VanRein Compliance Podcast

! BREAKING ! OCR releases NEW HIPAA Audit requirements that will impact your business + The Singapore F1 Grand Prix

Rob & Dawn Van Buskirk Episode 58

Ever wondered how to navigate the ever-evolving landscape of HIPAA audit requirements and cybersecurity threats? This episode takes you on a thrilling journey where the stakes are high, and the races are fast - both in the realm of F1 racing and the world of healthcare audits. As we rev our engines, we chat about the latest F1 races in Singapore and Italy, sharing our top picks for teams and drivers. We also dive into the nitty-gritty of the new HIPAA audit requirements, focusing on the shift towards more cybersecurity-based threats.

Buckle up as we shift gears and delve into the heart of cybersecurity threats. Drawing from the HHS OCR's list, we discuss the top five threats businesses face today - from social engineering and ransomware to data loss. But fear not! We also lay down the roadmap to navigate these threats with their ten recommended mitigating practices. We illuminate the potential risks, the effective countermeasures, and the importance of being proactive rather than reactive when it comes to cybersecurity. 

As we cross the finish line, we explore the terrain of strong compliance practices and securing your environment. We highlight the value of encryption, identity and access management, data loss prevention, disaster recovery, and asset management. We also underscore the significance of antivirus and anti-malware software, robust passwords, and wifi security. And in the spirit of staying ahead of the curve, we evaluate the implications of new laws emerging from the recent election cycle. So, join us for this adrenaline-packed episode; let's navigate the racecourse of cybersecurity and HIPAA audits together.

Thank You for Listening to the VRC Podcast!
Visit us at VanRein Compliance
You can Book a 15min Call with a Guide
Follow us on LinkedIn
Follow us on Twitter
Follow us on Facebook


Rob:

You're still Dawn.

Dawn:

I am. You're still Rob I am.

Rob:

Ooh, I got another button Ready Ha ha ha. I have new toys. It's fun Cheeseball . Oh my gosh, Dawn, I'm excited, you're excited, we're excited. Right, we are excited. We finally have some updates. Updates to the audit requirements for the HIPAA.

Dawn:

The HIPAA.

Rob:

The HIPAA. We also just had a heck of a F1 race in Singapore.

Dawn:

Yes, that was exciting and fun.

Rob:

We're going to start there and then we're going to talk. This podcast is really going to focus on the new audit requirements for the HIPAA, and our team is already working on updating our platforms because our customers get that. That's what they get. They get the latest and the greatest in HIPAA audit technology and service. So, yeah, so actually, don, who is your favorite F1 team? And I'll preface this by yeah, we're big F1 fans. They don't watch any other sports but little college football, but obviously F1 races. So who's your team?

Dawn:

Well, I'm partial to Ferrari.

Rob:

I don't like Ferrari, the Ferrari.

Dawn:

Like the Ferrari, but the Ferrari. But I like. Well, I like a few.

Rob:

Let me just preface I like somebody just give you a Ferrari. I like some of the drivers.

Dawn:

So I like Leclerc, he's Ferrari, I do like Lando with McLaren and I like Russell with Mercedes. So I'm kind of all over the place. But honestly, ferrari was amazing in Singapore. It's amazing that thank goodness they light up that track because again they're driving 200 or some miles an hour with no headlights, you know, but they make it work. That's like the light name of Queen.

Rob:

Remember that, remember he got Well, yeah, well, they got NASCAR stickers, but there's no headlights, Right?

Dawn:

right same thing, but no, it was a very exciting race Actually last week in Italy.

Rob:

The Temple of Speed, the Temple of Doom? No Temple of Doom.

Dawn:

That was pretty amazing too, because they have, the way the tracks are, a lot of really good passing, and so it's not like Monaco, where you can't pass, but yeah, maybe one place Exactly.

Rob:

But yeah, it was amazing, you finally won one. You've won your Ferrari, your Dutchman.

Dawn:

I keep saying it he is a winner. He's great, we saw him in person on his track 10 in a row. He is an amazing young lad. But, sometimes you fall when you're the winning person.

Rob:

Oh, it just was not set up. The car was not set, the car wasn't set, the driver's were set, it was just not set. But hey, they broke the record. Of Max won 10 in a row and remember he's not grumpy. He's Dutch like me, so you just remember that, Don.

Dawn:

Okay, and you know what's funny is, if you guys don't know, rob is half Dutch, half Italian. And so yes, but it's now. It's. Oh, I'm Dutch. I'm Dutch, I'm Dutch when your Dutchman was winning, but now it's like oh, oh what.

Rob:

no, I didn't flip over to the Ferrari. It's good to see the Ferrari, you gotta say it. Like the Ferrari. Good to see they won.

Dawn:

Finally, Carlos has been right there.

Rob:

So was it more strategy, Ferrari strategy or more Carlos' strategy? Because he's chums, I think, he with landup.

Dawn:

Oh yeah, no, I think he did great himself.

Rob:

So yeah, it was amazing To keep land on. So now, but next week's in Japan next week's a new race, you never know. Next week's. Well, this week Yuki could win. Yuki could win.

Dawn:

Maybe that would be nice if he finally won something.

Rob:

I think Lawson's gonna continue to go. I don't know where Carlos is gonna be back, because he busted up his hand.

Dawn:

Yeah.

Rob:

And Zanvort. So and you know listeners if you love F1, just let us know. Put it in the comments have a little chit chat, a little chit chat, chit chat, that was fun.

Dawn:

That was like a race. You wore your jersey proud there, don. You did good, I did you did good, I did, you did. So let's talk about the big news in the HIPAA.

Rob:

Oh, let's see where's my other button. Yeah, horn Jazz is good. Actually we need the little news ticker.

Dawn:

This is big news. Actually, this is very important news.

Rob:

Why don't you go ahead and break the news?

Dawn:

Don. So the HHS OCR they just came out with in the last few days. They came out with some updated audit requirements.

Rob:

They did.

Dawn:

So our customers know, and some that have been through the audit, you know, one year, two year, three year, four year, the questions are remain about the same.

Rob:

They have been. They remain about the same, very stagnant.

Dawn:

What the HHS OCR did is they have updated them to be more I can't find the word the more current, more current with cybersecurity relatedness in them? I guess I don't know. However, you want to say that.

Rob:

Yep.

Dawn:

So basically, what they've done is they've taken because of cybersecurity is such a buzzword, if you will they've really updated and said you know what?

Dawn:

we're not just going to ask you do you have a policy procedure? We're going to ask you specifically about your security and, honestly, the whole assessment is more about, instead of really the administrative, technical, physical kind of. It is more just about security in general. I mean it encompasses physical security and technical, yes, but it is very focused on the word security. So we are excited because this is where we need to be now the HIPAA has not changed in over 30 years.

Rob:

The law is the law. Well, it changed in 13. The high tech law yes, the high tech. It changed in 20, but the foundation has been the same.

Dawn:

I appreciate that the questions are tailored more towards the electronic age we're in and to more cybersecurity. So we are updating that currently and it is going to. The questions are going to evolve, they're just going to be more robust. So that is very exciting, very exciting.

Rob:

It is. And when the government makes changes, they don't change the law. They're making subtle changes to how you're audited. So if you get your audits through us which I hope you do or you do your own audit what you can do right, but you're going to get lost in that audit. I'd say, right now it is tough Everybody that's tried it. They come right back to us and go, nope, we're going to do it. Or they come to us and have help. They're really focused on cybersecurity and your practice or your business has got to be audited against the new standard and the reason for this is the 405D program.

Dawn:

So what this is is the HHS developed this, this is basically a task group and they developed the health industry cybersecurity practice Yep, hicp I know another acronym, right Another acronym, but this is amazing because they are really focused, focused on managing threats and protecting patients, protecting data. So they have outlined the top threats, the top five threats, and they've outlined 10 mitigating practices. You could do so we're going to go through that, but this is big, so we want to make sure we cover this. So then you get the information Yep.

Rob:

Let's go ahead and dive in Dawn

Dawn:

Dive in.

Rob:

Because it's a focus on cybersecurity.

Dawn:

Okay.

Rob:

So we're going to do a new HIPCA, hipca, hippa.

Dawn:

HIPAA, I don't know.

Rob:

Let's just go ahead and dive in. Let's just do it, let's do it.

Dawn:

So let's talk about you know, we just we in our last podcast, we talked about HIPAA violations. We talked about you know, rob talked about MGM, the breach, ransomware attack excuse me, not a breach Well, it did breach data, but anyway, social engineering. So that is one of the top five threats. Social engineering if you don't know what that is, I'll tell you. It's an attempt to trick you into giving out personal information or infecting your device by clicking on a link and basically that link, by you clicking on that, that gives access to the hackers. So that's social engineering. That's that is happening a lot.

Rob:

Okay.

Dawn:

Yeah, ransomware.

Rob:

Yeah, we know what this one is.

Dawn:

Yeah, I'm a hacker, I'm in a. You know I'm going to hold your data, whatever that is could be billing data, could be health information, whatever that is, social security numbers, anything like that. I'm gonna hold it for ransom. I'm gonna ask you for a million dollars. I'm gonna ask you for Bitcoin, all that kind of stuff.

Dawn:

The third one is loss or theft of equipment or data. This is a big one. This happened a lot during COVID Discreneled employees, people that were like things were closing down, companies were shutting down. People were like stealing things because they were just upset that type of thing Stealing, stealing computers. And then, if they're not encrypted, you got to spore. If they still have access, that's the other thing still access the computer, they can get whatever they want off it. So, loss or theft of equipment or data. Also, people can't believe it. They leave their bags in their car and their front seat. I'm talking to mostly women on this one because it's just crazy In our neighborhood. I can't believe how many people post. My car got broken into. Oh really, what did you have in your front seat? Take stuff out of your car.

Rob:

And not only that, but travel, yes, travel. We've done a lot of travel the last few years. People have the big bags and the airports, the planes. Things need to be zipped, locked and lean is main, if you will, Absolutely.

Dawn:

So the? And the fourth one, insider, accidental or malicious data loss. Is there any disgruntled people that work at businesses and companies?

Rob:

Maybe that would quite quit. Or working remotely, or people looking for companies that do remote work only work. Or yeah, no, that never happens.

Dawn:

We had one Company bought company B. They merged into company A, whatever, and those people that got merged into it decided to start trying to steal customers to start their own company.

Rob:

See, so that's malicious.

Dawn:

So yes, that happens.

Rob:

People get malicious, people get desperate People are mean.

Dawn:

People are. There's some meanness out there. And then the last, the final one. This is a big one attacks against network connected medical devices.

Rob:

This is, this is so this is a big one.

Dawn:

So here's. Here's a scenario, if you're kind of confusing what this means. Cyber attacker gains act access to a care provider's computer network through an email phishing attack. Takes command of the file server Mm-hmm to which a heart monitor is attached. While scanning the network for advices, the attacker takes control of all heart monitors in the ICU. Yeah, multiple patients at risk now that is awful, that is like I mean that could, that's like murderous, I mean that's, that's just a whole, nother level of attack.

Rob:

Cyber war is it's. Probably the next larger war. It's actually being ongoing, yeah, yeah it's, it's pretty bad so.

Dawn:

So there you have it. Those, those are pretty big.

Rob:

I mean that's those are big ones. That's that's big ones. You've got it. This is. This is very exciting, because of course, that's the compliance world exciting.

Dawn:

We're excited, we have new requirements. Oh, yes, yes, yes, I don't want people dying.

Rob:

No, okay, okay, act, okay Good, because they're running windows.

Dawn:

Yeah, so now, now that I've talked to Said the five threats, rob, I want you to go through the tit, the, the ten Mitigating practices. So you're you're very good at this stuff, because this is like email encryption, this is all that kind of all that kind of stuff, and and so why don't you give us, you know, and I don't know if you want to run through all ten, but why don't you give us the ones that you know that you want to go through, that you feel that you want to?

Rob:

Yeah, because the Hicpe.

Dawn:

HICP oh.

Rob:

What what I'm excited about this is is the healthcare industry's security Guidelines are now in the audit. So when you perform your audit, if you have us do it, if which I highly recommend you know do it yourself. Either way, that'd be fine. But email protection systems is huge. Yes, they still love their, their posters, they still love your, the security, making sure that your in email environment is secure. You know there's many ways to do it. We've audited everything from Sophos to Baracuda's to 365 to Google, to everything, and everything has problems. But the best thing is you have to mitigate that and you have to secure email.

Rob:

Endpoint protection is huge. I know here. You know our, our company as a compliance company. We run all max and I. Everything is encrypted, everything is fire vault on it. If you're on Windows, make sure everything is bit locked. If you're on Linux, you can encrypt that as well and track them. So we know where every computer is at any time. So someone, unfortunately on our team gets their computer stolen, we know where it is and we can shut it down, just like your phone, like find my iPhone.

Dawn:

Mm-hmm.

Rob:

That's the same, the same key Identity and access management is. Key is making sure you know who has access to your environment, so you cannot have access to people that are not supposed to have access. Yeah, so Make sure there's no anonymous. Make sure there's no passwords underneath the keyboards.

Dawn:

Make sure there's nothing like that in any Shores of that?

Rob:

Yeah, dlp, you know that is Data loss prevention, oh, I was saying protection. Disaster recovery. Yes. If you have an attack, if you have an incident, if you lose data, if you do anything like that, you have to make sure that you're able to restore that data and make sure to get that back.

Dawn:

Couple of these others just quite a few goons. And do we do disaster recovery and contingency planning?

Rob:

Oh, of course we do here at the Van Ryan Compliance pod. We should just do a whole thing on DR.

Dawn:

Oh, that's.

Rob:

Then we can talk about zero-tracks.

Dawn:

That's another folks listening. Disaster recovery planning is so People put that on the back burner. But here's the reality. We all have disasters that happen, I mean you have a storm.

Rob:

Your dog had a disaster with the skunk.

Dawn:

Oh yeah, you have a storm, you have money stolen, you have your business's revenues decrease. It doesn't matter what emergency or what accident or what things are gonna happen. But you have to plan for it you have to have some sort of insurance and that having a disaster recovery plan, what to do, when to do it and then how to continue. Your business is huge, yeah.

Rob:

The other area that DR is huge because obviously it's hurricane season, which we always track right. There's always cyber attacks. There's always power grid issues. So you gotta make sure you plan for that. The other thing you gotta make sure is know where your assets are. Asset management is big People forget.

Rob:

Yeah, I don't like Excel, but hey, if you can, just if you have a small team, fire up an Excel spreadsheet. Here's your team members in one column. Next there's a still number Wizard warranty expired. Also, your CPA is gonna need that for asset depreciation. He's Don, loves finances and asset depreciation.

Dawn:

You dive into that world lately.

Rob:

You've gotta track your assets and make sure you know what's going on.

Rob:

Yep, same with network management and vulnerability management. So network management is monitoring the network. Now how do we do that remotely? Right, there's how we do it remotely. Our team is remote and always will be. Remote is we have agents on every machine. So we have our rippling agent, which is tied into our HR, which is tied into the people which manages the assets, and then we have Sentinel-1 on every computer so we track all that. So we know everything. We know the information, we know what softwares installed. We know all of that.

Dawn:

We just had one on one of our employees' computers that we had to-.

Rob:

It was a hung install. It was a little weird.

Dawn:

It was really. It was a weird thing, but we were able to stop the process.

Rob:

Yep and mitigate it.

Dawn:

And mitigate it. It was really great to do that remotely, yep, and that ties into the vulnerability management.

Rob:

You gotta have the antivirus you gotta have, whatever platform operating system you're on, you gotta have antivirus and anti-mallware and make sure things are, have the ability to remediate that risk and that virus or the ransom attack. So, and if you're folks at home, make sure they have, like you know, wip 23 on their, on their wifi, make sure they have strong passwords, not just the house number, street number, name.

Dawn:

Don't have your dogs, that's what you're doing that's always fun to see what networks are open in the neighborhood.

Rob:

Yeah, yeah, I drive around.

Dawn:

So try that, try it like join other networks or turn on your see what other networks in the neighborhood that are like open it's pretty funny because you're like, oh, that's that neighbor, cause they have their full names, and it's like, oh my gosh.

Rob:

I wouldn't recommend joining, but you could.

Dawn:

Oh, don't join but, like you, when you turn it on, turn off, turn it on, you can see it. Lists yeah, yeah, you can see it all out there.

Rob:

Have strong passwords for your network. Have extremely strong.

Dawn:

Ours is hidden, which is a good idea. Zero trust yeah, we don't even. We don't even exist.

Rob:

Rough the grid.

Dawn:

Not, really, not really.

Rob:

Good idea, sir. You know the because it yeah. Vulnerability management is is key, making sure we have good cyber hygiene.

Dawn:

We wash our hair we wash our.

Rob:

we wash our teeth. Brush our face. Sure, wash our face, brush your teeth. Uh-oh, hey, we got the cheesy thing again. The next couple is just really really making sure you have cybersecurity governance and you have a team, a response team, that they know what they're doing. Do not ignore this. Um, it can be, and it's usually. It sits within your IT team, in in within your technology partners as well. They'll be there to help making sure you establish security policies, procedures and guidelines of what it takes to actually secure everything and make sure everything is secure.

Dawn:

Uh-huh.

Rob:

And know how to respond when there is a problem, don't ignore it.

Dawn:

Yeah.

Rob:

You know, don't just say, oh well, we'll be fine tomorrow. No, we gotta deal with it today.

Dawn:

Yeah.

Rob:

And also, if you have an attack, understand the attack. You need to understand, by law, you're supposed to understand it, and then you're actually, uh, actually, supposed to um, notify the FBI, because they need to track the type of attack as well, cause they they look at everything from a global standpoint. Yep, those are, those are key pieces. Those are all very key pieces that we've got to go ahead and dive into and make sure that we know what we're doing. Yes, we can ensure that we have a secure environment.

Dawn:

Mm-hmm.

Rob:

That's really good, don, is that the pod? That was a lot, we got a lot. I got through a lot. Let's see. Let's recap because I can't have.

Dawn:

I had fun things so as as current customers and prospective customers listening um. You know, when Rob and I built our assessment tool for the HIPAA, the HIPAA we, we, we tied in a lot more than the government questions.

Dawn:

So, as, as our customers know, we added probably about 50 additional questions, something like that, um, with a lot of cyber. So we are excited that now the government is addressing, adding more cyber uh, cyber uh questions, adding that more into the questions. So, um, we're excited because we, we, we had kind of already done that Um, but they have done, um, a couple things, a couple areas, a step further. So it's going to be really nice to blend that. So, uh, we, we've already um provided a very robust assessment, um, more than what the government has, and now they're sort of catching up, if you will. So it's exciting and it's exciting that they're finally identifying that they needed to up their game.

Rob:

So we're excited about this. There's a lot of rhetoric, there's a lot of stuff going on. Yes, there's an election in a year and, of course, we have to talk about it all the time. Um, but these are the things that we watch. This is the things that Van Ryan watches. Is, you know, um, what are the new laws? There's a lot of new state laws coming out too, and we'll have to dive in one of those.

Rob:

But obviously um, we're excited about the new requirements for audits All right, I think that's a wrap for the HIPAA.

Dawn:

That's the.

Rob:

HIPAA. And that's the pod. All right, we're out. Bye, bye.