In this episode of the Post-Acute POV, Navin Gupta, SVP of the Home and Hospice Division at MatrixCare, sits down with Todd Friedman, Chief Information Security Officer at ResMed, Brian Tolkkinen, Director of Information Security at MatrixCare, and Stephen Squires, Director of Information Security at Brightree, to discuss the non-negotiables related to information security every provider should have when engaging with digital healthcare. Discover best practices for creating and maintaining an effective security program and tips to keep your data and information secure.

To properly protect your organization’s information and ensure compliance with regulatory and industry requirements, it’s imperative to have a strong security program. Listen in as our guests dive deeper into what providers should look for when creating their own security strategy and the importance of prevention, response, and recovery while responding to inevitable security incidents.

Links mentioned in the episode

Shop Safely | CISA

Scams and Safety | FBI

2-Factor Authentication

What we covered in today’s episode

  1. Many organizations and individuals are susceptible to falling for scams, particularly during the holidays. Guide us through some gotchas, tips, and awareness that people should be taking note of.
  2. Todd, as the leader over this function, would you mind just framing up the focus areas, and then we’ll talk about how you deal with security incidents?
  3. What is a security incident?
  4. Steve, I know we’re talking about prevention, response, and restoration regarding security incidents. What about the aspect of prevention, in particular? How do you view this?
  5. In terms of governance, what are some things we should be paying attention to?
  6. Testing is an important part of protecting digital data. Steve, you are actively involved in testing information security practices, can you tell us more about this?
  7. Once you have prevention measures in place, inevitably something happens, and we need to get into response and restoration. Share with us what that means and what that looks like.
  8. If we do report an incident, from a governance standpoint, what does that response look like?
  9. Very briefly, if I’m a care provider and I want to get a security program kicked off, what are two elements that you would prioritize and say pay attention to this?

Disclaimer

The content in this presentation or materials is for informational purposes only and is provided “as-is.” Information and views expressed herein may change without notice. We encourage you to seek, as appropriate, regulatory and legal advice on any of the matters covered in this presentation or materials.

Transcript

Speaker 1:

Hi, and welcome to the Post-Acute Point of View, our discussion hub for healthcare technology in the out-of-hospital space. Here we talk about the latest news and views on trends and innovation that can impact the way post-acute care providers work. And we take a look at how technology can make a difference in today’s changing healthcare landscape in both home-based and facility-based care organizations and the lives of the people they serve. Today, we hear from Navin Gupta, Senior Vice President of the Home and Hospice Division for MatrixCare, and his special guests. Let’s dive in.

Navin Gupta:

My name is Navin Gupta. I am the Senior Vice President and Division Head for the Home and Hospice Division here at MatrixCare. Welcome again to another episode of the Post-Acute Point of View. This is our MatrixCare podcast. The topic for today is going to be information security, a non-negotiable in digital healthcare acceleration. And this happens to be part two; if you have not had an opportunity to listen to part one, I highly encourage you to go and subscribe to the podcast and listen to it. We had just a great session where we discussed various topics, topics around what makes a great security program, governance, vulnerability management, and compliance. And we are pleased to be hosting back again three experts in the area of security. The first of whom is Todd Friedman; he is the Chief Information Security Officer at ResMed. We also have Brian Tolkkinen, he is the Director of Information Security at MatrixCare, and Stephen Squires, he’s the Director of Information Security at Brightree. Welcome again to the three of you.

Todd Friedman:

Thank you.

Brian Tolkkinen:

Thank you.

Stephen Squires:

Thank you.

Navin Gupta:

So security is a very wide topic, and I know we were not really able to even scratch the surface in part one. Today, we will focus on three broad areas. The first of which is, we’re in the holiday season, scams are all around us, but it gets sort of amplified during this time. We will also talk about security incidents and incident responses. And then if we have time, I’d love to be able to do a lightning rapid-fire round with our guests as well. So, Todd, I want to begin with you. It’s not just healthcare organizations, but many organizations and individuals are really susceptible to falling for scams, and particularly during the holidays. Guide us through some gotchas, and some tips, and awareness that people should be taking note of.

Todd Friedman:

First of all, thank you for the opportunity to speak with you again. We had so much fun in the first session and we’re really excited to have a second opportunity to talk with you, but yes, this is a very busy time of year for attackers and for criminals. And it always has been, you know what I mean? Traditionally, people are more susceptible at the holiday season because they get a lot of personal email that they’re expecting. It’s a question of statistics, right? That people are expecting emails from FedEx, or UPS, or DHL.

And so this year is going to be even more challenging, and 2020 has been a challenging year in so many ways. You can’t even count them all, but the holiday season is going to be even tougher because so many regions are shut down and in-person shopping has been reduced. So online shopping is going to be even bigger. So just a couple of examples, and you’ve seen these, I mean, you’ve either seen them in the news as things that have worked as breaches or you’ve even seen really suspicious emails coming to you or texts, things like a FedEx notice that your shipment has been delayed. And again, if you’re in a hurry and you’re expecting that, you may click on that link to get more information, or Amazon, or other online retailers, but there are things that we can do.

            Attackers are opportunists and they look for easy ways to steal money, just like a criminal with a gun, but they have anonymity. So one of the things that I like to do is think like a hacker and I recommend this of everybody, and you don’t have to have a lot of skills, you don’t have to have engineering skills to think like a hacker, just step back for a second and say, if I was a hacker, how would I try to steal information? What types of things might look legitimate to them? And I think it’s a really interesting exercise and if nothing else comes out of it, I think that you’ll be more conscious about changing your passwords, about really reading emails before you click on things, or looking for suspicious activities. One thing about people trying to take advantage of us, it can be really, really subtle. I mean, it could just be a feeling, and Navin, you’ve probably had this feeling, looking at an email going, something’s just not right here.

Navin Gupta:

Yes.

Todd Friedman:

It’s just fishy and you can’t necessarily put your finger on it, but you know that it’s suspicious, definitely stop and take a deeper look at that and see if you’re right, right? You don’t want to make the mistake. And then other things can be so obvious, even some of the phishing tests that we do, we’ll have misspellings or really obvious fake URLs, but hackers, this is a business for them and you’re not going to see some of the dumb mistakes that we’ve seen in the past like misspellings. Phishing emails are getting really good. I like this analogy of a house, of trying to protect your house and there’s so many things that you can do to lock it down, but the fact is, if somebody wants to get into your house, they’re going to get into your house.

            And so it’s not necessarily a question of being totally secure. It’s more a question of just being more secure than your next door neighbor. I know that sounds really cold, but you want to be a less desirable target and so there’s things that you can do. As I was thinking about this, I thought about COVID-19 as I do pretty often.

Navin Gupta:

Yes.

Todd Friedman:

And we’ve been getting the same advice all along, wash your hands, socially distance, wear a mask, over and over again. Right? And I saw a post from a CEO, he went back to the influenza of, what, 1919? And to look at how they handled Spanish Flu, and he said what he found was notes saying socially distance, wash your hands, and wear a mask. It’s just age-old advice, and so some of this is going to sound redundant, but some simple tips that you can do to harden your house are: don’t reuse passwords for different accounts, try to have unique passwords, change your passwords occasionally because passwords do get stolen, you do see breaches, huge breaches sometimes. And if they get your password and you’re using it elsewhere, or even using it on the same account, you’re at risk.

            Many popular sites now make multifactor authentication possible and that is having a second form of authentication. So like for me, I use it on my cell phone, so if I want to log into a sensitive account, I have to go in and do a second factor and click on something. Password managers are great and really inexpensive and we highly recommend those. We make them available to everybody for free at ResMed because we think it’s such an important control. Also just using good computer hygiene and device hygiene, keeping your software up to date, use paid antivirus solutions. I know it seems like an unwanted expense, but you really need to have antivirus to help protect you.

            And also make sure that you have backups and that they’re restorable. You hear a lot about ransomware and the best way to defeat ransomware is to have backups available. But one last thing, and especially going back to the idea of this being the holiday season, during the holiday season or definitely after the holiday season, you might want to take a look at your credit report and your banking information, and just look for any suspicious activities, and if you find them, report them immediately. You can often get money back. You can often help them catch the people who are committing crimes if they have good notice.

Navin Gupta:

Wow, Todd, I feel I should be paying for such great advice being offered here, and a lot of it just resonates if you think about passwords and password reuse. Wow. I think a lot of people are… It’s going to hit them because it’s very, very common, to your point about being able to use password managers that automate the process and really give you the technology and the tools to do it. Your thoughts and ideas around multi-factor authentication: it is becoming more and more common, but really take advantage of that. Very practical in terms of keeping your systems updated is very helpful as well, and backups. I think everything that you touched on truly resonates, and it’s just like any good counsel that we receive, eat healthy, maybe do a little bit of exercise, it’s that discipline to really execute on it. So thank you. This is very, very helpful.

Todd Friedman:

There’s a couple of good sources of information that we can share too.

Navin Gupta:

Okay, yeah.

Todd Friedman:

There’s a government organization called CISA and they’ve got a website set up specifically for shopping safely. And so it’s just a couple of vignettes, a couple of tips and tricks, and also the FBI has a sub-site called Scams and Safety. And so if you’re interested these are really good sources of information and they’re free, and so I’d highly recommend them.

Navin Gupta:

That’s great, Todd. When we post this podcast on our blog we’ll make sure that we include these links as well, and I think that will be great. There’s a lot more we could talk about there. I want to really get to security incidents and incident responses. And I know Brian and Steve play a very important role within the organization. Todd, as the leader over this function, would you mind just framing this up for us as to what their focus areas are, and then maybe we’ll deep dive a little bit more and talk really about how you deal with security incidents.

Todd Friedman:

Yeah. No, thank you very much for that question. Information security as a field is so broad and people might think that it’s all about engineers and that you have to be a programmer or an ex-hacker, or very technically astute to be in security, but the fact is there’s a lot of different requirements and a lot of skills. And one thing I love about security is that people can really play to their strengths and their interests, and incident response is a really good example. And we talked about this session before and it just made me smile because Brian and Steve are so amazing at what they do and what they do is so different.

So I think this is going to be pretty interesting because Steve is an engineer and an analyst, and Steve, correct me if I’m wrong, you would rather do nothing but try to reverse engineer malware, and try to protect things, and set up honeypot traps on your home network. And Brian, you are so great at governance. As a matter of fact, you’re getting your master’s degree in healthcare law.

Brian Tolkkinen:

Right.

Todd Friedman:

And so much less technical than Steve and in our environment we have a need for both. And so I think this next conversation is going to illuminate how different that is, and how different these guys are, and also how valuable it is, and why you need both.

Navin Gupta:

Todd, before we deep dive into it, just for our audience, could you frame up what a security incident is?

Todd Friedman:

So any event where your system may have been breached and it doesn’t necessarily have to be an actual breach, just some suspicious activities where it looks like somebody might have had access to data, might have had access to a system, or if you’re even just seeing strange behavior on a system, you want to make sure that it’s not security related. So at those points you would want to engage with the security teams to start investigating and very early on. And we treat it very seriously, we try to pull together a team of experts and really find out if we have a problem or not. That’s the first thing that we want to do, but that’s what Steve and Brian will talk about.

Navin Gupta:

That’s great. Thanks for helping us understand that a little bit better. So I know when we talk about incidents and incident responses, we’re talking about really, sort of, three categories around prevention, response, and restoration. So Steve, let me begin with you. I know we’re talking about prevention, response, and restoration with regards to security incidents. Technically, let’s talk about the prevention aspect. What can you inform us about how you view this?

Stephen Squires:

Sure. So I’ve got some key points when we talk about prevention. I mean, everybody wants to prevent an incident from happening from the smallest one to the largest one. The whole idea is to protect those borders from bad actors getting in, but not only that as Todd alluded to there, I mean, security awareness training is huge in prevention, which you don’t think of. You think of putting a tool or a piece of software in there, but I mean the first, most important one is that security awareness training, right? You need to train your frontline defense, which are your employees and contractors, right? So anybody that has an email address, a company email address needs to have that security awareness training so they know how to deal with those phishing attempts. Most importantly, that’s kind of a key thing today. Why try to hack somebody’s password when you can ask them for it? Right?

Navin Gupta:

Yeah.

Stephen Squires:

So that is really important to have them understand how critical and how badly they want you to click on that button. They want you so bad to either download that piece of software or log into a portal that gives them your username and password to your email system, so that’s one critical piece. Also, then we move to kind of the technical software bits, so endpoint detection and response software. There’s lots of them out there, but if somebody does happen to click on something and a malicious piece of software executes, you want the system to go, “Hey, that’s odd. That’s different. That’s not something I usually see. I’m going to flag that and kind of raise some bells about it to help try and catch that before it becomes a problem.” When it comes to ransomware, I mean, a couple of seconds after that executes, that’s it you’re done. Right?

All of your software now on that computer and anything attached by a network drive is encrypted. So getting this stuff caught at the onset is really important. Falling in line with kind of standard practices is patching; you hear me say that all the time, even on the last podcast. Patching is so important, getting the operating system and third-party software updated, and there are always patches. And I mean, you’ve got Microsoft Patch Tuesday, that’s been around forever, and you need to get that, keep that software updated and patched so that bad actors have a smaller window of opportunity to get in there and get a foothold on a system or on an entire network.

Navin Gupta:

Steve, really the points that you made resonate, and not only just resonate, but they’re something that an organization should be paying attention to. So really training, using early detection or endpoint detection, and then patching, or just keeping your systems up to date as well, and so that’s sort of the cornerstone around prevention. Brian, in terms of governance, just a different angle to this, again around prevention, what are some of the things here that we should be paying attention to?

Brian Tolkkinen:

And some of the audience may be familiar with other similar models that break down the incident response phases differently. I like this one for our purposes here because of its conciseness. It lends itself well to our limited time: prevention, response, recovery. And I think that as we’re talking through this, we will likely spend more time with the prevention phase. And I think this is natural because in practice, if we’re putting more time and investment here, and being proactive, and doing it well, then the subsequent phases are going to go much smoother when an incident does happen. And with that, we can significantly limit the impact and cost to everyone involved when it does happen. So continuing with prevention, Steve, there’s a lot of overlap in how you and I think about this naturally. You talked about training; where your mind quickly goes to specific technical solutions, I’m initially thinking more about prevention or readiness in the sense that we want an effective policy in place to make sure that we’re implementing an incident response program that meets the needs of the business and our customers.

We also need an effective business continuity policy and a disaster recovery plan, so that in a disaster scenario, if things get that bad, we’re able to recover within a reasonable timeframe. In some cases, this might involve the failover to services running at a remote site and then fail back to services running at the primary location when we’re back to normal steady state. But along with all that, we also need, very importantly, a computer security incident response procedure. So this is a key document that kind of guides our activities throughout the incident response process. And in this document, we have specific roles defined for the incident response team. We have guidelines for categorizing different types of incidents and risks. We have guidelines for communication and escalation within the organization.

            And Steve will talk a little more about the incident response procedure in a minute when we talk about testing as well, but you think about all that documentation involved, of course, in addition to all that, we need to have an effective and trained incident response team, right? We actually need people to do the work.

So just to give an idea of the variety of roles and areas of specialization needed on an incident response team, these can range from a scribe or a note taker who helps track and document the details during a meeting or the series of meetings that take place throughout an event, especially important when dealing with larger events; we have the incident response manager, the person who acts as kind of the central control point and who facilitates communication and activities across teams. We have forensics experts, the individuals who are going to be combing through the environments and the logs to find indicators of compromise. Of course the legal team is always involved for oversight, and then we typically have a number of subject matter experts who have intimate knowledge about our environments and services and who can help with the risk assessment and with fixing the issue ultimately.

And some of those roles involve specialized, ongoing training and even certification. Just some examples of certifications held by our team members are Certified Information Systems Security Professional, CISSP, that one is pretty well known; GIAC Certified Incident Handler; healthcare compliance certification; and ITIL certification. So along with policy and procedure and having a trained team, we also need to be sure that we have the proper third parties available to support us when an incident happens. So we need agreements in place with key organizations to be effective, so these would include outside counsel to help with legal assessment, a firm that specializes in security forensics investigation. So we may have them take over the investigation for indicators of compromise and help make sure that the chain of custody of the evidence is maintained throughout the event.

And then also, as one last example, our insurance provider is key for a number of reasons, obviously, but when an incident happens, we may need to contact our insurance company to make them aware of what is happening, what we’re doing about it, and they may be able to help coordinate other third-party resources as well. So with all of that said, hopefully the audience gets the sense that incident response can involve many people, multiple internal teams, multiple third parties, and a lot of moving parts that need to be coordinated when a serious incident does occur, which brings us, I think, to the importance of testing the machine before something bad happens. So that when it does happen, we’re sure we’re going to be able to fire on all cylinders. And again, if we do a good job in the prevention phase and the readiness aspect, we’ll be able to limit the impact and cost to everyone involved when it does happen. So testing is an important part of this and Steve, you and I are both actively involved with testing. What are your thoughts on this?

Stephen Squires:

One really important part of this is tabletop exercises. So getting the group of people responsible in these situations together, and then going through some mock incidents. So ransomware a big, huge important one. One of the big things with these tabletop exercises is having people really think through this as, “Okay, guess what? Bang, we just lost an entire office, everything’s encrypted. What do we do?” A lot of people, especially in their day to day on the IT side and in different departments, don’t really think of that kind of stuff. And then when they get plopped into a scenario like that, they’re like, “Whoa.” Every time we run these internally, people go, “Thank you. I didn’t even think of some of that stuff of some of the issues and challenges we would have if something like that happened.” And a lot of people come away with a huge laundry list of things that they need to go back and find out. Right?

            So a couple of key things when it comes to tabletop incident response exercises is having predefined roles. Who does what? So you don’t want people running around with their hair on fire when an incident happens for real, you need to have people understand what role they will play. You have scribes like Brian suggested, you also need communication channels to understand when and if you need to talk to legal and privacy, depending on what type of incident that is. Supply chain contacts, you don’t want to go looking through emails trying to find a critical vendor or somebody else that you need to get in touch with at the time of an actual incident, because as I mentioned earlier, when it comes to ransomware, your stuff’s getting encrypted very quickly. Logistical things too, how would you disconnect the computer or a network from the corporate network? That’s not an easy task in some aspects. So having the knowledge to, okay, here’s what I would need to do in that incident, those are key things to know before hand, before you really need to know.

Navin Gupta:

Yeah. Wow. It’s such a broad, I think Todd started this in his opening remarks about security, it’s so broad, it’s so many roles, so many elements to it, even just getting an appreciation, Brian, what you shared about the roles and the number of sort of actors that are involved both internally and externally, and having documented plans in place, and being able to do mock incidents, and being able to do testing. It almost feels like security sometimes is in the backseat, it’s looking behind, people don’t really know so much that goes into it in terms of preparedness and readiness there. I know I’m finding myself just listening to the two of you, getting educated and saying, wow, I’m just thankful for having the maturity and the depth within our organization so that we can take care of not just internally, but ultimately we’ve got 17,000 facilities that we serve and thousands of home health and hospice organizations, and you’ve got data, and just being aware of all of this is just amazing.

Let’s move on to, we’ll combine just response and restoration. And Steve, I’m going to just ask you to continue. So you’ve got all of this prevention, inevitably something happens and we need to get into sort of this response and restoration. Talk to us a little bit technically, what does that mean and what does that look like?

Stephen Squires:

Sure. So, and this is kind of, as Brian mentioned, there are so many different ways to slice and dice these different things for incident response, but the response is so important. I mean, how you respond to an incident is critical. I mean, it shows your customers and investors how prepared you are and can determine the difference between a potential small issue or a major one if it takes too long to execute. So when it comes to, there are various ways and various methods you’ll get these kinds of information that there could be an issue. So as I mentioned, those EDR tools are running on those endpoints or firewalls. Unusual activity, those are the key things that you’re going to have detections for, or from employees as a part of that security training that they got, “Hey, I just got a weird email. I didn’t click on it. Here’s what I saw. It could be a coordinated attack.”

            And then also you’re going to get issues from customers and partners too. So some of this may be noise, but you need to respond and look at it nonetheless, and determine based on your incident response plan and your runbooks what processes do you follow to address and decide is this an incident or is it just a false positive? So when it comes to the runbook executions, security engineering side, their technical expertise will be used to provide kind of initial forensics and support for those different systems.

Navin Gupta:

Brian, again, from a governance perspective, you started crafting quite a few things. So again, we do have a reported incident, from a governance standpoint, what does that response… And I know there’s documented plans with the rules, talk to us a little bit about response and then restoration as well.

Brian Tolkkinen:

Right? Yep. And so to give some insight into what I’m going to be doing during the incident, that may be helpful: I’m the person who typically functions as incident response manager during the incident. So I’m primary for facilitating communication and activities across the organization and teams. So during an incident, I’ll be communicating upward to senior management at the appropriate times, to give them an awareness and to get any assistance we might need. I’m also going to be working directly with legal on formal risk assessment. And the risk assessment itself is, our approach is based on NIST, the federal agency NIST, N-I-S-T, their risk assessment methodology. So we’re going to weigh likelihood of unauthorized access with impact or potential impact to our organizations to come up with an overall score. And then we also factor in Health and Human Services guidelines for determining whether a breach has occurred.

Navin Gupta:

Right.

Brian Tolkkinen:

So the assessment is key; it is conducted, initiated very early in the incident response process, and then it is updated continually throughout the incident. And that assessment is also key input when preparing customer communication, so if an incident has resulted in damage, corruption, or loss of system availability, clients are going to be notified. They’re going to be aware of it very early on and kept updated via our normal customer support procedures and communication channels, but customers will also be formally notified in every case, according to HIPAA requirements. So we provide formal written communication within the notification timeframe as defined in our business associate agreements that we have with our customers. So I’ll leave it at that and turn it over to Steve to continue.

Stephen Squires:

Thanks Brian. So depending on kind of the environment and the nature of the incident, I mean, you may need to invoke a DR plan, right? So if it’s a production issue as opposed to an office, you may need to declare an actual formal, full incident and then execute a disaster recovery plan and fail over to a secondary site.

Navin Gupta:

Sure.

Stephen Squires:

And continue on as normal with those maybe degraded services, depending on what’s set up in that kind of secondary DR site and that’s kind of the key.

Navin Gupta:

Yeah, so it sounds again like it’s a combination of, obviously there is management, and oversight, and governance really, as Brian, you talked about it, and certainly there are a number of things that happen from a technical standpoint as well. This was great and we’ve covered sort of two broad topics: one, Todd, you talked about just scams and just general awareness, and hygiene, and good protocols that we should be using. And the second is really something many, many organizations should be maturing and having in place before they really have an issue within the organization, and I think that segment is going to really help.

            I know there are a number of providers within our community, both large and small, and some of the larger ones have got great depth and maturity in what they do. There may be smaller ones, smaller providers that are getting started on this journey, we’ve never done this before, but we’re going to do a very quick lightning round with the three of you. And so very briefly, or maybe under a minute each, I’m going to ask if I’m a provider and I want to get a security program kicked off, what are sort of two elements that you would prioritize and say, hey, pay attention to this? So Todd, I’m going to begin with you.

Todd Friedman:

Well, thank you. The first thing that I think is critical is a people thing. It’s not a technical solution. And I think that the organization has to really want to have a program and be willing to invest in it, so I think executive leadership is critical. I’ve seen situations where I didn’t have the support I needed. Just quick example, I asked the CFO one time if they would support a security control that I wanted to put in place for executives. And this was at a different company, in a different industry, his response was, “I’ll support it until one of the division presidents pushes back.” And what I realized is that I didn’t have the executive support I needed to be successful, so that would be number one. And part of that too, is having somebody, a management person that’s responsible for security like me, or like Brian, or like Steve.

The second thing, and I think if you don’t do this there’s almost no point in having a security program, is just having good, basic hygiene, just having your systems patched, having them be as secure as possible. And so many companies don’t take care of that and then they’ll put sophisticated controls in place that almost don’t matter because there’s so many ways into the network and to the data that they’re not taking care of, so that basic hygiene would be my second.

Navin Gupta:

That’s great Todd, two very good points. Again, you want champions within the organizations that support it, you need the right people that are going to be responsible and accountable, and then obviously just you need to have these systems and processes to do hygiene, good hygiene in terms of security as well. So Steve, let me ask you the same question. What are the two elements that you would pick?

Stephen Squires:

Sure, thanks. Complementary to Todd’s comment there, I think you need top level executive support, but then you also need it to be… security needs to be commonplace in the general employee population. They need to understand the importance of security and of feedback, and the whole security awareness, right? Just in general of having all of your employees understanding the importance of security, that the leadership supports it. So that’s reinforcement to the employees that, “Hey, if I see something, I need to say something and I need to follow the proper policies and procedures that are laid out.” Right? And then vulnerability management is another key important piece that, a couple of things as I mentioned earlier, about patching and things like that, but you need to know where your risk points are, and know where those critical pieces lie, and make sure that they’re monitored, and patched, and managed.

Navin Gupta:

Yeah. I’m going to put your first bucket in the education and just the awareness piece where right through the organization that we’ve got this level of training and education, and the second is sort of this, not surprising, you’re talking about technically being able to manage the barest vulnerabilities that might be within the system. How about you, Brian?

Brian Tolkkinen:

Yeah. So it was fun to hear what Todd and Steve’s take were on this. Mine’s a little-

Navin Gupta:

You cannot pick their options. You’ve got to have [crosstalk 00:29:09].

Brian Tolkkinen:

Shoot. Okay, well then I will focus on risk management, so if I were starting a security program, the first thing I would do is engage a third-party security firm for formal security risk assessment. And this is going to help me understand where the organization’s weaknesses are, relates a little bit to what Steve was saying about vulnerability management, but we want to make sure that we understand where those weaknesses are and this will help us make smart risk-based decisions regarding where to put our money. And bringing in a third party really makes a lot of sense, especially if just getting it started because it brings objectivity and depth of the expertise to the exercise that internal management and customers are going to appreciate.

And then using a third party can also go a long way, I think, with government investigators, if they’re reviewing our program for any reason, having conducted formal and third-party risk assessment can improve our culpability score with them. The second, out of that risk assessment should come an action plan. And the third party can assist with compiling that plan, but again, we’ll want to go after areas of higher risk, of course, but we want to look for low hanging fruit opportunities where we’ll get the most bang for our buck. And then we’ll also want to start implementing and improving on the fundamentals over time. So focusing on fundamentals, like regular review of user access to our systems and removing unnecessary accounts and privileges, training our staff, like Steve said, and then also putting some of the basic technologies in place like encryption on mobile devices and antivirus is often going to be much more worthwhile than investing hundreds of thousands of dollars in some of the more advanced technical solutions out there too soon. Those are my two points.

Navin Gupta:

Brian, very, very practical, very logical as well. Just doing an initial assessment, where are we? What is the maturity of the security within the organization? Identifying the risks that might be there and then point two, which really goes hand in hand, is the ability to craft action plans that get executed on. Very, very helpful tips. I know I get… I’m constantly getting educated with this. Thank you again, really great session. Honestly, maybe it’s my personal bias because I’m enjoying the series with the three of you, I’d love to do a part three maybe in the next quarter as well. And we can’t have enough of it, in this sort of acceleration of digital and all things digital, the ability to really keep all things secure is going to be so, so important. So thank you again, I really appreciate it, Todd, Stephen, and Brian.

Stephen Squires:

Thank you so much [crosstalk 00:00:31:33].

Brian Tolkkinen:

All right. Thank you.

Speaker 1:

That concludes the latest episode of the Post-Acute Point of View from MatrixCare. We have a lot of guests and topics coming up that you won’t want to miss, so be sure to subscribe. If you’ve enjoyed today’s podcast, and if you have a topic you’d like us to discuss, leave us a review. To learn more about MatrixCare and our solutions and services, visit matrixcare.com. You can also follow us on LinkedIn, Twitter, and Facebook. Thank you for listening, be well, and we’ll see you next time.