Pairaphrase Founder & CTO Rick Woyde appeared on Podcast Detroit with Joe Dylewski, President & Owner of ATMP Solutions. In this podcast episode they talk critical components of HIPAA and how various types of cybercrime and human error can threaten healthcare data security, privacy and electronic data exchange.

Listen Here

Rick Woyde (Left) and Joe Dylewski (Right) discuss HIPAA

Transcription (first 10 minutes)

Intro
You’re listening to the podcast Detroit Network visit www.PodcastDetroit.com for more information.

Rick Woyde
Hello again. This is Rick Woyde, CTO at Pairaphrase. And today my guest is Joe Dylewski with ATMP Solutions. Hi, Joe.

Joe Dylewski
Hi, Rick.

Rick Woyde
Thank you for joining me tonight. I really appreciate it.

Joe Dylewski
Thanks for having me.

Rick Woyde
Tell us a little bit about yourself and your business, Joe.

Joe Dylewski
Sure. I am an IT professional by trade. I’ve been in the IT business for approximately 30 years, doing a variety of things. Back in the days where Novell Blue and Redbox networks were part of the mainstream. And for the past 13 years, I’ve really focused my career on cybersecurity and really it started with a lot of the work that medical professionals were doing to convert a lot of their paper records to electronic and really started working with them and other companies who were handling sensitive information.

Joe Dylewski
And really the focus of what I’ve been doing is more on the business risk side and teaching and educating people about how cybersecurity affects their business. So the ability to look at a business’s overall risk posture relative to the information that they store, process, transmit, and then help them put a plan in place to to remediate that. We tend not to get involved in a lot of the technical implementation. And at the end of the day, my goal is to educate people and teach them about what’s going on.

Joe Dylewski
And also, from an educational standpoint, I have a bachelor’s degree in business administration and a master’s degree in mathematics. And so in addition to this, I’ve also taught at the college level in math. So teaching is what I really try to accomplish with all this.

Rick Woyde
Terrific. And if somebody wants to get a hold of you, how would they get a hold of you?

Joe Dylewski
The best way to do it is our website, which is ATMPGroup.com. And from there there’s information about the company and a contact page to reach us.

Rick Woyde
Terrific. Thank you. So let’s let’s get right into it. And tonight or today, our topic is HIPAA. And full disclosure here, Joe’s firm is helping Pairaphrase with an audit right now, a compliance audit. And it’s been a very fascinating and educational and very valuable experience. But I think there’s a lot of mystery is what I would say around HIPAA.

Rick Woyde
So please tell us what exactly is HIPAA.

Joe Dylewski
Sure. So HIPAA just recently passed its 24th birthday and you have to go back to ’96 to to kind of look at the roots of HIPAA. Basically, HIPAA was designed, believe it or not, to help reduce costs in healthcare. And the healthcare industry in general, sometimes people look at them and think that they kind of lag behind in technology implementation. And one of the problems that we had in healthcare back in the 90’s and before that was these organizations communicated by paper.

Joe Dylewski
So if you put it in simplest terms, if you were to go to the doctor, they would record your insurance information and they would keep ledgers of all the procedures, all the diagnoses, and they would package that up and then send that to an insurance company through mail or courier, where the insurance company would then unpack it by paper. And that was very costly. The administrative overhead and all of that was very costly. So they had to come up with a standard to be able to take this information, make it electronic and be able to communicate between doctors, hospitals and insurance companies in electronic fashion.

Joe Dylewski
Well, the problem was there was no real standard to do that. In addition to that, it brought up a whole lot of other implications around the privacy of that data. So once it became electronic, who could see it? The security of that data in its electronic form, what rules were in place to make sure that if a doctor, an insurance company had it, that they took care of it, that they were good stewards of that data.

Joe Dylewski
So in the process of taking and implementing these methods of being able to take that information and move it places and share it places, they also took and implemented the whole idea of insurance portability, right. So when you look at HIPAA, HIPAA is actually the Health Insurance Portability and Accountability Act. So there were a number of titles in the whole HIPAA law that was passed in ’96 that dealt with things like being able to take your insurance from one company to another or being able to carry your insurance.

Joe Dylewski
There were tax implications relative to that. But one of the big pieces was this whole idea of administrative simplification, so they agreed on information exchange rules, but they also agreed on things like the privacy and the security of that information once it was there. So that then really led to the propagation of those rules, not only to doctors, hospitals, health insurers and providers and so forth, but it also led to the further propagation of that into the supply chain.

Joe Dylewski
So, for example, if I was a company providing services to an insurance company or a doctor, then I was really expected to live by the same set of rules that they were, because the data, whether it’s at a doctor’s office or it’s at a company providing services, it’s still equally important and has to be protected the same way. So over time, the HIPAA rule became more pervasive throughout a lot of different companies within the health care industry.

Joe Dylewski
And when we think about it today, most individuals that think about HIPAA, they tend to go towards that form. They sign when they get to the doctor. Right. That’s our that’s our knowledge of HIPAA. But there’s as you’ve learned, there’s so much more behind the scenes that deal with some of the rules and guidelines that have to be followed to protect it. So that takes us up to where we are today. And in between ’96 and today, there have been a couple of different updates in additional guidance provided by Department of Health and Human Services.

Joe Dylewski
But kind of encompassing all of that is really what’s gone on the last 24 years. But now with how much we hear on a daily basis about security breaches, all of the standards, HIPAA included, have gotten a lot more visibility and exposure, and they’re taking it much more seriously than they ever have. And that is ramped up over the years.

Rick Woyde
Well, I think cybersecurity today, especially during our current time of this pandemic, is more important than ever because I’m under the impression, it appears to me that cyber crime is just exploding right now.

Rick Woyde
There’s all kinds of fraud going on. There’s all kinds of phishing, which still remains a huge issue for everyone because it is so pervasive and the ones that are really good at it are really, really good at it. So how does HIPAA exactly keep you more secure?

Joe Dylewski
Well, there’s within HIPAA I talked about that administrative simplification title, or rule. And within that administrative simplification, there are actually three sets of different rules.

Joe Dylewski
One of them is called the security rule. And the security rule lays out a number of administrative, physical and technical safeguards that organizations have to follow. They have to be able to attest that, yes, I do this, yes, I do this. And for the layperson who might not know cybersecurity, there might be things within that rule that they never knew about.

Rick Woyde
Yeah, we all take it for granted. And we cross our fingers and hope that companies and websites and wherever we’re entering our personal information is safe.

Joe Dylewski
And I’ll give you an example of something that really stands out. I could be a typical physician, right. A provider that’s running a practice. And I run on my electronic medical records software, but I also on my laptop have worksheets, spreadsheets with patient names. I may also have images of that patient. And not a lot of people realize this, but that is also protected health information. Okay, so I’m putting a lot of focus and attention on that medical record software, which might be up in the cloud wherever it’s located.

Joe Dylewski
But I tend to lose sight of this information that’s sitting on my laptop. So to use your example of phishing, generally what phishing does is it’s targeting the potential for human error. Okay, because I get a phishing message, I click on a link, and it either imports some type of malicious code which can encrypt my workstation, i.e. ransomware, or it puts something on my workstation that can capture my credentials. And phishing is part of it. But the other is voice.

Joe Dylewski
I mean, how many how many stories have we read about people, people I know who have gotten calls from Microsoft support. And they say, I need to get on your computer type this LogMeIn.com and they take remote control of your computer. But these are all exercises designed to exploit human error. And so I think a lot of HIPAA and I always say a lot of HIPAA is designed to prevent or really to add human fault tolerance to prevent human error.

Listen to the Full Podcast Episode