We began our discussion with the recent hack of Medicaid that occurred right in our own backyard: Utah. Getting hacked is never a good thing, and I asked Raj what he thought the fallout from the hack might be. According to Raj, in the short term Medicaid can expect to pay penalties and fines. The clincher, in Raj’s view, is that in the long term we can expect our State taxes to increase.
Raj points out that it is not uncommon to see large organizations being hacked; however, the government has made progress by mandating and implementing better compliance regulations, making it more difficult for hackers to target larger organizations. What Raj found interesting is a recent case involving a Phoenix cardiology group, consisting of two cardiologists, who agreed to pay a hundred thousand dollar ($100,000.00) fine for using cloud computing in their medical practice. It turns out the doctors were using a web-based calendaring and scheduling system, and neither cardiologist had done any due diligence on their vendors to verify whether the technology complied with HIPAA privacy and security rules.
Now the attention of hackers is turning to the smaller medical practices and smaller accounting firms: those who need to be HIPAA, PCI, or GLBA compliant. Many businesses are not compliant, and are trading short-term savings for long-term liabilities. In addition, business owners fail to understand the loss of customer value when an incident occurs. Failing to meet the standard of practice will become more and more expensive than the cost of ensuring you are in compliance.
It all boils down to implementing good security practices. If a breach occurs and you can show that you are following the standard of best practices, it will greatly increase your odds of avoiding devastating penalties, fines, and loss of customer trust.
Take the time to understand what the law requires of you. The following link provides a PDF created by Raj depicting a number of great case studies in failure. The information will definitely make you think about whose Internet it is anyway, and who’s got your back when it comes to your personal information.
The criminal hackers are now targeting the low-hanging fruit: small professional businesses, home offices, and the individual end-user. Beyond the information that is available on your computer, it’s the theft of that power and speed, and the ability to command your machine as a Zombie PC and combine it with thousands of other computers (a Botnet) to attack other businesses, websites (DoS – Denial of Service), competitors, large corporations, government, infrastructure, etc., all because too few understand or implement digital safe practices.
“The ‘I am too small’ mentality doesn’t hold water any longer,” said Raj. The law does not require perfection, but it does require you to follow best practices for the business you are in, and reduce your risk footprint.
We switched gears and addressed the recent incident of Kimberly Hester being fired for refusing to give her employer her Facebook password. The way Raj addressed it was the employer would have to be insanely stupid to follow that thinking. You can listen to additional comments about this discussion at time stamp 00:26:26
I asked Raj what he thought about our digital footprints becoming more like full-body imprints, likened to the snow angels we made as kids. How is all this abundance of information influencing law enforcement practices here in the US? Time stamp 00:28:59. Raj’s response took us back to how some of the profitable businesses of today got their start as aggregators, collecting massive amounts of personal information and selling it to the US Government. It will surprise you how much personal information about US citizens has been collected and sold to the US government since the 1940s.
Here is something for everyone to think about: what are your thoughts about the iPad dictation function being sent to Apple servers, or an HDTV capable of watching you watch TV? How about Samsung and other manufacturers that have built-in cameras and microphones that are always turned on and capable of watching the viewers? Television, radio, and cars are next.
There is a great deal more for you to listen to…download the interview. There is always good, solid, and usable information to be mindful about, as well as implement.
Dave: Well, good morning, everyone, and welcome to the Cyberhood Watch radio show. Today is going to be one of those exceptional days. Again, we have Raj back to join us. We’re going to try something very unique and different today. Raj is going to be talking to us today about HIPAA compliance and reverse backup disaster recovery. And we’re going to be talking about that for the first part of the show. Then later on in the show, we’re actually going to go live while Raj conducts a live HIPAA PCI compliance webinar for the medical communities in Joplin, Missouri and Jackson, Missouri. So as we hold off until Raj joins us, I’d just like to maybe talk about some of the things that have taken place in the disaster recovery area. If you’re one of the ITs that are involved in the enterprise area, you’ll be aware of what’s taking place with Amazon and their recent problems and what effects that will have on the rest of us. Let me introduce and bring back Raj. Raj, are you there?
Raj: I’m here, Dave. Can you hear me?
Dave: I can hear you. A little faint, but I can still hear you. I was just explaining to everyone that we’re going to be trying something unique today in a sense that first of all, we’ll start our show talking about the disaster recovery, maybe even touch a little bit on what you’re going to be talking about or what’s taking place with Amazon. And then later in the show, we’re going to go live as you conduct an interview with folks regarding HIPAA compliance in Joplin and Jackson, Missouri. So with that, why don’t you start us off and kind of give us an idea what disaster recovery is and a little bit about business continuity and how that works together.
Raj: So disaster recovery, as the name implies, is the policies and procedures we need to have in place so that if a disaster strikes your business, you can recover from it. What could be a disaster? It could be something as simple as the gas company having gas exploding, to water flooding your business, to obviously hurricanes and tornadoes shutting down your district or your state. So whether you look at HIPAA, PCI, every major security law out there pretty much says that you need to have disaster recovery procedures in place. It’s not enough to have all policies sitting on a shelf. People need to be trained on what to do when a disaster strikes. And business continuity is a super set of that. And what business continuity says is, “We know disasters are going to happen.” Whether it’s a physical disaster, natural disasters, it could be something like your employee accidentally CC’ing your entire customer list with a rude or offensive message. That’s a disaster. It could be something like losing power or a foreign nation giving something completely out of the ordinary that impacts your business. You’re getting a lot of shipments from China and all of a sudden, the Hong Kong port gets blocked. What do you do? How do you keep your business running in the event of a disaster? So business continuity is looking at all the risks that could possibly affect your business and having things in place so that if your primary building has a water flood, you can continue your business from an office down the block, or a different county, or a different state. So business continuity is keeping your business running in the middle of a crisis. You know, a good example of that is hospitals. You’ve got a hospital. It can’t be moved unless there’s a hurricane in the parking lot. They still have to provide critical care and help to their patients and to their communities with a tornado going on. How do they do that? They lose power. You can’t just say, “Oops, we lost power. Everybody on life support, you’re dead.” That opens them up to litigations, not to mention a whole bunch of other social ramifications. So business continuity says, “You should plan for failure, and you should plan for how to run your business.” How do you make payroll? How do you pay your vendors? How do you get paid via customers? How do you deal with firefighters, police, media, the regulators, everybody else while keeping your business running? It’s really documenting what you’re going to do if XYZ occurs.
Dave: So I guess the question that a lot of people have on their mind is: what is that fine balance with having enough to cover you and not more than what you need to be an overburden financially on you? So how do you find that right balance that prepares you for the worst?
Raj: Sure. So again, like everything else, if it’s too overwhelming, step back a minute and fix the manageable chunks. Let’s take you and I, for example. We’re both men, we both run our business, we’re both humans. So let’s take the common disaster. You’re travelling tomorrow, and you forget your wallet in the back of a cab. That’s a disaster. Not to the universe but to you personally. How do you recover from that? A good thing to do before you travel might be always once a year photocopy everything in your wallet: your driver’s license, your credit cards, your insurance card, your dental card, whatever else you have in there. And keep the photocopies in your safe at home, and give a copy to your wife. So that if you’re in a cab, you leave your wallet, you call your wife and say, “Sweetheart, I can’t find my wallet. What’s my credit card number? What’s my passport number? What’s my healthcare number?” And this way, you can recover and continue with your day and then when you have downtime, call up your bank. Call up your insurance company and get all of those restored. A similar thing you can do with your business: “Hey, what are we going to do if our email server goes down? Not for an hour. For a day, for a week, 2 weeks.” It’s going to happen at some point. How do you keep operating if your email server goes down? If you’re like most people, you got half a dozen email accounts. For me personally, Raj@brainlink.com is who I’ve been on the Internet since 1994. That’s the best way to find me, but if brainlink.com goes down tomorrow or right now, for example, the first thing I’m going to do is take a deep breath. Then I’ll get on my LinkedIn, let people know, “Hey, I’m currently out of commission. Brainlink.com isn’t working. Connect with me over here.” I’m also going to direct people to my Gmail or my other backup email accounts, which are nowhere near where brainlink.com is hosted. And if I lose my cell phone, which I live in, I lose it in the back of a cab. 
Here’s my process. Recognize I can’t find my cell phone, dial it, it’s not dialing. Step 1: call my admin and say, “Hey, I can’t find my phone. Nuke it.” So that if somebody finds my phone, they’ve got the physical device to make phone calls but they can’t get access to my accounts, calendar, all my sensitive data. Step 2: call Verizon, “I lost my phone. Get me a new one.” I don’t care what a new one costs. This is where I am. FedEx it to me overnight or go to a local Verizon store, pay retail, get a new phone, and immediately put in the 5 most common numbers I dial: my wife, my admin, my assistant, my insurance company, and my dad. And then when I have downtime, I can reconnect with our server and suck out all my calendar, contacts, appointments. So the disaster is I lose my phone. The recovery process is step 1: notify my admin. Wipe my phone. Step 2: notify the phone company. Step 3: restore all my contacts and calendars and let it do that while I have dinner, cocktails, whatever.
Dave: You know, something that you said really not pertaining too much to disaster recovery. Well, it’s part of disaster recovery because you brought it up. But is the nuke or wiping your phone remotely, is that something you’ve added onto your phone? Or is that something that every phone is equipped with?
Raj: It comes on the phone. Since you’ve got it built in. Some of the newer Androids have it. If you have an iPhone and iCloud enabled with the setting turned on, you can wipe them remotely. Every single security and privacy law out there pretty much requires you to equip your smart phone, your laptops, and so on to be able to wipe them remotely wherever possible. Let’s say I was a doctor. If I had my patient information in here, even something as simple as a patient’s name and phone number, and I lost the phone. If I could not nuke it remotely and the gap between losing it and wiping it was less than a half hour or hour, a small window of opportunity for the attackers, I now have a potential HIPAA violation on my hands. So encrypting your phones is a smart idea. Having a remote wipe that works is a smarter idea. You should have both and you should test them. Every time I get a new phone, the first thing I do is I configure my email, calendar, and contacts. And after I’ve used the phone for a week and I like it, the next thing I do is schedule: if Raj lost his phone, what do we do? Can we wipe the phone remotely? Can we wipe a phone if the phone is turned off? So on my current phone, the Galaxy S3, the remote wiping feature isn’t that reliable, so I have turned on a feature instead that encrypts the flash on the phone where if you don’t know the password, all you can do is make emergency calls. It will not use the operating system. I can’t wipe it remotely securely. So I take the next approach, which is encrypt the whole phone. Worst-case scenario: you take the phone away from me and all you can do until you wipe it is emergency calls.
Dave: At least you have that capability. So talk a little bit about what’s taking place with Amazon because that seems to be a pretty good example that maybe we’ll kind of cover a little bit more. Maybe even lead into the significance of being prepared even at that level. You can still experience this.
Raj: Right. So in the last couple of years, every vendor has become a cloud vendor and they’re all marketing, “Oh, the cloud is more reliable.” I have my opinions about whether the cloud is right for all businesses. Let’s say your business, Cyberhood Watch radio, it’s not a security-compliance business. You could live in the cloud. Lots of companies have based their fortunes in Amazon. Companies like reddit, imgur, Pinterest, flickr, a whole bunch of others. And a couple of months ago when we had the hurricanes and tornadoes down there, the Regina Data Center went offline. Amazon blamed it on bad weather. Okay, fine. Yesterday, out of the blue, their Eastern data center started messing up for a couple of hours. They took down major websites. Now, there’s no bad weather. There’s no electrical problems. We don’t know why Amazon went down. They got back up but here’s what happened in the meantime. Lots of companies came back. Some companies did not fully come back. Some were out of date. Some data they could not recover. And their contracts say, “We do full recovers. We don’t guarantee full recovery.” A good example of disaster recovery which is bad planning is reddit vs. Netflix. Now, Netflix lives on Amazon. But the guy running Netflix, one really smart guy, the CEO…he said, “We know Amazon’s going to fail.” As a result, Netflix has a presence in every Amazon region around the world so that if Virginia goes down, Oregon, Washington won’t. A lot of the smaller companies, a lot of the younger companies, without the financial firepower and without the level of planning go down. The only difference between the 2 companies, Netflix and reddit, which are both larger corporations is Netflix plans for disaster and had a proper procedure in place. It literally is spending a lot of money and engineering time and the brainpower costs more than the dollar bills in planning in Amazon’s failure. 
In our newsletter, brainlink’s the brainlink brainstorm, we talk about 2 very important things. The cover story is What’s the Difference Between Disaster Recovery Vs. Continuity and Why You Should Care. And page 3, we actually talk about something more important and that is are you doing reverse backups? I’m sorry. That’s going to be in the next issue. Are you doing reverse backups? What’s a reverse backup? You use the cloud, whether it’s Gmail for email, Google Docs for your documents, Salesforce for your sales management, Amazon for whatever, are you backing up your cloud vendors? Because every vendor contract I’ve ever read says their recovery is best efforts and if that’s not good enough for you, the most they will do is refund your monthly fees in that month. Your data loss is your problem, not theirs.
Dave: So you’re saying then that the reverse backup is an alternative to just having everything in the cloud? In other words, it’s a backup backup.
Raj: Well, the cloud is really not a backup. For a lot of people, the cloud is a primary store now. Five years ago, free cloud would tell people that if you’ve got stuff on your laptop, you need to back it up on an external drive or company’s server or something else. Back it up locally, back it up offsite, or back it up in the cloud. Now if all your photos are on flickr, if all your contacts are on LinkedIn or Gmail and that’s your primary storage. Or it’s iCloud on your iPhone, what are you going to do if your cloud vendor goes down? Google closes applications on a regular basis. If a product doesn’t work, they’ll shut us down. Lots of .com companies and cloud vendors have gone down. A good example: MySpace. Ten years ago, they were the king of the world. Where are they now? So if they go out, if they’re not out of business. If they were, how would you restore all of the contacts and the relationships? I live on LinkedIn. You and I communicate over LinkedIn a lot. I trust it to some extent. But if LinkedIn went down tomorrow, I’m not sure I have all my contacts and relationships saved somewhere. I have all my contacts, but the relationships? Who I know, who they know. That data is pretty hard to download and save. But if and when they make the feature available, you can bet I’ll be the first guy going, “Save me my social graph.”
Dave: Gotcha. And it really boils down to and you’ve talked a lot about this in the past in those hidden costs that a lot of businesses overlook. An accident may happen, your data may go down, it may get up and it may stumble getting up. But it’s that reputation that is probably more costly than maybe even the downtime sometimes.
Raj: Right. Things will happen. Email server will crash. Data will get corrupted. Your cloud vendor is going to have a problem. Your employee is going to say something stupid about a client in an open microphone. You’re going to lose your phone. You’re going to do something stupid today. I live in New York. It’s an axiom. If you live in New York, once in your life, you’re going to get mugged. Do you have a plan for it? If you drive, and I know you do, as a driver you know at least once in your life you’re going to be in a car accident. Whether you caused it or somebody else caused it, it’s going to happen. Do you have the proper tools for it? If you’re going to drive a car, you’re going to have car insurance. You should wear your seatbelt and have a car with airbags and anti-lock brakes. And not drive a 2-pound tinfoil car. If you’re in New York City, you’re going to get mugged. Plan on it. Have money to give to the muggers. Make sure you have backup of your IDs. You know, you get mugged and lose your jewelry, call the cops. You lose your driver’s license, you use your credit card, get a replacement pretty fast. So the big mindset that people may want to adopt is that these things are going to happen to them. Murphy loves everybody equally. Plan on him visiting you when you don’t want him to.
Dave: This is off of disaster recovery and reverse recovery but I wanted to touch a little bit about your book and how it’s going. I know we did have a show a little after you launched the book. What kind of feedback are you getting? Or are there some of the moments where you wish, “Oh, I wish I would’ve thought of that or I would’ve added that.” So kind of talk a little bit about what your book is and then maybe how it’s being received and the feedback that you’re getting.
Raj: Well, as you know, my book is called The Most Important Secrets to Getting Great Results from IT: Everything Your Computer Guy Never Told You, and it is available on Amazon. It’s doing very well, and the feedback I’m getting is, “When did you find time to write the book?” And that’s the biggest feedback I get because apparently writing a book is a big deal, and it is. Before I wrote mine, I had no idea what a daunting process it was. It is definitely a project, but the people who read it really go, “Wow, this is a good, quick read. It’s not a lot of heavy data.” It takes most people an hour, an hour and a half to read it. Some of them go back and pull out some chapters and quotes and go, “Oh, I’m going to talk to you more about that,” or, “I never thought of that.” It’s doing its job. It’s helping smart business owners and professionals think about their lives and their businesses in a more intelligent, helpful manner. Some people come back from reading the book and say, “Hey, I want to hire you for my company. I want to hire you for a seminar, webinar, something.” Others go, “Hey, thanks for recommending The Four-Hour Work Week. I just read it because you told me about it and this is fun. This is really helpful.” So people are getting great value out of it, which makes me happy. We are getting clients from it, which makes me equally happy. And there’s not a lot that I would’ve changed in the book. I am currently working on my second and my third books. The second one is all about HIPAA and PCI compliance. That is primarily for the healthcare sector. And the third one is going to be kind of our conversations. The state of the universe on cyber security, digital surveillance, cyber rights, what you and I as parents or grandparents and community stakeholders need to think about and what options we may want to take to leave a better future for the next generation.
Dave: No, go ahead. Finish off. I’m sorry.
Raj: One of the Middle Eastern governments just announced that they created the world’s largest biometric database of any country in history, and they’ve actually applied to the Guinness Book of World Records to get recognized as having the largest biometric database in the world. Every citizen, every tourist, every visitor, every prisoner, if you’re in airspace and you land in their country, you are fully biometrically tagged. And this is a Middle Eastern country, not a democracy, no real civil rights, and they’re bragging about building the world’s biometric database.
Dave: Wow. I’ve got to stop you on that one because the first thing going through my head is how they’re collecting it. Is that through GPS, geofencing, geotargeting? And how are they gathering that data?
Raj: That’s a whole large conversation, but they’ve done it similarly in India. They’ve launched a huge program to distribute 500 million biometric IDs to the poorest people in India to really eliminate or minimize the fraud that occurs in food distribution and social aid. So the goals of the programs are fantastic and noble. On the other hand, they have invested very little to almost nothing in security because their concern is we’re trying to get half a million people fed. We’re trying to save society, and security is not even a consideration. So today they might go fix the problem, but they are setting the seeds for destruction 20 years down the road for their kids. In this country…I don’t know which candidate they support, Obama or Romney, but they’re both emailing me every day with more and more targeted emails. You know, Obama is telling me every day how much I’ve donated to him. So does Romney. And if you use their cell phone apps, and both candidates have them…these apps are spying left and right. They’ll tell you who in your neighborhood belongs to what party affiliation. They’ll tell you if your neighbor is sitting on the fence and you may want to call to get them to vote for the candidate of your choice. They’re recording a lot of data about you. Wired put out an article just this week on the intense, insane amounts of detail both the campaigns are collecting and data mining in real-time to win this election.
Dave: Yeah, that is amazing technology, what’s going on there. I don’t think, and I’ve mentioned this before. Any app that you download that either is for fun, games, whatever, I don’t know if everybody reads the terms of service of what they’re capable of doing.
Raj: Nobody reads them. If you’re buying an app or getting an app from a company or commercial provider, that’s one thing. But now you’re getting applications delivered to you either by elected officials or people running for office. And you would think, “Obama is an elected official. I’ll be protected with Constitutional rights.” But I don’t know this, but I’m willing to bet that they’re willing to argue that it’s actually private data owned by private corporations and you don’t have the same rights you would from a government app. And they are collecting a lot of data that I don’t think they have the right to collect but they are collecting. But we have no rights on it. There’s a great story out of Canada about 2 weeks ago where last year, a lot of people signed a petition that supported gay marriage. What people didn’t realize and nobody thought about back then, including myself, is that everybody signed up for these emails or petition online. That list was not destroyed when the campaign was over. Just 2 weeks ago, one of the politicians was caught using that list of people who supported gay marriage in Canada to email people to support him because he’s running for reelection. And on the one hand, this is abuse of government collected data. On the other hand, nothing in the terms of service on the petition said that we can’t use this data for future politicians.
Dave: Right. Yeah, it amazes me what the capabilities are when you accept an app. The fact that they can turn your phone on without your knowledge and listen to a conversation. They can take pictures without you even being aware of it. The fact that we keep our phones within 3 feet of us, that’s kind of frightening when you think about it.
Raj: It is. And with that, my friend, I’m going to put you on pause. We’re going to start the webinar on HIPAA compliance with the folks in Missouri, Joplin, and Jackson. So I’m going to get them on the video call. Hang on a sec.
Dave: All right. While Raj is doing that, for anyone who has come in a little after the beginning of the show, we’re going live to listen to Raj talk to Joplin, Missouri and Jackson, Missouri on some HIPAA regulations. Are you connected, Raj? Maybe we’ve lost Raj. And we have. So in the meantime, we’ll just hold still and see if Raj can get back on, and we’ll go forward from there. The last thing we were talking about in regards to the terms of service and downloading apps on your mobile phones. It’s really something that has been a concern of mine for a little while now. When you agree to use that third party’s app or not, you really ought to take a good, close look at what you’re agreeing to because like I said earlier, the fact that you have…. let me just cut back in. Raj? I thought we had Raj.
Raj: Hang on a second. Hey, Dave, can you hear me? Okay, I’m going to put you on speaker on mute. So, Joplin, Jackson, and Dave in Utah, welcome to the first national HIPAA seminar. We’ve got you folks live in Jackson and Joplin, and we’ve got Dave on his radio show out of Utah.
Dave: Love this technology. We’ll be right back. Don’t go away.
Raj: So if you don’t mind, folks, I’m actually going to hold this to my ear.
Dave: Are we there, Raj? Because we can’t hear you.
Raj: Can you hear me?
Dave: I hear you. Have you started your show?
Raj: Yes, the seminar is on so we’re going to talk about HIPAA, PCI, Red Flag. What are they? Some case studies and some guidelines. For the folks on the radio show, the links to the PDFs are on our website, brainlink.com, and Dave can put them up on your radio show whenever you like. So what’s HIPAA? We all know what HIPAA is. It’s wrapped in 1996 and came in 3 parts: the privacy regulations, transaction code sets, and security. And the real goal of HIPAA has always been to reduce the cost of healthcare, not by taking money out of the hands of doctors and nurses but actually by cutting out the biggest source of waste in healthcare, which is processing paper. 82% of all healthcare spending in the country, healthcare is about 3 trillion dollars each year, of which 2.2 trillion dollars is waste just getting paid. Those of you who work in a medical office, you know how much it is to get paper from insurance companies. Raise your hand if you enjoy insurance companies and getting paid. Raise your hand if Medicare makes your day. Raise your hand if patients, when it comes to getting paid, make your life easier. Let the record show that nobody is volunteering to admit that getting paid is so much fun in healthcare. It’s not fun, and every insurance company out there from Medicare, Medicaid to the private actors wants to minimize the payments that you get as a doctor or practitioner. Every patient wants to know how to reduce my copays, how do I get it for free. Insurance companies have no desire to pay you what you’re worth because that’s money that’s coming out of their pockets. And the cost of going back and forth on average, a single service transaction, a single service in your office or hospital can take 10 to 30 steps before you get paid.
That’s a lot of overhead, and HIPAA’s primary goal is to eliminate as much paper as possible to cut down the steps as fast as possible so that doctors and nurses in hospitals get paid, patients get great healthcare, and insurance companies make a profit so they do it intelligently, by giving them healthcare and actually pushing paper back and forth. How many of you knew that the real goal of HIPAA was reducing administrative costs and paper? Most people don’t know that. They think it’s another regulation by the feds.
Raj: Okay. So we talk about penalties about HIPAA. Every law out there: HIPAA, PCI, Red Flag, every law has what the rules are and what it’s going to cost when you don’t comply. We all know that with HIPAA penalties, it’s $10,000 to $25,000 per person per year per violation. The law breaks up the penalties into 3 segments: penalties for accidental misuse all the way up to knowing misuse and misusing medical data criminally. The one thing that they always leave out of the regulations and the laws is the cost of bad publicity. Slide 6. So what is High Tech? High Tech is HIPAA 2.0. From 2001 to 2006, the feds were really not enforcing HIPAA. They were trying to get their heads wrapped around what is this new beast? What is this new giant elephant? 2006 through 2010 they really started enforcing it vigorously against large institutions: hospitals, insurance companies, research hospitals, healthcare plans. And they learned a lot. The feds got a lot of feedback from small providers, large providers, consultants on what’s working and what’s not. High Tech closed a lot of loopholes. And HIPAA gives you a carrot and a stick. The carrot is: if you deploy electronic health records, you charge correctly, and you qualify for funds, you can get back $44,000 over the next 5 years from the feds. That’s the carrot. What’s the stick? If you don’t comply correctly, you could face penalties if you’re violating HIPAA. The penalties are increased significantly. Slide 7. One of the things they’ve done is they’ve increased penalties across the board for accidental misuse up to criminal misuse. Second and more important, if you lose more than 500 records in your medial practice, you are now required by law to tell the office of rights in DC your name, your organization, what the problem was, and how many records you have lost so you can be listed on what’s known as the HIPAA Wall of Shame. And you’ll be on this website for at least 5 years once you’ve posted. 
If you have a breach, not posting it is a double violation. So this is the first time we have name and shame as a part of federal law, so that publicity now is a part of the law. Secondly, what HITECH did is they recognized a big flaw in HIPAA. With 40, 50 people in DC, there's no way in the world they can enforce HIPAA across the country. So what HITECH did is they went to the attorney generals and said, "Attorney generals, you're all bigger than DC, than the office for HIPAA compliance. If you guys prosecute HIPAA violations, we'll split the penalties with you." HITECH overnight increased their HIPAA enforcement taskforce from 40 people to about 5,000. So now it's your local attorney general you have to worry about because they're looking for money and they're closer to you than DC is. Slide 8. [Audio is garbled here at 39:08] has been the biggest champion of consumer privacy in America. They have prosecuted more companies that are violating your privacy and mine than anyone else combined. And for the last decade, they've been working on healthcare data on a lot of third party companies, from Google Health to MSN Health to a bunch of third parties. They started getting together to create websites encouraging patients to go post their healthcare data online. As a provider, you can't post the data anywhere. You post it, you're in a HIPAA violation. As your consultant, John and I can't post your patient data anywhere. We risk ruining the HIPAA, HITECH, and business agreements. But as patients, you can put your data on your blog and it's perfectly fine. So a lot of companies tried to step into the breach and tried to make an end run around HIPAA by encouraging consumers and patients to violate their own privacy rights and post their data on third party websites. FPC said, "That's not going to be allowed." One of the things that HITECH did was really shut down a lot of the third party health portals.
It also, in the law, gives you case-by-case examples of how to do proper compliance. Let's go to slide 9. The biggest complaint or question I had about HIPAA from a lot of clients, attorneys, and doctors is that, "If I have a laptop and it gets stolen and it's fully encrypted and we get it back an hour later, is that still a violation?" Before HITECH, the answer was maybe. Post-HITECH, we have a very clear definition. If the laptop was stolen and it's properly encrypted and you could prove to the attorney general in a court of law that you have proper encryption, strong passwords, and data was not decrypted, you do not have a HIPAA HITECH violation. If on the other hand, and the law says this, you have a laptop or cellphone that is stolen and you get it back, if you cannot proactively prove, forensically prove that the data was not compromised, the assumption from the feds and attorney generals will be that you had a HIPAA HITECH violation, you lost protected health information. Let's go to slide 11. So what are protected health records? That's almost every piece of data you have on patients past, present, and future. Slide 12. This is one of the biggest changes that HITECH has come out with. One argument I used to have with attorneys is that a piece of paper with your name, address, and phone number on it is considered PHI. Pre-HITECH, that was not considered PHI. Post-HITECH, here's what the law says: personal health records are any identifying information that is past, present, or future for the provision of healthcare for an individual. This literally means if you have your patients' names, phone numbers, any data on a blank sheet of paper, that's PHI.
If you have a list of prospective clients that you're going to be marketing to or doing fundraising with on a blank sheet of paper, that is also PHI because the assumption is that if that document came out of your facility, out of your practice or your hospital, then we can infer and we can assume that these are past patients, current patients, or potential future patients. So now the telephone book excuse or exemption is not valid. Do not let attorneys, consultants, other people try to be clever with the law. Follow the spirit, not just the letter. I've seen some of the case studies. People have obeyed the letter but not the spirit and have gotten nailed. Let's go to slide 13. This reiterates that if you have a record of somebody in your database, whether it's your Outlook, your phonebook, whatever else, that is considered having a relationship with a covered entity. Let's go to slide 14. How many of you accept credit cards in your practice? Cool. Congratulations. You're subject to PCI. What is PCI? It's a private rule. It's not a law. But a rule you signed or your practice signed with the banks to allow you to accept credit cards. PCI and HIPAA go very well hand-in-hand. What PCI says is you have to protect cardholder information. What's that? Name, credit card number, expiration date, security code, address. You've got to protect it. They call it cardholder data. If you replace credit card number with medical record number, date of birth, healthcare metrics, it's PHI. And under HIPAA, a credit card number is also considered PHI. So if you accept credit cards, following PCI compliance is not only a good idea, it's also the law. Slide 15. Again, like HIPAA, PCI has its own penalties from $50,000 first offense all the way up to lifetime revocation of credit card acceptance globally. So there's the slap on the wrist, the kick in the back, and there's a permanent 'we will not let you do business with us for life.' Slide 16. Red Flag.
Again, I don't plan to read my slides word for word. I figure you are smart enough to read the slides on your own. I'm going to give you the metadata around why it is important. What's Red Flag? For those of you in healthcare, rejoice. Red Flag is HIPAA for all your vendors. Your attorney, IT guy, florist, baker, butcher. As a consultant, I like Red Flag. It makes more business for me as a business owner. I hate it because now I need to put in practice for my business what I've been telling you guys to do for the last 15 years. And Red Flag literally is any information that your business or my business collects on our customers. If a third party acquired it, it could lead to ID theft or loss of data. And just as with HIPAA, you have to protect information. Red Flag says you have to protect any information that could lead to ID theft. Can you hear me?
Speaker: [Something at 46:20]
Raj: I’ll try to get John back on. Let’s try that again. Ain’t technology wonderful?
Dave: It’s the best.
Raj: Robin, you should [something at 47:15]. Some people pay extra for that. In fact, you might want to ask your audience what’s better: seeing me or not seeing me? If they want to see me, charge them double. John, are you back?
John: [Something at 47:30].
Raj: All right. So why should you care about all of this? Let's go to slide 18. Historically, every client I've ever had has asked the same question, "So what if I lose data? What's it going to cost me?" Well in 2005, the institute went up to 14 of the largest companies in America who had lost 100,000 records or more and said, "Are you guys willing to participate in a study with us?" They wanted to know the cost they had of losing records. If you lost 100,000 records or more, it'd cost you $1500 in direct costs. Consultants, lawyers, printing, and so on. $1400 in indirect costs. Initial consultants, more printing, more lawyers, dealing with regulators. And most important, 58% of your losses was lost customer costs. For those of you sitting in the audience listening on the radio, do you know how much your average customer is worth to you? What's the lifetime value for each of your customers? Have you quantified that? What would it cost you if you lost a customer? How many of you know that? My recommendation to you is do your homework. Pick 2 or 3 of your patients tonight or your clients tonight, pick them at random, and calculate what their annual worth to you is. What's their 5 year and lifetime worth to you as a practice? Or as a business? If a customer is paying you $1000 a year, over 10 years they're worth about $10,000. How do you quantify what your patients are worth to you? And what would it cost if you lost them? Let's go to slide 19. So 2005 through 2010, they went every year and they went to the same companies and new companies and said, "What's it cost you to lose the data?" Here's what they found: 2005 through 2010, direct costs stayed the same. Indirect costs stayed the same. We know that. Your salary didn't go up. My salary didn't go up. Well, not much. The lost customer cost, on the other hand, more than doubled. So if you lost records in 2010, on average it cost $214 to lose each customer.
And they dug further into the data and what they discovered is that through healthcare, your average is $282 per record lost. Why is healthcare a sticky business? It's higher dollar amounts, more stickiness, and when healthcare lost data, they have the highest [something at 50:12] rate. If Kmart loses my records, I'll go to Wal-Mart. If my doctor loses my data, I'm not going back to that doctor ever again. If you look in the bullet points down below, healthcare on average lost 6.5% of patients. That's a 7% churn rate. Think of the impact on you today if those customers never came back to you tomorrow. I see some of you shaking your heads. This is why compliance matters. Okay, slide 20. Help, I'm panicky and aggravated. Is that your definition of HIPAA? Come on. Be honest. It's mine. Okay, I have a lot of case studies for you. I'm not going to go through all of them, but I'll go through the most important one that you should care about. As I said earlier, 2001 through 2006, the feds were not really enforcing HIPAA. 2006 through 2011, they went after the big boys and big girls. In 2012, they nailed a 2-physician cardiology practice out of Arizona. This is the poster child for small practice HIPAA compliance. For the last couple of years, they had been using Google Calendar, Gmail, Yahoo!, all the free web stuff to manage their practice. This went a couple of years getting investigated, which cost them a fortune. And this year they finally settled, and they have to pay $100,000 cash and implement the correct adaption point. How many of your practices have about half a million dollars cash sitting around doing nothing that you'd love to spend on consultants and lawyers and feds? Please raise your hand so I can email you tomorrow. Robin, John, please take notes. These are people who should be on the hotlist for tomorrow.
Speaker: [Something at 52:10]
Raj: Exactly. So if you don’t have a half a million dollars lying around doing nothing, start taking HIPAA seriously. This year, they’re gunning after small providers. Most of the big providers are fairly safe and secure. We know that the big strong now lies in practices just like yours.
Speaker: [Something at 52:35]
Raj: They did that back in 2009 to deal with the larger providers. So let's go to slide 24. This is the second poster child this year. So [Freedom Health] is one of the biggest medical billing companies in America. They screwed up in Minnesota big time. They had 4 of the biggest hospitals as their clients, and they decided to mix all the patient data together for marketing purposes. That's a violation of the BAA. That's a violation of HIPAA HITECH. Here's the punch line: the Minnesota attorney general said to these guys, "Hey, you violated HIPAA. Get out of my state." For the next 2 years, they cannot do any business in the state of Minnesota. "B: give me 2.5 million dollars cash. C: at the end of 2 years, you have to ask my permission or get special permission to do business in this state." And the result is 2.5 million dollars in fines, they lost their 4 biggest customers in Minnesota, a lot of customers in other states, and according to their own guidance, this 2-year ban out of Minnesota is going to cost them 23 to 25 million dollars in lost revenues. So now you have proof that every penalty dollar is $9 to $10 in lost revenues. So Phoenix Cardiology Group paid $100,000 in penalties. Their lifetime losses could easily be half a million to 2 million dollars because they're a small provider with more to lose. Now, slides 25 onwards are case studies just from this year of various areas where small practices tried to follow the letter but not the spirit of the law and got nailed. I'm not going to read them for you one by one, but I will give you one good one. Page 33. So the last couple of years, there have been a couple of startups coming to our providers, doctors, and lawyers and saying, "Hey, you're subject to HIPAA. You can't talk about your patients in public. You should encourage your patients to sign a contract with you saying they can't give you a bad review on Yelp or epinion or so on." And a lot of doctors and lawyers don't have this. The feds said nothing doing.
You cannot put your patients under a gag rule. You as a covered entity cannot talk about your patients in public. If they want to post an opinion, positive or negative, online, you can't bind them to a contract. That is a clear-cut HIPAA HITECH violation. Let's go to slide 35. IBM is one of the largest companies in the world, one of the smartest. And when their new CEO came in she said, "Let's do security practices." IBM owns more security technology than everybody else in the world combined. They're the oldest, smartest technology company out there. They advise governments. And they literally said, "We cannot secure Dropbox, Siri, or iCloud." They have banned Dropbox, iCloud, and Siri, the voice on your iPhone or iPad, from their entire business globally. So the next time your doctor wants to dictate to Siri, you might want to show them this slide. What IBM literally said is, "Every time we talk to Siri, your voice gets recorded and stored." We have no idea what Apple's controls are. We don't trust their security, ergo using Siri is a violation of existing security and privacy rules. So you might want to be careful about using things like Gmail, Hotmail, Dropbox. One of my favorite stories out of healthcare is back in the early 90's, a lot of cardiology
. They lost those battles. The anesthesiologists did something intelligent. Once they lost the battle to reform, they said, "Why is it becoming unprofitable for us to put people under anesthesia?" They realized that in 1990, 1 out of 5,000 people they were putting under on the operating table were dying as a result of anesthesiologists' mistakes. They reformed the training processes, the procedures, and in less than 10 years, the death rate went from 1 in 5,000 to 1 in 300,000 patients. As a human being, which group would you want to be in? 1 in 5 or 1 in 300? I'd pick B every time. And in dollars and cents, their fees dropped 46%. Their malpractice claims dropped. These are actual, verifiable numbers. Complying with HIPAA, HITECH, etc. and doing it correctly saves you money, saves you grief, keeps you out of the gun sights. Summary: laws aren't static. They change all the time. HIPAA came out, revisions came out, HITECH came out, Red Flag. Laws are not static. They change data. You have to pay attention to that or John, Robin, or someone like myself should advise you on it with your attorney. Secondly, court cases really determine how laws are really enforced. Thirdly, generals are expanding the compliance landscape. Every business, every entity is now being regulated by 57 different state and federal privacy and security laws. Encrypt, encrypt, encrypt. Encrypt your laptops, your desktops, your emails. Encryption isn't like what it was 10 years ago. It's a lot easier these days. I have an iPad 3. It took me about 3 minutes to configure. If you steal my iPad, you get 10 tries to try my password. After the 10th try, it wipes itself clean. You get the iPad, congratulations you have a new toy. You don't need my data. Hardware is cheap, software is expensive, data is priceless. Safeguard your data. Treat hardware as disposable commodities, which is what they are. And lastly, upon having a breach, train your staff on it.
It’s not a matter of if you’re going to have a breach. It’s a matter of when. That’s it. Go to the last slide. You’ve got my contact info. I’m open for questions. Yes, Robin?
Robin: [Audio is too garbled here at 59:40]
Dave: Well, folks, it seems we may have lost Raj. He concluded his live seminar with Joplin, Missouri as well as Jackson, Missouri. We'll wait a few seconds to see if he reconnects, but if not, I want to say thanks to Raj for including us in this very unique broadcast. We've never done that before. It'll be interesting to hear the feedback. Unfortunately, as listeners, you didn't get to see the slides. But maybe we can figure something out on how to do that. Anyway, I'm holding on to see whether or not Raj will come back online. If not, we'll just call it a day. So don't go away. Give it a few minutes, and we'll see what happens. Okay, that's another nice thing about Skype. You can be in direct communication with your guest online. I'd sing you a song but I'd lose every listener the Cyberhood Watch ever had. So I'm going to assume that Raj is in the middle of answering questions live and may not be aware that he's lost connection with the Cyberhood Watch radio. So again, I'd like to thank Raj for being our guest today. And thank you to all my listeners for tuning in and for all those who will download this later. You can go to blogtalkradio.com/cyberhoodwatch and you can get all the recordings there. Then we'll see what happens from there. Okay, thanks everybody. I'm going to sign off because I don't think Raj is going to be coming back. Thanks. Have a great day.