Jeffrey B. Miller, Esq. is a skilled transactional, commercial, regulatory, and compliance attorney and consultant with 25 years of experience providing trusted advice and representation to clients across all areas of business, with an emphasis on healthcare. As part of his practice Jeff addresses matters pertaining to information privacy and security, including matters under the Health Insurance Portability and Accountability Act (HIPAA) and related Office of Civil Rights mandates, assisting clients in avoiding potential legal and regulatory entanglements while enhancing operations and value. He’s currently Senior Counsel with Saxton & Stump, and Director-in-Charge with Granite Governance, Risk and Compliance, where he leads his firms’ information privacy and security practices.
(717) 556-1088
granitegrcconsulting.com
280 Granite Run Drive
Suite #310
Lancaster, PA 17601
Warehaus:
My name is Matt Falvey and I’m your host for today’s episode. Today, we’ll be talking about the impact of the current pandemic crisis on cybersecurity in the health care industry. Today’s guest is Jeff Miller. Jeff is a skilled transactional, commercial, regulatory and compliance attorney and consultant with twenty-five years of experience, providing trusted advice and representation to clients across all areas of business with an emphasis on health care. As part of his practice, Jeff addresses matters pertaining to information privacy and security, including matters under the Health Insurance Portability and Accountability Act and related Office of Civil Rights mandates. He assists his clients in avoiding potential legal and regulatory entanglements while enhancing operations and value. He’s currently senior counsel with Saxton & Stump and Director-in-Charge with Granite Governance, Risk and Compliance Consulting (Granite GRC Consulting), where he leads his firm’s information privacy and security practices. So, Jeff, welcome! I thought we would start off by having you tell the audience a little bit about yourself, and what led you to your current practice.
Jeffrey Miller:
Sure, Matt. Happy to be on the show and thanks for having me. Basically, you know, I’ve been an attorney now for more than 25 years. During that time, I’ve worked for a lot of different sizes of companies, from a private practice standpoint helping clients, to a lot of time in-house. I’ve worked for physician practice management programs. I’ve also worked for the largest health care company in the world and done some international work. And I’ve even done some work in the medical device and life sciences biotech side.
What’s different in all these roles is that I was always asked to address a lot of different things involving information privacy and security. So that goes from HIPAA and HITECH to GDPR, for those of you who are familiar with the European regulations, to the recommendations that the FTC has put out, to Gramm-Leach-Bliley and all those other things that tend to govern how we protect the information that we have.
Warehaus:
Yeah, that’s awesome. You definitely have an extensive background and certainly we’re going to link your bio and website up at the end of this week when we post this. But I want us to talk a little bit about this current COVID-19 pandemic. In what way or ways, if any, do you see cybersecurity risks increase overall? And I guess then kind of transfer into the healthcare industry, right?
Jeffrey Miller:
Sure! So overall, they’re definitely increasing. And it’s not really a change in how things are being done, or a change in cybersecurity, I should say. It’s more of a change in the risk profiles of companies as COVID-19 has come in. There has been a tremendous shift in the way companies do business. And I’m not telling anything new to the people that are listening to this. But one of the big shifts has been getting employees to work remotely because, of course, thanks to the different governors’ orders that we’ve had – particularly here in Pennsylvania – we have had employees now working from home so that we can keep our businesses running, which has been terrific. But because of that, we’ve had to use a lot of new types of technologies. For some, we’ve had the same old technology, but we’ve had a tremendous number of employees that moved over to using it. And when you do that, your risks significantly increase. Whether it’s something that the employees themselves are doing – and as you may know, most of the online security issues that arise in information privacy and security actually come down to individuals making mistakes – whether they don’t log on correctly, or whether they click on an email that they shouldn’t be clicking on, or whether we’re using a brand new system and they don’t use it correctly.
This is how we create holes in our security, and information ends up leaking out or being taken from us. And so that’s one of the big areas when we come to healthcare. There’s been a tremendous increase in telehealth, and telehealth is actually a perfect type of thing for this. But as we come out with telehealth, do we come out with some real problems related to it? And basically, what you have today is… you have practices that have been using telehealth, or hospitals or any other health care provider for that matter. And they have a system in place and they’re using it, but they now have new employees using it who aren’t as familiar with it. And it creates a lot of struggle. And sometimes that struggle leads to people taking shortcuts. And sometimes those shortcuts result in problems with your information privacy and security. And so that’s something we need to be careful with. And it’s basically a people issue.
The second thing that we have to deal with is the use of new technology in software. Now, there’s plenty of great software out there that we can use for telehealth. And they’re established. And they’re good. But they’re not perfect. And these software makers and providers still maintain the responsibility for privacy and security. And so, they need to do the appropriate things in their contracts with these groups, in their due diligence with these groups, to make sure that they have a solid system.
But another real problem that comes up is when we use other types of technologies. A recent example is … many health care providers have shifted over to using Zoom because Zoom is publicly available. It’s easily available. There’s lots of people that use it. It’s used by Fortune 500 companies. And it’s really simple. And so a lot of us have grasped on to using these for meetings. And then a few weeks ago, we saw that, you know, not only was Zoom a good idea for us, but it also attracted hackers. And hackers are actually able to get into Zoom’s system. They had entry into about 4 percent of the meetings out there. And when they entered them, what they were doing was they were sitting in as a member of the meeting.
So, if you can picture it, you’re having a remote meeting with twenty-five or thirty of your employees, or you’re happy you’re doing some telehealth with somebody and you don’t notice it. But there is someone else in the meeting with you, someone else meeting one or two or three persons, but they’re not showing up on the system because they’ve hacked their way in. And every time you share a piece of information – so maybe it’s some of your intellectual property or some of your competitive ideas, or if you’re a health care provider, you’re talking about someone’s health condition and you’re showing them a part of their medical record up on the screen or something like that. Or you’re showing them some of their test results – there’s somebody else there and they are taking screenshots of that information. Or they’re actually taking what you distribute through the electronic system. They’re getting copies of it and they’re using that information purely for their own financial benefit. And it’s a real struggle as we move into addressing these kinds of issues so quickly without taking the time and the effort we need to take to make sure they’re safe.
Warehaus:
Yeah, no doubt. I mean, my daughter’s a physician assistant in cardiovascular medicine here in a local health care system. And, you know, as you indicated, they embrace Zoom. And she did have to go through, or the health care system did have to say, “Hey, we have to start using passwords, etc. because of hackers or nefarious individuals getting in on these meetings.” And, you know, the goal is always financial gain. What do you see as maybe the most effective way to prevent that? And let me rephrase that. Do you think two factor authentication or passwords work? What I mean is, is there a way to stop it? What do you think?
Jeffrey Miller:
Yeah, I’d be hesitant to say that there’s a way to stop it, only because of the creativity of these hackers. It’s really, as I think a lot of people realize, a cottage industry now. There are entire groups of people that all they do is figure out how to hack into things, and how to stay anonymous so they can take information. So, I’m not sure that we’re at the point where we can “stop it”, but what we can do is make it very, very difficult. Passwords are really, really basic. And so, we shouldn’t have anything without a password. And if you’ve read the Zoom articles, they quickly put in an insistence that people use the waiting room. So that’s the default option. Then, you actually have to virtually let everybody in. Matt, you still need to train your employees. Don’t just say, OK, everybody come in. You have to know who’s in the waiting room so that you can let them in. And if you’re not sure, you shouldn’t be letting them in. Two factor authentication for a system as a whole is kind of a state of the art type of thing to do. And it’s great. And I’m sure most people, if they do online banking, have two factor authentication.
And, you know, quite honestly, the banking industry, for reasons that are probably pretty obvious, is a bit ahead of healthcare and most other industries in how to protect information online. So, you’d be familiar with two factor authentication there. And it’s really helpful. At the end of the day, though, what you really need to be able to do is have someone who is on your side who can look at your information objectively, who can come in and can do an inventory of all your ISA assets… anything that can go online that can be hacked into. That includes your faxes, your printers, your copiers, etc. It’s amazing how many things are somehow tied into your company’s system these days. You need to look at each of those things, and see how the software is protecting them, to make sure that people can’t use any of these devices that we sometimes don’t think about as a backdoor into your systems to get to your information. And as we said before, just the great expansion of the use of this technology to remote employees or through telehealth has caused many openings for people. We just need to be as careful as we can be to make sure that we don’t leave any of those doors open.
Warehaus:
Yeah, that’s great. Great advice. Great advice and counsel. So, given that we’re obviously in some challenging times here with COVID-19 and all the shutdowns and quarantines, et cetera, sometimes good things come out of hardship. Nassim Taleb wrote in his book Antifragile: Things That Gain from Disorder that antifragility is beyond resilience or robustness: the resilient resists shocks and stays the same; the antifragile gets better. What changes, in your opinion, do you see coming to healthcare cybersecurity, and maybe even talk about how you would envision healthcare being delivered?
Jeffrey Miller:
Sure. Yeah, absolutely. There are actually some fantastic developments that have come out of it. You know, the expanded use of all these technologies we’ve been talking about has created big new opportunities to keep people safe and healthy. And so, for example, if you look at the history of how things have been going on in healthcare right now – in terms of remote health care – it’s been very slow. And for the most part, it’s been really slow because there’s concerns about quality. Can we actually help people remotely at the same levels as if they’re standing in their doctor’s office, or their physical therapist’s office or any other office that, you know, might have someone standing there with them? The second thing is, does the technology really allow us to gain the kind of data that we need in order to make sure that a doctor can make decisions that are appropriate? And that’s been a question. And the third thing really is kind of a fraud concern. Is there some way that people can subvert the payment systems and the controls related to that to commit fraud related to these things? And because of that, we’ve had a great reluctance on the part of payers, which includes Medicare and Medicaid, but also the commercial payers too, as to whether they even want to pay for this kind of service. So, until COVID-19, for the most part, they didn’t. They did it only under really limited circumstances.
So, for example, if you live in a very rural area and you need the help of a specialist and the specialist isn’t in that area, you would go to another healthcare facility. So, you had to leave your home, go to that facility and that facility would then call the specialist, and the specialist can then help you remotely from the other facility. But that was – I’m not going to say only – but that was virtually the only way that you could have help from telehealth then. As you’ve seen with COVID-19, suddenly there’s a big push to say, “Stay in your homes, don’t get into groups, don’t bring it if you’re ill, don’t just walk into your doctor’s office because you might make everybody else sick.” That has led to a tremendous amount of telehealth use. And frankly, I’m not sure if we have the time, but inside the facilities themselves, there’s been telehealth going on, and I find this interesting. But what this experience has shown is that – the truth is – that we do have the technology. Technology isn’t as limited as it was even 10 years ago, when it comes to what we’re capable of doing. And so that’s been terrific. So, if you think about it, you’re wearing your Fitbit or your Apple Watch. Think about what that tells you about your health and the things that in the aspects that they have been related to, that it can tell you about your temperature, it can tell you about your heart rate, it could even tell you about your blood pressure.
Or, you can get separate devices that will tell you about your blood pressure at home, which is quite different than where we were about 10 years ago. Not only that, but the quality of video visits – just the fact that we’re talking together like this – shows that we can have something really good, and it’s sufficient to provide some basic medical care, which is really terrific! So, when you combine those two and you say, “Well, for some types of medical care, I can get the data needed. There’s no technological limitations that are stopping me in the quality of the visit for basic stuff like for your primary care doctor. I can pretty much do this remotely through a video call or something”. It’s really terrific. And when you combine that with some additional controls related to payment, those concerns are really kind of gone! And suddenly we’re living in a world where we really can do a lot of this telehealth remotely. We can have a good set of care with a good conversation with your doctor and have good care, without having to go to their office! This is quite amazing, and because of COVID-19, we’re starting to see that we’re actually having to do it. And it’s proving itself.
Warehaus:
Yeah, I think a couple things. As you were talking, I was thinking about the strain on the healthcare model. People go to emergency rooms for, you know, illnesses like strep throat, earaches, etc. – and you and I talked a little bit about this last week, I mean – wouldn’t telehealth be great for, you know, all demographics and socio-economic statuses? What a difference you can make by having telehealth and telehealth support type facilities, you know, in neighborhoods where people can get to it more easily, especially if they don’t have the smartphone apps or whatever the case may be. I mean, smartphones and other technological advances have certainly become, you know, a lot more affordable, without a shadow of a doubt, as technology has evolved. But wouldn’t it be great to, you know, to improve healthcare access for both low-income and senior citizens? I mean, I had bronchitis back around the Christmas timeframe. And you know what? My doctor is a very good friend of mine, but I just didn’t feel like calling, trying to get an appointment or whatever. Our health care is fantastic at Warehaus, by the way.
I just basically did a telehealth interview with a physician who happened to be stationed in Philadelphia. I sat in literally my kitchen and, you know, the rest was history. So, it was fantastic. Got my Z-Pak in and I was on my way. So, I think there’s a lot of awesome, awesome things that can come down the pike here, wouldn’t you agree?
Jeffrey Miller:
I totally agree with that, Matt. It’s fantastic! Actually, because what goes along with it is medical economics. What we’ve seen over the past couple of decades is that there has been a significant drop in the supply of primary care physicians in particular. So, fewer doctors are going into primary care. But of course, our population continues to grow. Not just that, but most of the doctors are preferring as a group to stay in cities or in the suburbs right around cities, which means rural areas are starting to lose access to these doctors. And through the use of telehealth, they can have good quality care at, frankly, a lower cost because we don’t need the facilities. And at a convenient switch, which people have never had. I mean, you talk about having it at your kitchen table. How long has it been since you’ve had a doctor offer to make a house call? I mean, it is a lot like a modern-day house call. And you know what? It can happen anytime your doctor is willing to do it. And I could see a time when, you know, some young parents wake up in the middle of the night. Their kid has a high fever. They’re really worried. They call their doctor’s office and someone’s on call. And within 10 minutes, there’s a doctor whose face is there on the computer helping you, looking at your kid, getting the vitals from the information that you can get from your devices at home and giving you some good information right there at 3 o’clock in the morning. It is certain to happen and no one has to go anywhere to do it.
And there’s something else, though, I think we should think about. We have all these benefits, which is great. But we also have to be aware that, you know, every time you have these pros, the cons always kind of follow. The primary con that we have right now, assuming you stay within the limitations of what telehealth is capable of – which are, as we’ve seen, pretty big and we can do a lot – is that we have these cybercriminals get involved. That sounds cynical, but anything that is good and makes progress is followed by people who want to capitalize on it in that kind of negative way. And so, you know, we’ve seen the Zoom example, which is true, but there are plenty of other examples. We’ve had clients who’ve been getting a lot more of what we would call phishing attacks, which you and your listeners might be familiar with. But they are basically sending in emails. Maybe they’re getting information off the dark web, emails of people in the company – and that might be another podcast for you sometime – but there’s an incredible amount of information out there. And they’re taking their emails and they’re using them. They’re posing as them and they’re sending it and saying, click on this link for whatever. Here’s a document we talked about in our meeting a couple of weeks ago or something. And people are clicking on stuff, and that unfortunately releases malware into their system and suddenly we have a hacked system. And so that’s another reason why we just need to be careful. We need to make sure our systems are strong and we need to make sure people understand and are trained when they’re using them.
Warehaus:
Yeah, yeah, no question. So, I’m curious, you know. I work with Warehaus – we are full of civil engineers and architects. And I’m curious, how do you see this changing healthcare facilities, design, construction and operation?
Jeffrey Miller:
Yeah, I think that’s going to change pretty substantially. And it’s exciting! In a lot of ways, as you guys know, the design of a healthcare facility is very intentional. It is set up in very specific ways to make sure that we provide the best patient care, the best patient experience, and we do it in a way that’s efficient so we can do it fast and effectively. And as this kind of remote medicine begins, we’re going to see that trend continue. But it’s going to affect the design of healthcare facilities in, I think, at least two ways. I think the first one is that there’s going to be a reduction in the facility-based care for patients who can be served outside the facility, much like we’ve been talking about for the last ten or fifteen minutes. I’ve read quite a bit about this. And many people think that smaller, more specialized hospitals and healthcare centers are going to emerge because of that. And something you mentioned yesterday – neighborhood centers – that are specifically designed for telehealth visits, particularly in lower income communities, or in communities with a lot of senior citizens. So, in those cases, what we have are senior citizens or lower income earners who need the convenience of a doctor but don’t have them working in their area.
So, what they’ll do is, the doctor’s office, or the health system, or whatever the organization is, will set up an office specifically for telehealth. And with that, a patient can just walk down the street and receive care. There’s, perhaps, a nurse there, maybe not even that, but someone who can use the equipment that gets the room set up perfectly for telehealth. And they can have their doctor’s visits right there! So cost efficient for the patient! So convenient for the patient! So cost efficient for the health system or the practice, and so simple for everybody to use! I think we’re going to see quite a bit of that. I mean, can you imagine just walking down the street to your physician’s office, set up specifically so that you can see your doctor? But it’s so convenient and so close that you don’t really have to get in your car and go anywhere. And if you’re in a lower income neighborhood or you’re a senior citizen that can’t get around – it doesn’t matter – you have the same access as everybody else. That is pretty exciting!
The second trend that I see basically is the specialization of hospitals, because I think what you’re going to see is that general hospitals are going to become much rarer. Right now, we have a hospital that sits in a community. Everybody goes there for everything. And so we call it the general hospital, which is great. But they’re not going to need to have all these specialists at all these hospitals, and recruit them in so that we can handle anything that happens in that neighborhood. Because they’re going to be able to handle a lot of this stuff remotely. And as we get better and better at it, more and more healthcare will be done remotely. So, what you end up seeing are hospitals that tend to move towards a specific specialty. They will have a group of specialists together, whether it be cardiology or neurosurgery or something. They work together to improve their care, to share their skills. And they’re located in the same spot and they’re helping each other. And when they are needed elsewhere, they can telehealth in or they can take a trip somewhere to do a surgery. But they maintain kind of a professional academic base in one area. And I think we’re probably going to see quite a bit of that going on as well.
Warehaus:
Yeah, agreed. And I wonder at what point do insurance companies take a look at the cost reduction, year in and year out, and start identifying virtual medical appointment best practices and maybe, even change best practices for certain conditions and so on and so forth. So yeah, it’s interesting. It’s really exciting actually! So, I guess we’ll be winding down here. Jeff, what piece of advice would you like to leave with our audience that maybe we didn’t discuss? Maybe there’s a theme, maybe there’s an opportunity, maybe there’s a threat, whatever the case may be. What would you like to say or leave with our audience?
Jeffrey Miller:
Sure. Probably two things. The first thing is that this is a really – and people know it – this is a really important topic. Not just right now under COVID-19, but going into the future. Because what this has shown us is that the technology we need to have effective telehealth that reduces cost and increases convenience is here. And that seems like a rare combination! The technology that maintains quality is here. And it’s growing and it can continue to grow.
So, as we are thinking about this concept, we need to prepare for it right now because the future is here. And it’s just a matter of how we are going to do that. Organizations that can jump on it, that can get their facilities set up correctly, that can get their security set up correctly, that can make sure people are trained right and can get these ideas implemented are going to be really successful while everybody else is going to be trying to catch up. So, it is a really important topic. The second thing is that we should not underestimate what cybercriminals can do. As we said before, it is a cottage industry. And there are people who are very good at what they do: sitting around, figuring out how to hack into systems, how to fool people, or how to find weaknesses in systems and get into them. And unfortunately, they are pretty successful. We’ve all seen a lot of that. But we can do a lot to keep that from happening. Yes, you’re planning your facilities, but you are also training. Your plan and your strategies on how to set things up need to be thorough. We need to keep those in mind, because that must be an integral part of what we’re doing. We have to make sure we plan that from the beginning so that we’re strong when we come out the door, rather than trying to catch up after we’ve been hacked into and chaos has occurred. As we all know, there’s significant ramifications to the company, to the patients, to your IP, if you’re not a healthcare related company, to your competitive strategy, to everything when that information gets outside of your company and it’s now impossible to protect. But those who think about it early on, and work through their strategy, are far more successful than those who wait until something happens. So, I guess that’s my advice.
Warehaus:
Yeah, that’s awesome. That was great advice. Why don’t you tell everyone how they can get in touch with you or how they can find you? Again, we’re going to provide a link when we post our podcast in this interview, but please share with everyone how they connect with you.
Jeffrey Miller:
Sure. Well, I’m Director-in-Charge of Granite GRC. We’re a governance, risk and compliance company. People can certainly call me and reach me at (717) 205-8028. Or, you can also send me an email and I’ll be sure to get back to you as quickly as I can. And the email is jbm@granitegrcconsulting.com. And my colleagues and I at Granite Consulting have been doing this work for a long, long time. We’ve helped a lot of people do it and we look forward to helping a few more if you’re interested in that kind of help.
Warehaus:
Well, that’s great, Jeff. Hey, this was a fascinating call. I really enjoyed it. Love your insight and your background. Very impressive. And I can’t… once again, thank you so much for taking your time out of your schedule to do this for us and with us. I enjoyed it. Thank you so much. I really appreciate it, too.
Jeffrey Miller:
It was a good time. And let me know if there’s any other way I can help.
Warehaus:
All right. You bet, buddy. Listen, stay safe and healthy and we’ll be in touch.
Jeffrey Miller:
Ok. Take care.
Warehaus:
All right. See you, Jeff.