Improving Your IQ on IT
January 20, 2021
Michael Zervas 0:03 In today’s episode of the Healthcare Huddle, we welcome Jason Culotta to the show. He is the IT Director; he manages all IT services for Encompass Healthcare Data Solutions. We drill down pretty deeply into the murky and unsavory world of IP security. He gives us a tour of what the bad actors are trying to do, how they’re trying to do it, and the different ways they’re trying to gain access to our businesses. If you don’t think the risk is real, after listening to Jason you’ll know that it is.
Narrator 0:45 Time for the Healthcare Huddle, simplifying the business of healthcare, presented by Encompass Medical, devoted to helping organizations succeed with customized medical practice management services. Visit encompassmedical.com today. Now, here’s your host, Michael Zervas.
Michael 1:11 Welcome to another edition of the Healthcare Huddle. I’m particularly excited today to welcome Jason Culotta to the show. Jason is the director for all IT operations at Encompass Healthcare Data Solutions. As a quick overview, Encompass provides a full suite of IT services to the healthcare industry; they actually, I think, specialize in healthcare, from hosting to infrastructure management to Chief Information Officer roles to security and everything in between. And we’re lucky, because Jason is the guy who keeps all of those clients’ systems running smoothly and safely, which is, I would imagine, no small task. So Jason, welcome.
Jason 1:59 Thank you, Michael. Thank you for your time. I’m humbled to be on your podcast, and just ready to talk tech.
Michael 2:09 Great, and I think you’re going to be able to elucidate and enlighten our listeners on what’s going on out there. There’s a lot of information, but I want to narrow the focus of our talk today and maybe just drill down on the security aspect of your work, because that seems to be in the news the most. It seems like I’m reading a different article or news blurb or headline about some latest security breach every day. And that gets me to wondering, from your perspective: all of these news items that I’m seeing, is it hype? Or is there really that much risk and exposure and compromising of data going on out there? What’s your view on that?
Jason 3:01 I really feel that the news media is not, in a sense, using a scare tactic. They’re trying to bring to light what’s happening, what businesses are actually experiencing. We don’t know what we don’t know, and of course bringing this to the surface helps us see what’s going on. Of course, we don’t think it’s ever going to happen to ourselves until it actually happens to somebody close to us, or it actually happens to us, at which point it’s too late.
Michael 3:32 Right. Well, it’s interesting. It’s good to hear; you know, the term “fake news” is thrown around so much, but you’re dealing with this stuff every day, and it’s good to know that we should take it seriously. Maybe we could talk a little bit about what those risks are, what it looks like, and help us understand that. So hacking: my understanding is that hacking is the attempt, I guess, to try to get into my system, and then there’s a variety of techniques that they use to try to do that. Maybe you could walk our listeners through that definition, so as they’re reading these stories they have a context and understand what exactly is going on in my organization, or what the risk is, how are they going to get me?
Jason 4:26 Correct. The definition of a hacker is a person who uses computers to gain unauthorized access to your data. Basically, they want your data that’s in your network. That can be files, that could be identity, that could be your financial information, credit cards and what have you. The different types of methods that they use are what you hear in these buzzwords, right: hacking, phishing, spear phishing, social engineering, ransomware, spoofing. Putting it in layman’s terms, it’s like a burglar wanting to break into your house. They’re going to have tools to physically break into your house: they’ll use a crowbar, they’ll use a rock to throw through your window, or they’ll use a lock-picking toolset to get into your front door. And for our networks, they go the digital route, right? They try these different methods. Phishing, for one, is basically an email that’s sent to a user in the business that looks legit, but it’s not. Once the user receives that email, they’ll usually click on a link, which sends them to another website that asks for their username and password. That’s how they gather usernames and passwords to Microsoft products, different types of websites, and accounts that you have out there. They can also send emails with attachments that, once you click on the attachment, will go ahead and run, and it can encrypt your files on the network, it can do different things. It’s a program that usually runs when you click on that attached file.
Michael 6:12 So let me jump in right there, because that’s helpful. So phishing is just what it says: they’re laying out different types of bait and hoping that someone comes along and clicks on it. So they’re trying to get me to give them data, and maybe you can explain what data they’re looking for and how they use it. And you also mentioned that they will encrypt some of our data. So when it’s encrypted, is that where the ransomware comes in, and they say, hey, send us this money and we’ll, in essence, release yours? Give us an explanation of those two things: what type of data they’re looking for, and what they’re doing when they encrypt my data.
Jason 6:56 So the type of data that they’re looking for is anything they can use to gain access to other information. They’re looking for files, databases that have information in them, like people’s identities, their account numbers, credit card information, the business’s financial information. So again, like the burglar trying to break into a house, they’re trying to get access to information that they can usually go and sell on the dark web. That information translates to dollars for them. You know, back in the day, hacking started as just fun. It was a puzzle, right? How can I get into Fort Knox, so to speak? How can I get in and break into the system? Well, now there’s information behind that system, right? So they can gather that information, like your credit card accounts, your personal information, take it to the dark web and sell it for dollars, and big dollars. So it’s very lucrative for them to be a hacker.
Michael 8:12 So the idea there is that they’re not even necessarily using it. Someone who buys it, one step removed from the person who got it, is then going to take that information and establish new credit in my name or in the company’s name, and then run up bills on that, or drain a bank account, or divert funds. That makes sense. If that’s right, tell me yes. But then also tell me: when they’re encrypting my data, what’s the plan there? How are they monetizing that?
Jason 8:48 Yes, that’s correct. It’s just, again, a thief: he goes and steals something, and he’s going to resell it, usually to somebody else. For encryption: encryption renders your files and folders so you can’t get to them. If you try to click on one, it won’t open. It’s basically like taking your files and folders and throwing them into a safe and locking it; you cannot get to them. So at that point, once they encrypt your data, they’ll actually give you information so you can call them, and they’re very nice on the phone. I mean, it’s almost like a legit business. You have people that answer the phone and say, “Hello, Mr. Smith, how are you doing? How can we help you? You have your files and your folders encrypted? I’m so sorry, we can help you with that. You should have received a code, please give us the code.” Usually whenever you have ransomware it shows the code on the screen, and they’ll ask you for the code. Then they’ll go ahead and give you the key so you can decrypt all your files and folders, for a fee. And the fees are not that expensive, so you go ahead and do it. If they made it too expensive, you wouldn’t do it; it would be bad business, you would go tell folks, hey, don’t pay the ransomware. With it being affordable, so to speak, you’re like, hey, give him the code, give him the code. So you get the key and your business can stay alive and move on.
Michael 10:28 So in healthcare, they might want to try to encrypt my patient charts, because I can’t run the business if I don’t have access to the patient charts. So they’re going to ransomware me on that, because otherwise my business is stopped. But also, if they could get access to my patient charts and they didn’t encrypt them, there’s all sorts of information, like maybe Social Security numbers, addresses, telephone numbers, that they could use to set up fake IDs and then exploit that identity to go out and generate income from it. Is this ransomware common? Have you seen that before?
Jason 11:11 Yes. And, you know, take a couple of steps back when you say charts. Charts, back in the day, when you walked into a medical facility, were paper, right? Everything was put on paper and stored on that paper in the facility. Well, now it’s gone digital; they’re stored in databases. So for a hacker, what’s very appealing is to hack the database, get the database with all that patient information, and go sell it on the dark web. And they’re selling that for up to about $500,000 most days. So again, it’s another lucrative thing that they’re working towards.
Michael 11:51 Wait a second, wait a second. I’m sorry, Jason, I got interrupted, I apologize. But you’re telling me one identity could be worth $500,000? Or are you saying in packets?
Jason 12:01 The actual database. So a database has thousands of patients’ data within it.
Michael 12:10 Got it. So a database could bring in half a million bucks? Wow, that’s incredible. That’s a big number. I’m sorry, I interrupted you. We were going to talk about whether ransomware is a real threat out there, and if you’ve seen it.
Jason 12:27 Yes, yes, we have seen it. In fact, we had a business here locally that ended up receiving ransomware, and it was, unfortunately, on Super Bowl day. What ended up happening is that once they received the ransomware, it basically rendered all their workstations and their servers and all their information inaccessible. They couldn’t get on the workstations, they couldn’t get on the servers; when they would power them up, it would come up to a screen saying, “You’ve been infected, you have ransomware, here’s the code, call such and such number to get the ransomware key.” This particular company didn’t have backups. That’s the number one thing that you should have running daily: your backups. At that point, they could have restored from backups to get their information back. Since they didn’t have backups, they actually had to pay the ransomware fee, which was around $6,000. Again, affordable, right? It wasn’t like it was a million dollars. So they went ahead and paid the ransomware fee and got their database, which had all the patients in it, back. And of course, they still had to go and rebuild all the workstations and the servers. So a lot of time and money, besides that $6,000, was still involved. But that’s when we came onto the scene; that’s when they reached out to us, where they really needed help, and that’s where we came in and implemented some of those technical standards, like backups. How the hacker actually got in was that some of their employees were remoting in straight from the internet into their terminal server. And how that works is, we all did that back in the day: we would just have folks, from their laptop at home, remote in, meaning they would connect directly into the terminal server, directly into our businesses. Well, that’s easy to hack. Basically, you can do what’s called, now that buzzword, a brute force hack. And what happens with that is that it’s just a program that the hacker runs that’s going to send a username and a password, two or three usernames and passwords every second, 24 hours a day, until it finally finds a username and a password that works. That’s how they figured it out for this particular business. So when we came onto the scene, we went ahead and implemented some technical standards. We activated VPN, which is a virtual private network, on their router, and then had the remote folks VPN in first, which created that secure network connection, and then remote into the terminal server. Because we didn’t want that to happen to them twice.
Michael 15:24 That’s interesting. In that brute force attack, they can have that program just running in the background constantly until it figures it out. It’s just costing them bandwidth; it doesn’t really take anything. They turn it on and set it and forget it, right?
Jason 15:42 Correct. When I was working as a systems engineer for one of our clients, I basically walked in and looked at the Event Viewer logs, which are basically your logs within Windows, on one of the servers, and on their terminal server I saw where it was actually coming up with all of those different usernames and passwords, two usernames and two passwords, one every second. At that point, that’s when we took immediate action: again, closed down the remote access from externally, created VPN, and then remoted all of their providers into their system that way.
Michael 16:22 So there’s this technical aspect, where you can, as you mentioned, put in these technical standards to make sure that the wall and the barriers are getting higher and higher and harder and harder. But that still doesn’t cover the other side of the equation, which is the humans clicking on emails, or documents in an email, and not being aware. How do you stop that? Because it’s humans, and we’re going fast, and we miss stuff. That seems like it’s harder in a way.
Jason 17:01 Correct. And, you know, I truthfully believe our weakest link is humans. That’s what’s called social engineering. Way back in the day, social engineering started where somebody would pick up the phone and put on their acting hat and act as an HVAC person, call up the business and say, “I’m your HVAC person, I need to get into your particular A/C component, what is your new username and password for it?” Many different ways; the acting job came across very, very well for them, because as humans, we believe everybody to be good, and we want to help, right? We always want to, and we feel good about helping folks. So we just give them the information. So with social engineering comes security awareness training, which is what we have implemented within our business. Basically, we phish our own users. And people are like, whoa, why did you do that? Aren’t you going to exploit or encrypt your own information? Now, the way the security awareness training works is that we’ll actually send random emails to our company over the 30 days within that month. It’ll come as an email that looks legit, and it’ll have a link in it. If the person actually clicks on the link, it’ll send them to an informational page that says, ah, you’ve been caught, and here’s some education on how to look at this email. Again, look at the email address header, look at some of the English. A lot of times these phishing attempts come across where the English is bad, right, if it comes from foreign countries. God forbid all the English was correct, right? That would be another challenge for us. The security awareness training is what really helps us. For example, in our company, we had a financial accounting person that received an email, and this is what we call spear phishing; it was targeted. Basically, the email looked like it was coming from the CEO, and it was emailed to the financial officer. When she received it, it had a legit bank name in there and a routing number, and it said, “Can you please move funds from our business bank account to this bank account?” So of course, she started nibbling on the bait. She started interacting with the email, emailing back: “Hey, okay, this is what we have in our current accounts, this is how much; do you want to move it?” She just basically started interacting with them. And, again, it’s okay; we’re just moving at a fast pace, and sometimes we will start nibbling on that bait. The thing is that we want the hackles to go up. At a certain point, you’re like, wait a second. And that’s what she did. It was beautiful, really. She picked up the phone, she called the CEO and said, “Is this legit? What’s going on here?” And of course, it wasn’t; cover blown, so to speak. So that security awareness training is just giving our users that red flag, or that third eye, so to speak. It trains them what to see and what to not interact with, or to come to me and my IT department: “Hello, is this legit or not?” We get those emails quite a bit. We love it, because we’re like, it’s working. Our training is working.
Michael 20:39 So when you’re doing this, you do this for your team and your company. But are you also doing this for your clients? Is that kind of a program that you can do for other healthcare organizations?
Jason 20:55 You bet. That’s just part of our security suite of services. It’s very, very easy to set up and not much at all on a monthly basis, not much at all for what you get out of the training.
Narrator 21:16 Encompass Healthcare Data Solutions focuses on collecting the maximum from your revenue cycle. The revenue cycle management team regularly performs in the top 10% of outsourced billing companies, with a clean claims rate of 98.05%, zero paid an hourly rate of .015%, and average days in AR of less than 24 days. Your practice could go back to focusing on providing quality health care to your patients without the nagging concern of leaving real dollars on the table. Encompass’s revenue cycle management solution provides unparalleled visibility and control into your revenues by providing a comprehensive dashboard and reporting system, the same reporting and dashboard system that the Encompass team uses to manage itself. Like most other revenue cycle vendors, Encompass only gets paid on net collections. Unlike other companies, they have a highly developed and unique denials management system that helps to ensure that your practice gets every penny that you’ve earned. For more information, go to encompasshds.com, select Revenue Cycle Management, and click the Learn More button to schedule your discovery call today.
Michael 22:30 You know, as we’re going through this consolidation, some of the independent practices are being bought up, and then there’s a remaining balance of practices out there in the world that are really working hard to be independent. I’ve talked with more than a few of them over the course of my career, and they’re struggling, you know, to deal with regulatory change and reimbursement change. And they almost kind of turn a blind eye to this. I’ve heard people say, “Well, yeah, I’ve got an IT guy, and I know we’ve got a firewall,” and they think that covers it. Tell me why that doesn’t cover it, or, you know, maybe the IT guy they have doesn’t have this skill or knowledge. Is there a gap there? What is that, from your perspective?
Jason 23:24 Correct. And, you know, I’ll give you an example of that. This business that actually received ransomware, they only had one IT guy. That IT guy had been there for 30 years, did a great job of keeping the business running technology-wise, but he did not stay up to date on his skills. He didn’t stay up to date on what the latest technology was, on what the latest security issues were and how to put up your walls and fences to combat them. He was so busy taking care of the staff tickets that were coming in that he was just firefighting; he was not investing, didn’t have time or set time aside to invest in expanding his knowledge and education on what was going on currently in the technical world, especially in the security realm. So that’s where we come in, or that’s where a team comes in. To rely on one person is, again, kind of putting all your eggs in one basket, where hopefully that person is staying up to date, and they may be, which is good. For the most part, a lot of times they run around being the firefighter and they don’t set apart that time to really stay up to date and educated on what’s going on in the world. So by hiring a team like ourselves, you get years of knowledge, years of education, and years of constantly staying in tune with what’s going on and putting those best practices into place.
Michael 25:08 It almost sounds like an arms race. You know, the white hat guys, you and your team and other people who do similar work, are out there going, okay, this is the latest thing they’re trying, this is the latest variation on a theme, or this is something brand new; here’s what we’re going to do, we’re going to educate, we’re going to erect a new type of wall, we’re going to work with our vendors to make sure that we’re buttoned down. And then they adapt to those adaptations, and you’re adapting, and it’s like this continual game that has to be played. And when I look at the small practices, or even medium to large practices, their focus, like you said, they’re moving so fast and so hard, and they don’t know what they don’t know. They also think that this is going to be incredibly expensive, and they don’t know how to explain the solution, like you said. So are the solutions expensive? Is this hard? I mean, I know the costs are incredibly expensive. But is it expensive to get white hat phishing, or to do other types of testing and education? Is it cost prohibitive?
Jason 26:26 Well, if you look at the overall result of getting ransomware: with this business that got ransomware, if they put dollars to how much they spent in time and money, I mean, they were down for several weeks. All those machines were physical; they had to rebuild them all. They weren’t virtual. When we came in, we moved them to the cloud; we virtualized all that. But as far as some of these services, there are several different services, and there are several different technical standards. Some of them are just regular, easy operating system patches; that’s basically applying Windows patches to your workstations or to your servers. There’s two-factor authentication that you can set up, which is a Microsoft service nowadays. Of course, a lot of folks don’t like two-factor authentication; that’s when you want to go log in somewhere and it texts you a code, and then you have to enter it. Again, it’s very effective. Blocking remote access straight from the internet is one of the big pieces. We just took on a client that we found out, to this day, is still doing that. So we shut it down, implemented VPN, and got them on the right track. Another big piece: back up your data. Some of the security services are vulnerability scans. This is where you can have software that runs in your network that basically shows all the different holes: maybe some of the workstations that don’t have the right patching, some of the routers or switches that don’t have up-to-date firmware, the different pieces. It alerts you as an IT system administrator, or your company, on what needs to be patched in order to be secure. There’s another thing called SIEM, and I kind of alluded to this earlier. SIEM, that’s security event information management. Basically, it’s log management. On the server, I looked into the Event Viewer log and saw all these logs of all the usernames and passwords the brute force tool the hacker was using was trying. Those are logs. Whoever has time to go look at these logs? As an IT administrator, you’re supposed to go look at these logs daily; we don’t have that time. You can automate this. This SIEM piece is basically automated. It goes and looks at all your workstation Event Viewer logs, your event logs, as well as all of your server logs. If it sees something out of the norm, boom, an alert goes up. It’s kind of like the DNA in your body: when a virus infiltrates it, your alarm goes up, you start hacking, sneezing, coughing; your body wants to immediately start to defend. That’s what these systems do. And what you get out of them is good peace of mind, right? How many of us want to go to bed and have a good night’s sleep and not be wrestling at 2am in the morning thinking, am I going to be up and running tomorrow or not? So it’s something to look into.
Michael 29:44 Yeah, that makes sense. So there are two topics you made me think about that I want to approach, and one of them is kind of a bigger philosophical question, so I’m going to maybe hold that for a second. But the other term that I hear a lot is the Internet of Things, and I’ve seen it abbreviated as IoT. So what does that mean? And why do I care about the Internet of Things, especially in relation to security?
Jason 30:19 Well, here, I’ll give you a definition of it that’ll maybe kind of blow your mind, and then I’ll put it in layman’s terms. The Internet of Things, of course, is a system of interrelated computing devices, mechanical and digital machines, objects, animals, or people that are provided with unique identifiers, UIDs, and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. So basically, what that means is it’s a device that’s connected to the internet. It’s maybe your home Nest system that’s connected to the internet. Everything’s connected to the internet, so you can download an app and control it: your water system, your sprinklers. Everything makes it easy for us as consumers to be able to control that. So in healthcare systems, it’s medical devices. Medical devices will connect to a wireless access point so they can send information into the system, any of those pieces. So when we had the Internet of Things attack, so to speak, some years ago: a lot of these devices come with an admin username and an admin password, and usually it’s defaulted. Usually it’s admin, or admin/password, something that makes it easy out of the box for the IT person, or the consumer at home, to log in with a browser to access that device and then control it, set things up, configure it, what have you. Well, with everybody pretty much knowing what the username and password was, that’s where these hackers went out and really started connecting to these devices using the default. I mean, you can go out on the web and Google, hey, what’s the default password for my home Netgear router or the business router, and you’ll see a list of them; they’ll come up with all the default usernames and passwords. The thing is, once you get it out of the box, you need to change that username and password. Some of the devices will only keep the username of admin, but you need to change that password. That’s just smart. That keeps you just one step ahead.
Narrator 32:50 Encompass aims to put the provider back in control of the healthcare equation. The payer enrollment and provider privileging service takes advantage of long relationships with both private and government payers to help reduce the cost of avoidable denials. The largest denial classes appear to be identified credentialing errors. Encompass’s team focuses exclusively on satisfying the re-attestation needs of expired and incomplete taxonomy accuracy for your providers, to help capture all that is due to you from each payer. Some of our current clients have seen their provider revenues increase by up to $50,000 a year by having the Encompass payer enrollment and privileging team focus on management of the intentionally complex and cumbersome payer enrollment process. Contact us today to learn more about Encompass’s payer enrollment and privileging process and how we can help improve your revenue capture with strategically focused payer enrollment management. For more information, go to encompasshbs.com, select Credentialing and Enrollment, and click the Learn More button to schedule a discovery call.
Michael 34:06 So another way to think about it, to use your analogy, is that all of these different applications, and our devices that have applications that are connected to the internet, are in essence one other way into the building, into your home. And the fact that there are these default usernames and passwords makes that brute force attack a million times simpler. So people are wiggling through the window that no one ever thinks to close or lock to get into the building. That’s incredible. That’s incredible.
Jason 34:41 It’s like that mouse looking for a piece of cheese. It’s going to go through any crack, any little hole it finds. We’ve got to find that hole and that crack and seal it, you know, from day one.
Michael 34:55 Well, this kind of naturally leads to the next question that’s been bubbling in my brain, and not just today, but for a while. By definition, if everyone took this seriously and enacted all of these things that you’ve talked about, whether it’s white hat phishing, or technological standards, or making sure you’ve got the appropriate backups and how you’re storing them, and all of these different things to mitigate or eliminate the risk, we wouldn’t be seeing all these stories in the newspaper. Especially in healthcare, it seems like every other day someone, either a health system or a practice, got hammered. So why don’t people do these things? It doesn’t make sense to me. What stops people from saying, it’s real, I’m seeing it all the time, I’m one of the people that, by definition, isn’t doing what I need to do? Or maybe they don’t know what’s going on in their heads? What do you hear?
Jason 36:05 Well, I feel a big part of it is that IT folks want to come in and fix people’s computer problems. That’s the number one thing to do, right? We want to keep people working. If they’re not working, it’s not good for business, so to speak. So I think we get caught up in that. To actually take a step back and look at the foundation: we want to build a house, and we want to build on top of that house, we want to go in and do the repairs. We don’t want to step back and look at the foundation to see if there are any cracks in it. Why? Sometimes, for folks, that’s boring, right? Again, when I first got into IT, what were the two things that an IT person, or at least me, didn’t want to do when I first started? Documentation and backups. It’s not the true fun of it for a lot of folks. So I really feel that, again, there’s the “you don’t know what you don’t know,” maybe for an in-house IT person. But I truly feel that it’s not on people’s list to do, or it’s on their list but it’s way at the bottom, and by the time they get to it, it’s too late.
Michael 37:25 So it’s interesting hearing your answer, because you took it like a personal responsibility as the IT person. And given my past roles where I was responsible for the whole organization, I’m looking at it and going, well, why does the organization not tell IT, you need to do this? But in hearing your answer, I’m wondering if there isn’t also this kind of unhealthy feedback loop that happens, right? The IT team doesn’t want to do it, and may or may not be keeping up on their skills and paying attention to that threat. And so even if I walk in as a CEO and say, hey guys, I’m concerned about our vulnerability, or this or that, and IT tells me, we think we have everything handled, how do I know that what they’re telling me is incorrect? Right? I have to trust a wizard. And there’s this lack of knowledge, and at some levels it can be so technically complicated. I can’t become an expert, and I have to rely on my experts, but I have no idea or no way to know if my expert is up to speed. So how do you overcome that loop? Can they go out and get independent audits? How do they check the checkers, exactly?
Jason 38:55 So, like your car, right? Let’s say you don’t know anything about the engine, especially nowadays with all the electronics. What do we do? You take it into the garage, they hook it up to a system, and it shows you everything that’s going on with it and what’s not going on with it. So for us, we can easily come in and do an IT security risk assessment, which will give us a gap analysis. It’ll actually show the pieces; it’ll look at the foundation and actually show the cracks in it. Then at that point you have a list of to-dos, whether you want to do them or not. But at least you know what’s underneath the hood in that engine and what’s not working, or what’s getting ready to fail.
Michael 39:43 That’s it. That’s it. And I’m assuming those are not cost prohibitive, right? They’re pretty straightforward.
Jason 40:02 You can do that relatively quickly, and then the institution doesn’t have the ability to say, I didn’t know, or we weren’t sure. It’s not expensive, and it’s just a one-time fee. I mean, you can get that one snapshot in time of where you’re at currently, and then have your internal staff address those pieces, or of course you can engage us to come in and just take care of those pieces. We love to work alongside your internal IT person. We don’t have to be your IT solely; you can still want an in-house IT. We work with several clients that still have internal IT personnel, and we just love working alongside them and being on the team to add that much more information and knowledge to the whole process and flows.
Michael 40:55 And I would imagine if you’re working shoulder to shoulder with that team, they’re also learning and getting up to speed, by definition, just hearing and seeing how you guys approach and think about new information. Yeah, that’s a nice value add. You know, the thing we haven’t talked about too is, we’ve focused on the economic impact when you’re hacked and the financial liabilities of shutting the business down from ransomware, but the other one I think a lot about too is reputational liability. If a healthcare practice or medical center or hospital gets hacked, it’s also going to have a chilling effect on people wanting to give you their information, especially if they have a choice, and that could be a differentiator shifting referral patterns. And so it really has a long tail to it, and you might not see it for a long time. So there’s a whole part of it, I guess, about how you have to manage the reputation too, right?
Jason 41:45 Yes. Oh yeah, because we know that reputation, equals marketing, whether it’s good or bad.
Michael 41:51 Jason, you know and as we’re talking I was thinking about. So, when I was in the school, they. We talked a lot about the psychology of organizations and individuals leading organizations and one of the concepts that we talked about was a thing called optimism bias, which is, you know, how available the information is, and we overestimate the likelihood that good things are going to happen to us and we underestimate the likelihood that bad things will happen to us and it really goes back to this because you really don’t do anything until either it happens to us or we know somebody that does happen to right and so that’s that optimism bias that we all think it’s not going to happen to us but it’s happening all the time. You see that they tend to downplay the risk when you talk to them.
Jason 42:45 Yeah, I’ll give you an example. Years ago, when I was working at one company, we had an Exchange email system on site. We were a small company and I was the only IT person. I wanted to implement backups for that email system, and I would constantly go to management, to the financial officer, and say I want to implement backups. And of course, they didn’t want to spend the money at the time for it. And I would constantly educate them. Well, one day the Exchange database got corrupted. We got Microsoft involved; they could not restore it. So we were out of all of their emails, the whole email database. And that wasn’t a hacking job or anything, the database just went bad. Luckily, at that time, I had set it up on all the computers so that the emails were getting saved locally, so I could do a restore that way. Of course, what happens next? The next day the guy says, “Jason, can we give you that money to get those backups?”
Michael 44:55 That’s like closing the barn door after the horses run free.
Jason 45:05 Kudos, they learned and recovered. Shame on us when it happens once and we don’t do anything, and then it happens twice. That second time could really be fatal, you know, financially.
Michael 45:30 I’m looking at the clock and I realize, you pointed at your watch and made a face at me, so I’m appreciative of that. So Jason, thank you for donating your valuable time and hard-won knowledge. You see a lot of stuff out there, and sharing it with me and breaking this down to some elemental levels will maybe help people better understand, and educate them, and overcome some of those hurdles to actually getting safer. What I’d like to do, if it’s okay with you, is give people your phone number so if they want more information they can reach you. Can I do that? Is that okay?
Jason 46:54 You bet I’m a people person. Please call me.
Michael 47:02 You can tell from this interview that his goal is to help. So if you want to learn more about these issues, or if you want to talk to Jason about maybe getting one of those security assessments so you can know once and for all, he’s graciously allowing you to call him directly at 970-226-6777. If you leave a message, mention that you heard him on the Healthcare Huddle and he’ll call you right back, or you’ll be talking to him directly. Or you can visit his company’s website at encompassmedical.com, that’s encompassmedical.com, or reach Jason directly at 970-226-6777. As you can tell, he’s very knowledgeable and very focused on customer service. So Jason, maybe we can have you back at some time in the future and talk about some of the other things that are going on in healthcare with regard to IT, and some other topics. Would you be willing to do that and come back? Thanks again for your time.
Jason 47:51 Really, we love what we do, right? I love getting up every day. It’s my passion, it’s what I was put on this earth to do, and I love helping folks out, even if it’s just enlightening them. You know, you don’t have to call me thinking that I’m gonna sell you something. Just call, let’s talk, let’s see if we can put you on the path to greatness security-wise. So thanks again, thanks for your time.
Michael 48:05 Thank you, Jason appreciate it.