
Healthcare Cyber Security | Ask a Pro, Ep. 4

In this episode, we discuss a new amendment to HITECH, the NIST and 405(d) HICP security frameworks, and how these security principles affect clinical outcomes.


This episode’s guest speakers:

  • Donna Grindle, Founder & CEO at Kardon

  • Chad Holstein, Director, Security & Compliance at ProSource

  • Matthew Mulcahy, Director, Business Development at ProSource

Everyone, thanks

for joining us for our fourth episode of the Ask a Pro series.

Today, we’re going to highlight the health care compliance industry

and touch on some of the new compliance regulations that are in the space

and practical approach to address them.

First, we’re going to walk through our three speakers today.

Our featured speaker from our partner Kardon is Donna Grindle,

and I’ll give her the floor to introduce herself.

Yes, that’s me.

I am the Don of Kardon

and have been in healthcare IT since well into the previous century.

So we won’t go. We’ll just trust me.

It’s a long time.

And about ten years ago,

we decided to get out of the MSP business, out of all the other stuff,

and focus only on managing privacy and security compliance. And

it’s been an interesting ride since then.

But that’s what we do.

We help people build and manage those programs and sometimes

we get to know people before they need us in a crisis.

And unfortunately others we meet in a crisis.

And I’m also a

task group member for the

HHS 405(d) Cybersecurity Task Group,

so that we are worried about managing

and helping cybersecurity improvement

in the health care industry, in the whole sector.

Great. Thanks, Donna.

Next up, we’ve got Chad Holstein.

Hey, I’m Chad Holstein.

I’ve been working with ProSource for about three plus years now.

I’m in charge of leading our efforts in the realm of cyber

security and compliance.

I also do some part time engineering

for our company as well, you know, on crafting some security solutions

internally and for the clients.

So thanks, Chad. Last, we’ve got myself, Matt Mulcahy.

If you’ve watched any of our previous episodes, I’m on all of them and

I oversee our sales and marketing and a little bit of everything at ProSource.

I’ve been here for about eight years though, and just looking

to help everyone understand health care IT a little deeper.

So first

I thought I was going to touch on her specialty,

which is really the compliance side of things.

So Donna, the floor is yours.

Well, I want to make sure

that everybody understands this new HITECH amendment

that was signed January 5th, 2021.

For some reason, no one really knows about it.

We’ll just leave it at that.

But it is becoming a

a regular topic of conversation in health care.

And we need everybody to understand that there is an option there.

This is designed as an incentive to adopt the practices

and while it’s optional,

we all know in cybersecurity today, the more

you can prove that you’re actually trying to prevent a problem,

when a problem occurs, you’re going to be much better off.

And hopefully they prevent them.

And the way this amendment works is,

you know, they’re trying the carrot, not the stick approach,

is if you choose to adopt what they define as recognized security practices.

And you can prove that you have been doing this for the previous 12 months,

then any kind of enforcement

action, audit action, anything that occurs

where the Office for Civil Rights is looking into your program,

they are required by law to take into consideration

that you can prove that’s happening.

And I can assure you it would have been that way all along without the law.

They’re just making sure it’s written in there.

So what are recognized security practices, one might ask?

Well, they defined in the law three very specific points.

One is the NIST Cybersecurity Framework.

We call it NIST CSF, which I’m sure you guys,

Chad and Matt, you know plenty about the NIST Cybersecurity Framework.

The other is the 405(d) Health

Industry Cybersecurity Practices, which is what I mentioned before.

It’s specifically designed for health care,

cybersecurity guidance and resources

that are freely available.

We love free

and there’s a large group of us in a public

and private partnership developing these resources and guidance.

And then the law says others.

that you can show are explicitly recognized

by statute or regulation.

They haven’t really clarified what that is.

So most of my lawyer folks will say, make sure you’re doing one of the two

that they do make sure of.

So I strongly recommend using HICP, which is,

you know, nerd speak for health industry cybersecurity practices.

If you haven’t gone down the path of this

cybersecurity framework or any of the others,

the value of HICP is it’s designed so you determine the size

and complexity of your organization, and then it gives you rules to follow,

which is different than what this does.

Not that you can’t do it.

And if you’re interested in more, my weekly podcast,

help me with HIPAA, where HIPAA and humor collide to make learning fun.

We did a

full episode reviewing all of these things and

reviewed OCR’s guidance

in the video they released, and there’s a link there:

HelpMeWithHIPAA.com, episode 384.

And to get a little further into those HICP guidelines,

you can go to 405d.hhs.gov to learn more about those.

But there’s,

there’s a lot of supplemental things that are helpful.

you know, fliers and little videos and training.

And we have a wide variety of things there.

And more is coming in 2023.

But there’s a main guide in HICP

and it says let’s focus on backup check and

let’s focus on five

primary threats to health care, and that’s phishing and social engineering.

ransomware, lost or stolen devices,

insider accidental or intentional data loss

and then attacks on connected devices.

So our entire focus is everything we do

roots back to one of those threats somehow,

if we believe any way

that if we focus on those five, we’re going to cover I don’t know.

You guys can speak to it, but we feel pretty certain

you’re going to cover most any problems that come up.

And then you have the main guide that’s written for laypeople

in plain English is what my team calls it.

And then there are accompanying

technical guides for you to use with the technical people.

So technical folks have guides that help them

as well as things that speak English.

And then again, you have to have proof like honest to goodness,

documentation, meeting notes, contracts, all of these things

that you’ve adopted these guidelines.

So the sooner you start, the better off you are.

Great. Thanks so much, Donna.

Next up, we’ve got Chad, who’s going to expand

on the security side of things a little bit.

Chad, your reading, by the way. Yeah.

So what is NIST?

NIST is a cybersecurity framework

that helps businesses of really any size

better understand kind of managed

and reduce cybersecurity risk overall.

It is a federally run company

and some examples

of NIST controls within this would be something like

system and communication protection, media protection.

Incident response is very, very important.

Configuration management.

Um, how do NIST, uh,

how do NIST and 405(d) controls help with my business or practice?

So this one kind of piggybacks off of DOD a little bit.

Um, the five threats to cover in

HICP, you know, how do we mitigate those threats?

So like phishing and social engineering,

this would be cybersecurity awareness training

we use KnowBe4 internally.


So your endpoint detection response, you know,

network segmentation, things like that will care for that

lost or

stolen devices so you can have remote wipe

policies in place on your endpoints.

You can also have, you know, encryption very important

insider accidental or intentional data

loss DLP policies,

which is data loss prevention, you know, for email

or just having policies in general for your organization and help with that,

you know, attacks on connected devices,

really anything that we just talked about whenever

can help with that that category

and something else to add here is a required compliance officer.

This is not just for your IT folks to manage.

This is actually for the organization itself to manage.

And every organization should have an internal compliance officer

that’s assigned

and that’s a

big Strat.

So, you know, Donna touched on a lot of the compliance pieces.

Chad touched a little bit on cybersecurity and, you know, some of the frameworks

that are not necessarily required or are governing, but

give you leading indicators on an approach to take to heart in your business. So

I came

up with the three Cs, which is basically, you know,

the compliance side of a business, the cybersecurity side of a business.

And the last thing that a lot of IT compliance people forget about

is the clinical side of the business.

So understanding

the approach to it, change management, a compliance change management

and pragmatically applying these principles

in practice

at the end of the day will impact your clinical outcomes.

So making sure that when you’re adopting these frameworks,

you’re taking into account clinical outcomes

such as patient turnaround time, front desk workflows.

How long does it take me to check in a patient?

How long does it take me to get them out of the office?

Because if you’re making these IT changes,

you’re already investing into your business.

That way you want to make sure that you’re not losing out on that investment.

You’re realizing efficiencies at the same time beyond just becoming secure.

So really when you can check all three of these boxes, it’s the perfect triangle

for change.

But unfortunately a lot of people don’t make these changes until there’s an event

I talked to So many people on a weekly, monthly basis about

these three core pillars and

everyone knows they have to do it.

But the reality is the majority of people don’t do this until an event happens.

So people generally fall into a proactive reactive bucket.

Are you are you aware of the risk to your business?

Are you aware of the threat landscape and are you getting ahead of it

or are you not sure where to go?

Because you’re unsure with your current IT

provider, you’re unsure with your current compliance officer

if these are the right changes to make and then something happens

and then

you flip over to that proactive bucket because you realize that your risk was

too high and an event happened.

So another important thing to remember is that all of these are

driving forward patient privacy and confidence in your patients,

that your practice is secure.

No one likes to go to a health care clinic and see password.

Always ask.

I know when I go to a clinic. I was at the dentist yesterday.

I’m looking at their computers. I’m a nurse.

I can’t help myself.

I want to see, are all my medical records saved?

You know, the screen is locked

with all my medical records and other patients are walking by it

and other people are being exposed to that.

And you know it.

It makes me lose trust in my provider.

So there’s a different angle here from a clinical side

that you have to think about and definitely a patient privacy side.

So, you know, when we talk about cybersecurity,

obviously we want to use, you know, the greatest tech.

We want to realize our returns.

But a lot of times people take the wrong mindset.

One understanding

what are the types of results I’m looking for and what are the clinical

outcomes to my technical changes that I should be deriving.

So that’s the thing I always want people to think about

is beyond compliance, beyond cybersecurity,

what are the clinical outcomes

we’re looking to derive and how can we not only improve our compliance

stance or cybersecurity stance, but how can we serve our patients better?

So with that, I wanted to jump into the Q&A,

and we have three or four questions here from the audience.

Let me just organize these.

So Kyle asks,

Are there upcoming changes to compliance requirements within health care data?

If you want to take that one, you’re probably the best suited.

Well, there’s always what feels like changes

happening, but definitely with the information

blocking 21st Century Cures Act, those kinds of things are moving along

and there are proposed changes to align

the privacy rule with 42 CFR Part 2, the substance abuse rules.

So there are definitely a lot of things moving and coming.

Cybersecurity, it’s a different animal.

And no matter what your business is, there is a lot of potential

things that are happening, like the CSF is for the critical infrastructure sectors.

Originally CISA, the Cybersecurity and Infrastructure Security Agency

of the Department of Homeland Security can take breath after that.

But those first folks are in charge of creating

a lot of either recommended

or potential regulatory requirements coming down the pipe.

So no matter what you’re in, health care or not, there’s a lot

to pay attention to regardless of what kind of business you operate.

Everybody is under attack these days.

Yeah. So I’m going to skip the next question.

I’ll come back to that.

But I think that leads into this question from John.

Well, where do you start with implementing cybersecurity controls?

Chad, that’s probably a good one for you in terms of a schedule approach.

So I think the best way to go about it is really, you know, to go

to your internal compliance officer or engage with your

your team for your organization or they’ll likely.

Yeah, Yeah, exactly.

And they will likely point you in to a third party, you know, compliance team

that will

come in

and do like risk assessments, asset management,

all of that kind of stuff to get you started down the road of compliance.

There’s a whole list of controls you have to work through. But

I think that’s that’s probably the best advice I can give on a start.

So you’re saying really to establish a baseline with some partners?

Absolutely. Yeah, absolutely.

I mean, you’re going to you’re going to need to perform

vulnerability scans and things like that eventually.

And you don’t want to be self-attesting.

You know, you’re you’re

scanning the vulnerabilities and then you’re telling yourself,

hey, you know, myself, let’s go fix these issues.

And if if they’re not, you know, there’s just not a check and balance there.

It’s not it’s not great. So if they’re brand that’s great.

They’re having that outside push helps kind of move these types of

ideas forward.

So I’m going to be back here.

Uh, Cindy is asking what are the best channels

to keep up with these types of changes?

So I assume that’s on the compliance and control side.

So, Donna, do you want to take that one?

Well, there’s definitely a lot of ways to keep up.

I mean, our podcast now, as we like to say, is free

and we’ve been doing it for seven years, have never missed a week.

If you’re unhappy, triple your money back.

But the guidance that we include on there covers a lot of these different things.

There’s also the mailing list you can sign up for at

405d.hhs.gov.

You can sign up for CISA alerts at their website,

and a long list

of different kinds of entities may find CISA

very valuable regardless of whether they’re in health care.

But they do provide some resources and we utilize those and create a crossover.

And then of course, you could come to the project boot camp, go to price

segment, and you can learn from Kardon and our partners.

It’s three and a half days where we give you those resources

to track, and Kardon certainly has a lot of those resources available as well.


Thanks so much.

On the last question from Kelly, here is how do you manage

security changes that impact workflow?

Um, I can take that one. So

understanding workflows is critical.

Um, and understanding the changes, the workflow is obviously essential

and making sure that you’re not going to really kill your staff.

So when looking at change management principles, generally involving the key

staff that are going to be impacted by any technical changes is important to get a

good full picture of the changes you’re implementing and all of the

tentacles they have in terms of how they’re going to impact people.

So, you know, make sure you’re involving all the parties involved.

You know, you don’t want to unilaterally

tell people to do something without getting critical feedback

from different perspectives.

So having a good group,

not just your I.T person and not just the stakeholder

bring in administrative staff, bring in different staff.

So you have a full picture of how any given change can completely,

you know, wreck workflow or make it better,

and then you know, have a plan to roll that out incrementally and you know,

it does make sense to do it all at once sometimes depending on the change.

But just just include

different perspectives and different parties to make sure that

really everyone is being cared for that is going to be impacted.

So with that said, that was the last question.

I’m going to pop over to this.

Get in touch slide real quick.

These are the best ways to get in contact with any of us.

I’ll just hold this here for a second.

And I wanted to really give Donna a last second here.

If I know you have a podcast on it.

Any other closing remarks here for anyone

thinking about health care and health care compliance?

You know, the state of health care in general.

Well, definitely understand that it will not get better

the longer you wait and it’s not going to go away.

And the easiest thing to do

is to just get started.

You can’t.

You’ll never be able to be perfect.

This is not something that you do in two weeks.

This is something that is, as we say in health care,

all of the privacy and security things are not a project you complete.

It’s a condition you treat.

Great day.

So like does a Yeah, yeah.

Once again, thank you everyone, for joining.

Thank you, Donna.

Once again, so much, really a foremost authority

on anything compliance-based in health care. So

until next

time, episode five should be coming out sometime next month.

But really appreciate everyone for attending today.

And if you have any other questions, feel free to shoot any of us an email

or give us a call.

I hope everyone has a wonderful New year and we’ll see you in 2023.
