Episode 2: Why You Need to Take Security And Privacy Seriously

Episode Transcript

CJ Wolf: This is CJ. Wolf, welcome to compliance conversation and today we have a wonderful guest, Steve Spearman

Steve Spearman: Oh Stop it! You are embarrassing me!

CJ Wolf: Steve is VP of HIPAA compliance services and we’ve got some good questions for Steve that I think are on a lot of minds out there in the compliance world, so thank you…

Steve Spearman: It’s good to be here!

CJ Wolf: Great, if you don't mind I’ll just start off with asking kind of a general question, since your world is the world of HIPAA security, what are the big trends that you’re seeing right now in HIPAA and info security and those type of things?

Steve Spearman: So a few things to point to, if I can point back just a little bit to the OCR audit this summer that was-

CJ Wolf: That was the big thing

Steve Spearman: That was the it girl of the moment you know.

CJ Wolf: All the conferences I went to everyone wanted to hear about it

Steve Spearman: Yea it’s like so if they ended up getting selected, target kind of where it is going to rollover where they are going to be doing businesses associates, but that was an interesting moment because it really did get the industry paying attention like oh my goodness! What would happen if we were audited and they kind of went back and had to ask like what would we do if we were audited? And so I think it is something that you know even for those that weren't a part of that it moved them forward.

CJ Wolf: I think that's a great point because when I was at a conference back east just a few weeks ago they had an OCR representative there and they were talking about the audits and one of the question that came up, they first ask anyone in the room is on the list and only one person raised their hand but everyone was interested for just what you said. They wanted to make sure if I get audited what would I do? And one of the question was a very simple question: could you list all your BA's?

Steve Spearman: yeah, yeah

CJ Wolf: Could you?.Because we are asking, OCR said this, we are asking everyone for a list of their BAs could you find that pretty easily? And a lot of people were like oh I'm not sure that would be an easy task

Steve Spearman: No, no I mean if you look at a lot of enterprises they may have hundreds, they may be contained in multiple kind of documents it might be in a license agreement if it’s a software, it may or may not have business associate agreement at the top and just based on my own risk assessment work where we address the management business associate it is very common where I say okay show me your list of business associates and they say, oh yea! We probably need to get right on that.

CJ Wolf: Right

Steve Spearman: And I think one reason that was sort of that moment this summer was significant because even though they only auditing about 200 clients they sent out this early form contact request to about 10,000 people.

CJ Wolf: Really?

Steve Spearman: It's like, so you have about 10,000 providers.... thinking that, “man, I could get audited” and so there was this very interesting flurry of activities around that. So, that's been a really significant event. I would say the biggest thing of the moment and it's not just this moment, I think really beginning in February of this year started then just continued and continues to grow has to do with ransomware.

CJ Wolf: Yeah, that's been on.

Steve Spearman: Yeah, I mean, it's huge my argument is basically that ransomware as a hacking event has changed the way, the calculus if you will, that information security officers, compliance officers, CFOs are thinking about information security because I believe they were willing to live with a certain degree of risk related to data loss. Like okay we might have somebody get some data and then it gets over and then we have report it. Ransomware really changes that algorithm because if you get attacked and it's successful you're not operating anymore.

CJ Wolf: Exactly they take over the system right, so you can't enter. Clinically a nurse can’t enter vitals or a doctor can't sign his note is that from my understanding correct?

Steve Spearman: We are beyond the days where people can just, “oh yeah I’m just going to do it on paper,” it’s like no today’s Hospital health system you know running a hospital involve the use of information systems to manage care to keep people safe and all that. So those are two of the big ones but there have been many many examples. The two most high-profile were in February, that was sort of what got that conversation going

CJ Wolf: That’s right

Steve Spearman: Even though we had them happening last year you know but that was very high profile and they had to pay the ransom and that was one reason and then MedSTAR in Maryland, the effect of that had been that people are looking and thinking about information security in a different way.

CJ Wolf: I would think so because you know having spent a lot of years in compliance everyone tries to use the stick approach versus the carrot approach off you’re going to get fined. This is no longer just a hip or OCR issue, it’s an operational issue. So, let’s say an organization is willing to pay the fine or whatever you’re not working, your organization is not working, I think it’s a good example of where good compliance practice can actually help operationally in an organization.

Steve Spearman: I mean they’re not there for no reason. And it’s like when this story really started coming out I’ve done some writing about ransomware and I hope to continue to do that but one of the points in my article before I publish it you know I send it to somebody and say hey what do you think about this? And in the article I had suggested that in some cases the paying of the ransom was a reasonable course of action. And somebody said whoa! No, no one should ever pay the ransom. This actually gets to a classic economic game theory conundrum

CJ Wolf: Don’t negotiate with terrorists! [laughs]

Steve Spearman: Right at the end of the day, it’s like yeah in principle if nobody pays the ransom it would be a successful model but when it’s you it’s like you do what you have to do, it’s like so and what to me when I think about organizations that have ended up paying the ransom and a lot do, I mean a lot do. It’s that the first thing that people need to be thinking about is backing up your data, it’s like this is such a…

CJ Wolf: So you can function

Steve Spearman: Yes so you can recover

CJ Wolf: Exactly recover.

Steve Spearman: I mean if you have a robust contingency plan and backup that you know you can recover and that’s a problem a lot of them say oh yeah we do backup but then they never really had to back up

CJ Wolf: And haven’t tested it

Steve Spearman: Tested it, testing and evaluation is one of the addressable standards it’s like …and it’s time, hey people out there, they know that you can recover from back up relatively easily. I am talking to the audience know...

CJ Wolf: absolutely

Steve Spearman: it’s like it’s the first most important thing that people need to do. Now let’s also put the things in place to keep it from happening in the first place.

CJ Wolf: Exactly

Steve Spearman: So I would say another one is phishing. It’s not the only but it’s an important vector for these kinds of attacks and so I personally, in my practice, put more emphasis on training employees to recognise that, even though that email mentions the company picnic last week, does not mean it's legitimate and teaching them the clues to indicate that hey, this isn’t right. Looking at a domain carefully

CJ Wolf: Right

Steve Spearman: I mean it could be that they grab the domain that where you have the M's in it they had gone and grabbed the domain where they use r and n instead so looks just like it. Being a little bit more careful can make a difference.

CJ Wolf: I don't know if you want to comment on this, but we’ve seen some organizations doing little drills. For example, they would send out little test emails and see who in their organizations clicks on it and does this and that as a learning experience. I mean some of us fall for that but then you learn and I'm glad you fell for it in the pseudo-tests when it was safe.

Steve Spearman: And it wasn't the bad guy yea.

CJ Wolf: Is that one of the things that you're talking about?

Steve Spearman: Absolutely I mean there are companies out there that do that. "fish me know before others” and they do, they would sort of send out a test. Generally the results are kind of astonishing when they send it out initially 25- 40% will click on that link if it's well-crafted...

CJ Wolf: Wow!

Steve Spearman: And this is what's interesting though, when you present it as a service though and you teach your people that hey! Once or twice a month you're going to get an email from....

CJ Wolf: Exactly

Steve Spearman: And it's not going to be real then it becomes almost like a game for them

CJ Wolf: Right there always thinking is this email is legitimate yea.

Steve Spearman: But that's what you want employees to be doing because one time they're going to look and it's not going to be from that service

CJ Wolf: Exactly

Steve Spearman: It's going to be from the bad guys and they think ah this does looks a little off...

CJ Wolf: Exactly

Steve Spearman: The grammar is not quite exactly right and all this sort of...And you teach them to look at that, and that can make a difference so there are a lot of things that people needs to be put in place around ransomware, it's such an important and significant development

CJ Wolf: Yeah

Steve Spearman: Those are two though that I think people should be paying attention to.

CJ Wolf: What other big trends, you know the end of the year sometimes can mean a flurry of work right? Tell us about that.

Steve Spearman: Because of meaningful use

CJ Wolf: Ok explain that a little more

Steve Spearman: risk analysis as you know is the very first HIPAA security requirement, the rules states that you must document the quote “treats and vulnerability to the confidentiality integrity and availability of the electronic protected health information” Meaningful use is obviously a program that is providing incentive has provide incentives and continues to provide incentive to providers, hospitals to use electronic health records. Well in the current year most providers are under what’s called modified stage II it’s been on every stage but under modified stage II it’s the number one criteria to conduct a risk analysis.

CJ Wolf: I see

Steve Spearman: interestingly HIPAA itself doesn’t actually say how often you need to conduct a risk analysis. Meaningful use does, its like annual

CJ Wolf: its annual, that means people are pressured to get this done this calendar year

Steve Spearman: I guess the world is like you and I are it’s like we procrastinate and we do things at the last moment.

CJ Wolf: exactly

Steve Spearman: so , yeah it’s a busy time right now for us and for me too, it’s like you know for too many people the risk assessment piece is like a check the box thing and yet it really is important

CJ Wolf: yeah

Steve Spearman: I mean you really do want to understand what your risks are and my go-to an analogy that I’ve used before and you heard me use like it’s a

CJ Wolf: great example

Steve Spearman: yeah it’s having your home inspected, it’s like having an annoying person go through with the clipboard with tools and a process so that they can document you know that open wire in the ceiling of your basement without a wire nut audit you know like.. And it’s the requirement that requires you to know, it’s the requirement or regulation that states that you are not allowed to say "ha I didn’t know". 

CJ Wolf: yes

Steve Spearman: You are not allowed to just claim ignorance

CJ Wolf: Exactly

Steve Spearman: You have to use it. So I just think it's worth beyond Meaningful Use, actually paying attention to what you are documenting and that you are going through those processes

CJ Wolf: Well you know I don’t live and breathe HIPAA security but I read OCR resolution.

Steve Spearman: you have a much more interesting life than that, yea and I get that.

CJ Wolf: but I read enough to know that it’s one of the more frequently cited nut failures in these settlement and in the resolutions agreements and that’s what you’re seeing right?

Steve Spearman: I mean I don’t know that I’ve ever seen a resolution agreement and you can easily find them...

CJ Wolf: inaudible

Steve Spearman: I don’t know that I’ve ever seen one that didn’t have lack of risk analysis or insufficient to risk analysis, is just super important and it’s the thing.

CJ Wolf: Well to bring back to your ontology of the home inspection, You know, I have moved around the country for work and I’ve bought enough homes, so I think I could maybe do one of the things on the list, you know, I could maybe check the ceiling if there are leaks or whatever but I don’t know electricity I don’t know foundation, I don’t know those types of things and it seems like there is probably organizations that are large enough and have the resources, maybe they have an internal person with expertise to do that annual risk assessment but most people probably don’t right

Steve Spearman: Yeah

CJ Wolf: Comment on that and those that try to do it themselves versus hiring somebody.

Steve Spearman: Yeah well first of all it says... so you might be able to do something simple like using a ground fault detector and go and putting them into your plugs but you probably don’t know where to get a radon detector for example...

CJ Wolf: Exactly

Steve Spearman: I personally believe that most organizations need to use experts to do this and some organizations do have that expertise but I would say majority don’t

CJ Wolf: Right

Steve Spearman: And there are even tools that are available that can sort of facilitate this but I think that they are not very effective in the hands of non experts.

CJ Wolf: Right

Steve Spearman: You know an expert can help you determine with something like encryption for example that which is an adjustable safeguards in the in the rules those tools are not going to help you understand and how do you weigh, like if I encrypt my database here sure it would be more secure but it would also increase the latency that’s how long it takes to repaint a screen or whatever

CJ Wolf: Okay

Steve Spearman: By a factor of 4,5 or six so you just took for that organization something that took half a second to repaint and know it’s three seconds for hundreds of clicks per day for a single individual for 2000 employees that’s a good reason that you could say well, it’s not reasonable and appropriate in this case..

CJ.WOLF: I See.

Steve Spearman: Most people don’t know how to really think through that expert determination.

CJ.WOLF: Yea

Steve Spearman: So I'm just, for both the benefit so that's a benefit client is that they're going to sort of say, "well it's in there even though it's addressable, so I guess I have to do it" an expert can help you make those number.

CJ.WOLF: Yeah it's not paint by numbers.

Steve Spearman: It's not paint by numbers, no it's not, not a simple decision tree, you know, you know...

CJ.WOLF: So let me ask you; let me kind of change direction just a little bit. Like I said I read about settlement agreements and advocate, we've all heard about advocate. I'm from Chicago so I know advocate, I did some in medical school, rotations in their hospitals it was a big settlement, I think, correct me if I'm wrong it’s still the largest single dollar amount 5.5 million for a single entity...

Steve Spearman: For a single entity yes.

CJ.WOLF: Tell us a little about that what we might not know beyond the headline.

Steve Spearman: And I think it's worth just pointing out that I mean we will have to see; the OCR equaled, I think with that advocate or maybe one before the advocate they equals the number of resolution agreement, like for this summer for the entire year {cross talk} which was more for than the year before that.

CJ.WOLF: They are ramping up.

Steve Spearman: They are ramping up but, yeah advocate was interestingly the largest so far, it was three breaches that happen in 2012 or 13, I think 2012 all within two months of each other

CJ.WOLF: Okay

Steve Spearman: So it's like bam, bam, bam, you know and so that apparently got OCR's attention. One of them was very large and the largest of it was the theft of four workstation in an administrative office...

CJ.WOLF: Okay.

Steve Spearman: That was the one that had the most record

CJ.WOLF: Not laptops

Steve Spearman: Not laptops, no desktop, right I mean and yeah....

CJ.WOLF: I mean towers, computer towers

Steve Spearman: Yes towers that somebody walks in and walked, out like these computers and lot of people, funny they go there they say well you know given that inscription is an addressable safeguard, we will do our laptops but factors related to workstation are what is the physical security is like?. In fact one of the finding of the office of Civil Rights was that they had not sufficiently determine the facility security that's there is a whole nother…

CJ.WOLF: locks on the door, alarm systems

Steve Spearman: The ATP right?

CJ.WOLF: Administrative Physical and Technical

Steve Spearman: Technical, yeah and there is a facility control standard that includes the physical security assessment

CJ.WOLF: That’s right.

Steve Spearman: and so that; those kinds of things are important so it was that and then they had a business associate that was doing work with them that was, I think about three; the one with the workstation was hundreds of thousands if not millions, I can't remember off the top of my head. The other one was a business associate who had stolen laptop about 3,000 records; no business associate agreement was in place {crosstalk}.
If I remember right the business associates was the billing company.

CJ.WOLF: Yeah, yeah...
It wasn't like one of these one-off. I don't know if they were business associates. It's pretty obvious you should have a current business associate agreement, right?

Steve Spearman: It was just sheer just not having processes in place to ensure these things weren't happening...

CJ.WOLF: Yeah, yeah. And interestingly all three of them actually took place as part of advocate's physician group, they had large physician organization all three of them were associated with that and so yeah, so advocate was notable for the size of the agreement and you know really I think it goes to sort of the attention that needs to be paid to things like business associate. We are generally seeing a trend around more fines being leveled for more failures of businesses associates

CJ.WOLF: That's right. Right

Steve Spearman: And you know that's just a general topic of discussion.

CJ.WOLF: Well good, I know we are probably getting short on your time so let me ask another question about specifically we were talking about....or what I read with the government accountability office about three or four weeks ago they published a report saying that HHS still was not their oversight and enforcement of PHI protection was still not good enough. So I have been in compliance a long time HIPAA was passed to 1996. A lot of people haven't done anything with HIPAA until enforcement started a few year ago, I think you would agree OCR has ten times increase their enforcement and yet now we get this report that they still haven't done enough and I just want to get your take on maybe reading the tea leaves if you could, what do you see in the future? It seems like this is a tidal wave that's continue; it's not getting smaller it’s not the fad of the day but rather something that’s going to get bigger and bigger.

Steve Spearman: Yeah it's no question, I mean and the reason “T" leaves wouldn't....wasn't hard because you can look back to a specific thing that happen and that was high trust, the same thing that funded...funded meaningful use...

CJ.WOLF: Hi-tech

Steve Spearman: I'm sorry, hi-tech that's correct. Hi-tech they funded meaningful use, basically included legislation that essentially impaneled, state attorneys-general to sue on behalf of their citizens for privacy, violations and the fines are split equally between OCR, the states and then the victims and so you say whatever your opinion of like well that's good it was clearly the intention of sort of making these events more high profile and then of course even the audit programs are an indications like you guys need to be paying more attention to that, that was clearly a direct result . Even though I will say that, that random audit program for the most part of those that are involved say the primary intention is not to impose fines, if something's really bad, maybe fraud, they might kick it over to do a formal compliance investigation but the ability to do that wasn't really baked right into it.

CJ.WOLF: Right

Steve Spearman: But no there is no question that I think we are going to start seeing that and you see that combined with other significant trends like ransomware or whatever and we're at a moment that is only going to keep growing from here, Where people are paying a lot more attention to this and if they are not they should.

CJ.WOLF: And to me it seem like it's not just like you mentioned earlier, a lot of times the driver is in compliance for trying to avoid some sort of penalty.

Steve Spearman: When it comes to PHI yes, that's something to keep in mind OCR could find you but it seems like it's good business practice and a lot of these organizations are worried about their reputations, so yes there might be an OCR enforcement but they're worried about it being on the front page of the.....and the patient saying should I even go there,

CJ.WOLF: Yeah.

Steve Spearman: Can they even pick a good business associate, they are going to lose my information and it seems like that is a little bit different than a lot of the other things in compliance that I've dealt with where reputation might be driving unless it was a fraud thing {cross talk}

CJ.WOLF: It's was a fraud thing I mean obviously....

Steve Spearman: Yeah it's like the absolutely if you have more than 500 records that are a part of a breach you have to report it to the local media, you're also going to be on what's called the...Hall of shame.

CJ.WOLF: 'Hall of Shame'

Steve Spearman: 'Hall of Shame' yes. It's like the naughty corner of the internet.

CJ.WOLF: Right. Which any of us could be on there by the way...?

Steve Spearman: Absolutely, yeah.

CJ.WOLF: Maybe you could clarify that...but I think it could be any of us
Any kind of breaches can happen. They can happen to the best....

CJ.WOLF: Absolutely. In fact I think it's exceedingly difficult to protect against a persistent targeted attack it's like...but you would like to at least know that you had your ducks in a row

Steve Spearman: Right, you've done everything you could to proactively try to prevent. Good compliance programs tries to prevent but then also if it couldn't prevent it detects and corrects so...

Steve Spearman: Well I think you know what I would basically... you've heard the analogy like "why did you rob the bank?"

CJ.WOLF: Yeah

Steve Spearman: it’s like that’s where the money was.

CJ.WOLF: haha!

Steve Spearman: I think more interestingly is, why did you robbed that bank?

CJ WOLF: Right.

Steve Spearman: It's like well there's security; the word is secure it's easier for them, so...

CJ WOLF: Low hanging fruit.

Steve Spearman: Low hanging fruit or its like, you know the bear in the woods, two guys, I don't have to run faster than the bear I just have to run faster than you.

CJ.WOLF: Right...

Steve Spearman: You want to be on the right side of that curve, you don't want to be easy.


CJ. WOLF: You don't want to be easy yea.

Steve Spearman: You don’t want to be easy picking. I think that's very consistent with a lot of other things in compliance, you could demonstrate if you get an inquiry from a government enforcement agency and you can demonstrate things very quickly that you have a lot of your ducks in a row, they might say, "you know what, we could maybe find something if we spend a lot of time at that organization but let's move on to the ones that are not as well prepared.

CJ.WOLF: Be pretty good if you could be great, great but at least please be pretty good

Steve Spearman: Yeah, yeah that's certainly what we can.

CJ.WOLF: I think we could talk about this all day

Steve Spearman: We could bore the world with all this stuff but.

CJ.WOLF: But before I close is there any question I didn't asked, I've asked some of the things that I might be aware of but living and breathing in this world do you think there is anything that I left out that people listening might want to know?

Steve Spearman: I think that; interestingly I think that, depending on the expert, can be really helpful....we do risk assessment obviously and we can help people with that. But even like a lot of organizations that don't, you know finding good vendors that can help you setting up your network is really, really important like that it's sort of dramatic when I go into a client and I work; I am working with a good reputable IT vendor that helps staging and provisioning of computers and all that sort to stuff how they're just more likely to be better and....
Yeah there is a cost associated with that but I think it's very useful to kind of pay attention to that kind of stuff. There's a lot, you know me, I could....But I think it's good advice; I think it's good advice

CJ.WOLF: I appreciate your time and expertise, I probably cut it off here but I think this is such an evolving area of health care compliance that we probably have you back at some point {cross talk}

Steve Spearman: I would be thrilled about that.

CJ.WOLF: there are probably some new things, who know what twelve months from now is going to bring us, right?

Steve Spearman: Hey, I may be standing guest... {Inaudible}

CJ.WOLF: I don't know about outstanding but, you know..... {Laughing}

Steve Spearman: I'll send the invoice. Where do I send the invoice?

CJ.WOLF: That's right. And to close out I'll be kind to Steve here and say go Clemson tigers.

Steve s Spearman: Go Clemson tigers, woo!

CJ.WOLF: So thanks again for your time I really appreciate your expertise.

Steve Spearman: Okay. Thanks.