VanRein Compliance Podcast
Learn how you can secure the future of your business with a clear plan to reduce your risk. We discuss all compliance and data security matters of SOC2, ISO27001, HIPAA, GDPR, CPRA, NYShield, Texas HB300, ISO27001, HiTRUST and include life stories as well. It's NOT just a boring BizCast. We also talk about our Family Business and how you can start your own Family Business that will reshape your future.
VanRein Compliance Podcast
HITRUST Collaborate Conf Review + Texas Homecoming Mums +Importance of Vendor Relationships
Ever thought about how to build an unshakeable trust with your vendors? Ready to harness AI without fearing the risk of breaching data security compliance laws? That's exactly what we'll be uncovering in this latest episode. We kick things off with a nostalgic trip down memory lane, reminiscing about the delightful Texan tradition of crafting homecoming mums. We also share our experiences from the HITRUST Collaborate Conference in Dallas and discuss the importance of community support in events like the big band competition.
Nothing says trust like a reputable certification. In this chat, we unravel the intriguing aspects of High Trust certification, guiding you through the journey towards achieving it. Get familiar with the E1 audit, a cornerstone in building the fundamentals of HITRUST, and its application across businesses of different sizes. From control mapping to vendor risk management, our discussions navigate you through crucial conversations that could help mitigate risks vendors may pose to your business.
AI is changing the world - but at what cost? We tackle the often murky waters of AI usage, discussing the evolving landscape of certifications like SOC2, ISO, GDPR, and HIPAA. As we examine the High Trust AI Assurance Program and SOC2 auditors, we explore how your organization can use AI responsibly and securely. From assessing the cost of ransomware attacks to considering the potential benefits of becoming self-insured, we leave no stone unturned. Before we sign off, we reflect on the importance of having AI policies and discuss potential consequences of not having one. So, tune in, engage, and don't forget to connect with us on LinkedIn!
Thank You for Listening to the VRC Podcast!
Visit us at VanRein Compliance
You can Book a 15min Call with a Guide
Follow us on LinkedIn
Follow us on Twitter
Follow us on Facebook
Hello and welcome back to the VanRein podcast with Dawn and Rob. I'm Rob and I'm Dawn and I'm back. Dawn you let me come back.
Dawn:Boy good and bad with that boy folks.
Rob:She paused on that one. Yes, I am back from the high trust collaborate conference in Dallas from last week. We talked about this. We talked about this on the pod last week about me going. So I have all kinds of fun Tidbits. I met people. You may have some. You may even hear some paper rattling like I actually wrote notes. Wow, you believe that?
Rob:hmm, I know, look at that, look at that. But before we dive into the high trust because we like to call the HIPAA now it's the high trust there is a lot of other news Going on. The other news, don. What are the two other topics?
Dawn:I wish we had that news ticker.
Rob:I have a sticker the news ticker the. I have it in the podcast. You don't listen to it, don't you? Okay so you don't listen.
Dawn:Your own podcast insert insert news ticker hey, yeah, so we're gonna talk about the mum.
Rob:Yes, I said mum, the mum.
Dawn:Now we're not talking about fall mums, which everyone now has, because hey, it's fall in Texas, finally meaning it's under 90 degrees. Was this here right?
Rob:now 73. Oh goodness, that's sweater weather. That's like long pants.
Dawn:This is the first day of war in a long sleep.
Rob:You have to get jeans out.
Dawn:I know you don't wear jeans, but how many of you all know about the mum? And this is only in Texas. It's not just a southern thing.
Rob:It's the homecoming in Texas.
Dawn:Yep, it is a thing, people, and while you're listening, you should Google Texas mums. Homecoming mom's yeah and see what you come up with it. It's crazy.
Rob:It's a thing we do down here.
Dawn:It's some some of these girls, the mums are bigger than them. So very elaborate we had to make the mum the mum so our son is is Going to the homecoming dance with the girl and he had to make a mum, and as she has to make him a mum, yeah she wears the mum like around, like a necklace, and he wears it like on his, on his arm.
Rob:I guess, like a sleeve, a garter for your sleeve right arm, so it's a thing.
Dawn:So I quickly called my my friend, my close friend that Knows all about mums and lives here in Texas, and I said, hey, we have to go to lunch because you got to tell me how to do this mum thing. And so basically she told me go to Hobby Lobby. They have everything laid out all the school colors for what you know for each school and everything, and everything's all laid out and you just buy it all. You get a glue gun and you go and you just Google it and you YouTube it and whatever. So that's what I did I went and grabbed all the ribbon I could and I was there to.
Rob:I helped push the cart. Yeah, it's a big deal. It's like you have to do it.
Dawn:Yeah, so in in the center is an actual mum. It is a fake mum. It's a fake flower, you know, silk flower.
Rob:It's a white mum, my mom yeah and you decorate it with ribbon with.
Dawn:You could put teddy bears on it, you could put these boa things on it, you could put all these little things on it. Sparkly name. You know the names, the the the, the, the year you graduate. I mean it's seriously, there's a lot you can put on it. But Anyway, we got all the stuff and our son did it, did it, did a very nice job. He think thank goodness has the creativity. He got that from me.
Rob:And he did a really good job, and so we broke out the hot glue gun. Yes stapler, we put all the things together.
Dawn:Yeah, look at that. Yeah, so it was. It was a fun mom day, but anyway, with the mom the mom yes.
Rob:Well, I Are you mom, or? Mom, yeah, yeah, a mom day with the mom.
Dawn:Yeah, there you go, yes.
Rob:Oh my gosh. Yes, and homecoming is this week, so big week at school, you know, obviously it's the game dance, although funny.
Dawn:Let's talk about band. We won first place last weekend in the competition.
Rob:We did, we did win first place.
Dawn:We won first place and this weekend we have a really big. This is the big one this weekend. Thank you, yes.
Rob:There you go. You like that one this weekend's the big one.
Dawn:Yeah, but Rob and I both, and about 20, 25 other parents, we schlepped out like pushed and shoved all those props out onto the field. Yeah, folks, that's a good workout. It is a lot of work that goes into this.
Rob:If your kiddos are in music or theater, I mean, then you know it is a lot of work. Not to say there's not a lot of work with athletics. Right, it's different work, yeah, and it's just exciting to be part of it. And if you're not part of it, dive in with your kiddo or help. I mean there's a lot of help needed, and it's fun.
Dawn:It's a good time, yep.
Rob:It's a good time.
Dawn:All right. Well, let's talk about your. We talked about mom's, yes.
Rob:Now we're going to talk about, oh the high trust.
Dawn:Let's talk about your awesome time at the Gaylord in Dallas.
Rob:So Rob didn't just go to like go on the Hilton and have a conference this is the Gaylord. Have a cat down the Gaylord. And if no one knows what the Gaylord is.
Dawn:there's a lot of people, and if no one knows what the Gaylord is.
Rob:There's also one in Galveston. I think there's one in Nashville. Is it Galveston? No, there's no Gaylord in Galveston. No, not Galveston, not Galveston, nashville. Yes, you're right. Sorry, all the refineries in Galveston, oh my gosh.
Dawn:But it's, and I don't know if there's any other ones around the country?
Rob:I think there's one around the country.
Dawn:Okay. Anyway, tell them about the Gaylord and what was inside the Gaylord besides the.
Rob:Oh, it's fun this place if you have not been, I mean we've probably all been to large conferences or like car shows, right when they'll like a convention center it's a giant convention center, but the city inside the city. That's kind of what it is. I mean, there's a river walk in there, there's restaurants and there's restaurants and bars and every little nook and cranny. There's like four or five different conferences going on. So there's probably I mean, our conference is almost 500 people, so probably 2,000, 3,000 people just packed.
Dawn:Really cool. Was it cool so maybe like a mini Vegas inside? Was there like rides and stuff? No, there's no rides, just restaurants and Just restaurants, meeting areas, walkways, little river inside kateena canteens, just a little river inside, okay, a little river inside.
Rob:Kind of fun stuff though.
Dawn:It was good.
Rob:It was good, and the High Trust Collaborating Conference is back in person this year, which is good. So High Trust is another certification obviously that we do here at Van Rijn, along with SOC2 and HIPAA and ISO and GDPR and all the fun things at PCI, and High Trust is one that we have clients going through our process now. We perform the High Trust readiness, so we do the legwork, we're the handlers, if you will. We do all the legwork, we do the readiness to prepare you for the external audit. So, just like SOC2 or ISO, with High Trust you have the internal readiness and you prepare and then you hand that to the external auditor that has to be certified by the High Trust Alliance Board. So we have an organization we work with on that now and obviously just interviewed and talked to a lot of great people, a lot of different types of auditors last week, because we're always looking to add additional tool bags to the Van Rijn Tool bags.
Rob:Tools to the Van Rijn tool bag.
Dawn:Ah, there you go, there you go, you can talk.
Rob:Well it's late in the afternoon, as you do this in the morning. Now you have podcasts in the afternoon, but anyway, we're here, okay, so that's a dog doing.
Rob:Anyway. So High Trust we really focused on. There's a lot of different pieces of it. The big piece, let me ask just what is High Trust? High Trust was really created to focus on the auditing of those large enterprise healthcare technology environments. So a lot of the Blues associations, the Cygnus and the Walpwynts, a lot of the platforms used, focused on High Trust. So what we've noticed, though, now is High Trust isn't just for those large enterprises, it's for SMBs, and we focus on SMBs because that's where we really shine. This is where our clients really shine. So it's great to hear that now they have the E1 audit, which we'll talk here a little bit. So the E1 really focuses on essentials just building the essentials of High Trust out so that you can go forward and go into I1 and the R1 and the R2. So go through that path.
Rob:So the E1 is really our market, is where we start, and that's where our clients are going through now and then they go through that and they go forward with that. High Trust is really starting to align with SOC2. That's an update. So aligning the controls from SOC2 and even the NIST and the ISO standards, aligning those to ensure that all the controls are mapped out, because control mapping is huge.
Rob:So you have your different controls, you've gone through the audits and you've got to make sure everything is mapped out correctly. Oh, let's see what else I have here. I've got so many little nuggets here. Venter risk management is big. So the VIRM or VRR, we perform these for a long time and one thing that I got out a lot of the auditors is, instead of sending the nasty questionnaire that everybody gets here fill this out here, fill this out here, fill this out what they recommend in seeing and this is why you go to conferences is perform a VRR Just going through or VRM just going through a vendor risk management conversation.
Dawn:The fly just stifled over you, with you Sorry.
Rob:That's what fly.
Dawn:I'm like. I'm like getting the fly out and then it went over to you Sorry.
Rob:I'm talking VRMs. We're talking flies now, sorry.
Dawn:Okay, well, that happens on the podcast.
Rob:Hey, we can flow and go. Here we go. So the vendor risk management there's a fly in the studio. Oh well, I showered. I did Basically interviewing your vendors, with your client on board.
Dawn:Oh, I like that.
Rob:Either in person, on a Zoom, on a Teams, on a Google, on a, whatever you have a phone call and just going through the basics of what sorry, the dog's chasing the fly, it's a fly. Show kids what the vendor is performing and the services they're offering. Because what we're finding is people say, well, so-and-so has my fax services. Well, you call so-and-so and they'll go, oh well, they have fax, they have SMS and they, oh, we do the website. And then people go, oh well, I thought you do the website and a lot of companies don't know what they don't know, especially get the bigger.
Rob:Or your companies have been purchased, or the legacy companies or their companies that have just expanded and they've kind of forgotten what they have. So we do a lot of this. I call it VR vendor risk reviews, and you're reviewing the risk with the vendor because your vendors are putting risk on your business, especially with how they handle that data.
Dawn:So very good.
Rob:Do we get through that? We got through that in the fly. He's still chasing the fly.
Rob:He's still trying, yeah, so one thing interesting too is I heard this is a theme at the High Trust Collaborate Conference and of course they're there to promote high trust. But I have to remember too the auditors that are there are also SOC2 auditors. They're starting to say that SOC2 is becoming more diluted because, well, call them out, the Vantas, the Drattas and all those platforms that are saying, hey, we're the tugboats, we'll get you audited and get your certificate in weeks, which isn't the case, and it dilutes the uniqueness and the gravity of a SOC2 certification.
Rob:It's always been kind of that more of a lead standard. So a lot of people are looking for something new, looking for something that is more stringent, which is high trust. So that was interesting. So the drive by. Soc2 auditors. Keep hearing about that now.
Rob:It's a new thing Everybody in their car is a SOC2 auditor. Just drive by and do it, and that's not the case. One thing I was also excited about is the High Trust AI Assurance Program. So High Trust will update their assessment, I would say up to about four to five times a year. So we're SOC and we're ISO and we're even GDPR and now HIPAA finally changed three weeks ago. After years, High Trust will change it. High Trust is an organization that will look at the industry and go hey, NIST changed, ISO has made some changes we need to update. So they have a High Trust AI Assurance Program. That means that you can now review and certify your organization for the usage of AI in your organization and how the data will be used or sent within the organization. So that's kind of exciting and I just rolled that out, I think, this week.
Dawn:Well, this is airing.
Rob:That's a big deal because the other certification platforms haven't touched it and we've already been asking. So the next thing we're doing at Van Riney's rolling out AI usage policies. How will your organization use AI? What type of data are you going to grab, what type of data are you going to have and use, and how will it be used and where is it going to go? So be very careful. Always ask where is it going? You're going to use AI Great. Is it private? Is it public? Is it a public cloud? Is it AWS? Is it Azure? Is it Google?
Rob:Is it a platform that got used internally or built internally? Is it on some hackers? You know a computer in his basement. You never know stuff like that. Another item is verifying implementation. So the key piece is making sure is that is you verify that you've implemented the control? So we're very good at the auditing, we're very good at the policies, the procedures we as an industry, I'll say that but the verification is lacking. Is it really happened? Did it really happen? Did we really implement that password policy? Did we really implement that encryption policy, locked door policy, off-boarding policy? Someone leaves, do we shut down all their access, stuff like that? Those are key pieces that we had brought up. And you know, don, the session I actually kind of liked going was the cyber security insurance workshop. Yeah, because that's what I went, because you weren't there. It kicked me out. So let me ask you hey, can I get? When a client says, hey, can I get a discount on my cyber insurance by becoming a high-trust compliant and certified?
Dawn:The answer is no, correct, what about?
Rob:a five sock two certification. How about a HIPAA certification?
Dawn:No.
Rob:Or actually I should re-frain that HIPAA attestation.
Dawn:No.
Rob:GDPR no.
Dawn:Nothing no. Bobita Boom no.
Rob:Then what's the value of insurance? Ooh, so they can make money on it.
Dawn:I hate to say it.
Rob:So they? Yes, there were two brokers and two insurance agents from large insurance companies there at the conference and they said they just don't know how to make how to justify the underwriters are, how to justify the discounts, basically saying they just don't want to lose the money because it's quite a bit of money they make. So, no, you don't get a discount, but what you do get is a clear understanding of where your data is and the risk you have. So interesting, you don't want no umbrella policy there, don.
Dawn:Yeah, it's not like a house and car and umbrella policy.
Rob:No, no, we got nothing with that. The other thing that's interesting is a lot of people are becoming self-insured so a lot because the insurance agency in the industry is so archaic on how they underwrite risk and they're not fast enough on how to basically do business. Today for small and medium. Large companies are even starting to become more self-insured because premiums are continuing to go up 20, 30% a year. So people are like, okay, if I take that line item on my ledger million dollars or half a million dollars and I invest that at 10 to 15, well, 15 would be great, but let's just say a 10% return.
Rob:I can make money on that and be self-insured. Why should I pay the insurance companies? So I'll tell you that this is a goal of ours one day to be self-insured.
Dawn:Yeah.
Rob:I think insurance is great to get you where you need to be, but then sit down with your controller and see if I can go hey, can we be self-insured. Now I will say that the one thing they mentioned is these are large, established companies that probably have 15 plus years in the business or in their own business. So they have the cash flow, they have the ways to monetize it. So don't go out and say, well, Robin Dodd said I'd be self-insured.
Dawn:Yeah.
Rob:Take your time on that one yeah. Some of these ransomware attacks and the you know can cost 50,000, 100,000,.
Dawn:You know more than that.
Rob:Oh, it's easy if you get it, 100,000. Yeah, you're half a million to a million.
Dawn:So the cyber insurance is what we're saying. We are saying it is important to get.
Dawn:It is important to get. If you have a millions of dollars stashed in the bank, you know maybe you can do the self-insurance thing, but it will. It could cost you so much money where it could definitely close your business. So, having that cyber insurance even though it can be I mean there's some policies depending on the size of the company and how many records that you have. You know you could be paying 3,000, 6,000, 10,000 a year, plus, plus, plus. But when you think about that, when forensics and all this stuff going through all the data of you've lost everything, and if that costs $100,000, do you have that in the bank? You know? I mean, that's what you got to ask yourself, so definitely cyber insurance is definitely something that, in these days, you definitely need it.
Dawn:It definitely is. Is is the coverage that you need for your business.
Rob:I sound like an old insurance agent.
Dawn:Well, I'm a believer in insurance. Yes, it's annoying, it's, it's a peace of mind, but it is definitely important.
Rob:And especially when you when you need it.
Dawn:Yes, it's good to have.
Rob:Well then, we're going to turn a focus on to AI.
Dawn:AI, ai.
Rob:AI. Everything is talking large learning models, llms, all of that Big piece of the conference is AI. How does it work in healthcare? But on healthcare it's working. Your business there are a couple of things is friends and foes of AI right, you can have a friendly bot and you can have an evil bot. Let's get down the evil bot first. Oh boy, so there are there are the dark sides.
Rob:It's always more fun that way, right, you know Darth Vader. Anyway, the dark side of AI is is the wow. There's so many, but we're going to hit a few right here. A couple of them is the bots, and the AI is now being trained on large language models and. Llms on how to to attempt to crack your password.
Rob:They're also doing phishing simulations so well the children even know if it's a test or real anymore. The other one is actually looking at your LinkedIn post to see kind of what you're doing in your business and trying to actually capture your likeness and social engineering. But the scariest one is the deep fakes. So, like us on this podcast, or you on a voicemail or cheese any type of voice message or even your written language, or if you wrote a article and you posted it somewhere, getting that information and mimicking you as a, as an owner of a business or an illiterate position or someone, just a member of your company, they could try to extort money from the bank or release funds or the hackers are using it to to get additional information and all of that. So, like we talked, you know probably that MGM hack. A little bit of that was AI.
Rob:That was a few weeks ago. So AI can be the foe. So what that means is you have to have an AI policy and procedure. This is something we're going to start rolling out. So what is our use case of AI? And don't say we're not going to use it, because if you say that, then the device that you're using today to listen to the podcast that's connected to the internet. You're like oh, wait a minute, we're going to use the internet. You know, 20 years later, oh, it's fine.
Dawn:It's perfectly fine.
Rob:Thank you. So you have to adopt AI. You have to adopt how you're going to use it, what you're going to do with it and where it's going to be. There's enough bad pieces Now. The good piece of it is think about the amount of data that you have from your client data. Think about the data in your industry. Think about the data not only from financial, but customer service and success. Being able to take AI and say go, run a report on how many happy customers we have, how many negative customers we have. Where do the pain points? And finding all that?
Rob:Looking at your FTE ratios, you have enough people do you want onshore or offshore, all of that, all the HRPs you could do all that through AI and it gives you a good baseline. But the big area is sales and marketing. That was probably the biggest takeaway is it's very adaptable now for sales and marketing, where you can write copy for your sales and marketing campaigns and really get things rolling that way. So AI is big, big. Did the fly go away finally.
Dawn:I think it did. That was nuts.
Rob:For listeners. How did this fly? Just in the studio, just like flying around Nuts. Okay, the other thing is putting the AI opt-out banners on your privacy policies on your website. So we're starting looking at that. So when you say never say accept all cookies on a website, you got to have everything in there. You got to read those. Take some time to read to see how your data is getting mined and sold.
Rob:It's getting sold. Your data is sold. You're for sale. I had to say that. So, yeah, those are key pieces. I'm looking at my notes here. Don, you are you did really good.
Rob:I'm the go at start. Voice fishing. Yeah, voice fishing was the one who kind of talked about is where they had examples of a CFO. They captured his voice, they figured out. Their bank called their bank to release funds and do a wire transfer for like 50K and was able to do it because the voice recognition software matched Well. The AI was able to capture the voice of the CFO, mimic that and give that voice print to the bank and the bank release the funds.
Dawn:That's nuts.
Rob:So it's getting more and more sophisticated. So what we have? To do is become more and more sophisticated as well. Yeah, and those things you do in your organization is look at the AI policy, see how we're going to adapt it, because you're going to need to. This is how business is going to be done and what you're going to do, so those are key pieces. Get that, we got that. It's good stuff. Okay, I think AI was the last big piece that we really dove into.
Dawn:But overall it was really good it was a really good conference.
Rob:It was exciting to see people like 500 people all out and about and just really focused on data security compliance. I know people say, oh, that sounds boring, but it was fun. It's fun to get out and see people and you kicked me out for a week, yeah.
Dawn:Did you have a good week? It was quiet.
Rob:But you and the dogs do when the kiddo.
Dawn:It was quiet. I was still here by myself since the kid was out of band and the dog's just sleeping. That's it, yeah.
Rob:That's it. Well good, well good nuggets. Everything's down in the show notes. And hey, if you want to, the high trust collaborate conference in Dallas, let us know. Connect and LinkedIn. Put it in the comments below and love to connect with you. And also thank you for listening, appreciate it. The more people get to listen to this, the better. So, like, subscribe right now wherever you listen to this podcast. And I think we covered it. We got the moms in, we got marching in, We've got the high trust. I think that's the pod.
Dawn:That's it.