Transcript
Episode 411: Cybersecurity Performance Goals Transcript
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host Evan Dumas. And
Liath Dalton
I’m Liath Dalton and we are Person Centered Tech. This episode is brought to you by Therapy Notes. Therapy Notes is a robust online Practice Management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system, with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 411: Cybersecurity Performance Goals.
Liath Dalton
Woohoo, goals. That sounds so exciting, right Evan? And we did, in our last episode, talk a bit about why these cybersecurity goals are so important. And basically the backstory or the context for them is that we know that Health and Human Services is planning updates to the HIPAA Security Rule that will apply to all HIPAA regulated entities. And that the focus of those Security Rule updates is going to be in this area of cybersecurity, these specific cybersecurity goals.
Evan Dumas
Yeah.
Liath Dalton
So fortunately, we know the kind of details of what the particular goals are. And they’re divided into two categories, essential and encouraged, right?
Evan Dumas
Mhmm.
Liath Dalton
And Evan and I are going to talk through what each of those are, how they fit into your existing security programming. And basically, the idea is to make sure that you’re equipped to be in compliance with the Security Rule changes before they even go into effect, just because this is good practice for safeguarding your clients’ information, and therefore you’re protecting your practice, too. So take it away, Evan, in terms of these specific goals.
Evan Dumas
Yeah, so the essential goals are the ones they definitely want you to do. These are, you know, recommended; they’re not enforced, yet. But they’re kind of saying, hey, down the line, we probably will. But I’m gonna run through these pretty quick, mostly because we’ve already told you to do these in very many ways.
Liath Dalton
Mhmm.
Evan Dumas
So for instance, the first one is mitigate known vulnerabilities. Basically, take care of things you know you need to take care of. So if you have something you’ve been meaning to do, do it.
Evan Dumas
Next one is email security. So make sure you know how not to be scammed or phished or defrauded, and other, like, email-based threats.
Evan Dumas
Next is multi-factor authentication. So turn on that two-factor doohickey. Be it a text message or a little authenticating app, add that other little layer. So whenever any system lets you use multi-factor authentication, just turn it on.
Evan Dumas
Basic cybersecurity training is also an essential goal. So just make sure people know how to do basic security behaviors, you know, different passwords, things like that, but make sure your folks are trained.
Evan Dumas
Next is use strong encryption. So this is making sure the systems that you use have strong encryption, which pretty much every system does nowadays, but this, you know, speaks more to folks who have, say, their own servers or systems like that. But you know, strong encryption also comes into play when you talk about full device encryption or encryption when it comes to communications, etc.
Evan Dumas
The other one, which is real nice and great, is revoking credentials for departing people, including, you know, employees, affiliates, contractors, volunteers, interns, things like that. When people leave, make sure they don’t have access anymore, and make sure you shut that off.
Evan Dumas
Basic incident planning and preparedness is another step. So have something written down of what to do when an incident happens. Now, you see they don’t say breach, because not all incidents are breaches. You find that out through investigation. But have something written down of what to do to help you investigate, document, find out what this is; just be real prepared.
Evan Dumas
Also, use unique credentials. This means don’t share accounts anywhere. Having multiple people share credentials is a huge risk because it’s hard to detect, as they say, anomalous activity when multiple people are logging in. So make sure people have unique credentials.
Evan Dumas
Separate user and privileged accounts is a real interesting one. And this again speaks more to, say you have an account that’s an admin to either your EHR, to Google, Microsoft, that has all the power to change things. Don’t use that on a regular basis. Don’t share that with anybody; have just a regular user account. And keep all the powerful admin ones separate, so that on your day to day, should you lose the keys to your user account, it isn’t one with a lot of power.
Evan Dumas
And the last essential goal is vendor/supplier cybersecurity requirements. This is getting BAAs, this is knowing that your third party products and services are doing their own risk mitigation and other things. So make good choices when it comes to picking vendors.
Liath Dalton
Exactly. So before we start talking through the enhanced goals, which are the sort of pieces that we know will be encouraged but not explicitly required, whereas these essential goals will be explicitly required: every single one of these makes real sense as to why it is necessary. In no way are any of these goals arbitrary or performative requirements.
Evan Dumas
No.
Liath Dalton
They all absolutely translate directly to being able to effectively safeguard client info, or reduce risk exposure or significance of impact, if a threat is realized. And the other interesting piece about them is that they are not new.
Liath Dalton
If you
Evan Dumas
No, not at all.
Liath Dalton
are managing formal and implemented HIPAA Security Compliance using the PCT Way system, each of the components contained in the essential goals is already really baked in to the policies and procedures, to the workforce security manual, and to the hands-on practical implementation support related to services selection and system configurations that support policies and procedures being enforced, and for device and workspace security, too.
Liath Dalton
So a number of these, if you’re kind of following along and doing things the PCT Way, are not actually going to require changes for how you’ve been managing things. And if you haven’t taken the formal compliance step yet, and are thinking, well, should I wait until things are specified as to what the upcoming changes are going to be? No, you don’t need to wait; you want to take action sooner rather than later so that you are effectively managing these risks and already have them covered and don’t have to do change management when the updates go into effect down the road. You’ve just got all your HIPAA ducks in a row, or your hippos in a row! To mix metaphors. All right, Evan, what about those enhanced goals?
Evan Dumas
Yeah, so these are the, you know, not as essential but still recommended. And these cover a bunch of things; some apply to group practices and more speak to those who have their own systems.
Evan Dumas
So having an asset inventory, like we recommend, just have an inventory of all your assets, everything that handles PHI.
Evan Dumas
Third party vulnerability disclosure. So having a process to, you know, respond to known threats provided by vendors and service providers. If they say, hey, oh no, we had a breach.
Evan Dumas
Another
Liath Dalton
Mhmm.
Evan Dumas
part is third party incident reporting. So having a process to respond to their other incidents and other things.
Evan Dumas
Cybersecurity testing is a very interesting one. That’s like having people pretend to hack into your systems, which doesn’t fit quite as well if you don’t have your own servers, things like that. It’s called pen testing.
Evan Dumas
Another is cybersecurity mitigation. So really having a process to prioritize and act on vulnerabilities that you discover through these simulated attacks.
Evan Dumas
Another one, it’s sort of the same vibe, is to detect and respond to relevant threats, tactics, techniques, and procedures. And they have an acronym for that, TTP; I’ll never say that again, because it’s confusing. So this is really just creating cultural and organizational awareness, to just know how to respond to these threats and what your sort of response looks like when they happen, etc., for the entry and exit points on your network, where PHI comes in and leaves.
Evan Dumas
Another is network segmentation, which is nice. So we generally recommend having your own Wi-Fi and guest networks; this is more detailed: if you have mission critical network assets, having that separated from other networks you have. So, you know, if you have a small system, it’s not as capable or feasible.
Evan Dumas
Centralized log collection. So when you do have your log of people’s activity, and audits and things like that, have it all in one place, so you know it’s saved, you know it’s easy to see. It’s just easier to respond to incidents if you don’t have to go running all over the place for an investigation.
Evan Dumas
Another is centralized incident planning and preparedness. So just make sure that you consistently maintain these incident plans, you drill on them, and then you just update your response plans as threats change.
Evan Dumas
And lastly is configuration management. And this is one some groups use, if it’s feasible or not: defining security device and system settings in a real consistent manner for everybody’s devices and how they access things, and just being on top of and in control of people’s configurations.
Liath Dalton
Mhmm.
Liath Dalton
And that, in particular is really part of the process for all practice provided systems and services that contain Protected Health Information, right?
Evan Dumas
Yep.
Liath Dalton
I want to be configuring each of those systems to be safeguarding information and helping to enforce the policies and procedures we have around the necessary safeguards, so that every system is kind of maximally configured to help prevent user error or mistakes or someone forgetting the behavioral measure that translates to the required security outcome.
Evan Dumas
Mhmm.
Liath Dalton
So in terms of these enhanced goals, there are a number of pieces from them that are already all explicitly addressed by HIPAA, actually, in terms of having an asset inventory and reviewing access and usage logs. Like, we know that’s typically folks’ least favorite part of actually implementing their policies and procedures; it can be a little tedious looking through all of the access and usage logs from systems to identify if there was anomalous activity, or something that merits further investigation.
Evan Dumas
Mmm.
Liath Dalton
But these are pieces that are already provided for, and some of the pieces in the enhanced goals, like the penetration testing, as Evan said, are not going to be applicable to those of you who aren’t running your own servers.
Evan Dumas
Correct.
Liath Dalton
And in part, this is why we have said you don’t want to have to manage
Evan Dumas
No.
Liath Dalton
running your own servers,
Evan Dumas
please don’t.
Liath Dalton
No.
Liath Dalton
because that does not sound like how you want to be allocating time and resources, and just the sort of stress of managing that level of risk exposure.
Liath Dalton
That’s why we outsource it to business associates
Evan Dumas
Yep.
Liath Dalton
who get to take on that responsibility and liability.
Evan Dumas
Yep.
Liath Dalton
So Evan, what was your main takeaway after looking at these goals and thinking how this is going to impact folks in the PCT community and the practices that we work with?
Evan Dumas
So the first was actually kind of a sense of relief, because everything we’ve sort of been preaching is what they’re recommending now. So now, knowing that we weren’t going overboard is always great when it comes to security.
Liath Dalton
Mhmm.
Evan Dumas
Like ahh, okay, we are rational creatures who did think of this well. So knowing if you do these things, you’re taken care of; also knowing that they understand it’s a tiered system, where there’s the super recommended ones, the essential goals, and then there’s the enhanced goals that are like, you know, stretch goals. So that’s, you know, if they were to say everything is equally important, that’s not feasible. That’s not how you do risk mitigation and risk planning; you prioritize them. So knowing that they’ve done that too, so that if you check all the big boxes, great, and if you get some of the enhanced ones, also great. So knowing that there is a ranking to this, which is nice.
Liath Dalton
Which, you know, continues to support the sense of this being reasonable and usable.
Evan Dumas
Yeah.
Liath Dalton
Right, despite being a regulatory framework. For a long time, we’ve talked about the flexibility and scalability, being user friendly and supportive of actually being able to manage accomplishing the necessary outcomes. But this just kind of further supports that, or is additional evidence of what the approach and purpose of the regulations and regulators are. And so it is heartening to see, actually, in the scheme of things. I think you put that beautifully, Evan.
Evan Dumas
Mmm.
Liath Dalton
So we’ll continue to be informing you as, if any, additional details of these updates and changes go into effect. We can also anticipate that once the changes do officially go into effect, we will be doing a CE training with one of our healthcare cybersecurity friends, to help equip you on that front with a real practical application focus, and get those CEs at the same time.
Liath Dalton
But we’ve got you; you don’t have to manage this alone, or get overwhelmed by all the acronyms that Evan and I just waded through to kind of bring this distilled news to you.
Evan Dumas
Mhmm.
Liath Dalton
So rest assured, it will all be manageable. And we’ll see you good folks next time.
Evan Dumas
Yeah, see you next time, everybody.
Liath Dalton
This has been Group Practice Tech, you can find us at PersonCenteredTech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.
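Worked example, added by the editor and not part of the episode or of PCT’s materials: a small access-log review in Python that looks for the three patterns Evan and Liath tie to unique credentials, revoking departed users, separate admin accounts and centralized logs. The CSV log format, the account names, the event names and the 30-minute threshold are all assumptions, and the log rows are constructed, not real data; the point is what a log review actually has to look for once the logs are in one place.

```python
"""
Added example (editor's, not from the episode or from PCT): a minimal
access-log review that looks for the patterns the episode ties to unique
credentials, revoking departed users, separate admin accounts and
centralized logs. Assumed log format: one CSV row per event with the
columns timestamp,user,ip,role,event. All names and rows are constructed.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export (not real data). 'alice' logs in from two
# different networks nine minutes apart (a shared or stolen credential),
# 'dr.smith' is on the departed list, and the 'admin' account is used to
# read a chart, which a regular user account should be doing instead.
SAMPLE_LOG = """\
timestamp,user,ip,role,event
2024-03-04T08:55:10,alice,203.0.113.7,user,login
2024-03-04T09:04:32,alice,198.51.100.21,user,login
2024-03-04T09:10:01,bob,203.0.113.9,user,login
2024-03-04T09:30:45,dr.smith,198.51.100.40,user,login
2024-03-04T10:02:17,admin,203.0.113.7,admin,view_record
2024-03-04T10:15:00,carol,203.0.113.12,user,login
"""

DEPARTED_USERS = {"dr.smith"}          # assumed: kept from the exit checklist
ROUTINE_EVENTS = {"view_record", "write_note", "schedule"}  # assumed event names
SHARED_USE_WINDOW = timedelta(minutes=30)                   # assumed threshold


def parse_log(text):
    """Parse the CSV export into dicts sorted by time."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def shared_credential_suspects(events, window=SHARED_USE_WINDOW):
    """Map user -> set of IPs for users seen logging in from two different
    IPs within `window`. A shared account looks exactly like a compromised
    one here, which is why unique credentials matter."""
    logins = defaultdict(list)
    for e in events:
        if e["event"] == "login":
            logins[e["user"]].append((e["timestamp"], e["ip"]))
    suspects = {}
    for user, entries in logins.items():
        for i, (t1, ip1) in enumerate(entries):
            for t2, ip2 in entries[i + 1:]:
                if ip1 != ip2 and t2 - t1 <= window:
                    suspects.setdefault(user, set()).update({ip1, ip2})
    return suspects


def departed_user_activity(events, departed=DEPARTED_USERS):
    """Any event at all by an account that should already be revoked."""
    return [e for e in events if e["user"] in departed]


def admin_routine_use(events, routine=ROUTINE_EVENTS):
    """Privileged accounts doing day-to-day work instead of a user account."""
    return [e for e in events if e["role"] == "admin" and e["event"] in routine]


def review(text):
    """Run all three checks and return the findings in one place."""
    events = parse_log(text)
    return {
        "shared_credentials": shared_credential_suspects(events),
        "departed_user_activity": departed_user_activity(events),
        "admin_routine_use": admin_routine_use(events),
    }


if __name__ == "__main__":
    for check, hits in review(SAMPLE_LOG).items():
        print(f"{check}: {hits if hits else 'none'}")
```

Run as written it flags alice (two IPs within the window), the departed dr.smith still logging in, and the admin account viewing a record. On a real export the departed list comes from the exit checklist and the window from how your team actually works (home to office commutes will trip a short window), so tune it before treating a hit as an incident rather than a prompt for investigation.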
Your Hosts
PCT’s Director, Liath, and Senior Consultant, Evan.
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In this episode, we explain the cybersecurity goals as outlined by Health and Human Services (HHS) in light of the upcoming HIPAA Security Rule changes.
We discuss the different categories of goals that are outlined; being proactive so your practice is ready when changes come; the essential goals HHS has outlined and what they mean; the encouraged goals HHS has outlined and what they mean; why these goals make sense; and how the PCT Way can help you meet these cybersecurity goals.
Resources are available for all Group Practice Tech listeners below:
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources & further information
- Healthcare Sector Cybersecurity Concept Paper
- HealthIT Security article: CISA Issues Revised Cybersecurity Performance Goals
- HealthIT Security article: HHS Unveils Healthcare Cybersecurity Performance Goals
- HHS’ Healthcare & Public Health Cybersecurity Performance Goals
PCT Resources
- weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
- + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
- + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
PCT’s Group Practice PCT Way HIPAA Compliance Manual & Materials — comprehensive customizable HIPAA Security Policies & Procedures and materials templates specifically for mental health group practices, with a detailed step-by-step project plan and guided instructions for adopting & implementing efficiently **includes policy prohibition on use of BCC and CC; workforce forwarding emails from their practice email account to personal email account; data entry checking/not using autofill suggestions for recipients — the P&P components that address the email gone awry situations we discussed in the podcast episode
Policies & Procedures include:
- Customizable templates that address each of the HIPAA Security Rule Standards. Ready for plug-and-play real practice application.
- Computing Devices and Electronic Media Technical Security Policy
- Bring Your Own Device (BYOD) Policy
- Communications Security Policy
- Information Systems Secure Use Policy
- Risk Management Policy
- Contingency Planning Policy
- Device and Document Transport and Storage Policy
- Device and Document Disposal Policy
- Security Training and Awareness Policy
- Passwords and Other Digital Authentication Policy
- Software and Hardware Selection Policy
- Security Incident Response and Breach Notification Policy
- Security Onboarding and Exit Policy
- Sanction Policy
- Release of Information Security Policy
- Remote Access Policy
- Data Backup Policy
- Facility/Office Access and Physical Security Policy
- Facility Network Security Policy
- Computing Device Acceptable Use Policy
- Business Associate Policy
- Access Log Review Policy
Forms & Logs include:
- Workforce Security Policies Agreement
- Security Incident Report
- PHI Access Determination
- Password Policy Compliance
- BYOD Registration & Termination
- Data Backup & Confirmation
- Access Log Review
- Key & Access Code Issue and Loss
- Third-Party Service Vendors
- Building Security Plan
- Security Schedule
- Equipment Security Check
- Computing System Access Granting & Revocation
- Training Completion
- Mini Risk Analysis
- Security Incident Response
- Security Reminder
- Practice Equipment Catalog
- + Workforce Security Manual & Leadership Security Manual — the role-based practical application oriented distillation of the formal Policies & Procedures
- + 2 complimentary seats of the Security Officer Endorsement Training Program (1 for Security Officer; 1 for Deputy (or future Deputy) Security Officer)