In this episode, we are joined by Scott Giordano, Senior Counsel for Privacy and Compliance at Spirion, to discuss the intrinsic ricks and compliance concerns with remote hospital finance workforces.
Highlights of this episode include:
- What some of the biggest compliance challenges that face today’s remote workforce.
- What risks are associated with protecting patient data from a remote workspace?
- What hospital finance teams can do to get ahead of the curve of privacy compliance standards.
- How hospital finance teams can protect themselves from cyberattacks and data breaches
- And more…
Mike Passanante: Hi, this is Mike Passanante and welcome back to the award-winning Hospital Finance Podcast®. As hospital financial teams shift towards remote work, this new reality is accompanied by many intrinsic risks and compliance concerns. To provide some insight around these risks and what you can do to protect your hospital, I’m joined by Scott Giordano, Senior Counsel for Privacy and Compliance at Spirion. Scott is an attorney with more than 20 years of legal technology and risk management consulting experience. Scott, welcome to the show.
Scott Giordano: Thanks for having me on.
Mike: So as we were chatting before the podcast, this is certainly a hot topic. I think one that will be very much of interest to all of us listening, so we’re going to be hanging on your every word. But let me start out by asking you this: so as financial teams do make that transition to remote work, what have been some of the biggest compliance challenges you’ve seen so far?
Scott: Well, it’s funny, you would think that it might be a technology-related challenge, but it’s a person related-challenge. And that is that there’s been a somewhat of a cavalier attitude towards privacy. And I’ll give you a really crisp example is I’ve been on so many meetings, Zoom meetings, Teams, or maybe even Slack, any kind of meeting where they’re being automatically recorded. And the problem with that is that I mean, beyond just an issue of common courtesy, is this idea that, okay, now that’s being recorded. Where is that information stored? Well, who has access to it? Where are the backups? How long is going to be kept? And what happens if you lose control of it? Because remember, if you lose control of that kind of information, and it contains a trade secret or attorney-client privileged information, for example, those privileges are gone, the trade secret’s gone. And that’s it. You can’t get it back. You can’t unring the bell. So this somewhat cavalier attitude towards privacy has really been the biggest surprise to me since we transitioned all to a home environment network. And for me, it’s very troubling.
Mike: So there are some, one could say bizarre, risks for employees as they try to effectively protect patient data while working from home. Can you share any examples of that?
Scott: Yes. Number one on my list is the whole issue with smart devices, smart TV, smart speakers, smart everything. And the problem is with these things is that they’re constantly listening to you. And then the question is, great, where is that information recorded? Where is it backed up? Who has access to it? What are they doing with it? I know that sometimes the vendors of these things will say, “Oh well, we only record when you tell us to record,” or what have you. But the problem is, how do you know that? And you’re back at the same problem I mentioned earlier, is that if you have something that is attorney-client privileged, for example, or a trade secret or it’s confidential communication or perhaps embargoed because of trade compliance issues, now that information is out. And you can’t unring the bell. It’s a big problem. And it’s funny because you can’t get anyone to really give you a straight answer. I’ve dug into this and it’s really tough to get an idea. Are they recording you constantly or is it just at certain times? And should they be? So just as a practical matter, really getting rid of smart devices in your home environment, at least as far as their intersection with your work, it really should be top of the list.
Mike: Yeah. And that sort of bridges into my next question here because the Internet of Things has created more than a few counterintuitive compliance breaches, as you’ve alluded to for these remote teams. Are there any additional tips you can share for managers who want to understand the full lay of this new land?
Scott: Well, here’s the problem with IoT, Internet of Things, is that– and, in fact, this is going to be the biggest problem we have in the near-term maybe even the mid-term. And there’s two reasons for this. One is that IoT devices resist being secured, just by their nature. They’re functional, they’re not the kind of things that we take for granted every day like a regular computer or tablet or what have you. They tend to resist being secured and they’re ubiquitous. And it just seems like everything is talking to the internet right now, which is great if you want that information and you want to take advantage of it. Problem is that the security part has not been thought through. And so now it raises the question. All that information that’s on these devices, where is it going? And what happens if you lose control over it? And this is something– it’s a real issue. With Zoom, I’ll give you a great example. The Zoom lawsuits that are going on right now. Many people have discovered zoom by accident. They went to the home environment, they started using it because it was easy. And the problem is that there are thousands of Zoom calls that are out there on the dark web that anyone could access. Presumably, if you knew how to get to the dark web, you could go and find these things. And that’s a big problem. And that was alleged in the lawsuit. And it’s a big issue because once that information is out there, again as my theme for our discussion here, is once it’s out there, you’re not getting it back. And this is the kind of thing that– it’s a real issue, it’s not theoretical. And this is just Zoom. Think about all the other manufacturers of IoT. Where is that information? And is it out there in the dark web as well? So it’s a very real issue, and we don’t have a good way of solving it at this point.
Mike: Scott, how are the standards for privacy compliance evolving as a result of COVID-19? Any recommendations for hospital finance teams that want to stay ahead of this curve during and beyond the pandemic?
Scott: Sure. I wish I could say that standards have evolved as a result of COVID. Really, all we’ve seen this year in terms of privacy standards have been some new regulations with respect to facial recognition. And that’s usually done at a municipal level. So by and large, there has not been much progress. And really, progress in privacy takes a long time. It’s not something that is going to happen even in 12 months. So for managers and security team leaders that really want to get ahead of the curve, the NIST Privacy Framework which came out about a year ago, probably one of the best publications in a long time. And I love NIST. And I love everything they do. But in terms of privacy, this is it because this really gives you a great framework to work with. And it doesn’t mandate anything but it gives you all the different areas you have to address in order to advance privacy with your organization. And certainly, anyone listening to the podcast, if you have not looked at the privacy framework, well worth your time. It’s going to be the standard for privacy, in my view, for the foreseeable future.
Mike: Scott, let’s take a bit of a turn and talk specifically about data breaches. There have been at least three major hospitals that have recently been affected by ransomware and other issues, really just in the past couple of weeks. Are there any common themes we can take away from these breaches?
Scott: There’s actually three common themes. And by the way, just for the benefit of the audience, I believe the three you’re referring to, one was Universal Health, that was here in the US. There was a hospital in Germany where someone actually died as a result of the breach, indirectly. And then there was eResearch Technology, again, here in the US. So those are three big breaches that I was apprised of in the past month or so. And one takeaway is that phishing attacks, still the number one way for threat actors to get into your network because they’re so subtle and they’re very clever nowadays about doing this. And it’s just easy to get caught. There’s no other way to describe it. And I’m always on the lookout. And it’s unfortunate because so many things that come in that look like they could be trouble. And so you have to set time aside to make sure you don’t click on them, and you ask others, “Is this really legitimate?” So it’s a big challenge. Second, not faithfully patching your systems. This was likely the root cause of the problem with the hospital in Germany, is they didn’t patch a known vulnerability that had just been cited by, I believe, DHS here. And so the bad guys got in through that vulnerability. And then thirdly, the challenge with backups, and that is that having backups is not enough if your backups are also corrupted by the same ransomware. And so that makes it difficult because you want things backed up with regularity. But if the ransomware has got into it, then it defeats the purpose of having a backup in the first place. And there’s no easy solution for this. So I think ultimately, what we’re going to find, at least in some areas like healthcare and defense, is that we go to the air-gapped model, where you simply have one set of technology for the outside world, one set of technology for all of your internal systems, and there’s no connection between the two of them.
Mike: Scott, what can a hospital finance team do to reduce the potential attack surface for cybercriminals, while maintaining compliance in a remote working environment?
Scott: Well, top of my list is that if your institution has not conducted a data inventory or hasn’t updated it recently, I think now is a very good time to get working on that. And I say that because in my experience of doing data inventories for clients, for every two systems that we knew there was personal data on, we found a third that we didn’t know. And we only found it by digging into the network. And not just inventorying the network, but also talking to the custodians, talking to the people that are experts with the systems and saying, “So, what kind of uses are going on with this data beyond the apparent ones? Is it going downstream to other systems?” So for example, say that you have an Oracle database. Maybe that’s feeding into an HR system, which is then feeding into a finance system– or connected to finance, which is connected to a travel system. So you have to really chase all of the data wherever it’s going and make sure that you’ve accounted for all the different uses. So that’s super important. And then in terms of just general purpose reducing your attack surface, I mentioned that the NIST Privacy Framework earlier, also a great standard for going through and making sure that you haven’t missed anything.
Mike: Scott, what are the questions hospital finance teams should be asking themselves about data compliance and preventing potential breaches?
Scott: I think the general rule that I always use is that if something is powered by electricity, it probably produces personal data. And I know that may sound a bit hyperbolic. But you think about it, how many things are powered by electricity that produce information that can be tied back to you? Think about IP addresses or MAC addresses or other kinds of things that years ago we would have laughed and said, “Oh, that’s not personal data.” Well, guess what? That’s all personal data. GPS data? All personal data. So if you start with the presumption that if it’s powered by electricity, there’s probably personal data there, you certainly have a very jaundiced view of everything. You’re able to look at things and say, “Okay, let’s assume there’s data here. Where would it be? Who would have access to it? Where is it backed up, if anywhere?” And you ask all those hard questions, and I think you put yourself in a much better position to reduce your attack surface because you’re just thinking of things you wouldn’t have thought of otherwise.
Mike: And you really do have to play defense. Great insights, Scott. If someone wanted to learn more about you or Spirion, where can they go?
Scott: Spirion.com. We have a wonderful website. There’s all kinds of materials on there about everything. So imagine all the different privacy and security regimes, it’s all up there, the CCPA. If the CPRA is passed on this election coming up, I’ll have an additional materials up there on CPRA. So all kinds of good things for people in the privacy and security community.
Mike: Scott, thanks so much for coming by the podcast today and helping us understand more about how to work safely in a remote environment.
Scott: Thanks for having me.