in the world of
(19:58):
cybersecurity.
Erin Vallier (20:00):
I happen to agree with you there 100%. Being the recipient of some of those trainings, I've been really shocked at how convincing some of the phishing emails can really be. You have to be aware, you have to know what to look for. Something as simple or as detailed as the website, when you hover over where you're going, is like a couple of
(20:21):
characters different than what's printed on the page in front of you. If you don't know what to look for and you're in a hurry, gosh, I can see how anybody would click on that. They just look so real.
Richard Guttman (20:31):
We say trust, then verify. You know, and so learn. When in doubt, verify with an independent source within your organization. Always best practice, both professionally and personally.
Erin Vallier (20:46):
Absolutely. Thank you so much for sharing all that with the listeners today. It's been a real pleasure having you on the show.
Richard Guttman (20:53):
Thanks, Erin, I really enjoyed it.
Erin Vallier (20:55):
This was super informative, and I'm sure people will want to hear more from you and learn more from you. Where are you going to be speaking next?
Richard Guttman (21:04):
I am going to be speaking at the AlayaCare Better Outcome User Conference coming up in September, it's the 18th to 20th in Niagara Falls, Canada, technical detail so that we can help guide agencies with even more kind of handheld information that's going to focus on particular healthcare
(21:28):
cyber risks.
Erin Vallier (21:30):
Okay, so you heard it, folks. Come to Niagara Falls in September and let's peel back the layers here and learn a little bit more about cybersecurity. Can't wait.
Home Health 360 is presented by AlayaCare and hosted by Erin Vallier. First, we want to thank our amazing guests and listeners. Second, new episodes air every month, so be sure to subscribe
(21:52):
today so you don't miss an episode. And last but not least, if you like this episode and want to learn more about all things home-based care, you can explore all of our episodes at alayacare.com slash home health 360 or visit us on your favorite podcast platform.