Join Jason Karn of Total HIPAA Compliance and Rob McDonald of Virtru as they discuss the advantages and challenges of using electronic devices in your practice and offer tips to help keep you HIPAA compliant.
About our Presenters
Jason Karn is the Chief Compliance Officer at Total HIPAA and has been active in HIPAA training since the inception of the 2013 HIPAA Rules. He is the co-author of all Total HIPAA 2.0 training for Agents and Brokers, Employers, BA/Subcontractors, Medical Providers and Dental Providers and is a regular speaker, blogger and a significant Twitter influencer on all things HIPAA.
Rob McDonald is the VP of Customer Solutions at Virtru and a perpetual student of technology, information security, and privacy practices. He was named a Top 100 Healthcare CIO to Know by Becker's Review for his work with several acute care organizations and has previously consulted with corporations to help them assess their information security positions, identify their shortcomings and raise security awareness amongst their employees.
- NueMD HIPAA Infocenter
- HIPAARDY Parody Series
- Breach Notification Guide
- Total HIPAA Compliance - includes 50% off first month of HIPAA services
- Cognito Forms
Olive Lynch: Hello everyone. Welcome again, and thanks for joining us today. My name is Olive Lynch and I'm the Creative Marketing Manager here at NueMD. Also, joining us today is Chief Compliance Officer at Total HIPAA, Jason Karn and VP of Customer Solutions at Virtru, Rob McDonald. I'm gonna go ahead and hand it off to Jason to get started. Jason?
Jason Karn: All right, great. So, let's go ahead and get started here. We do have a lot to cover. Just a little bit of housekeeping. The materials here are changed frequently, so we suggest you go back and review source materials about what we're gonna talk about today, you know, technology six months down the road. These things could change. Also, this is just advice, this doesn't create any sort of agreement or any attorney-client privilege between us, person, or entity.
Jason Karn: Now that we have that out of the way, we're going to get started with email encryption. Now, Rob is here from Virtru, which is a wonderful program that we ... One of the programs that we recommend over here at Total HIPAA Compliance. And the first question I want to ask you, Rob, and as we go through this, is, is TLS enough for transport layer security? We hear a lot about, okay, we're going to encrypt information from point to point, and transport layer security technically does that. Or TLS as you would see. So, we see that with Gmail, Hotmail, Yahoo mail, those sorts of things, but could you discuss a little bit about why these aren't appropriate for a practice to use and why TLS may not just be enough on its own?
Rob McDonald: Yeah, I think it's a great question and it's honestly a question that industry has done a poor job of explaining and presenting to its customers. I think ... And generally, people are at a loss to understand why if their bank uses SSL encryption with their website, why is this not good enough for my email? And there's a couple of reasons. First, let's talk about TLS and SSL and what it means as it relates to email encryption, right?
What that means is, much like that website you go to when you're doing your online banking or if your EMR, EHR is web-based and you go to that website and you see the little green lock in your browser, what that means is that as data is passing from your computer to this server that is giving you that application or that email interface, it's encrypted while it's in motion, right? While it's going back and forth.
What it does not mean is after it's been stored on that server, so if Gmail, or Hotmail, or Yahoo, or any of these websites that are using TLS and SSL, once they store that content you have no assurances as to how that's being stored or protected. So, while TLS and SSL are required, absolutely required, and important, they are not enough. So, if you use Gmail or some of these email providers, you need to ensure that once it's on the other side of that transmission that it's also secure.
In addition to that, these free email accounts like Yahoo and Hotmail and many others, they do not even provide assurances for what they're doing with that content while in transit, right? They're not viewing you as an organization that is a regulated entity and applying the appropriate controls to that. So, additional protection on top of that content as it's going through that SSL and TLS encryption is critical to ensuring access control and data security.
Jason Karn: Now, wouldn't you also say, along with that, that dealing with authentication, so, knowing that you're actually getting it to the person where it's supposed to be?
Rob McDonald: Absolutely.
Jason Karn: Sometimes, you know, we see a lot with spoofing, that sort of thing, so this, you know, the having a program, an email encryption program, really says "Hey, let's just authenticate that we know exactly, to make sure that we're getting it to the correct client, to the correct person."
Rob McDonald: Yeah, Jason, that's a perfect expansion of that concept. So, once it's on the other side of that connection, right? You have no idea what's taking place, right? That recipient may grab it, may not grab it, they have no way of knowing. So, by protecting it early, before it's even, before TLS and SSL is even in place all the way to the recipient, you're effectively authenticating and verifying them as a one-to-one contract between you and that recipient, absolutely.
Jason Karn: Right. And another thing I want to bring up with this, as you're looking at email encryption, you have to have the business associate agreement in place, if you're using one of the free services, like a Gmail, Hotmail, they're not going to sign a business associate agreement that's going to say, "We're handling this information and this is what's going forward." And that's a part of that requirement with HIPAA, so as we go through these things and go through these items with everybody, I'll just point out some of the regulatory items that we need to make sure that are taken care of also.
So, you got the encryption, but you need to make sure, essentially what we're saying is, you really need to look at what programs you are using, making sure you have that business associate agreement and then what they're actually doing with that information as far as encrypting along from point to point and authenticating that it's actually getting to the proper patient or client along the way.
Rob McDonald: Absolutely.
Jason Karn: So, moving forward here, as you guys hear today, we're going to do sort of a discussion about issues that we see, things that we come across, do a little back and forth on this.
Is file sharing ... And I know a lot of our practices today, we use file sharing all the time here at Total HIPAA and I'm sure you guys do too because the transportation, you know, making sure that you got information is going from place to place and that it's secure is really important. Rob, you've got a, actually ... Excuse me ... We were talking about this a little bit beforehand, is you guys actually have an overlay, that you're in BETA right now, where you overlay over Google Drive.
You know, we were talking about what kind of things should physicians take into account when choosing a provider, but I think it's important to say, why is something like a Google Drive, you know, you may have a business associate agreement with Google Apps, why is that not sufficient for HIPAA compliance? Like what else does a practice need to think about when they're going into this situation?
Rob McDonald: Yeah, that's a great question and it's a concept that is worth talking about. The way we share data, create data, and store data today is drastically different than it used to be. There's a lot more sharing involved today. There's a lot more collaboration involved today and because of that, that means your data takes pathways to third parties and to additional recipients that would not have happened in years past.
That means that while data is in one of these ecosystems, like Google Drive, and while that's fine while it's inside that ecosystem, it doesn't stay there. It doesn't stay there because that platform is meant for collaboration and sharing. Once you share that content outside of that ecosystem, you have to extend security controls to that object, to that file in this case, to ensure that that recipient is authenticated, to ensure that content is protected, both in transit and while it's on the other side of the recipient, the transmission to that recipient. And you have to have some access auditing, or logging on that content as it's leaving that ecosystem.
While all these storage providers are great, you have to start thinking about the virality and the collaborative nature of the content you're creating, how it's leaving those environments, to ensure that you are applying control, encryption, and authentication necessary to meet, not only compliance, but to try to future proof your position. You have to start thinking down the road, and including that road map conversation, how you're going to be utilizing in the future and the total cost of ownership in that equation to protect that payload where it sits in these file sharing platforms.
Jason Karn: Yeah, that's great. Now, what are some of the issues that a physician needs to take into account when choosing a provider like, what kinds of things would you have, would you recommend that a physician look at before they say, "Okay, I'm going to go with this specific file sharing protocol or this provider?"
Rob McDonald: Yeah and I think, and Jason, you'd be perfect to talk about the regulatory requirements out of this, but from a technical perspective, I mean, let me cover that for a second, right? You want to choose a file sharing provider that in and of themselves are taking in consideration the technical requirements for regulatory compliance. So, again, moving away from some of these free solutions or free tiers because they just don't view you as an entity that has the regulatory compression, HIPAA and PCI because of that they just don't have the controls in place. That's a business view, right? I think, you could probably take us through quickly on the regulation side and what that means, right?
Jason Karn: Well, yeah, from a regulatory side, you really need to make sure, the going standard right now is 128-bit encryption, making sure that your file sharing service has a minimum of 128-bit encryption, as part of their policy, but yeah, you're right. With a lot of these providers you really have to go into an enterprise level in order to get the business associate agreement.
Again, and this is something you'll probably hear me speak ad nauseam today is that a business associate agreement is really key to any of these programs that you use because these are your business associates, they're going to be handling information on your behalf, and so you need to make sure that they are, that you have proper contracts in place. We've seen some huge fines come to companies that don't have these proper business associate agreements in place. I think beyond, even a technical aspect, is making sure from a regulatory standpoint that you have these things in place.
Then, you know, one of the things that also I think is really important to think about is, what's going to be easy for your staff to use? I mean if it's something that's so locked down that it takes four or five clicks for a staff member to get to and work with, it's not going to be something that you're going to end up, that people are going to use. They're going to look for shortcuts, they're going to look for ways around, which is then going to short circuit your security.
Rob McDonald: I couldn't agree more. I just want to expand on that for a second, my background can help here.
Jason Karn: Yes, please.
Rob McDonald: My background is in healthcare and I, and a lot of my time is spent, in the past, how do I make technology work with the business processes in place? Because at the end of the day, in these practices, the individuals in these practices, that's not their job. Their job is not to encrypt files, it should be easy to use. You have to focus on user experience when using these products, otherwise it's very difficult to get the awareness level up, to get the adoption rates up, to make the technical product, the protection layer, even useful, right? So, at Virtru we focus very heavily on user experience.
Jason Karn: Right and I think that's, from what I see, is one of the big differentiators with your guys' product is that they are, they're very easy, they're very low bar for a user. It's very user-friendly and integrates quite nicely with a lot of the products that you're currently using.
Secure Text Messaging
Jason Karn: Going forward here, we're going to talk a little bit about secure text messaging. Now, this is one of those sticking points, a lot of people, we see a lot of people bringing their own devices into work and for productivity reasons, you know, practices are allowing this to happen. They're allowing access to calendars, to emails, and to all this information and one of the big sticking points is, what do you do about text messaging? And text messaging really is a big issue, going forward here because you have again, the security issue.
Are you, you know, if you're saying, conceivably if you're saying, everybody's on an iPhone and you're in iChat, there is encryption there, but you have from regulatory standpoint a very sticky point that you don't have a business associate agreement and Apple is not going to give you one. But then if you have people that are using, say, an iPhone and jumping, say, texting a doctor who's using an Android phone, that's a, not a secure ... Then that jumps from being, from a secure ecosystem to a not secure ecosystem. These are the things that you need to start thinking about.
So, you know, and if you don't have that business associate agreement, you don't even know how long these providers are going to be storing that information. So, once it jumps from one server to another, so when you think about the trip that a text takes to get to your phone, you know, it could go through three, four, ten servers before it actually gets to your phone. You don't know how long those providers are going to be storing that information as it jumps. I don't know, Rob, do you want to add anything to that?
Rob McDonald: I mean, I do, real quick. That was great and it's been my experience as well in implementation, but a way I try to think about this is while these devices are great, BYOD is great, and texting is something that everyone's used for ease of use, you have to sometimes put the perspective around, what if I need to find out what's happened, right? So, you had mentioned logging and discovery, that's critical because at some point, you as a practice have to say, "I need to know what's going on inside my practice," and if there's a black hole there, that's not viewed as a positive thing from a compliance programs perspective.
Jason Karn: Right and especially, we've been seeing a lot recently, there've been some of the biggest, some of the bigger issues that we've seen recently have to do with, actually with staff. Not necessarily with, we always think about these hackers coming in, exploiting things, but really what we need to start thinking about, internally what's happening? Who has access to patient information? Making sure that people who shouldn't have access to patients they're not working with, if they're asking for that information, we need to know what's going on or be able to backtrack and say, "Hey, why was this person, why was this patient's information accessed? Who was accessing it? Something happened."
We saw recently out of Florida, there was a nurse practitioner who has been sent to prison because they used that information they collected from a patient for filing false tax returns. So we see things, we start seeing patterns with the logging, I think we're going to talk a little bit more about that logging in some of our later slides here as we move forward.
Jason Karn: Let's see, we're going to now go on to firewalls. These firewalls, this is the way you protect your network, this is the way you protect your devices. And basically, as it sounds like, you're putting a wall between yourself and the outside world and only allowing certain channels for access to your network or from your network.
One of the first things I want to bring up is there's essentially two separate ways of setting up your firewall. You've got whitelisting versus blacklisting. Now, whitelisting says that you're going to deny all access to your networks and only authorize programs as they request access to go out, so say, if you're using Google Apps, that you would authorize that Google Apps has access to your device and you would open up that channel for them.
Blacklisting says, hey, I'm going to know what each of the bad websites are, or bad users out there, and I'm going to deny access per user. We recommend that people use whitelisting. It's a very simple setup and you know, we want to make sure that we say, let's go ahead and let's block all traffic as much as we can, lock down these devices.
Now, we're going to go into a little bit more depth here on the two, there's essentially two different kinds of firewalls, there's your software firewalls and your hardware firewalls. Most software firewalls these days are built into your systems. You know, if you're using a Mac, you're using a PC, a Windows based device, you do have that ability to lock down those devices. Those are fairly robust programs. You can also, sometimes as part of your virus protection, there are firewalls that are a part of those.
And now, Rob, we were speaking about those, I guess, about two days ago. What's your thought about whether using, is it, you know, are you okay just using your internal software firewall or do you ... Should you be looking at something from say, like, Symantec or one of those providers that gives an additional firewall protection? What's your thought on that?
Rob McDonald: I, you know, this is a question that gets posed a lot and the way I like to think about this is, would you leave all the doors to your house open and then just try to protect yourself if someone comes in, right? And you have to start viewing your data like that, right? Your data is the computer, it's the information on it, and the house is fundamentally, your network, where all your assets are, where all your computers are, servers are. I think the answer, most people would say, right? Is that I would want a lock on my door and be able to protect myself if someone was in the house, right?
Jason Karn: Right.
Rob McDonald: But you have to view it from a layered approach, right? I would recommend use of both to give you that defense in depth, those layers of defense in your organization.
Jason Karn: Right and we're going to talk a little bit about hardware firewalls, you know, a lot of people, when it comes to larger networks, that additional layer of protection to really say okay, let's protect this entire network not just necessarily protecting each individual devices. You had spoken a little bit about basic versus next generation of firewalls, so, if you might want to elaborate a little bit on your thoughts about that and about hardware firewalls in general.
Rob McDonald: Yeah, I would love to, Jason. I'm more excited about this today than I have in the past because today ... Today, a lot of vendors they have made protecting your network, the firewalls provided from, just from small to large organization, unbelievably easier, right? Next generation firewalls, what that really means today, is that you can purchase these devices from security vendors that give you multiple layers of protection. They're scanning your traffic for improper websites, they're scanning your traffic for viruses, or malware, they have tools that allow you to detect if sensitive information is leaving your network in the clear.
These next generation devices, they sounded very complicated and they used to be, but they've really gotten a lot more accessible to organizations that are smaller and they scale up to large organizations and are much more affordable today. They've really reached the point where, you know, Jason, as you and I have talked about a lot, right? Compliance is a lot about a battle between your budgetary constraints and your risks. They've reached a point today where these next generation firewalls are really affordable for virtually any practice. They give you a great deal more protection than what we would call a basic firewall, which is really just protecting what you explicitly say to block or allow. Not as adaptive.
Jason Karn: Right. Right, and one of the nice things about these next generations, wouldn't you say, is some of the logging that you get versus sometimes basics are really basic, that they're just there sort of as a, literally a wall, versus really logging what's happening. So, you have an idea of what kind of traffic is coming your way and going out.
Rob McDonald: Fantastic point. That's exactly correct. They give you those historical and real-time insights into what's going on in the network, allowing you to take action, or allowing the device to take action on your behalf to protect you more proactively. Absolutely.
Jason Karn: Great, so as we move forward here, going to talk a little bit about virus protection. I know this is a big question, most of the time we get, you know, what do you guys recommend? And you know, there are lots of great options out there, but maybe even talk a little about that, about some of the protections that are out there, what you recommend and some of your thoughts about some of the virus protection programs that are out there currently.
Rob McDonald: Yeah, I mean, and certainly I just want to say, Virtru, we're an encryption company, we don't side with any one vendor for any virus, so my recommendations are just based on best practices and concepts available. I just want to mention that and there are a lot of options today. You know this, Jason, there's a lot of great companies out there and maybe what we can talk about first is the different types, right?
Jason Karn: Yeah.
Rob McDonald: So, there's more basic virus protection and I don't know if you want to talk a little about ransomware today, but there's a lot of variance of viruses you have to protect yourself from today and I know that you guys encountered in the healthcare industry, on the compliance side, these ransomware threats today to institutions just drastically more than they used to be, right?
Jason Karn: Yeah, I mean, I think it's a really important thing to bring up because hospitals and practices are, have shown themselves to be very vulnerable and those are quite lucrative channels for ransomware because you're looking at something ... You're looking and saying well, if I am, if I have health information, I can't afford to be without that because if I don't have information on say, somebody who has a condition that, where they need treatment right away and could have allergies, or could have some key information that I need, that piece to the puzzle, you have to have access to that information as a physician.
So, you know, there is that level of, "Okay, well, maybe I should just go ahead and pay these fines." I think it's very important to talk about as all the ways that you can really look at starting to protect yourself and making sure that that information is accessible, which is part of that HIPAA requirement, is making sure that information is accessible at all times and in its most complete form.
Rob McDonald: Right, so you think of a virus, you think of a destructive action, today they're so much more sophisticated. Not to scare you too much, right? They're taking your data. They're selling your data and some of this data you are the steward to protect it. You are, that is your responsibility. When it comes to virus protection today, you know, again, much like these next generation firewalls, a lot of vendors out there like Sophos and Symantec have produced these really amazing and comprehensive suites, which make it more accessible to organizations, to give you more advanced protection, right? So, basic anti-virus protection, behavioral detection, anti-ransomware detection.
A lot of these anti-virus vendors today, like Sophos and Symantec and Carbon Black, give you one pane of glass. One interface to view the protection across all your access, making it easier to use, and more consolidated for compliance reporting, and for log review and analysis. Absolutely.
Jason Karn: I think that actually leads us into our next topic here, which is monitoring logs. I mean, this is something we've been talking about in all the sections, you know, with being able to, really being able to say, "Hey, this is what's happening with my data, this is where it's going, this is who's been accessing information," and you know, if it's an outsider, if it's a malicious outsider, or even a malicious insider, you know what's happening here.
We've talked a lot about this and I think you were saying, you know, one of the issues, at least that we've run into here and I think you might be able to help out with, is that we find a lot of practices go, you know, "I got into being a physician to help people. I didn't get into doing all this monitoring, all these different pieces," and see this as like a huge hurdle they have to jump. Maybe you could assuage some fears here with what goes into this and maybe some ideas about some vendors and maybe some costs.
Rob McDonald: Yeah, absolutely. As a technologist and a security professional, that frustrates me as well, right? I always hated having the deployment conversation where I had to impose additional tasks to physicians and caregivers, but it's critical, right?
Jason Karn: Right.
Rob McDonald: Today, as you know, and as you pointed out, Jason, so many log sources. So, basically all these different systems, services that are creating this data that has information in it that may be alluding to a threat, an attack, exfiltration of data, a breach, right? If you can't view those logs, if you can't review them, they don't serve any purpose, right? But, luckily today, there's a lot of vendors like AlienVault, for example, or Alert Logic, that have tried to take the concept of aggregation, bringing all these logs into one place, correlation and analysis, meaning reviewing those logs for anomalies, events, and concerns, and then alert and escalation, right? So that's basically the three tiers of log review.
You know, Jason, you and I have talked about this, depending on where you're at in the last cycle of compliance, you can make this a journey. Using tools like this to aggregate those logs and scheduling your review of them, making it easier to review or as you start transitioning, grow and expand your practice, using some of these more automated vendors like Alert Logic and AlienVault, to automate a lot of the anomaly detection. The most important thing to take away is that you should be trying to move forward, and move towards the goal of bringing all of this log data, analytic data, security data into one place, right? Using these vendors to aggregate that. You even have the opportunity to review those logs, which are a regulatory requirement, am I right, Jason?
Jason Karn: You are correct on that. That is a big part of regulation is look ... HHS is going to want to know that you know what info ... what is happening with your data and that you've been in control of that data. So, if there are anomalies that are happening, that you're seeing a lot of traffic, maybe from an external source coming in, that you're aware of that and address that in a timely manner. That's one of the reasons that logs are so important and such a big part of HIPAA.
Rob McDonald: Yeah, and it's a scary concept to think about. I just described bringing all these log sources in from these various places, right? That's hard to think through, but much like you do, so well, when working with organizations and bringing them through the compliance process, this is a journey. You have to start somewhere and a lot of these vendors today ... Go ahead, I'm sorry.
Jason Karn: Well, no, no. I was just going to say that is, we say that a lot, that you don't go from zero to a hundred in five seconds, it really is a journey. You put one foot in front of the other and you step through all this and I think that's really important for people to know that it's a process of getting there and getting, you know, even making sure that you're, as you say, aggregating these logs, that you're reviewing these logs, that you've set up that review process. I think that's really important and that's a great point.
Rob McDonald: Yeah. Absolutely.
Jason Karn: Okay, well, moving forward here, encrypting devices. Now, this is a tricky one here, because a lot of people say "Hey, well, HIPAA doesn't require encryption," and if you read the law actually it says it is a suggestion. It's something that is recommended, but yet, not, does not say, "You must do this," but as you delve down deeper into the law, it actually says you need to do a risk assessment and determine if encryption is appropriate for your practice.
I will tell you, as I've worked with many companies, and I've done hundreds of compliance plans, I've yet to see a practice that has come to me and proven that they don't need to encrypt devices. A lot of this has to do with the fact that from a regulatory standpoint, if you have, if that information is encrypted and the keys or the password is not with that information. Say, you lose a laptop device, which happens more often than we want to admit, if that device is password protected and it is encrypted then that's not considered to be a breach. There's no reasonable way that information can be accessed. That 'Get out of jail free' card is what we call, what I like to essentially call that, really says to me, encrypt all your information.
Encrypt your devices, make sure, you know, as we were talking about email encryption, texting, making sure you're using a program for that. If you're using file sharing, that they're encrypting that information. Storing it properly. So, essentially turning it into, you know, a jumble of letters so that it's indecipherable. You have a lot of options that are already built into the devices that you currently use, if you guys are Windows users, there's BitLocker, it's free, make sure you store those keys somewhere. In case you need that key, or your IT person needs that key, you don't want to lose those because if you don't have the key, you can't get back to your information. If you're on Mac, FileVault 2 is something you can use, and that's also, that's native to your operating system. Apple will store the FileVault 2 keys in your Apple ID if you'd like to go that route.
When it comes to your mobile devices, that's a whole nother level. I know, Rob, we were talking about this earlier, is about, you know, iPhones, Apple products, as far as your iPad and your iPhone are natively encrypted, but Android and Windows aren't always natively encrypted by default. We were talking about. That's correct, right?
Rob McDonald: Yeah, that's correct. That is correct and you know, an important note here, is you might map back to that procedure, right? As you're going to encrypt devices, if in there you don't have a checkpoint that says you need to go in and verify that these devices, whether they're BYOD or company approved, are encrypted, like you just said, Android and these Windows devices are not by default, you're not following your own procedures. It's critical to check and ensure and validate that the encryption's in place, absolutely.
Jason Karn: Right, and also, I'd say with a caveat, if you find out that your Windows or your Android devices are not encrypted, make sure you back them up before you go through the encryption process because if something fails along the way, you will break that device and you'll lose all your information. So make sure you back those things up beforehand. And you know, which brings to mind, and we're not really going to talk about that that much today, but I will say, this is a standing thing that you should have in place or if you don't, you need to get into place, is making sure you have good backups of all your data and you're storing those backups offsite and that they are properly encrypted also. I just want to throw that out there as we go through this.
Mobile Device Management
Jason Karn: This leads to our next, I think leads really nicely to our next subject here, talking about mobile device management, you know, as we were just talking about encrypting these devices. How do you recommend, you know, because we're dealing with so many different devices, people walk in. I mean, I'm looking at my desk here. I've got a Mac mini, I've got an iPhone and I've got an iPad sitting here, and you know, that's not uncommon for somebody to have multiple devices, how do you control all those devices that, and how would you recommend controlling those devices that employees may bring in and will be storing and will then have contact with your protected health information or the data that you need to secure?
Rob McDonald: Yeah, and it's a tough question. It's something that I think, maybe organizations are struggling with today. Mobile device management is a concept that we'll talk about today and what it basically means is that all of these vendors, Google, Android, Apple and Microsoft, they've all built into their platforms a standard. A standard by which they've all agreed to. To allow for you as an organization to impose security controls onto those devices and report on them. Reporting's the critical aspect of that, right?
Jason Karn: Right.
Rob McDonald: Where if you don't have that MDM policy, I mean, what do you do, Jason? You're going around and you're manually verifying these devices periodically, right? You're logging that somewhere, in a spreadsheet or somewhere for your compliance, but you're doing it manually, right? If you don't have that MDM in place.
Jason Karn: Correct. Correct. We've actually run into where people will say, this is what you need to do and they may not actually physically turn the device in to IT and then when you come to find out that one of your employees has said, "This is such a pain in the butt. I'm going to turn off all the password protection because I just like turning on my phone and having access to my information right away." I don't, we see that less and less, but we do see people doing that and that's one of those moments where you go, you really, you know, with all the information, not only PHI that this device can touch, but your personal information.
I mean, on my mobile device I have access to financial information, I have access to things that I would never want anybody that I didn't trust having access to. In fact, people I trust I don't want to have access to this information. It's how do you manage those devices and make sure that your employees are doing that? Do you do a physical audit every quarter? Do you have a software program that you overlay? What would you recommend?
Rob McDonald: Yeah, I mean, I think you nailed it, right? These point in time health checks, they're important. They're great, but what do they tell you? They tell you what's happening at that point in time. Much like going to the doctor every five years instead of annually when you're supposed to. You may not know something bad's happening until it's too late, right?
Jason Karn: Right.
Rob McDonald: So, the MDM platforms is what we would recommend, right? The industry is going to recommend from a security perspective. Now, much like encryption, much like the next generation firewalls, this used to be very difficult and expensive. It used to be a hurdle, but I will look at this from another perspective, but I want to bring up to everybody today, is that these requirements, the security aspects of HIPAA are going to basically be a ratio of feasibility and budgetary constraint. As the industry makes it easier and easier and more and more affordable to use these things, like MDM, the excuses or the risk threshold for not doing it gets very low.
So, at some point, and we're reaching that point right now, to not use these tools because of what used to be an obstacle from price or technical sophistication, they're becoming no longer an excuse from a compliance assessment or audit perspective. We would definitely recommend the implementation of a true MDM. Again, most all the vendors today, you know, Google provides an embedded one in their G Suite product. Sophos has one built into their anti-virus product making it very simple and affordable for you to enforce the policies that you have for mobile devices and at any given time, report on deviations from that. So, if someone was trying to unlock their phone, or they're trying to root their phone so they can bypass the controls, you would get notified, allowing you to close the gap much faster than waiting 'til your next monthly or quarterly manual inspection.
Secure Sockets Layer (SSL)
Jason Karn: Quickly, I think we're going to talk about SSL or Secure Sockets Layer and why this is so important. We were actually just talking about this right before this webinar. You know, and I'm always surprised at how many times when I go through an audit of physician practices, how often, and I would say it's usually at least 60% of the time when I look at websites, that they don't have an SSL on the website, so they're not encrypting that information. And so, what I want to talk about a little bit here, Rob, is why this is so important, that not only from a validation standpoint, but also, what an SSL does to protect your patients.
Rob McDonald: Yeah, I mean, we talked about this at the very beginning of the tele ... a bit about like when you go to your banking website, right?
Jason Karn: Yep.
Rob McDonald: If you are not utilizing that properly terminated SSL certificate, you're basically opening up that communication from that patient to you, to attackers, to impersonate you. If they can impersonate you, they can intercept that traffic and if they can intercept that traffic they can read that PHI and produce a disclosure event. It's not just validation, it is protection, but those two are hand-in-hand with SSL, right?
Jason Karn: Right.
Rob McDonald: With a properly purchased, publicly signed certificate you can ensure who you are and you can assure your patient that while that data is in motion to your website, via referral form or the actual EHR and stuff, you can assure them that that is protected between those two points. It's critical today. It's no longer optional.
Jason Karn: Yeah and there are a lot of ... There's a big push in the industry, itself, to actually start enforcing from ... I've read that Mozilla is starting to downgrade searches on websites that do not have SSL on the website, so you don't see that "HTTPS" in the address bar and we're also seeing, you know, there's a big initiative to try, you know, the prices are not that high as far as ... You know, a lot of your web providers will give you an SSL for free, you just have to request it. It's probably part of your hosting package and if it's not, it's a minimal cost, but I will say, from a personal user, and I think you would agree with this, if I go to somebody's website and they don't have an SSL that's properly implemented on the site, I do not, I usually steer away from that site. That's a vendor or a person that I don't want to do business with because I'm concerned about if they're taking my security, you know, if they're really taking my security seriously.
Rob McDonald: Yeah and that's not an opinion from two industry professionals, right? That's an opinion of the general population today, as seen by some of these movements that you just discussed. It's a reputation builder. If you're missing some of these foundational elements, you're saying to that end-user, I may not be taking security as serious as I should be and as a result that's going to give them confidence issues with you as a provider in today's age of electronic medical records and electronic exchanges. Absolutely.
Jason Karn: Right and this brings up another interesting issue, or interesting question, is VPN, or a virtual private network, and we were talking a little bit about this is about, do you or don't you? To VPN or not to VPN, is the question I guess we should say. So, what are your thoughts on VPN and how that can either be an additional layer of security or maybe that's, whether it's needed or not?
Rob McDonald: Yeah and let me take just 20-30 seconds to break this down for VPN. VPN is basically a way to ensure that between me, or my computer, and where my VPN is terminating, that everything we exchange is private and confidential, right? The way I like to think of this from a business perspective and from a healthcare perspective is, anytime I'm going to be exchanging information that is sensitive or private, it needs to be over an SSL connection, to a website. It needs to be encrypted at the object level, like Virtru provides, or it needs to be over a VPN.
If I am exchanging sensitive information, if I'm in one of those modes, one of those approved compliant security channels, SSL, object level encryption with Virtru, or over a VPN, you're doing that. You're protecting that content and that privacy of that information. Try to look at it from that lens, how am I communicating this information? Over what channel? If it's not one of those three, and it is sensitive, you should seriously consider implementing one of those options that's relevant for that communication.
Jason Karn: Now, and this is something we discussed also is, if you're going to a website that has a properly implemented SSL, you see the HTTPS in the address bar is, do you really need a VPN because that information is encrypted? Now, there's metadata that says, "Hey, I went to" ... I used this example earlier, that I went to ESPN because I'm obsessed with March Madness, of course, but you know, we go, as we get there, do you really need a VPN at that point?
Rob McDonald: Yeah, exactly. It's a great question and in my personal opinion, you know, from a business perspective, if the access, the fact that you're accessing is not a regulated metric, meaning that the fact that I'm simply accessing it, if that's not something that's regulated or sensitive, then you don't because that SSL certificate for that website is going to ensure that the actual payload is protected, right? Always think of it from that perspective that you just provided, that's my opinion.
Q: So, the first question that I have here is, for manual client side encryption, is there a particular level required by HIPAA such as AES?
A: (Jason Karn) I got this one, I think. So, when it comes to HIPAA, as I said earlier, that it's a recommended standard. Now, when you look at RMS and National Institute of Standards and Technology risk management framework, they set the standard at 128-bit encryption. Now, whether that's AES or not, that's up to you. I know a lot of people use higher encryption standards than that. We'll see a lot of 256, but if it's at a minimum of 128 then you're good to go.
Q: The next question I have is, is Grasshopper HIPAA compliant? And I believe they are referring to the virtual phone system, the VPN.
A: (Jason Karn) That's a good question, now, here's where the issue lies, it's what's happening with the voicemail? As Grasshopper works, it's a voice-over IP service, sort of like a RingCentral or an 8x8, those essentially fall into the conduit exception. Those are like your, you wouldn't need to have a business associate agreement with your ISP, your internet service provider or with the post office in order to send information.
They fall into that, but the question is, what's happening with voicemails, if a patient's calling up and saying, you know, "Hey, I need to get a refill on this prescription for this specific thing," then you have, at that moment, there's PHI that's being stored on a server that's not onsite. That's where you would need to have a business associate agreement. I am not sure if Grasshopper will sign a business associate agreement and encrypt that information. I know RingCentral will at a certain level and I know 8x8 will, but I'm not sure ... I don't know for sure if Grasshopper will do that, but that's what I would look for.
Q: Next question I have for you guys is, can you reuse or dispose of a device that stored PH, excuse me, that stored PHI on it at one point?
A: (Rob McDonald) Yeah, just to be clear the question was around, reuse or disposal of a device that has PHI on it at one time I believe and the way I would view that concept is, you need to have a media destruction and a media re-use policy today, that defines what to do with the device once it's been used and has PHI on it and the answer is you can. There are methodologies in place to take a device that has been encrypted, properly wipe and clear the content of that using standards available today and then to basically perform a reset or a reconfiguration of that device. Or dispose of it, but the key is a formalized process and procedure for the destruction and/or reuse of that, utilizing these industry best practice data sanitization and destruction methodologies. I mean, Jason, would you agree with that concept?
(Jason Karn) Yeah, I totally agree with that and I would also expand that to think about not just reusing the devices, but really think beyond, you know, the device side, and one thing we caution people on is, and they don't think a lot about, is photocopiers.
That was a big find that came down a couple years ago because a practice didn't wipe the drive on a photocopier and that information was not encrypted and there was, you know, thousands of patients' information on that photocopier that was returned to a leasing company. So, think about all your devices, you know, what is actually storing PHI and things you may not even realize are storing PHI and make sure that you are properly wiping those devices so that they can either go back to the leasing company or you can donate them, just make sure that information is properly destroyed and sanitized.
(Rob McDonald) And Jason, I think that really emphasizes the importance of doing and including a data discovery and data flow assessment to your normal risk assessment because if you don't know where your data is, like the copier, you would never include that in your sensitive storage concepts for destruction, right?
(Jason Karn) I totally agree and that's something that we really delve into and look for when doing these risk assessments for companies, is try to find places, because what we find a lot of times is working with practices, is they have information in all these different disparate places and they don't realize that, "Hey, I need to consolidate everything into one area." Sort of like when we talked about the logs earlier, that making sure the information is consolidated in one area so that you know if there's an issue, where information is, who has access to it, you know, and this goes beyond, you know from a threat level, from a let's say, like a hacker, this can go to a natural disaster or fire. Knowing how to get yourself back up and running as quickly as possible. So, knowing where your data is stored, how to get access to it, and who has access to it, that's a really important part of it.
Q: So, the last question I have for you guys is, you say this is a journey, but didn't HIPAA require that all of this had to be in place by September 23, 2013? Aren't fines retroactive back to 2013?
A: (Jason Karn) I would actually counter that and say, the original HIPAA law was actually, goes back into the 90s. So, we had privacy ... Excuse me, it was 2003, was the original ... So, '96 was when the law was written, but that was more about portability. When it came to privacy, we're looking at 2003, so you should really have had policies and procedures going back to 2003, if your practice was around at that point. Then we had the, 2009, we had the American Recovery and Reinvestment Act, which then put the HITECH rules into place and now we're looking at 2013. So, yeah, you really should have all these things in place as part of that journey.
Now, you know, if you haven't done all these things, do you need to go back and create these things, like you would say, "Let me create my old tax forms when you’re going to the IRS," not necessarily. I think what we really need to focus on is, what are we doing now and what is our history going forward and really think about what we're doing now and what we can do to best protect a practice. Now, there might ... If you do get audited, I'm not saying you wouldn't get a wrist-slap for that, but really, when you think about what HHS and OCR are trying to do when it comes to HIPAA compliance is, they want to see, yes, they want to see a history of compliance, but they want to see that you're also moving forward and have a good security stance.
So, I think they're really looking for more corrective actions instead of saying, "Hey, let's fine these doctors and get them, and you know, and try to get more money out of them," because you'll see, if you look on the website, on their website, that they talk about, yeah they list the big fines that they've been sending out, but they also list corrective actions. They say, "So, we worked with this practice, they had insufficient risk assessment, we had them do this, this, and this, and they corrected those actions." That would be my recommendation.