LUBBOCK, TX – On the heels of Apria’s recent notice of data breach, Medtrade Monday sat down with Medtrade presenter Jeff Woodham, vice president of Operations at Texas-based Mandry Technology Solutions. As an expert in cyber risk management, Woodham helps companies boost their cyber security precautions.
Medtrade Monday: What’s the level of awareness about ransomware attacks among HME providers?
Woodham: It’s probably somewhere between medium and high. I think most people today understand the term ransomware, but as it relates to what they’re doing inside their business, I think that probably lags behind what people understand about the term.
Medtrade Monday: How would you describe your most recent experience at Medtrade in Dallas?
Woodham: We were in the first slot so we had all the sleepy eyes, but in general I think the energy was good. We had good engagement on questions. I had a handful of people come up afterward. I would characterize the energy as medium to high. Cyber security is a topic that’s not necessarily in the sweet spot of billing and reimbursement or product selection or legislative advocacy. Given those realities, I was pleasantly surprised with the amount of energy and engagement that was there around the topic.
Medtrade Monday: Was there a particular question or concern that kept coming up?
Woodham: HME isn’t too much different than other industries that we work with. The big question is: Okay, how do we start? Where do we start? It’s getting a little bit of momentum and overcoming the inertia to look at your organization from a cyber risk management standpoint. We get a lot of those questions. What’s the minimum that we should be doing? We have some good answers and we can put some good content around that.
Medtrade Monday: What is the first step?
Woodham: It’s multi-faceted. Do cyber risk management training awareness, so phishing simulation training and awareness. Implement multi-factor authentication and patch your devices, meaning make sure they’re up to date. That’s three and it’s the basic hygiene—we call them non-negotiables. If you do those three things, you’re not standing still. You’re not a sitting target and you’ve gotten some basic things going to help improve your posture as it relates to cyber risk management.
Medtrade Monday: What goes beyond the basic hygiene?
Woodham: The first thing we typically do is an assessment. We do an IT security risk assessment that is pretty broad, but it will give you a snapshot of your organization’s network, computer assets, as well as non-technical things such as policies, procedures, and controls.
Medtrade Monday: What’s the human element in risk reduction?
Woodham: It isn’t all just bits and bytes and ones and zeroes and mouse clicks and web pages; it’s about other things as well—behaviors, policies, and controls. From there we get a picture and can say okay, here’s your priorities beyond just the three things that I just mentioned—kind of the basic hygiene.
It’s not a one-time project where you can start and stop on a two-week window and be done with it. There are things that take time. There are things that need to be addressed on an on-going basis. So we always refer to it as a process, not an event or project. The process should span more than just a short project window or time frame. It should really be part of what you’re doing from a risk management standpoint across the whole organization.
Medtrade Monday: Why would cyber criminals care about mom-and-pop providers?
Woodham: Unfortunately, cyber criminals are indiscriminate about how they attack. They’re looking for weak links and they’re not necessarily concerned about the size or the industry per se, although health care does tend to get a little more attention just because of the value of the data around the health record.
Medtrade Monday: What’s a worst-case scenario?
Woodham: The scenario that would be disastrous would be that you get some type of cryptoware, something gets inside your network through some vehicle—whether it’s an end-user that clicks on something they shouldn’t, or they get through your systems because they’re not patched and updated. Once there, they’ve got control of your environment and therefore, a ransom request. If you don’t pay the ransom, then your data that you have—at a patient level, which now invokes your HIPAA security requirements and the OCR gets involved, and HHS and all the like.
But they may also have your employee data, so now you’ve got your employees’ data that’s exposed. So you have identity theft and financial fraud that can happen to your employees—and potentially to your patients. So the worst-case scenario is the data that you have gets exposed. It gets sold to someone who then has ill intentions, and you find yourself with the inability to perform services from a healthcare perspective—but then also defending yourself from a liability perspective of harm that was caused to either patients and/or employees. We’ve worked with companies that have been across the spectrum like that.