Home Health 360: Presented By AlayaCare

Navigating Cybersecurity Risks in Home-Based Care

Erin Vallier Season 1 Episode 67


From sophisticated plots by cybercriminals to unintentional data breaches from internal staff, healthcare organizations are facing more, and more severe, threats to protecting their sensitive data. In this episode, Richard Guttman, AlayaCare's Chief Legal Officer, shares insights into the current state of data security and privacy in the home care industry, including common threats, actionable prevention strategies, how to stay compliant with regulations, and helpful resources to elevate your cybersecurity preparedness and ensure the safety of your data. Richard digs deep into how organizations can fortify their defenses by mapping data flows, implementing the minimum necessary use principle, setting precise roles and permissions, using audit logs to meet regulatory standards like HIPAA and GDPR, and more.


Episode Resources

If you liked this episode and want to learn more about all things home-based care, you can explore all our episodes at alayacare.com/homehealth360.

Richard Guttman:

If you have a data breach, it doesn't matter necessarily that you intended to protect the information. You tried really hard. There's a lot of liability that providers are seeing at the end of the day, so everything we're going to talk about today, that you can do to reduce your risk, is a worthwhile investment.

Erin Vallier:

Welcome to another episode of the Home Health 360 podcast, where we speak to home-based care professionals from around the globe. I'm your host, Erin Vallier, and today I am joined by a very amazing colleague of mine, Richard Guttman. Richard is responsible for the legal, risk and compliance functions at AlayaCare. He leads a small team of in-house and external professionals who support key aspects of AlayaCare's business and operations, including intellectual property, commercial contracting and strategic partnerships, regulatory matters, privacy and data security, corporate finance, and mergers and acquisitions. Richard brings over 20 years of experience in building and developing innovative and high-growth technology companies, including serving as SVP of Legal and Compliance at PointClickCare, which is one of the leading EHR providers in the long-term care space. Welcome to the show, Richard.

Richard Guttman:

Thanks, Erin, it's great to be here.

Erin Vallier:

Well now, I know I can't reach you sometimes; you've got too much to do. I'm happy that you're here today and you could spare a moment to share with the listeners some very important information about cybersecurity, because it's a hot topic these days. Healthcare seems to have a target on its back, and you can tell that by all of the hacking and ransomware that is going around these days.

Richard Guttman:

It's taking more and more of my time and my team's time, and certainly those of us who've been in the EHR/EMR space are becoming fast experts in security, privacy and compliance. And, yeah, I look forward to sharing some of my learnings, certainly in the last 10 or 12 years in this area, with your listeners.

Erin Vallier:

Yeah, can you start by giving us an overview of the current state of cybersecurity in the home care industry, and particularly concentrating on electronic medical records, or EMRs as we lovingly call them?

Richard Guttman:

The EMR provider is really at the center of an ecosystem of information, and so the records in the systems that companies like PointClickCare and AlayaCare manage are growing all the time, whether it's through interfaces to other systems or regulatory databases or increasing use of clinical records. There is so much information that is being safeguarded, so the focus is massive, both in terms of those bad actors who'd like to leverage that information for financial gain. We'll talk a little bit about some of those high risks. Not only that, but those records are now at the center of litigation like negligence and malpractice, personal injury and also investigations. Government agencies that are investigating perhaps fraud or other regulatory violations are seeking out these records. So the focus has never been higher on what is in the EMR.

Erin Vallier:

Sounds like a lot of pressure. What are some of the common cybersecurity threats that home care agencies face and how do they differ from those encountered in other health care sectors?

Richard Guttman:

We can talk about that for a little bit, because I mentioned kind of the bad actors. That's what we read about in the newspapers when we see that, you know, a large health insurance provider has been hacked and millions of records have been misappropriated. So that is the primary area we see that in: kind of ransomware, external attacks. That's where an offshore criminal organization is actually operating and trying to get records out of a system that they can lock down and that they can offer to exchange for a ransom. Often that starts much earlier in the process with what you'll hear called phishing attacks, which are these social engineered attempts to get people who have legitimate access to share their passwords and user IDs, and once they have this information then they have a much easier way into the system.

Richard Guttman:

Then we have a whole category of rising risks that are associated with a home care agency's own employees. Disgruntled people who have left the organization and kept their usernames and logins can be a risk to an organization, by the email that was sent with the wrong patient's information or the database access that was given by mistake from one agency to another. So we have a whole series of innocent, unintentional mistakes that lead to a data breach. And just like we say, you know, you've heard in the transportation space, you know, if you speed, it's what we call an absolute liability offense. It doesn't matter that you didn't mean to speed; if you speed, you're guilty.

Erin Vallier:

I didn't see the sign, officer.

Richard Guttman:

In the data space it's exactly that way. If you have a data breach, it doesn't matter necessarily that you intended to protect the information. You tried really hard. There's a lot of liability that providers are seeing at the end of the day, so everything we're going to talk about today that you can do to reduce your risk is a worthwhile investment.

Erin Vallier:

Sounds like it. It's a very complicated problem these days, and anything from the well-orchestrated criminals to a well-meaning employee that just happened to make a mistake. So I'm excited to learn more. And these orchestrations, man, they're getting very clever. I've seen some phishing emails that I just swore I got. Like that really looks real, so you got to be careful. So where do you start if you're feeling overwhelmed by this task of securing your EMR and other sensitive data that you're responsible for?

Richard Guttman:

Well, I think there are some really basic starting points that a home care agency can use, and they're not different than larger organizations, whether they're EMR providers or infrastructure providers. I think the best place to start is to draw a map of the data that you have in your system, and this does not have to be technical and it does not have to be complicated. You simply need to draw a map of the data that's entering your system and leaving your system and who has access to it in your organization while it's inside. We draw these data maps. Computer companies, technology companies, make them very technical and sophisticated, but if you're a home care agency, you can draw a picture that has a home care worker entering a home, gathering data from a patient around a visit or medication. You can have that information being uploaded from a cell phone into a computer that's going back into a repository. Draw that map and look at all the points that health records are being captured and where they're moving around in your ecosystem.

Erin Vallier:

Awesome. So bring out your best stick figures and draw a map to understand every point where there's information exchange. I presume that is a point of weakness or a possibility where something might happen to be intercepted. Am I catching that right?

Richard Guttman:

Yeah, absolutely. You can put a circle around every interchange between your organization and a third-party system, whether it's the mobile cell phone provider, or whether it's the software company that's providing you the system that's running on your phone, or with a clinical labs agency that's uploading data into your system so that you can evaluate it. All of those are potential vulnerability points, and that's where you need to look holistically at what you can do around your people, your processes and your technology to reduce the risk at that point.

Erin Vallier:

Okay, well, let's dig in there. What's the best way to prepare and prevent that cyber attack from happening?

Richard Guttman:

We talk in the industry a lot about the shared responsibility model and the partners that are helping you manage the data in your system. Where do they start and where do they stop? If you're using a cloud platform, for example, you will know that all of your text messages and all of your communications are encrypted, and that's something that you would ask your vendor provider to provide you information on: the encryption standards and how they do that. But then your responsibility starts once that information enters your system and all the people in your organization that are going to have access to it. The infrastructure software provider will encrypt it, and now you need to manage it securely and make sure only the right and minimum people necessary have access to it in your organization.

Erin Vallier:

So, in the event of a data breach or cyber attack, what steps should a home care agency take to mitigate the damage and ensure they're being compliant with relevant regulations?

Richard Guttman:

US providers in particular have a unique, I think, advantage: a central, federally managed regulatory environment built around HIPAA that can guide any agency to prepare itself. One, the security rule under HIPAA, which provides detailed technical requirements and obligations. Two, the HIPAA privacy rule, which governs how consents must be obtained from individuals and how privacy must be protected through the minimum use of that information. And the last component is the breach notification rule, which sets out the specific notification requirements in the event that there is a data breach, whether it's inadvertent or intentional, and how to notify which agencies. So HIPAA is a great starting point. There are plenty of tools out there that will help you map your HIPAA compliance, very simple checklists. If you do that, you're on your path to being both ready in the event of a breach, but also you're going to be taking best practices to prevent against one.

Erin Vallier:

Well, that's reassuring that there's plenty of resources out there for agencies to tap into that will map everything out so that they're not trying to go this alone or making up their own rules along the way. You mentioned something that struck a question in my mind: minimum necessary use. What is minimum necessary use of a client's data, and how does an agency put that into practice?

Richard Guttman:

All of these kind of subjective standards can be confusing, but what we ask our customers to do is to take into account the size of the organization, the dissemination of information, where their patients are, where their care workers are, and to draw some reasonable boundaries around who needs information for what purpose. If you're a scheduler, we typically look at the schedules in your city or region. If you're a caregiver, we're seeing people narrow the access only to their patients or to those within a certain number of miles from their home. All of these practices will ensure that a defensible minimum necessary standard is met by the care provider, but at the end of the day, it's really common sense that is the most valuable asset to have. Look at what your employees need to do their jobs and make sure that they don't have access to more than that, because that'll just be exposing you to risk.

Erin Vallier:

That makes sense. So this just solidifies the importance of having a solution that really offers you a robust capability when it comes to setting roles and permissions. It's not just for the convenience of your employees not to get confused by everything, it's also to protect the agency right.

Richard Guttman:

Absolutely, and roles and permissions are a great example of how you can create flexible user groups and access privileges that are also very compliant. Track all of the access that does occur. So systems are now really focused on the new aspect of many privacy regulations, which is the obligation to maintain logs of all the accesses, all the views, all the changes to records. So when I started off the show by talking about the value of those records, often it's not just the face of the record, what would have been in the old paper chart; it's now the metadata that runs underneath it, and that metadata is extremely valuable when you're looking to see what happened in the event of a potential breach or a potential employee or outside person who went beyond the scope. So you need to understand what the capabilities of the systems you're using are to track that important underlying audit data, and it's required under HIPAA and GDPR, and almost two-thirds of new privacy regulations include requirements to have audit logs and audit trails available from all of the systems that you use.

Erin Vallier:

That's fascinating to me. So it will actually allow you, let's just say you got hacked, you can go back to that very point where it happened and see from the metadata exactly who did it, where they were and exactly what happened. It's kind of being a little detective, if you will. It's very cool. So, Richard, how do you know if you're doing okay when it comes to cybersecurity or if you've just been lucky so far?

Richard Guttman:

Well, I think those of us who operate in the space know it's not a question of if, but when.

Richard Guttman:

You will face some level of cyber attack, and the proliferation of systems and the number of interconnected systems increases the risk to all players.

Richard Guttman:

If you look at some of the major health care data breaches, you find that it's often not the primary provider, the health care agency, but it's a small vendor that was running a call center, or a third-party offshore vendor that was responsible for one small component of the system that was the weak link that created the data breach.

Richard Guttman:

Yet the primary company, the healthcare company that has the data, needs to report that breach and can have direct liability for it. So I think of it as water flowing around an old house. You know, it's looking for the weakest possible place and the weakest vulnerability, and the water will never stop moving until it finds that spot. So the best way to protect yourself is to understand who the other players in your system are so that you can work with them. We're seeing software companies working with healthcare agencies in advance, doing things like running joint exercises of how they'll respond in the event of a data breach. We call that a tabletop exercise, and it can be extremely valuable for preparing for both the communication and the technical rebuild associated with having a data event.

Erin Vallier:

That's fascinating, so get educated and practice. What are some good resources to educate yourself about cybersecurity?

Richard Guttman:

I think that there's a ton of great government resources out there at hhs.gov that you can use to get detailed information on HIPAA compliance and all of the various checklists that you can provide. You can also work with your upstream provider of your systems to ask about their cybersecurity and their privacy protections, many of which will be shared in the public domain. Those providers in turn look at infrastructure companies like Microsoft and AWS, who now provide detailed information about their security and compliance practices. So the best way to do it is to learn from those upstream from you, both so you understand where your responsibilities lie, but also you're going to get best practices from someone who's a little bit more sophisticated. It's like having an older brother or sister who went through high school ahead of you. You can ask them which teacher to avoid or what classes they should take.

Erin Vallier:

So lean on your partners and find a good government resource. I just have one final question for you, Richard. This has been very informative. What other advice do you have for agencies that you haven't shared already? Leave us some parting wisdom, some little glimmer of hope that they can protect themselves.

Richard Guttman:

I think the thing that we know is that small, simple and even non-technical exercises make a huge difference in improving cybersecurity. You can use easily available tools to run practice phishing exercises to train your employees how to identify emails that are potentially risky. It's not a complex task and it will really improve your security profile. Phishing is such a huge source of individuals making mistakes and clicking the wrong links. We talked about preparing for a cyber breach by literally spending two hours play acting what would happen. Do you have backup systems? How would you switch to paper, and for how long? Which systems could you use offline? Just practicing for two hours in preparedness will make you so much more effective in the event, or when you have to face that situation in reality. So small investments, big payoff in the world of cybersecurity.

Erin Vallier:

I happen to agree with you there 100%. Being the recipient of some of those trainings, I've been really shocked at how convincing some of the phishing emails can really be. You have to be aware, you have to know what to look for. Something as simple or as detailed as the website, when you hover over where you're going, is like a couple of characters different than what's printed on the page in front of you. If you don't know what to look for and you're in a hurry, gosh, I can see how anybody would click on that. They just look so real.

Richard Guttman:

We say trust, then verify. You know, and so learn. When in doubt, verify with an independent source within your organization. Always best practice, both professionally and personally.

Erin Vallier:

Absolutely. Thank you so much for sharing all that with the listeners today. It's been a real pleasure having you on the show.

Richard Guttman:

Thanks, Erin, I really enjoyed it.

Erin Vallier:

This was super informative and I'm sure people will want to hear more from you and learn more from you. Where are you going to be speaking next?

Richard Guttman:

I am going to be speaking at the AlayaCare Better Outcome User Conference coming up in September, it's the 18th to 20th in Niagara Falls, Canada, technical detail so that we can help guide agencies with even more kind of handheld information that's going to focus on particular healthcare cyber risks.

Erin Vallier:

Okay, so you heard it, folks: come to Niagara Falls in September and let's peel back the layers here and learn a little bit more about cybersecurity. Can't wait. Home Health 360 is presented by AlayaCare and hosted by Erin Vallier. First, we want to thank our amazing guests and listeners. Second, new episodes air every month, so be sure to subscribe today so you don't miss an episode. And last but not least, if you like this episode and want to learn more about all things home-based care, you can explore all of our episodes at alayacare.com/homehealth360 or visit us on your favorite podcast platform.