Dan Sosnoski: Welcome to “The Future Adjustment,” Chiropractic Economics’ podcast series on what’s new and notable in the world of chiropractic. I am Dan Sosnoski, the editor-in-chief of “Chiropractic Economics,” and our guest today is Ty Talcott, DC. He is the president of HIPAA Compliance Services, and he’s a certified HIPAA privacy and security expert. He’s consulted with thousands of health care practices on business development and protection strategies. And Dr. Ty is here today to talk to us about some of the threats and risks facing today’s health care practices and how you might go about mitigating them and remaining compliant with regulations. Dr. Ty, welcome to our show.
Dr. Ty Talcott: Thank you so much.
Dan Sosnoski: All right. Well, just to kind of get going here, in your experience, what are some of the major threats facing practices from a security standpoint? Is the risk mainly digital?
Dr. Ty Talcott: Well, that is kind of a yes and no answer. The most serious thing is digital, because that would be your ransomware attacks that completely shut down your business, hacking attacks that steal your data from your electronic devices. But, realistically, actually I just returned from the Washington, D.C. Cyber Security Conference, boy, there’s a snoozer, two days with those folks. But, anyway, I learned a lot of information, and as of now 39% of the risk that you run is still direct theft, people stealing your laptop computer out of Starbucks when you set it on the table and go to the bathroom, people breaking into offices and physically stealing. And only about 17% of attacks that are happening are hacks, you know, electronically coming into your electronic digital devices. But the point there is that just a couple of years ago it was only 2%. So that’s the growth industry, the cyber-attacks, the electronic hacking into digital items, the ransomware attacks.
These are the things that are just raising…causing havoc in chiropractic offices and of course nationwide in all types of businesses, and that’s the growth industry. If you want to look at what’s the growth industry in attacking data, that’s it. That’s it.
Dan Sosnoski: I’ve read in some of the security literature that medical records tend to be among the most valuable on the black market. Is that correct?
Dr. Ty Talcott: That’s correct. You can get about $5 per name on the black market for identity theft type information, name, social security number, etc. You can get almost $500 per file for a full health care file because of all the information and data that it contains and the information we gain from our patients. What we gather and collect, it is just…it’s so massive that it’s worth a lot more on the market. And you know what they do with this information? The reason these people keep stealing it and they get all this money, they do identity theft, they make insurance cards and ship them overseas. People buy these insurance cards and come get care on your group policy.
And you don’t know that they are getting care on it until you get the EOBs that come in. “I’ve never been to this doctor.” By then they are back out of the country. The other thing they do is they take all your patients’ information and they file their tax returns. And if they have a refund coming, they collect those tax refunds.
Dan Sosnoski: Yes.
Dr. Ty Talcott: And that’s where they make their big money on this stuff. And that’s why this stuff is so valuable and sometimes people go, “You know, why do they care about my stuff? I am not sure they are really so interested in my data. I don’t know that I’m at risk.” No, they want your data because they can make lots of money on your data.
Dan Sosnoski: That’s the point I really wanted to make very clear to our listeners today, that if you’re running a medical practice, you are the whale in the water. You are the target that they are coming for, so that’s why you want to be really careful. Hey, Dr. Ty, you mentioned a term just a little while ago, you mentioned ransomware. That is a particularly nasty kind of attack. There was a hospital that got hit in California. They had to pay the cyber criminals something on the order of $17,000 in bitcoin to get their data back. How can a doctor defend against this if even a large hospital couldn’t?
Dr. Ty Talcott: Well, the reason…I mean, it’s actually harder for hospitals. They’ve got hundreds of staff, people running around that can get in that data, share that data, share their passwords with other people, who then get in and you don’t know who was in there and who wasn’t. They have way more devices than the typical office that they have to protect and keep everything updated, the patches and the firewalls, and all the things that they have to do. And they have more exposure because they have more data transferring back and forth and going everywhere. It’s actually easier for a typical doctor’s office to protect that than it is for a hospital to protect it. It’s a massive thing. I mean, I have a video interviewing a woman who…a small chiropractic practice in the Pennsylvania mountains, who was hit by ransomware.
A screen pops up on your computer and says, “We have your data. You’ve got five hours to pay us $5,000. If you don’t, you’ve got five more hours to pay us $25,000. If you don’t, we’re going to sell or, you know, expose your data on the Dark Web. We’re going to weaponize and destroy your computer. You will never get your data back again.” They even have worms that can go backwards into your backup data so your data is completely gone. You’re shut. Now, that is also a HIPAA violation so you have to report it to HIPAA. Now you get fined by HIPAA, probably a minimum of a $50,000 fine for what’s called willful neglect. And then you have to turn around and monitor the credit of every patient who was exposed for a period of at least one year, about $10 per patient per month, and so the chiropractor that got hit in Kentucky had 5,000 patients or $50,000 a month.
That can be a practice shutting issue. This is a huge, huge problem, and what you have to do in an office to protect against ransomware, is you have to have an entire HIPAA program in place. By putting in a HIPAA program, getting it in place and then following your own policies and procedures under that program, it’s a de facto thing. You can’t be hit by ransomware, you are protected. That is why if you get hit by ransomware, it is automatically a HIPAA fine. So the solution is to get a HIPAA program put in place, make sure all of the factors of the HIPAA program are covered and implemented and then you both guard against ransomware. You also guard against those fines if you were to be struck.
So it’s a…this particular woman actually shared information, which you can’t get people to do, because under federal investigation it could affect your license, your PPO contracts, all this different stuff. And the world changed last year on May 20th. The WannaCry virus hit 115 countries at once, and this ransomware disproportionately hit health care. Health care was at the top of the list of what got hit, and so the world changed. The Industrial Revolution, the invention of electricity, the invention of the Internet, these are all world-changing effects. Well, now there is one that goes with it called cyber attacks. And it is a world-changing event, so you’ve got to change or you’re going to get left behind or swallowed up by the world.
Dan Sosnoski: Right.
Dr. Ty Talcott: It’s a major change.
Dan Sosnoski: And a little bit earlier you’d mentioned that even though that is a significant risk, and we can all see that it is, that just direct human theft can still be a problem, and another risk to a practice just involves the staff members, the people who are working for you. They can be vulnerable to what’s called a human engineering attack. Are you familiar with that? Can you tell us a little about how a practice can avoid that kind of problem?
Dr. Ty Talcott: Well, in fact, under the laws of HIPAA, you have to do at least an annual training. You have to document who was at that training. Not just that, you have to document the topics you covered, because if you get hit in a certain way with an attack and you can’t prove to the government when they investigate that you trained your people how to not do or do the things they are supposed to do, then you have full liability. They will give you no slack at all.
Dan Sosnoski: That’s right.
Dr. Ty Talcott: That’s why you’re required to issue periodic security reminders to your work force that have to do with things that are in the current news of potential attacks, and if you don’t do that, you have to do that at least on a monthly basis. That was the opinion of the cyber security symposium: the law says you have to issue “periodic” reminders. Nobody knew what that meant. They came out and said that they felt that the typical physician’s office had to be issuing these once a month to their people and documenting that they received the information, that they agreed to read, understand and abide by the information. It goes on and on. And this is to prevent things such as having your staff untrained so that they open emails that are inappropriate, where people were doing phishing attacks trying to get into your computer, into your data.
Dan Sosnoski: Right.
Dr. Ty Talcott: Telling people information over the phone that’s inappropriate. Doing workarounds where your staff might go, “Well, we’ve got this anti-virus or this block or this firewall, but we shut that down because it slows things down and we have to get work done,” or whatever, and they work around these things that have been put in place. They share passwords. This is a big problem. Sometimes they use bootleg software. They don’t have new software that has the automatic updates, so it is not updated. They click on the wrong pop-up, you know, it comes up on the computer. There’s just all kinds of things that can happen where outside individuals design these attacks to come into your computer and disguise themselves as email addresses of people you know.
And so you click on it because you’re confident. Don’t click on one unless you’re expecting an email from someone. I mean, not just that you know them, and, “Oh, that’s their address,” but you’re actually expecting them to email you something. Because they’ve gotten so good now, they can make it look like it came exactly from the person that you know. And the person you know doesn’t even know it’s happened. It gets crazy, but they’re very good at what they do.
Dan Sosnoski: Right. That technique is what they call “address spoofing.” And it can be very pernicious because we get those attacks periodically here at Chiropractic Economics. I don’t know why but people sometimes just try to sneak into our system that way. And so everybody gets periodic reminders to not click on emails that are unexpected, exactly as you say. The other common weak link can just be a direct phone call. Someone calls up your CA and says “Hi, this is Scott with your software vendor. And we need to check something on your system. What’s your password?” And if your staff are not trained, they might fall for that and just give the attacker the log-in credentials right over the phone.
Dr. Ty Talcott: Absolutely. It happens all the time.
Dan Sosnoski: Happens all the time. So, Dr. Ty, one of your areas of particular expertise is HIPAA compliance. Could you just give us like just a brief topline overview of what HIPAA wants to see in a security and privacy program?
Dr. Ty Talcott: They want to see that you have a compliance officer that has a job description and knows all of the different types of notifications that are required to be issued to your patients. They want to know that you have a notice of patient privacy policy that is updated from 2013 Omnibus Rules, and that you’re issuing a copy of that to every new patient, that you’re getting a signed authorization from the patient that they received it, and that you have those copies available in the office. They’re looking to have an accounting log that shows everywhere that you send anyone’s private information out of your office. They’re looking for your business associate contracts to be in place. You’re required to have a contract with anyone who stores, transmits, or you’ve given access to your data. You have to have an actual contract, an agreement in place with them. It was created in the Omnibus Rules of 2013.
They’re looking for your staff training in-services, what you train on, the fact that they’ve agreed to abide by it. They’re looking for a physical plant audit done at least once a year where you’ve looked to see if your computer screens are visible and all that. Most importantly, they are looking for a complete and total risk analysis, which is really a set of risk analyses, because it is a risk analysis done of each of your electronic devices, and you put all those risk analyses together into one giant risk analysis. They’re looking for what are called periodic ISARs. That stands for Information System Activity Review. This is where you’re checking audit logs on your computer to see who accessed the data when, and did they actually delete, alter, or simply observe data, and who were they, when were they there and what were they doing.
You’re required to do a once a year A to Z HIPAA program audit and evaluation. You’re required to have what typically becomes over 100 pages of just policies; just to cover the required policies in a chiropractic office typically takes around 100 pages. It has to be customized to your office. This is why you can’t buy a book from somebody that says, “This is a HIPAA compliance manual with 500 pages in it,” five years ago, and set it on a shelf to collect dust. You actually made the government’s case if they walk in the door and say, “What’s going on with your HIPAA program? You’ve had a breach. We’re investigating,” and you point to some book on a shelf.
A lot of the time they blow the dust off of that book, you’re toast, because it has to be active, dynamic and it has to be customized to your office, and you made their case for willful neglect. And that’s a minimum of $50,000 fine, willful neglect, up to $1.5 million. You’re required to have an equipment maintenance log on every electronic device, who worked on it, what they did. You’re supposed to have…of course, you have to have model releases in place for testimonial use, and there are about a dozen audits, evaluations, re-audits, re-evaluations, or analysis audits that you have to do on an annual or more frequent basis, or your program is not current.
And if you have a program, but your program is not current, you’ve just made their case as well. Because putting the program in place means you knew it had to be kept up, and if you didn’t keep it up and that caused a breach, because it wasn’t current, then they are going to nail you to the wall on that as well. And there’s your 100,000-foot overview in two minutes.
Dan Sosnoski: Right, and, of course, you know, disaster can strike but at least if you do wind up getting audited after a problem and you’ve got a well-documented, well-implemented HIPAA compliance program, that tells the auditors that you made every good faith effort to make your practice as hardened as possible. And that goes a long way.
Dr. Ty Talcott: It’s interesting that you said the words “some type of a disaster,” because one of the things I didn’t mention, you’re also supposed to have a required contingency plan that consists of two parts, a data recovery plan and an emergency mode operation plan for how you operate and protect information during the disaster, like a tornado or whatever. What you said is absolutely correct, and it’s absolutely critical. And that is one of the things that came up at the Cyber Security Symposium this year that I’ve never heard them say in the seven years that I’ve been attending the Cyber Security and HIPAA programs in Washington, D.C. to stay on top of this stuff. They’ve finally said, and some of this is because of Trump and he doesn’t like regulation, but he knows this has to be regulated because we have to stop the ransomware attacks.
But what he did sort of put in place and what’s out there now, they stated that if you can show that you have documented…this doesn’t mean that you just, “Oh, yeah, we do that,” and somebody says, “We do that in the office.” No. You documented a good faith effort to cover every one of those regulations that I’ve talked about. In other words, 100 pages of policies, that is what it takes to make sure you’ve covered every one of those regulations with a good faith effort. They say that they are now, for the first time in seven years that I’ve been doing this, they say they are more inclined to assist you if you have a problem if you can document that you’ve done good faith in all areas.
However, and that’s the first encouraging thing I’ve ever heard, however, there is a however: if you have failed to document even one area of requirement, then there’s no mercy.
Dan Sosnoski: Well, that’s the name of the game, and it’s important for all health care providers of all stripes to be very careful with security, with protected health information, and, you know, experts like yourself, Dr. Ty, are doing a very valuable service in trying to make sure that nobody goes unaware of the challenges, and nobody lacks the tools they need to get compliant. Well, that’ll be a wrap for our talk today. I want to thank you so much for spending some time with us, Dr. Ty. This has been extremely informative, and you’ve given us a bulletproof look at The Future Adjustment. I’m Dan Sosnoski, and we’ll see you next time. Thank you, Dr. Ty. That was excellent.
Dr. Ty Talcott: Thank you so much. I appreciate it.