Archives For healthcare

In case you missed my recent interview with Marc Haskelson

Here’s a short clip on the difference between security and compliance (Specifically HIPAA, but Marc’s answer applies to just about every compliance regulation I can think of – PCI, GLBA, SOX, etc.). The gap is big and healthcare companies are paying for their lack of knowledge on this subject! When there’s confusion in the marketplace, there’s also opportunity. You can learn more about how to tap this market right here.  Just click the Compliancy Box.

© 2015, David Stelzl


HIPAA Isn’t Helping

If You Want To Help Shore Up Security, Start With HIPAA

As I mentioned in yesterday’s post, I’ll be interviewing Marc Haskelson later today, Founder and President of The Compliancy Group. He didn’t write the HIPAA requirements, but he understands them, and knows which of your clients need HIPAA.  He also knows where it falls short.

HIPAA Is Not Security – It’s A Government Law

Do you know what HIPAA stands for?  Google it and you’ll come up with more than one answer…if you’re going to bring it up in a meeting, make sure you know.  Here it is: Health Insurance Portability and Accountability Act. (Note, it’s not the information portability act, and it’s not HIPPA).

It would have been great if the authors of HIPAA understood technology and security. The fact is, many of your clients either require HIPAA compliance, or will in the near future. The problem is, “HIPAA isn’t helping” healthcare security according to Gary McGraw, CTO of Cigital (a leading software development firm headquartered in Dulles, VA.)  If you’ve read my book, The House & The Cloud, 2nd Edition, you know I agree.  There’s a large chasm between compliance and security, but regardless, HIPAA is required.

In a recent study, “Healthcare overwhelmingly scored lower than financial services firms, ISVs, and consumer electronics firms, which include some Internet of Things providers.” according to Kelly Jackson Higgins, in an article posted on DARKReading.

As McGraw states it, “All [HIPAA] did was increase bureaucracy and the tiny print stuff handed out each time you go to the doctor. It over-focused the healthcare domain on privacy and patient privacy data, which is an important thing. But there are many other aspects of security that have little to do with privacy.”

The real problem with HIPAA is it has given doctors a false sense of security. In a recent healthcare conference I spoke at, every session that had something to do with security was all about HIPAA. When I gave my presentation, I started by asking the audience to forget about HIPAA for just one hour, and listen to what it means to be secure.  The response was one of surprise. No one had ever told these people that data, governed by HIPAA, was still at risk.

Over the past year we’ve seen numerous companies attacked, regardless of their HIPAA compliance efforts. To name just a couple: Anthem and UCLA Health come to mind.

I have a colleague who recently took a job with Websense.  This year they published a study showing healthcare organizations are being hit 3 or 4 times as often as other firms by cyber attacks. Forbes noted in a recent article that healthcare data is worth 10 times that of credit card data on the black market.  A Trend Micro study shows that “nearly 27% of data breaches reported over the past decade occurred in the healthcare sector, and healthcare was the hardest hit by identity theft in the past 10 years, with 44.2% of those cases caused by insider leaks,” (Cited by the DARKReading article above).

Here’s The Problem

People think they are secure when they are compliant. HIPAA requires so much paperwork that the security issues get lost in the process. The financial companies know they’re a target, while a recent survey published by Trustwave reports that healthcare IT professionals don’t.

How can you get involved? First, where there’s a problem, there’s an opportunity.  I’m interviewing Marc today to get a better sense of what HIPAA really requires, and to show technology resellers how to get involved. Healthcare companies and their third-party providers both need help as well as education on HIPAA. The House & The Cloud Message was extremely effective in the healthcare conference I spoke at. For the first time their eyes were opened, and they saw the need. This kind of education opens doors of opportunity that are both helpful to your clients and profitable to your business.

Here are two things you can do…

First, visit the Compliancy Group Site to get more information on how to become a HIPAA Security Provider. Marc will do everything he can to help you get up and running with minimal time and investment.

Second, enroll in the Security Sales Mastery Program – If you qualify with one of the many sponsors supporting this program, I can get you a free seat (Normally $450).  Contact me and we’ll find a way to get you into the program.

© 2015, David Stelzl

HIPAA Is Important!

Tomorrow I will be interviewing Marc Haskelson, President of The Compliancy Group.

Marc’s team works with technology resellers to address HIPAA in the small and mid-size markets, providing tools and professional services to take your clients through the process. Tomorrow’s interview will not be broadcast to the public; it’s an exclusive session for the SVLC Insider’s Circle. However, you’ll want to download some information if you are doing anything with Security or Managed Security Services.  Here’s the link to learn more:

Find Out How You Can Get Paid to Help Your Clients Become HIPAA Compliant

© 2015, David Stelzl

Healthcare Records Can Be More Valuable to Hackers Than Your Credit Card Number…

On the day JP Morgan announced the theft of 79 Million account records, I will be presenting a keynote on healthcare security at the annual 3T Systems Healthcare Summit, in Avon Colorado.

My heading – “Healthcare Records Can Be More Valuable Than Your Credit Card,” comes from a Sept 2014 article from Reuters. While the full details on one’s financial account information is worth quite a bit, card numbers and names have become a commodity.  That doesn’t mean hackers don’t want them. They do.  When a hacker steals 56 Million from a POS system, there’s money to be made.

But Healthcare records, containing names, birth dates, social security numbers, and medical history are worth about $10 per record. So when Community Health Services announced a 4.5 Million record breach earlier this year, you can believe the hackers are doing pretty well.  And there’s no federal tax to be paid on the resale of this information.

Other important sound bites:

  • Medicare fraud over the past year is up to $6 Billion. Who is going to pay for that? You and I will.
  • 40% of healthcare companies have reported a breach over the past two years according to a recent threat report.
  • 90% of healthcare cloud services are hosted by companies with a medium or high risk rating.
  • The FBI tells us medical security is weak and it may take years before a victim catches on.

What Will Hackers Do With All This Data?

They’ll resell it of course. There is the threat of someone misusing this information on purpose for extortion purposes. And there’s that risk that data could leak out, exposing someone in a way that would harm their reputation. But the real threat is fraud. When Community Health Services was hacked, China was blamed. Why would the Chinese want this data?

Healthcare data is primarily used in two ways. The buyer will use it to buy expensive medical equipment that can then be resold – such as expensive motor scooters. The other scam is to file fraudulent medical claims. When this happens the victim will likely start getting medical bills that aren’t theirs.  Trying to fight this won’t be easy if you’ve ever had to deal with bill collectors.

All of these costs will eventually be passed onto us as consumers and tax payers.

The Key Problem

The problem is HIPAA.  I don’t mean that the HIPAA laws create a weakness. What I do mean is that they have pulled everyone’s attention toward compliance laws requiring a lot of effort to keep up with – but don’t necessarily lead to security. Take the assessment requirement for instance.  Doing automated pen tests is something every company should do, but in my opinion it’s hardly an ethical hacking test.  All it does is expose major weaknesses in the systems that are scanned.  It does nothing to combat the social engineering tactics that hackers will actually use.

Thanks to 3T Systems for hosting this informative event, along with their partners including Check Point and Citrix.

© 2014, David Stelzl

How will you get to the right people?  This is the question every sales person should be asking and it seems to be the focus of just about every sales training program or methodology.  Several years ago I had been working to get a meeting with a large healthcare organization in the southeast.  Our team had successfully met with the IT people several times and had established fairly good rapport; however, sales were slow in coming and budget seemed to be our primary obstacle.

Our strategy was to land a meeting higher in the organization where perceived business value might move some budget our way.  Finally, I was granted a meeting with the Vice President of Operations.  This person had the authority to approve money and would certainly be central to a successful proof of concept or pilot type project.  Our meeting started with the Vice President showing up late, but we were ready with our list of promising questions and discovery skills.

After an initial greeting and introduction, I launched into my “solution selling discovery process.” Giving me just enough rope to hang myself, our VP prospect answered the first question.  But as soon as I began presenting my follow-up question, he looked over at our IT advocate and roared, “I thought you said these guys had something important to share with us.  So far all I’ve heard are a bunch of open-ended sales questions.  What is the purpose of this meeting?”  How do you recover from that?

There are all kinds of tricks and strategies for getting that meeting at the top. However, in my experience, this is not the real challenge.  The real challenge, which is not adequately addressed in most sales books, is that of building peer level relationships at the executive level.  We have all gotten the “Big” meeting at some point in our lives, but how many are consistently staying at this level after the first meeting?

© 2011, David Stelzl