In this episode of the HIPAA Vault Show, we dive into the complexities of creating HIPAA-compliant healthcare apps. Following recent data breaches, we tackle the top five questions developers face, from understanding PHI to ensuring ongoing compliance. Learn about essential security measures, the challenges and costs of compliance, and strategies for maintaining it. Whether you’re developing new software or refining existing applications, gain valuable insights to navigate the healthcare sector’s regulatory landscape effectively.
Transcript:
Adam
Hello, and welcome to the HIPAA Vault Show, where we discuss all things HIPAA compliance and the cloud. My name is Adam Zeineddine, and I’m joined, as always, by the CTO and founder of HIPAA Vault, managed security service provider, Gil Vidals.
Gil
Hey, Adam. I like that intro. Thanks. Looking forward to talking today.
Adam
Yeah. How’s it going?
Gil
It’s been pretty good. I noticed that there was another kind of an older breach that you posted and sent over to me. That happened in 2023, but then you tagged something that came out of that more recently. So it was the same breach, but now new information has been revealed. Is that right?
Adam
Yeah, exactly right. Let’s dive into it. So, Medical Management Resource Group, also known as American Vision Partners, breach affects 2.35 million patients. Steven Alder at HIPAA Journal reports. So, MMRG, doing business as American Vision Partners, has recently confirmed in a notification to HHS that the protected health information of 2,350,236 individuals was compromised in a hacking incident. MMRG detected unauthorized activity within its network on November 14, 2023, and took immediate action. They determined the nature and scope of the unauthorized activity. And on or around December 6, 2023, they confirmed that there had been unauthorized access to its network and the removal of files containing patient data. And this actually links to. It links to a previous breach reported by Keenan and Associates way back in August 27.
Adam
Now, Keenan and Associates were doing business with MMRG, and so it turns out that breach actually led to their clients’ data, which included patient data, being compromised. So what are your thoughts on that, Gil?
Gil
Well, I’m not sure I followed you. So you’re saying this breach happened in 2023, but you’re saying there was more fallout than was originally realized, months later.
Adam
Exactly. Right. Yeah. So, Keenan and Associates, they confirmed that there had been unauthorized access to its internal systems between August 21 and 27, 2023. And during that time, certain files were exfiltrated. And at the time, the incident was reported, and it had affected 1.5 million individuals. But the latest report by a client of theirs has confirmed that even more of those were affected. These things are like, kind of. It’s forensics. Right? So more things pop up as more information comes to light.
Gil
Well, yeah, and I think that’s a serious condition. Right, where you thought it affected what you said here, one point x million. And then later, you find out months later, hey, guess what? It actually affected another million. Those are big numbers we’re talking about. We’re not talking about going from 100 to 200 patients. We’re talking about going from a million to over 2 million. So yeah, these are serious concerns.
Adam
And Social Security numbers, driver’s license numbers, passport numbers, financial account information, health insurance plan information.
Gil
And is there any information on how the breach was performed?
Adam
Yeah, I think that’s in the, let’s see here. Certain files were exfiltrated from its systems.
Gil
It says the hackers gained access to parts of its system containing the data of members of its welfare benefits plan. So we know it was hacked, but they don’t tell us how it was hacked.
Adam
It sounds like network servers were disrupted. That’s fairly vague.
Gil
So it doesn’t sound like it was an inside job where it was an employee. It sounds like somebody did come from the outside.
Adam
And they’ve offered individuals affected complimentary credit monitoring, identity theft protection and theft resolution services.
Gil
And I think maybe that’s the takeaway here for our audience to listen to is to say, well, what do we learn from this? Why does it matter other than it’s yet another attack and stolen data? What needs to come out of this for our audience? And it’s important. It’s really important actually, from a business point of view, what would happen? Let’s say that you or someone in our audience has an application that only has 1,000 patient records and let’s say they were breached. So you get 1,000 records. So how do you calculate the calculator? Yeah, no, it’s pretty simple. You could take the 1,000 and multiply it by, say, $4, or some people might use $5. So say $5. So that’s $5,000 and you could double that to get $10,000. You say, well, why am I doing this math?
Gil
Well, the $4 or $5 per patient record is the average in the industry for having to buy this identity monitoring that you just described earlier. And so that’s one of the things that is a requirement: when you do have a hack that’s successful, you’ve got to go out and buy this identity theft monitoring application that you can get on behalf of your customers. So if you have 1,000 customers that you had, or patients rather, and those leaked out, you’re looking at $10,000 that you’re going to have to go then pay to an app provider for this identity theft management, and each one of your patients will have a login to some McAfee’s or, I don’t know, the vendor names. There’s a bunch of them out there. They all do the same thing.
Gil
But these vendors are just tracking any movement of your patient’s data in the. So for example, let’s say this Social Security number pops up somewhere on the web and this identity tracking can see that. It’ll report it back to that patient. It’ll say, hey, your Social Security number was just used on this website. And the idea there is that whoever stole those thousand patient records, they’ve resold that information somewhere, they’re reselling it. So that’s why you have to pay for this subscription, for identity theft tracking. And I think that’s a good takeaway from this. It’s like, well, that’s too bad for these guys. Well, it’s true, it’s too bad for them, but it’s also something that everyone should know how to calculate that. And you say, well, what does it matter if I can calculate it? How’s that going to help me prevent this?
Gil
Well, we’re not suggesting it’s going to help you prevent this situation, but it will help you prepare for it. And how do I mean that? Well, you can go out and get, you should have cyber insurance. Professional errors and omissions. That’s another term for the cyber insurance that you would need to get. And you can get that insurance, and you have to know, well, how much should I have? And so this is a great way for you to figure out how much do you need to spend on it.
Adam
Cyber insurance is only going up nowadays, isn’t it?
Gil
Yeah, it’s going up a lot. Going up a lot. Mainly because of the ransomware attacks it’s costing. These insurance companies may have to cough up millions of dollars for one incident, right? And they have dozens of incidents a month. You can only imagine how much they’re paying out. Insurance isn’t a business to lose money. They don’t lose money, they make money. They’re profitable. So that means they have to increase their premiums in order to stay in business and cover all these costs and make a profit on top of that. So it is costly, unfortunately. Well, this leads us into the next topic. I know you wanted to just talk a little bit about software. So our audience that they have a healthcare app, say, hey, we’re writing a healthcare app.
Gil
What can they do to prevent what’s happened to these guys at the Medical Management Resource Group? How do you have your developers writing their code? Or what can you do to prevent a hack?
Adam
Yeah, definitely. I thought we’d answer some of the common questions that developers reach out with. When you’re developing an app, one of the first questions you ask is like, does it need to be HIPAA compliant? And the follow-on question I ask is, does it have protected health information? So what’s protected health information?
Gil
Well, sure, we’re going to identify that. So there’s different types of sensitive information. There’s credit card information. That’s the credit card numbers, that’s called PCI. And then there’s personally identifiable information, PII, that’s like their Social Security number, their home address. And then in the HIPAA world, we’re adding the information about their medical records. The patient can be tied to a medical record where you can see what diseases they’ve had, what procedures they’ve taken on. Those things are inclusive of being considered as HIPAA. So if you don’t have that, if you just have Social Security numbers for your patients and where they live, that’s still sensitive, you still need to protect it. But it’s not considered HIPAA compliant information. It now is something else. It’s personally identifiable.
Gil
I would say the risk, yeah, I guess the risk is lower because the sensitivity of the information is a little bit lower if you’re not including medical records.
Adam
Yeah, and I used to play quite a bit of poker. And in poker there’s these kind of like unwritten rules where let’s say you’re in a position where you’re not sure whether you should check or fold. The general consensus is fold. And if you’re in a position where you’re not sure whether you should check or raise, then the general consensus is raise. So why do I bring that up? Because if you’re not sure about PHI, whether it is PHI or whether it isn’t PHI, we generally recommend that if there’s a gray area, then treat it as if there is PHI; you’re going to be on the safe side. So that leads us on to: if there is PHI, how can the software be built and configured to make sure that it’s secure and private in compliance with HIPAA?
Gil
Well, coding is like any other discipline. You can code something functionally the same as another developer. So you have two developers side by side. They could both code it. So if you looked at the application, oh, look, they’re the same. But under the hood, the way they code it could be different. One could be much more security oriented, and the other one could not be. So one example, one specific example of that would be a developer could decide to encrypt the data that’s coming in, the patient information in the database. That’s something that a developer would do. They’re developing the software. They can say, oh, let’s encode the patient fields where it actually holds that data. And the other developer might say, no, I don’t do that, I don’t encode that. So that’s one decision they would make and also the two factor authentication.
Gil
One developer might say, oh, when they log into the application, it doesn’t matter if they have two factor. The other guy says, no, you need two factor. So it’s really, there are options and decisions that they’re making all along the journey of developing this code that are important. The other thing is just keeping up to date, like the actual programming language. Let’s say they’re using Python. Well, we have to make sure they’re using the latest version. They could be coding in a version that’s a bit old, that has vulnerabilities and exposure. Well, they should be coding on the latest version that has all those vulnerabilities remediated. So those are just some of the things that come to mind of how the developers can actually be proactively using their skill set to secure the data.
Adam
Yeah, that’s great. And obviously it’s easier said than done. If you don’t pay attention to it, things can fall through the cracks. So what are the main challenges that you’ve seen working with thousands of customers over the years to help them get set up with a HIPAA compliant software? What are the main challenges that come up sometimes?
Gil
Yeah, one of the main challenges I’ve seen over the years is that when we get a new customer and they’re like, hey, we’re going to move into your environment because we want to be compliant. But they’ll say, oh, but our application is old. In other words, it was written years ago and they’ll say we don’t have the developer team anymore, and so on. So they’re basically stuck with this legacy product and when they go to bring it over and we say, okay, well, let’s use the latest platform. When they copy their files over and their programs, it doesn’t work; it’s like, oh my gosh, look, it’s broken. That’s because their code isn’t compatible any longer with the latest. Let’s say they were on an old version of Python and they move over and it’s a new version of Python.
Gil
That’s like they need a developer to go through and update the function calls and the program. And it might be fairly simple, but if they have millions of lines of code, maybe it’s not so simple or quick. And so that’s one challenge that I see often is that they move over and they’re kind of surprised that maybe their code isn’t compatible with the latest platform.
Adam
Yeah, that’s definitely a challenge. What are some of the costs associated with developing? Obviously there’s development costs, the time of the developers, any kind of tools they need to actually develop the functionality.
Gil
I think it’s clear, or it should be clear to a business owner, business manager, that if they have an application that will be touching medical and patient data, you’re going to spend more money to secure that. So what the message is, don’t go out there and be gullible and think, oh, I’m going to go find the cheapest hosting provider and just cross my fingers that nothing’s going to happen. That’s a really bad plan. Very bad plan. Instead you should be thinking, okay, I want to secure it, and there’s different levels of security. What level do I need? But it’s going to cost more than the bottom level. And so that’s something. So if you’re going to be in business and your application is going to be touching patient data, your business needs to cover those costs.
Gil
You need to be able to charge your constituents, your customers, enough to cover your security charges. So I think maybe that sounds obvious to people. Of course that’s obvious. But you’d be surprised how many people we have that come over to us as customers that have been hosting somewhere for years that didn’t have any security measures and they were lucky that nothing bad happened and they decided to move over. And we’ve had others who did get hacked and said, oh, we’re going to leave this platform. They weren’t so lucky. So I wouldn’t rely on that. I would make sure that either your team knows what they’re doing and can provide the security, or that you go with a compliant provider like us, HIPAA Vault; they can do these things the right way for you.
Adam
Great. And then the final question that comes up a lot is, how do you maintain HIPAA compliance? I know.
Gil
And this is good. We can’t cover this too often because it’s not necessarily obvious. So if you have a healthcare app or someone in our audience has a healthcare app and they say this needs to be HIPAA compliant, it’s almost the wrong perspective. The perspective is you as the company, or your company, needs to be HIPAA compliant. So compliance is at the company level. And I think that’s something people might not quite grasp. So it’s not, is my application compliant? It’s, is my company compliant? Now, why do I say that? What’s the reason for that? Because HIPAA is defined as three areas: administrative, technical and physical safeguards. So let’s just suppose that you are hosted, your application’s at Fort Knox, super secure, and you’re like, oh, good, I’m HIPAA compliant.
Gil
But then you’re audited and the auditor says to you, hey, show me your training records for all your employees to see. When’s the last time they took a HIPAA training module? And you’re like, the answer is never. Or only one or two, but the rest didn’t. And now you realize, oh my gosh, the administrative safeguard is a fail. And the auditor says, okay, you failed there. So that’s at the company level. Even though your application was completely secure, you’re missing that. Or let’s say another example is, let’s say your developers are in your office and they go out for lunch, take their lunch break, and their monitors are all left on, and there’s medical data right there on their screen. Well, that’s a big no. And that has nothing to do with your cloud service provider.
Gil
They can’t control what’s on the monitors of your employees. You have to train your employees to make sure you have your screen lock on. So there’s lots of things like that. Your policies and procedures need to be reviewed and so on, many items like that could be a real issue in your company. And so it’s a comprehensive view of the technical, administrative and physical safeguards that you have to take into consideration. Now, having said all of that, though, let’s be honest about it, let’s be straightforward. Where a hacker is going to come in is going to be primarily through your application, through the web, or a phishing attack where some of your employees may have clicked on a link they shouldn’t have clicked on. Those are the two big entry points.
Adam
So, yeah, it’s really just constantly, persistently keeping up to date with all the requirements to stay HIPAA compliant rather than a one and done.
Gil
Right? Yeah, it’s a lot of work, which is why, frankly, that’s why HIPAA Vault’s in business. There are some companies, or a lot of companies, that prefer not to get into that world because they don’t have the resources or they don’t want the resources and they don’t want to take the time to do that. They’d rather focus on their core business and they don’t want to monkey around and worry about that. So it gives them the peace of mind and the ability to focus elsewhere. And we work with them as a team, though; if they have questions or concerns, we can jump on a call with them and review the different vulnerabilities that might be showing up on their platform. We can display those, look at them, and then have a plan on how to remediate those.
Adam
Okay, so we’ve gone through five different areas there and questions that developers typically want to know. Was there anything you think we missed for this one, or have we covered enough?
Gil
No, we’ve covered plenty. I think we’re all right.
Adam
Here for compliance software development, it’s an ongoing commitment. It’s required. We encourage developers to view compliance as an integral part of development and the development lifecycle rather than a one time effort. And the last thing to say there is, if you want to stay informed, reach out to us. Our website is hipaavault.com. You can ask us any questions that we might not have covered in the podcast at podcast@hipaavault.com. And that’s it for this episode. Until next time, thanks for stopping by.