On this episode of The Modern Practice Podcast, host Gary Tiratsuyan is joined by Adam Grantz, cybersecurity expert and Director of Enterprise Customer Support at Rectangle Health.
During this informative discussion, Adam dives into:
- The types of threats both large and small healthcare organizations face
- The risks and repercussions of a cyber attack
- And how to better protect your practices and patient data.
Learn more about how Rectangle Health’s security and compliance solutions can give you peace of mind and protect your practice and patient data.
Gary Tiratsuyan 00:21
Hello, everybody, and welcome back to the Modern Practice Podcast. Today’s episode is all about cybersecurity and protecting your practice and patient data, reducing risk of costly penalties and doing everything you can to avoid landing on a well-known government hosted list. I know this may be scary, but there are things you can do to gain peace of mind. And joining us to share insights, strategy and tactics to help navigate all things cybersecurity is Rectangle Health’s resident cyber guru, Adam Grantz. Adam, appreciate you taking the time being here.
Adam Grantz 00:56
Thank you, Gary. Thank you for inviting me.
Gary Tiratsuyan 00:58
The pleasure is all mine. And I’m excited to have the opportunity to connect. So, take me through your career journey. What interested you in cybersecurity, and have you always been in the space?
Adam Grantz 01:10
Well, I started with compliance services about 10 years ago, and I really started in sales, then kind of worked my way into the customer experience part of it. And I really didn’t have an interest in cybersecurity until I started dealing with incidents; I became kind of the first responder—the liaison between clients, the insurance, the IT. And when I saw just exactly what a practice has to go through when they’re breached, that’s when my interest in cybersecurity really, really grew. And then I just started researching and learning from there.
Gary Tiratsuyan 01:48
I’m no cybersecurity expert. And I want to start from the top and really give our audience a lot to digest here. So how would you define cyber risk and then cybersecurity?
Adam Grantz 02:01
Well, cyber risk means, you know… it’s all about protecting digital information. So, for healthcare, it’s protecting that patient information. And cyber risk just means your exposure to the hackers, the criminals that are out there. How exposed are you? Cybersecurity is everything you do to lower the amount of risk that you put yourself out to, and just to protect your office, protect your patients and stay within HIPAA compliance.
Gary Tiratsuyan 02:30
And as you mentioned, the risk obviously comes from the cybercriminals, people with malicious intent. Who are they targeting? And where does healthcare fall on that list?
Adam Grantz 02:40
They’ll target anybody they think they can get money from. But healthcare is really one of the most targeted industries that are out there. Healthcare practices—because of the amount of sensitive information they have, they’re very attractive to cybercriminals and hackers. And then they have to stay under HIPAA compliance as well, which makes them more likely to pay a ransom.
Gary Tiratsuyan 03:05
Makes sense. And are there levels to the damage that can be done by cybercriminals, let’s say, low impact to high impact?
Adam Grantz 03:14
Low impact would be one that’s very common, because it’s very easy for the hackers to do. It’s called an encryption hack. And that’s where, you know, the practice employees walk in, and in the morning, they can’t get into their computers, there’s a ransom message locking them out. But all the hacker has actually done is encrypted their password. They don’t actually have access to the patient info. Higher risk is when they are there in your system, and they have access to everything and they’re threatening to release it. You know, they’ve really kind of raised the stakes lately by publicly posting patient pictures and info, even before the ransom conversation even begins, kind of as a threat to what will happen if they don’t pay the ransom.
Gary Tiratsuyan 03:56
It seems very calculated and as I mentioned before, malicious. And just out of curiosity, without naming organizations specifically, do you have a few examples from within the healthcare space of cybercriminals doing this kind of damage that you just mentioned?
Adam Grantz 04:12
Last month alone, there were over 60 locations that were affected. And those are just the ones that have over 500 patients. Those are the ones that are publicly made available on the hhs.gov website.
Gary Tiratsuyan 04:27
That’s, as you mentioned, breaches affecting over 500 patients—smaller locations with fewer patients impacted are not on that list. So, what’s the after effect if a practice or an organization is impacted by a cyberattack, financially for the practice and then for the patients?
Adam Grantz 04:47
It’s really an invasion of their privacy and all their information. Health information is some of the most sensitive information there is, which could potentially be put out there. That would open up the practice to lawsuits potentially. For the practice, it’s really about the loss of business they’re going to have while they’re trying to get back up and running, whatever the costs are for new hardware, their IT costs, things like that, as well as the cost if they have to pay the ransom. That’s going to be in cryptocurrency, but it’s usually a couple hundred thousand dollars.
Gary Tiratsuyan 05:24
Just trying to figure out how to manage all that, how to pay the ransom and deal with it, is just mind boggling to me. And a few more questions before we get into how to avoid all this. Let’s talk about that list practices must do everything they can to avoid landing on. What is it, and where can our audience find it?
Adam Grantz 05:47
So that is hhs.gov—the Health and Human Services website, and just search breach report. And it is right there. It’s again, publicly available. If a breach affects more than 500 individuals, you not only have to notify those individuals, you then have to notify the government, as well as put a message on your website, basically notifying the world that has happened.
Gary Tiratsuyan 06:11
That could potentially scare off new patients, patients that are just browsing through your website, whether they’re scheduling an appointment or paying a bill, what have you. It could just potentially lead to really longstanding damages. So, with that list, what does it publicly disclose?
Adam Grantz 06:29
So, it’ll have the name of the organization, the state that they’re in, the number of individuals that were affected, and then the type of breach. So, as we discussed, it could have been an encryption breach, or it could have been something else. So those are the details that we’ll have. And then again, going into any of those locations, you’ll see all the details on their websites.
Gary Tiratsuyan 06:52
I want to take a step back, because we’ve spoken about organizations with impact to 500-plus patients. And I think there’s a misconception that it’s only larger organizations that are targets for cybercriminals. And that’s clearly not the case.
Adam Grantz 07:09
Correct. Yeah, it’s really kind of split in half. But the smaller or middle-size practices… those are equally targeted by the cybercriminals. The larger organizations, they’re going to invest a lot of money in their cybersecurity. So, while they may be attractive in the sense that you can probably get a bigger ransom out of those, they’re much harder to infiltrate. Whereas the small practices, the medium-sized practices, they’re really not ready for this.
Gary Tiratsuyan 07:40
And speaking to that, I want to talk through what can be done to avoid this chaos and this disaster. Can you take me through some of the necessary steps that can be taken immediately, by practices and larger healthcare organizations?
Adam Grantz 07:55
Absolutely, yeah. You should always be monitoring your systems. You should always be maintaining an active antivirus, an active firewall, and again, monitoring all the time. And staff training, as well, is something that cannot be undervalued. As sophisticated as these hackers have gotten, the number one way that they get into a system is still user error. It’s still somebody in the practice clicking on the wrong thing in an email or website. So, the training and the policies that they are required to follow, by having that be a consistent, year-round thing—that’s the best way to protect yourself.
Gary Tiratsuyan 08:37
Great insight, and I just have to think with ongoing staffing shortages, retention issues, wearing multiple hats for the existing staff managing payments, communication, billing, follow up calls, all the above… with this new onboarding, constantly bringing in new staff, you can assume that these people are trained and ready to look out for what’s potentially a threat. So, I think it’s super important to keep top of mind and build a healthy habit of keeping an eye out for these potential risks.
Adam Grantz 09:11
It’s really a requirement. If you’re going to run a business, especially a healthcare business, you have to take this into consideration.
Gary Tiratsuyan 09:20
And there’s just some things best managed by outsourced parties. If you’re not an accountant, don’t do your taxes. And if you’re not a cyber expert, bring somebody on that is an expert, because there’s too many risks, too much potential for major hits to business. And really the most important thing is that it’s potentially stalling patient care. Right?
Adam Grantz 09:43
Right. Yeah, we talked about the amount of risk that could happen, and it’s really the risk that it poses to you, your reputation, that could be so much worse than the financial piece. And yeah, healthcare doctors, dentists, office managers—their job is to focus on the patients. They can’t be a full-time IT and a full-time compliance consultant, in addition to doing what they need to do for their patients’ healthcare.
Gary Tiratsuyan 10:10
I agree. I know you’re extremely busy. But before we wrap up, I just want to thank you for taking the time. Again, I think this was really insightful. And I’m looking forward to having you and your team on an upcoming episode so that we can dive deeper and connect again in the near future.
Adam Grantz 10:26
Absolutely. Yeah. Yeah, this was a lot of fun. Thank you, Gary.
Gary Tiratsuyan 10:30
You got it. And for our listeners tuning in today, if you have questions about cybersecurity compliance or want to have a discussion to see where your practice or organization stands as far as risk, I’ll have a link in this episode’s description to schedule a time with an expert that can take you through all of the needed steps to avoid landing on that list, to avoid losing potential patient data, having to pay ransoms. I highly recommend taking this important step to protect your practice, and your patients. And as always, we want your feedback. Leave us a review. Send us your comments and questions. And be sure to like and subscribe, as we’ve got a lot more valuable information coming your way from experts in the industry on the Modern Practice Podcast. Thanks for tuning in. Till next time, everybody.
Editor’s note: This interview has been edited for length and clarity.