for joining us for our fourth episode of the Ask a Pro series.
Today, we’re going to highlight the health care compliance industry
and touch on some of the new compliance regulations that are in the space
and practical approach to address them.
First, we’re going to walk through our three speakers today.
Our featured speaker from our partner Kardon is Donna Grindle,
and I’ll give her the floor to introduce herself.
Yes, that’s me.
I am the Don of Kardon
and been in healthcare IT since well into the previous century.
So we won’t go. We’ll just trust me.
It’s a long time.
And about ten years ago,
we decided to get out of the MSP business, out of all the other stuff,
and focus only on managing privacy and security compliance. And
it’s been an interesting ride since then.
But that’s what we do.
We help people build and manage those programs and sometimes
we get to know people before they need us in a crisis.
And unfortunately others we meet in a crisis.
But and I’m also a
task group member for the
HHS 405(d) Cybersecurity Task Group,
so that we are worried about managing
and helping cybersecurity improvement
in the health care industry, in the whole sector.
Great. Thanks, Donna.
Next up, we’ve got Chad Austin.
Hey, I’m Chad Austin.
I’ve been working with ProSource for about three plus years now.
I’m in charge of leading our efforts in the realm of cyber
security and compliance.
I also do some part time engineering
for our company as well, you know, on crafting some security solutions
internally and for the clients.
And for our last speaker, we’ve got myself, Matt McGehee.
If you’ve watched any of our previous episodes, I’m on all of them and
I oversee our sales and marketing and a little bit of everything at ProSource.
I’ve been here for about eight years though, and just looking
to help everyone understand health care IT a little deeper.
I thought I was going to touch on her specialty,
which is really the compliance side of things.
So Donna, the floor is yours.
Well, I want to make sure
that everybody understands this new HITECH amendment
that was signed January 5th, 2021.
For some reason, no one really knows about it.
We’ll just leave it at that.
But it is becoming a
a regular topic of conversation in health care.
And we need everybody to understand that there is an option there.
This is designed as an incentive to adopt the practices
and it while optional,
we all know in cybersecurity today, the more
you can prove that you’re actually trying to prevent a problem,
when a problem occurs, you’re going to be much better off.
And hopefully they prevent them.
And the way this amendment works is,
you know, they’re trying the carrot, not the stick approach,
is if you choose to adopt what they define as recognized security practices.
And you can prove that you have been doing this for the previous 12 months,
then any kind of enforcement
action, audit action, anything that occurs
where the Office for Civil Rights is looking into your program,
they are required by law to take into consideration
that you can prove that’s happening.
And I can assure you it would have been that way all along without the law.
They’re just making sure it’s written in there.
So what are recognized security practices, one might ask?
Well, they defined in the law three very specific points.
One is the NIST Cybersecurity Framework.
We call it NIST CSF, which I’m sure you guys,
Chad and Matt, you know plenty about the NIST Cybersecurity Framework.
The other is the 405(d) Health
Industry Cybersecurity Practices, which is what I mentioned before.
It’s specifically designed for health care,
cybersecurity guidance and resources
being that are freely available.
We love free
and there’s a large group of us, both public
and private partnership developing these resources and guidance.
And then the law says others.
Others you can show are explicitly recognized
by statute or regulation.
They haven’t really cleared what that is.
So most of my lawyer folks will say, make sure you’re doing one of the two
that they do make sure of.
So I strongly recommend using HICP, which is,
you know, nerd speak for Health Industry Cybersecurity Practices.
If you haven’t gone down the path of this
cybersecurity framework or any of the others,
the value of HICP is it’s designed so you determine the size
and complexity of your organization, and then it gives you rules to follow,
which is different than what this does.
Not that you can’t do it.
And if you’re interested in more, my weekly podcast,
Help Me With HIPAA, where HIPAA and humor collide to make learning fun.
We did a
full episode reviewing all of these things and
reviewed OCR’s guidance
on their video they released and there’s a link there.
HelpMeWithHIPAA.com, 384.
And to get a little further into those HICP guidelines,
you can go to 405d.hhs.gov to learn more about those.
There’s a lot of supplemental things that are helpful,
you know, fliers and little videos and training.
And we have a wide variety of things there.
And more is coming in 2023.
But there’s a main guide in HICP
and it says let’s focus on backup check and
let’s focus on five
primary threats to health care, and that’s phishing and social engineering.
Ransomware lost or stolen devices,
insider accidental or intentional data loss
and then attacks on connected devices.
So our entire focus is everything we do
roots back to one of those threats somehow,
if we believe any way
that if we focus on those five, we’re going to cover I don’t know.
You guys can speak to it, but we feel pretty certain
you’re going to cover most any problems that come up.
And then you have the main guy that’s written for laypeople
in plain English is what my team calls it.
And then there are accompanying
technical guides for you to use with the technical people.
So technical folks have guides that help them
as well as things that speak English.
And then again, you have to have proof like honest to goodness,
documentation, meeting notes, contracts, all of these things
that you’ve adopted these guidelines.
So the sooner you start, the better off you are.
Great. Thanks so much, Donna.
Next up, we’ve got Chad, who’s going to expand
on the security side of things a little bit.
Chad, your reading, by the way. Yeah.
So what is NIST?
NIST is a cybersecurity framework
that helps businesses of really any size
better understand kind of managed
and reduce cybersecurity risk overall.
It is a federally run company
and some examples
of NIST controls within this would be something like
system and communication protection, media protection.
Incident response is very, very important.
Um, how do NIST, uh,
how do 405(d) controls help with my business or practice?
So this one kind of piggybacks off of DOD a little bit.
Um, the five threats to cover in
HICP, you know, how do we mitigate those threats?
So like phishing and social engineering,
this would be cybersecurity awareness training
We use KnowBe4 internally.
So your endpoint detection response, you know,
network segmentation, things like that will care for that
stolen devices so you can have remote wipe
policies in place on your endpoints.
You can also have, you know, encryption very important
insider accidental or intentional data
loss DLP policies,
which is data loss prevention, you know, for email
or just having policies in general for your organization and help with that,
you know, attacks on connected devices,
really anything that we just talked about whenever
can help with that category.
and something else to add here is a required compliance officer.
This is not just for your IT folks to manage.
This is actually for the organization itself to manage.
And every organization should have an internal compliance officer
and that’s a
So, you know, Donna touched on a lot of the compliance pieces.
Chad touched a little bit on cybersecurity and, you know, some of the frameworks
that are not necessarily required or are governing, but
give you leading indicators on an approach to take to heart in your business. So
up with the three Cs, which is basically, you know,
the compliance side of a business, the cybersecurity side of a business.
And the last thing that a lot of its compliance people forget about
is the clinical side of the business.
The approach to it, change management, compliance change management,
and pragmatically applying these principles
at the end of the day will impact your clinical outcomes.
So making sure that when you’re adopting these frameworks,
you’re taking into account clinical outcomes
such as patient turnaround time, front-desk workflows.
How long does it take me to check in a patient?
How long does it take me to get them out of the office?
Because if you’re making these IT changes,
you’re already investing into your business.
That way you want to make sure is that you’re not losing out on that investment.
You’re realizing efficiencies at the same time beyond just becoming secure.
So really when you can check all three of these boxes, it’s the perfect triangle
But unfortunately a lot of people don’t make these changes until there’s an event
I talked to So many people on a weekly, monthly basis about
these three core pillars and
everyone knows they have to do it.
But the reality is the majority of people don’t do this until an event happens.
So people generally fall into a proactive reactive bucket.
Are you aware of the risk to your business?
Are you aware of the threat landscape and are you getting ahead of it
or are you not sure where to go?
Because you’re unsure with your current IT
provider, you’re unsure with your current compliance officer
if these are the right changes to make and then something happens
you flip over to that proactive bucket because you realize that your risk was
too high and an event happened.
So another important thing to remember is that all of these are
driving forward patient privacy and confidence in your patients,
that your practice is secure.
No one likes to go to a health care clinic and see a password.
I know when I go to a clinic. I was at the dentist yesterday.
I’m looking at their computers. I’m a nurse.
I can’t help myself.
I want to see, are all my medical records saved?
You know, the screen is locked
with all my medical records and other patients are walking by it
and other people are being exposed to that.
And you know it.
It makes me lose trust in my provider.
So there’s a different angle here from a clinical side
that you have to think about and definitely a patient privacy side.
So, you know, when we talk about cybersecurity,
obviously we want to use, you know, the greatest tech.
We want to realize our returns.
But a lot of times people take the wrong mindset.
What are the types of results I’m looking for and what are the clinical
outcomes to my technical changes that I should be deriving.
So that’s the thing I always want people to think about
is beyond compliance, beyond cybersecurity,
what are the clinical outcomes
we’re looking to derive and how can we not only improve our compliance
stance or cybersecurity stance, but how can we serve our patients better?
So with that, I wanted to jump into the Q&A,
and we have three or four questions here from the audience.
Let me just organize these.
So Kyle asks,
Are there upcoming changes to compliance requirements within health care data?
If you want to take that one, you’re probably the best suited.
Well, there’s always what feels like changes
happening, but definitely with the information
blocking 21st Century Cures Act, those kinds of things are moving along
and there are proposed changes to align
the Privacy Rule with 42 CFR
Part 2, the substance abuse rules.
So there are definitely a lot of things moving and coming.
Cybersecurity, it’s a different animal.
And no matter what your business is, there are a lot of potential
things that are happening, like the CSF is for the critical infrastructure sectors.
Originally CISA, the Cybersecurity and Information Security Agency
of the Department of Homeland Security can take breath after that.
But those first folks are in charge of creating
a lot of either recommended
or potential regulatory requirements coming down the pipe.
So no matter what you’re in, health care or not, there’s a lot
to pay attention to regardless of what kind of business you operate.
Everybody is under attack these days.
Yeah. So I’m going to skip the next question.
I’ll come back to that.
But I think that leads into this question from John.
Well, where do you start with implementing cybersecurity controls?
John, That’s probably a good one for you in terms of a schedule approach.
So I think the best way to go about it is really, you know, to go
to your internal compliance officer or engage with your
your team for your organization or they’ll likely.
Yeah, Yeah, exactly.
And they will likely point you in to a third party, you know, compliance team
and do like risk assessments, asset management,
all of that kind of stuff to get you started down the road of compliance.
There’s a whole list of controls you have to work through. But
I think that’s that’s probably the best advice I can give on a start.
So you’re saying really to establish a baseline with some partners?
Absolutely. Yeah, absolutely.
I mean, you’re going to need to perform
vulnerability scans and things like that eventually.
And you don’t want to be self attesting.
You know, you’re
scanning the vulnerabilities and then you’re telling yourself,
hey, you know, myself, let’s go fix these issues.
And if they’re not, you know, there’s just not a check and balance there.
It’s not great. So if they’re brand that’s great.
They’re having that outside push helps kind of move these types of
So I’m going to be back here.
Uh, Cindy is asking what are the best channels
to keep up with these types of changes?
So I assume that’s on the compliance and control side.
So, Donna, do you want to take that one?
Well, there’s definitely a lot of ways to keep up.
I mean, our podcast now, as we like to say, is free
and we’ve been doing it for seven years, have never missed a week.
If you’re unhappy, triple your money back.
But the guidance that we include on there covers a lot of these different things.
There’s also sign up for the mailing list on
405d.hhs.gov.
You can sign up for CISA alerts at their website
and a long list
of different kinds of entities may find CISA
very valuable regardless of whether they’re in health care.
But they do provide some resources and we utilize those and create a crossover.
And then of course, you could come to the project boot camp, go to price
segment, CNBC.com, and you can learn from KARDON and our partners.
It’s a three and a half day where we give you those resources
to track, and KARDON certainly has a lot of those resources available as well.
Thanks so much.
On the last question from Kelly, here is how do you manage
security changes that impact workflow?
Um, I can take that one. So
understanding workflows is critical.
Um, and understanding the changes to the workflow is obviously essential
and making sure that you’re not going to really kill your staff.
So when looking at change management principles, generally involving the key
staff who are going to be impacted by any technical changes is important to get a
good full picture of the changes you’re implementing and all of the
tentacles they have in terms of how they’re going to impact people.
So, you know, make sure you’re involving all the parties involved.
You know, you don’t want to unilaterally
tell people to do something without getting critical feedback
from different perspectives.
So having a good group,
not just your IT person and not just the stakeholder,
bring in administrative staff, bring in different staff.
So you have a full picture of how any given change can completely,
you know, wreck workflow or make it better
and then you know, have a plan to roll that out incrementally and you know,
it does make sense to do it all at once sometimes depending on the change.
But just include
different perspectives and different parties to make sure that
really everyone is being cared for that is going to be impacted.
So with that said, that was the last question.
I’m going to pop over to this.
Get in touch slide real quick.
These are the best ways to get in contact with any of us.
I’ll just hold this here for a second.
And I wanted to really give Donna a last second here.
If I know you have a podcast on it.
Any other closing remarks here for anyone
thinking about health care and health care compliance?
You know, the state of health care in general.
Well, definitely understand that it will not get better
the longer you wait and it’s not going to go away.
And the easiest thing to do
is to just get started.
You’ll never be able to be perfect.
This is not something that you do in two weeks.
This is something that is, as we say in health care,
all of the privacy and security things are not a project you complete.
It’s a condition you treat.
So like does a Yeah, yeah.
Once again, thank you everyone, for joining.
Thank you, Donna.
Once again, so much, really a foremost authority
on anything compliance-based in health care. So
time, episode five should be coming out sometime next month.
But really appreciate everyone for attending today.
And if you have any other questions, feel free to shoot any of us an email
or give us a call.
I hope everyone has a wonderful New Year and we’ll see you in 2023.