
HealthData Talks: Security Best Practices

In this HealthData Talks episode, Shannon Larkin and Nick Cardwell, Director of Cybersecurity at Harmony Healthcare IT, discuss security best practices for hospitals and clinics, how Harmony ensures clients' data is secure, and security vendor suggestions.

Subscribe
You can subscribe to the HealthData Talks Podcast on Spotify, Amazon Music, Apple Podcasts and more.

 

Transcript

 

[00:00:02.528] – [00:00:22.839]

Welcome to HealthData Talks, where industry experts offer bite-sized tips and trends for managing legacy data. Thanks for joining us. I’m Shannon Larkin from Harmony Healthcare IT, and I’m joined today by Nick Cardwell. Nick is our Director of Cybersecurity at Harmony. Thanks for being here, Nick.

Thanks for having me, Shannon.

 

[00:00:25.039] – [00:01:48.609]

So, Nick, at Harmony, where our job really is to store and protect PHI for our health care customers, security is definitely key. I mean, I would say it’s more than key. It’s like our top priority. So, I was hoping today we could just have a general conversation about security in healthcare. I mean, it’s no secret that health data is highly sought after by cyber criminals. There’s just so much rich data in a medical record for a criminal, like date of birth, social security number, insurance information. So, can you just generally comment on the risk for health care providers today?

Yeah, I mean, in the past, you know, three years, health care data breaches have doubled, right? According to the 2023 CrowdStrike Global Threat Report, one of my favorite reports to read on an annual basis, healthcare is the most attacked sector behind financial and technology. So cyber risks threaten, you know, an organization’s ability to operate and access their information. It really impacts their reputation and customer trust when they are, you know, impacted by a cyber event. It obviously impacts the organization’s survival, right, the ability to keep doing business as a result of that. And then of course, in healthcare, it could come down to actually impacting patient safety. So, yeah, there’s a lot at stake when you take a step back and realize the potential impacts of cyberattacks.

 

[00:01:50.739] – [00:03:56.838]

Yeah. And when health care organizations archive their legacy data with a vendor like us, they’re essentially offloading risk and transferring that risk to us. So, what would you suggest a hospital or a medical practice looks for in an archiving vendor when it comes to data protection?

Ah, I mean, a few things, right? You want to look for a vendor who, you know, maintains certifications such as HITRUST or an equivalent that just shows that they go above and beyond standard security practices. But beyond that, and included in that, right, you want to make sure they’re able to respond to incidents. Nobody’s immune to incidents, right? So, you want to understand their endpoint monitoring, their endpoint response, whether they’re working internally with a security team or externally with a security provider. You know, what tools or solutions do they have in place for incident response and recovery? You know, CrowdStrike, endpoint detection, Arctic Wolf, Sophos, Trend Micro, you name it, there’s plenty out there, right? Other than that, employee training, right? I can’t stress enough how important it is to train your organization’s employees against social engineering, such as phishing, but also proper data handling. That really helps build a security culture, which I believe is one of the most important aspects of growing businesses, right? Building that security culture, because the threat is there, and it will always be there. So, making security a common topic of discussion and everyday procedures. We tell our employees personally that if it doesn’t feel right, say something, even from their first day here, and then, you know, every now and then we’ll have a reminder about that. But I truly believe that’s really helped set the tone for our organization personally. It just shows how seriously we take security.

I totally agree. I mean, I’ve been an employee at Harmony Healthcare IT kind of since the beginning, and I take all of that very seriously with our annual training and our phishing, you know, tests and that sort of thing. You always must be on guard. So those are good suggestions for what to look for in an archiving vendor.

 

[00:03:59.189] – [00:06:04.051]

How else would you say Harmony Healthcare IT is really ensuring the security of our clients’ data? Are there other things we’re doing?

Yeah, I mean, you know, part of that is we go above and beyond from a security stance by just investing in HITRUST, so that when you, you know, invest in Harmony Healthcare IT as, you know, a third-party vendor, our platform is backed by HITRUST certified infrastructure, practices, solutions, policies and procedures. And it’s no easy task to do and maintain, right? So, we’re constantly on top of, you know, making sure we’re compliant with HITRUST controls, making sure that we’re on top of everything we need to be to prevent any malicious event or any breach to customer data. Customer systems, for instance, are filtered against whatever they decide they want to access. So, what I mean by that is IP whitelisting, which is a pretty common term across the industry. But essentially, if a customer says these are the only, you know, locations we want to access our platform, those are going to be the only locations that are going to be able to access that platform. It just kind of minimizes that attack surface right off the bat, right? But then we offer MFA and SSO capabilities. So, we’ve got to help facilitate secure authentication by doing that, which in turn is backed by industry standard security group and role configurations that customers are in control of, so that they allow their employees only what they’re allowed to do. You know, this is also known as least privilege. So, but on top of all that, when customers choose to go with us, we take on a significant portion of the security responsibilities, such as intrusion prevention and detection, both at the endpoint and at the network level. This goes a long way because we essentially monitor the environment 24 by 7 by 365. And we utilize two separate top-of-the-class managed security providers who are considered some of the best in their field, obviously. So, we kind of go to those measures just to protect our customers’ data.

 

[00:06:05.600] – [00:07:11.379]

That’s a lot. Yeah. And I know HITRUST is so important, and we’ve been HITRUST certified for years, right? Like I want to say five years, since 2017 actually. So we’re going on our sixth year, going on our sixth year. And how often is HITRUST recertified?

So, we’ve always certified every two years to complete, and then every year, every other year, there’s an interim. So, you’re essentially going through a certification every year. But they take it easy on you on the interim side, and then the next time around you go for a full certification, and each time in that we’re constantly gauging where they’re maturing as far as a framework and going up to the next step. Right. So, they’re releasing new versions of their framework. We’re assessing that framework to make sure it’s still applicable to us, make sure that it’s still right for our organization and improves the security of organizations. So, each time is different, but, you know, it’s one of those things with HITRUST that you’re constantly maturing the security of your program, which is huge.

 

[00:07:13.059] – [00:08:09.047]

I love that. And I’m not sure if your average hospital is also HITRUST certified, I guess you can comment on that, but I’m curious to know what organizations can do themselves in house to reduce cyber risk?

Yeah, I mean, you don’t know what you don’t know. So you have to start with identifying the risk. Now, how you do that’s up to you. There are many affordable offerings out there where you can get a qualified third-party consultant or organization to come in and provide you with your organization’s risk, right? But if you’re not willing to pay for something like that right up front, there are many resources out there. CISA, the Department of HHS also has some awesome free solutions that can really help you self-assess your organization’s security risk and also your security posture, so I urge organizations to at least start there. Right.

 

[00:08:10.509] – [00:11:18.349]

Yeah, that’s helpful. I saw an article recently around how security can really be a struggle for a lot of the smaller hospitals and clinics, you know, where they may have limited resources. Is there advice that you would give to those smaller organizations?

Yeah. So, some may not have proper security processes in place, and they may be wanting to improve on their existing security program. There’s a lot you can do. But, you know, in my opinion, I would definitely, you know, boil it down to this small list, which starts with just knowing your systems, taking an inventory of what you have. There’s an old security adage that you can’t secure what you don’t know you have. So, it’s very important to know what you have, so you can assess what security controls you can put around those items. Antivirus is a big one, pretty common out there, but frankly, this is an evolving requirement. You know, antivirus is not the same as it was 10 to 15 years ago. There are vendors out there that are building on antivirus, going towards more the endpoint detection and response, Next-Gen Antivirus, really just trying to prevent the next big cyberattack. So, depending on what you want to do, you don’t have to go that far, but really having pretty much standard antivirus in place can prevent quite a few significant attacks. So, I would look there, and then finding the right security framework. This is very important for an organization because, you know, it has to be right for you. Both paid and free security frameworks have their nuances, right. Finding the right one for you that makes sense from both the financial and legal aspect can really help your organization build a valuable path to maturing a security program. HITRUST, and not to plug them here, but HITRUST definitely helps us improve on that because it helps us dial in on what we’re scoped for, right? We’re not a hospital, but we do work with hospitals. So, they build control programs that are essentially built for us, which is pretty awesome. And then creating security policies and training staff. Policies absolutely help govern your organization’s procedures on a day-to-day basis. I know policies can sometimes be tedious to maintain, but they are of the utmost importance, and really they help build that security culture that I was referring to earlier. Security culture definitely helps organizations continue to improve their posture because everyone’s talking about it at the forefront of conversations. And then finally, set approved access privileges. Least privilege, in my opinion, is probably one of the most important controls an organization can put in place. I mentioned antivirus before. You absolutely want to have antivirus. But if all your employees have administrative privileges on your endpoints, that would make no difference to an attacker; they’ll just disable the antivirus and then move it out of their way. So, I mean, who can do what, essentially. Only admins should have admin accounts, and building on that, those accounts should be separate from their day-to-day accounts. So that would be what I would break it down to be.

 

[00:11:20.099] – [00:12:44.798]

Yeah, and so helpful. I mean, I think that’s good advice, not only for small hospitals, but healthcare organizations of any size. So, there’s just so much to keep up on daily. Are there any, you know, blogs or reports that you find yourself checking every day, or anything you would recommend? What’s your feed?

Oh, there’s quite a bit. I do frequent social media, and I like to follow a lot of the, you know, security experts in the industry. I think a lot of the material that CISA puts out there has come a long way. I think they’ve provided a lot of, you know, benchmarks and checklists and items of that nature to really help me kind of feel good about what we’re doing. And they’re also very good about, you know, alerting us of, you know, growing threats, commonly exploited vulnerabilities across, you know, industries, right. So, I definitely recommend CISA, and there’s quite a bit of others, but really just going out there and using your resources, Google. There’s quite a bit of information out there, but, you know, just focusing in on healthcare, the Department of HHS has quite a bit of resources around security controls. So, there’s no shortage of information, that’s for sure.

 

[00:12:46.058] – [00:13:20.629]

Excellent. Ok, great, Nick. Thank you so much for joining us. I think you provided a lot of good information that our listeners will appreciate. So, thanks for being here.

Yeah, thanks for having me, and to our audience, thanks for tuning in.

Be sure to join us next time for another episode covering tips and trends for managing your health data. That’s it for this session of HealthData Talks. Check out helpful resources at HarmonyHIT.com and follow us in your favorite podcast app to catch future episodes. We’ll see you next time.

 

Speakers

Host:
Shannon Larkin, VP of Marketing and Business Development, utilizes her 25+ years of health IT experience to connect healthcare organizations with a team of experts that consolidate and modernize data storage to reduce cost and risk.

Guest:
Nick Cardwell, CISSP, CCSP, Director of Cybersecurity, has 5+ years of experience in Cybersecurity since graduating from Indiana University with a B.S. in Informatics with a focus in Security and a minor in Criminal Justice. In Nick’s professional career, he’s had experience in Governance, Risk and Compliance (GRC), HITRUST Compliance, HIPAA Compliance, Security Architecture and Engineering, Security Operations, Identity and Access Management, Incident Response, System Administration, Networking, Data Analysis, and Management.

Talk to the experts. Harmony Healthcare IT is an award-winning data management firm with a proven ability to extract, migrate and archive data with 100% integrity.
