Better Billing Today Podcast
Better Billing Today is the show for all things billing! If you're involved in collecting money, charging customers & members or medical patients then this podcast is for you. On this show we cover topics related to Revenue Cycle Management, PCI Compliance, HIPAA Compliance, Accounts Receivable and more!
In this episode our special guest Joshua Sitta of cyber-security firm Sittadel discusses a recent article covering 6 different hospitals that experienced a security breach in Alabama.
Listen in Spotify: https://spotifyanchor-web.app.link/e/ORTAUat77yb
Watch on YouTube: https://bit.ly/3NeTF3d
Today we have a very special guest, Joshua. Welcome.
Yeah, thanks for having me, Adam. Appreciate it.
Yeah, absolutely love having you here. Learned a lot about your company and one of the things I wanted to ask you about was this article that I shared with you yesterday, and there's a clinic in the southeast of the US who has six locations, a healthcare provider and they had a security breach, an incident, and patient health information was released. And we think it actually impacts quite a few patients because of the article that was released and they had a cybersecurity firm that was contracted to help them protect this information and there was a breach. So, I want to pick your brain on this and you read the article and I wanna get your first thoughts.
Okay. So my first thought is this article is called, there's an Alabama Hospital and they had six locations get their patient information. But if you read the article, it actually says they were using a service provider called Fortra.
And Fortra is a cybersecurity practitioner and Fortra had a hacker come in and breach their systems. The headline is the hospital lost access to their patient information. Their patient information got compromised, but that's not really what happened. The body of this article says it's the cybersecurity company.
It's somebody in their service chain, right, who had the breach. The reality is in HIPAA, it doesn't matter. The covered entity is the one who gets on the hook for how PHI gets treated. So if there's any breakdown of PHI in the supply chain, it still falls back to the covered entity. That's a good point.
So you're not saying that the flaw here is that a cybersecurity incident took place, but in fact, there is more of a testament to having a cybersecurity firm because they know how to detect it and they're taking the right action very quickly. And I think more importantly, communicating with the healthcare center and the patients in a timely manner.
Yeah, that's what I wanna say as a cybersecurity practitioner. But I also know that the reason that this is an article and the communication happened is because this is a mandate for the way HIPAA compliance works. Sure. What we can tell by this coming out almost exactly three months after the incident took place is that over 500 patient records were compromised.
This is speculation. That's not in the article, but just because of the timing and the reporting it looks like they were compelled by their PHI mandates to create some news stories, so that all their patients might know in the area. So if I'm a hospital, if I'm a covered. Now I'm not necessarily caring so much about how this was proof of a good cybersecurity program.
I'm just caring about the regulatory mandates that are sitting in front of me. What are the costs that I'm gonna have as part of the breach cleanup? What are my PHI violations? Right? Am I gonna have regulatory fines that come this way? Am I gonna lose customers? Are those customers gonna try me in civil court?
Do I feel good enough about the people that I've trusted to do my cybersecurity, that their work, when it goes to court on my behalf, that I'm not also gonna get brought into hot water, or was I maybe negligent in some of the diligence that I've done? It gets really sticky really quick. Once a cybersecurity gets to the point, once a cybersecurity incident gets to the point where we have to start reporting it out in local news media.
And on that note, where do you think the pain is gonna fall the most? The cybersecurity firm or the health healthcare provider?
Yeah. There's three different disciplines that have to come together to answer that question. There are compliance people, which are the people who make sure that cybersecurity is being done.
There's the security people who are actually doing the work, and then there's the legal people who are authorizing things. Business associates agreements, right. I'm a cybersecurity person, so my focus is in making sure that stuff gets done. But because of my proximity to court I've got some information about how this can go in a court, even though I'm not a lawyer.
The role of the business associates agreement is to do a lot of things. Of course, the good natured stuff, like we wanna make sure that everybody knows their information is being taken care of. But then there's the real business reason behind it, which is it's a risk management agreement.
Hey, man, if I go down, you're coming with me, right? It's distributing your legal risk across multiple organizations. Let's imagine that it's gonna cost me a hundred dollars per customer record. And there's 500 records that have been breached. You're looking at $50,000 that are totally gonna be accounted for.
It's probably a lot more than that number of records. And it's probably a much higher cost. But let's stick with $50,000 for now. If that's just my regulatory fines, okay, I'm gonna pay that out of pocket as the covered entity. In almost all cases, I might be able to work with my insurance company and see if they can help me with that, but that's gonna be very agreement specific.
I can expect that I'm gonna have to stroke that check though as the covered entity. Now I'm gonna look at who is potentially also accountable. This article, it was information that was stolen out of that platform. The platform holder, there's probably a good case that they're also responsible as well, but unless there's been special wording in the contract for what's gonna happen post-incident as a business associate, They have much less risk that's in the game.
So really as the covered entity, I'm going to be trying whoever I can try, because I gotta figure out how to make ends meet at the end of the day. Sure. You have patients coming to you. And so as the covered entity, now it's my turn to go after my partners who let me down and if it's patients coming after me.
Who's to say how much they're going to come to me for if this becomes a class action lawsuit? Because there's enough people involved and there's enough lawyers with 800 numbers who are going to take these cases, this could get very expensive very quickly. Even if I'm just paying court fees, I could be going to court a whole lot.
All of a sudden I'm further incentivized to start bringing some other of those, the people who assigned these business associates agreements with me. So there's risk that's involved. We know that the covered entity is probably gonna have to pay some regulatory fines. And then there's a whole lot of ways that the consumer, the civil court could go.
As the business associate, I would be reviewing that and I'd be saying, I need to go and approach the hospital and say, we feel bad about this. We see that you've got these fines. We wanna split the cost Sure. With you. Right. That would just be good business, but it's gonna, it's gonna become down to a legal battle really to determine who's gonna be left holding the bag.
Yeah. And I think with somebody reading this, maybe a smaller practice, an owner, a doctor, a revenue manager who says we only have one location. We have maybe a book of 1,500, 2,000 patients. We do all of our stuff in house. Thankfully we don't have this problem and we're probably not subject to this type of risk because that provider was getting really big, they were outsourcing some of their resources.
Let's address this smaller clinic here. We have the majority of providers in clinics that have fewer than five practitioners in an office. That's where the majority of medical care exists, is these smaller practices. So what is the risk? And are they, you might argue that, hackers per se would go towards these mid to large size providers because they can get more with the same effort.
But what is the takeaway for a small practice in this situation?
Couple things to consider. The first thing that I would consider if I'm a small organization is Health and Human Services. The HIPAA people, they understand that I don't have the same budget that the big hospital has. Right? There is some forgiveness that is gonna be extended my way. As long as I can show them evidence that I have a cybersecurity program.
And is that expensive to install, just a mature cybersecurity program? Just for a small practice? They're not looking at a huge capital expense, right?
It depends on what road you go down. Okay? If you want to hire a cybersecurity professional and you wanna buy cybersecurity tools, and you want to take the architecture time, the engineering time, and the operational time to really start to build a cybersecurity program together you're looking at a multi-year project that's gonna have high salary costs, high tool costs; it gets really expensive, really quick.
Take the cybersecurity practitioner, the service provider's word on this; it's much cheaper to outsource that to somebody who has done this with a clinic before.
So you're saying you can get the level of sophistication of a mid to large practice at a practice with outsource solutions.
But what do you say to that practitioner who says clearly the outsource solution was the recipient of this breach. So how do I, how do you respond to that question?
So the way I would respond is I would look right back at that clinic, and I would say that was at the cybersecurity provider's organization.
That wasn't your fault. Let's just look at your vendor risk management policy and let's look through those steps and say, what information did you require from your cybersecurity practitioner before you entered business with them? So if I can look through your documentation and I can see we asked.
An understanding of how they were gonna protect the information that we share with that cybersecurity company. Okay, great. When I'm Health and Human Services and I review this, I say, you did your due diligence. It sure is a shame that this happened. We're maybe gonna go a little easier with you on the fines because we understand you've got a smaller budget and you're serving the community.
But if I look at that and I say, oh, you don't have a vendor management policy. You have no framework for how you determine who is a good person to share your protected health information or not. I'm finding you negligent. You are actually a risk to the community that you're serving. The longer that you are doing business this way.
So now, Health and Human Services, they have a reason to help push you to a dire financial position where you need to solve this immediately or simply go away from the community.
That's really insightful. It sounds like what you're saying is that a small practice can put in reasonable effort at a reasonable cost and really reduce their financial risk in the event of a breach because they've just done some basic documented due diligence that demonstrates that they really did vet their vendors, that they have a framework for qualifying who they should be in business with and what those standards should be before entering in that business agreement. And from your experience, it sounds like you're saying that when fines are assessed, that is really taken into consideration: effort, due diligence, documented standards by which you evaluate your vendors, regardless of the outcome, the breach and how bad it is; these things make a difference on the financial impact of the breach.
Our case studies are showing that all of the highest financial penalties for cybersecurity incidents, those are coming from organizations that just didn't have their ducks in a row. They had no plan for what to do when a cybersecurity incident came.
They didn't have any. There were no elements to their cybersecurity program. And it sounds like what you're saying is you can have two programs that are side by side equal in sophistication. One is not very well documented. The decisions were haphazard. I knew the guy or I was familiar with this firm and I just chose them, versus the same sophistication.
Better defined standards, a better filter and a better framework for making the decision to go into business with that vendor. And of those two sophisticated programs equal in strength, one could experience a higher fee when breaches are encountered because of the lack of documentation.
Yeah. And it's not even just documentation, it's just proof that the program is working. That decision making was happening ongoing. If we treat cybersecurity okay, we're gonna take this here and we're gonna do cybersecurity and we're gonna do this one time, and then we're just gonna call it good forever if we can't show that the program is evolving over time.
If we can't show that considerations are taking place to keep PHI. Then we're really showing we don't care about cybersecurity. If we have a cybersecurity incident in healthcare, in an industry that is maybe more targeted than any other industry that's out there.
If we are trying to show that our cybersecurity program is never gonna be defeated, we're never gonna have a cybersecurity incident, we're lying to ourselves. The small business administration knows that the FBI is out there and they're saying everybody is gonna have a cybersecurity incident.
It's not a question of if, it's a question of when. So the regulators aren't judging us by our ability to make sure we never have a cybersecurity incident. It's they're judging us on our ability to make smart decisions along the. To do the best we can.
And it sounds like a proactive approach where you're actively aware of what's happening with your current program, ways that it could be improved, and documenting those meeting minutes and showing the conversations between the provider and the business associate who's providing those services is proof of involvement, proactive approach, awareness of potential weaknesses, and then doing a simple risk analysis. Even just a desk analysis of cost benefit and saying, this is our reason for this decision that we're not going to make that investment.
But just putting it on paper and actually showing that thinking about this process is enough to help the regulators make a decision that says, okay, you're not negligent. You made a decision and this is the reason why we disagree with that decision, but you're not negligent, right?
So that's a really important point you made a decision that we disagree with, but we understand the criteria that you use to make that decision. That's a whole lot different than you never made a decision. You signed the document, you said, okay, yeah, send our information there. Secure. But you had no ability to detect when the information would be compromised.
You had no ability to respond to it. But you said this is the way that we're gonna be transferring all of our information. That's negligence.
So let's demystify some things about cybersecurity, and I'm going to specifically talk about your company. Sure. I've been really impressed by the work you've done for the people I've recommended.
I was really impressed by the work you've done for our company. So let's demystify some thoughts around cybersecurity. In this entire conversation, we've not talked about any technology. We've talked about respons. Due diligence, documentation, frameworks, decision making, communication, and collaboration.
We've not once talked about the type of firewall, the type of monitoring system, the actual software. So it sounds like you're saying that the small practitioner, the small office, they can actually increase or enhance their cybersecurity immensely before they even talk about software.
That's right. And that's just decision making? In decision making. Yes, absolutely. Decision making is free. Some of the most significant improvements you can make for your cybersecurity program is just to start making decisions. If you've never had that conversation with your leadership and say, okay, we're having these kinds of patients, we have this kind of information for them.
How would we know if this information ever got compromised? If you've never asked a cybersecurity question, you can start improving your program for free today just by making it an agenda item at the next staff meeting.
So you're saying if a small practice had a monthly meeting where on the agenda was cybersecurity topics to discuss.
Sure. And hey, we're gonna start storing information this way. We're gonna start transferring it this way, and we're going to start sharing information this way. Those three bullet points will support the investigation; they're used in the investigation. The regulators look at this and evaluate the effectiveness of your program based on the meetings you're having, the decisions that you're making and showing.
How important is it to support these decisions with industry standards? How sophisticated does the decision making have to be? Right? So you start with having decisions being. And then you try to make those decisions better over time. Health and Human Services, HIPAA, as much as it can cause grief for us.
It also provides a pretty good framework for us to get started. Some of the decisions we don't necessarily get to make decisions about. If a computer needs to have antivirus, that's told for us, we have to have malware scanning, real time malware scanning. Okay? So we have to have a solution to that problem.
How are we gonna have antivirus working today? Now that you're attacking one issue, your decision now is do we go out and we pay for a secondary antivirus, or do we use the one that came installed right out of the box when we bought the thing? If I'm smaller, I'm gonna use the one that's already included in the stuff that I'm paying for.
Then you apply that same decision making to different elements of the business. Let's take this article for example. How do I get information that's on my screen in front of my customers, my clients, or my service provider? One way is I use a secure portal like this. We use secure portals for PHI because we know that email's not secure and we just can't email each other this kind of information. Is that the only solution? It's not. We can totally evade this problem. If I'm dealing with getting information that I have to you. One way is I put it in the portal and you come and you check it out here. Another way is I keep my data close to my chest and I never let it leave, but I invite you to come into it, giving you access to what I already have and what I am already paying for.
There's no cost to that, right? Buying a secondary tool to make it a little easier or to get some feature benefit that might not be contained right here, there's a cost that's associated with that. We're solving this problem whichever direction we. An audit might come in and say, Hey, we don't think that your method of sharing it out is gonna meet all of the requirements or features that we think you should be.
So we'd like to steer you in this other direction. We have a finding now, right? But we don't have a regulatory mandate. We don't have a penalty that's being applied for us. We have a recommendation. We have a recommendation, right? Recommendations are free.
These recommendations are findings. You may hire an auditor, you can hire a cybersecurity firm to give you a third party review.
But some of these other things are free, like decision making, documenting conversations, and just communicating why you're doing things a certain way. And I've experienced these conversations with you remotely and you have these conversations with clients all over the country where, getting on a phone call, you're getting on a Zoom call, you're getting on a Teams meeting, and you're helping them go through these decisions and bringing up areas that they haven't actually discussed yet.
Hey, do you have a discussion around this topic and just guiding them through there. And this is specifically about your firm.
Can you just touch on some high value easy, low hanging fruit that a clinic or a provider might contact you for that you could share on this podcast?
So most people, when they think about cybersecurity, they think about headlines like these.
They don't want to be part of those headlines. The easiest way that you can start working with our company Sittadel, is you can hire us to be your 24 hour incident response partner. We don't promise that we're gonna prevent all cybersecurity incidents. But what we promise is when we detect an incident, we are shutting it down before it goes, and it creates costs.
We don't wait for a headline, we don't wait for an alert. We start monitoring the behavior that's going on in your systems. And as soon as things start to feel funny, that's when we go into action.
Can you define "feel funny" just for our listeners who might hear that phrase and think, what does that look like?
Yeah. So I was trying to keep all the technical information out of this. Okay, but consider this, if I've got my email open, I've got Outlook running. If I'm using Microsoft Office, Outlook is supposed to run. If the computer tells our team Outlook is running, we know somebody's using. That's normal behavior.
Nothing funny about that. Okay. Outlook just started a process that's called Microsoft Word. An attachment has been opened. This is what the system is telling us. Okay, that's normal. But now Word has opened up command line, and command line has started a terminal that's out to some IP address that's out in.
So you're saying looks funny is a provider's terminology might say I've witnessed some abortive behavior.
So yeah. We call it anomalous behavior. Yeah. So things that are a departure from standard. That's right. When we don't understand why things are happening, the first thing that we do is we stop it.
We stop it in its tracks. We don't interrupt it, but we put it on ice. So we prevent a situation from spreading, from continuing.
Containment, that's the step in the incident response plan that we have. Okay. We follow a seven step incident response plan, and containment is the most important to us.
Let's make sure that this doesn't mature. If it matures, it's gonna steal data, or it's gonna steal money, or something like that. So we just put it on ice so we can. And until we understand it, we don't let it resume. We might investigate it and say, oh, isn't that strange? You've got somebody who's taking a vacation in Russia?
We didn't know that. Okay, then we'll let this go through, but we're always gonna pause what's going on, figure out what actually is happening. If it represents risk to the business or if it's just we had to change this one thing for this one time, it's not gonna happen again. Okay, great. Let's let it keep going. That's a great summary of a basic incident response plan.
So I know you and I can talk about cybersecurity all day because in the last 18 months I've learned to love it and appreciate everything it does for my company and for our covered entities. So if somebody wanted to learn more about your company, you mentioned the incident response, like what are some other services that you wanted to highlight?
Yeah. We've got a services webpage that's right on our website. That website is https://sittadel.com. You can go to our services page and you might see some of the other stuff that we do. Okay. We have a vCISO, which is a cybersecurity consultation.
That's right. Virtual Chief Information Security Officer. Okay. You have to have a security officer to meet your HIPAA requirements. You might not have the expertise necessary to lead all of these cybersecurity conversations. So through this service we're gonna book a meeting with you once a month, and we're gonna document, we take minutes, we understand the things that a business needs to be talking about if they're in.
We just document the decisions that gave me any along the way and we shepherd you through what some of those conversations look like. It's not a technical service. You're not paying for extra software, there's no extra tools, anything like that.
It's just a little bit of FaceTime with a virtual chief information security officer.
That's great. Our intention behind covering this article is to obviously educate our covered entities that are listening and to give them ideas on how to improve their cybersecurity program today at low cost, no cost solutions, having better conversations, making decisions, documenting those decisions.
And then when things start to not support your program, you start to look based on the data reasons and ways to improve your system and some new opportunities that are in the marketplace today, like virtual security information security officers who can guide you through these decisions that you're making.
And in the event of an incident, not if, but when you. The supporting documentation to give the regulators and show that you are mature in your decision making process and you're not haphazardly just assuming no responsibility for these incidences that will occur.
Yeah. We'll help you get from "we did it this way because Mike said he seemed real confident that this was the right way to do it." We'll take you from that to, oh yeah, we map all of our IT governance, risk and compliance framework to the ISO 27001 model. So there's a stack of 17 different documents that put these into control areas. We'll give you all of the mature language on paper so that if you ever do have that uncomfortable conversation, it sure does look like all your ducks are in a row.
Even if all you had to do was show up for an hour a month.
I can't help but ask you this question. Where do you think most people come up with their cybersecurity plan? And I can't imagine that in medical school when they graduate, that they've really gone through two years of sophisticated patient health information security protocols.
It's probably a class you take before you're opening your business if you're the practitioner and the owner. Yeah. So where do they really start? Where do you think they really start with this information?
They've got an IT guy. Or they've got an IT service that comes in and they say, you do it, you hook up the computers. You probably know how to keep the information secure, which is tragic because it's totally separate disciplines. In IT, you are trying to figure out how to make things work. You wanna close problem tickets. Hey, this computer couldn't talk to that one before. I know how to make the computers talk to each.
Cybersecurity is very different. We don't want things to work all the time. In fact, we only want things to work one way every time. Taking a landscape of all the functions and features and whittling it down just to the way that we want to do business, making sure that nobody can use the systems against us.
That's a completely different discipline. And we've talked about this before, where you're working with a covered entity, for example, and their IT guy has this approach to technology and sometimes the cybersecurity approach completely derails, and that's what you just mentioned there.
And how do you work with those local professionals who really know their stuff on a technical level, but yet look at some of these cybersecurity rules and think, how am I gonna make this work?
Yeah, that's actually something that we're really good at. We understand that we need IT guys to help make everything work.
So if you go out to the website, you'll see that we have a knowledge base. And in that knowledge base today, there's 75 different articles that are published. And that sounds like too many. But what we'll do is we'll say, okay, here you are, you're not that secure. You gotta think. You got things that are working very well.
We need to add some security. We could go into a room and three hours later we could flip on all the security configuration that's necessary to give you that hospital specific cybersecurity program that Health and Human Services is expecting you to have. But if we do that in three hours, everything's gonna break.
We stretch that technical implementation across about 10 weeks. Even though it's only three hours of technical work for us it's 10 weeks of training. It's 10 weeks of project management. Hey IT guy, we used to send emails this way, but that's not encrypted. We can't do it that way anymore. So if you'll head over to this knowledge base, this is the new procedure for making sure emails don't have protected health information in them.
'Cause every time they do, that's a PHI violation and that's expensive for the covered entity. We're gonna steer them over a course of 10 weeks, we're gonna steer them into a more secure way of doing business. And we don't just make the IT guy's job easier. Also, the people who are actually at the computers, we've just released a whole set of knowledge base articles for them as well.
So we're training now the IT guy who's taking in the problem tickets. Oh yeah. This problem that you're having, it's because you're still doing it. The old. Here's the secure way. Here's a link to that knowledge base article, and it's step one, step two, step three, as simple as it can be for how you need to be doing business today.
It sounds like that there are a lot of free resources for those IT professionals who may be wearing multiple hats at these clinics that are maybe smaller or they're stretched across multiple clinics and they're contracting their MSPs. So these professionals that wanna learn more about cybersecurity, specifically around covered entities and protecting health information.
Are there resources on your website that these professionals can use?
We will tell you how to do it for free. We expect that as you start working on it, you'll say, eh this sure is tricky. And that's when you come to us and say, it sure would be better if you did this for us.
We wanna make sure it's done right. But if you go out to our knowledge base, knowledge.sittadel.com, there's all of the information on how to start doing a secure business today for free.
Josh, thank you for joining me on this episode of Better Billing Today.
Adam, thanks so much for having me on.
When you guys came into our business and you took over our billing, we didn't realize how much money we were losing through just inefficient billing processes, not keeping track of who was paying for what. So if there's any way that I can give back, have me on again, I'm always there.
Absolutely. And you did mention one thing that we've been talking about in the last few episodes, which is your number one expense in business is uncollected revenue.
And that is not just for providers and clinics and covered entities. This is for any business and there are billing practices you can install in your workflow that will help you find these unpaid invoices or phantom payments, as we might call them in some businesses. The second one you mentioned for our covered entities, our second largest expense is actually unrecognized HIPAA violations. How about that? So we don't know. We don't have them yet, but if we're not documenting our decisions it sounds like they could be higher unnecessarily.
That's right. Yeah, absolutely. In cybersecurity, all of our training, in every one of my certifications, the body of knowledge comes right out of the gate.
The first domain of information that we have to learn is your biggest risk in cybersecurity isn't hackers. It's not natural disasters that might destroy data. It's always regulatory mandates. Your biggest risk is regulatory risk. So even if we're not trying, if we're that person who's still got our head in the sand and we say we're never gonna be a target.
It doesn't matter. The biggest risk facing you in cybersecurity is what's gonna happen if you aren't doing right by your HIPAA requirements.
Well said. We're talking technology, compliance, changes in the industry, best practices. For our viewers who have been keeping up with our episodes, we do have more to cover in our handout that we're giving away for free on our website BetterBillingToday.com. Cybersecurity is one of those things that we wanna share with our covered entities and our listeners and let them know that there are really valuable steps you can take to improve the security of your. That will save you thousands of dollars in fees when a breach does happen.
So make sure to download that today and if you have any questions or concerns, please don't hesitate to email us at office. BetterBillingToday.com. Again, this podcast is on all of your favorite platforms. You can find those links on our website and don't hesitate to reach out to us with specific questions, topics, or ideas for our next show.
Thank you and have a great day.
News Article: https://www.al.com/news/2023/04/company-with-6-hospitals-in-alabama-says-patient-info-may-have-been-disclosed-in-cybersecurity-incident.html
Free Guide: https://sparkbillingservices.com/5k-in-15-minutes
Have a billing story or question to share? Send them in to firstname.lastname@example.org
Spark Billing Services