71. HIPAA Violations: From $141 to $2.1 Million Per Record Exposed - with Milan Rogers

Justin Shelley (00:00)
Welcome, everybody, to episode 71 of Unhacked. Guys, this week we are here to talk about the new improvements and advancements in healthcare pertaining to baldness. Just kidding. Listen, before we got the cameras rolling, we sat around; there's two guys in here that are bald, one guy who was afraid of being bald or something, and then a third or fourth guy that just likes to brag about how he's not. And your terms common body anyways.

Bryan Lachapelle (00:27)
Ugh.

Justin Shelley (00:28)
We're not really here to talk about that. We're talking about cybersecurity, everybody's favorite subject. We're here to help business owners prevent game-ending cyber attacks, specifically in the world of healthcare today. So I'm Justin Shelley, CEO of Phoenix IT Advisors. We're going to run around the room and do some quick introductions. My company helps businesses build wealth using technology and then protect that wealth from, who, Mario? The Russian hackers, only the Russians, government fines and penalties, and class action lawsuits. Mario, do you have anything to say about that?

Mario Zaki (00:53)
No, we'll keep it like that today. We'll just focus on the Russians today. We won't mention all the other countries.

Justin Shelley (01:01)
Okay.

Fair enough. All right, Mario, tell everybody who you are, what you do, and who you do it for.

Mario Zaki (01:10)
Mario Zaki, CEO of Mastic IT, located in beautiful New Jersey, right outside of Manhattan. I've been in business for 21 years, helping small to medium-sized businesses stay safe from those other countries that we were mentioning, along with Russian hackers. And we specialize in giving business owners the ability to sleep better at night, knowing that their business will be there tomorrow morning when they wake up. That was a mouthful.

Justin Shelley (01:39)
That's always a plus. That's always a plus. I love it when I wake up and my business is still there. And sometimes it's a roll of the dice, guys. And I mean, in reality, that's why we are here, to increase your odds. Bryan, your turn. Who are you? What do you do, and who do you do it for?

Mario Zaki (01:46)
Ha

Bryan Lachapelle (01:46)
Yeah.

Well, sometimes I wonder who I am, but today I'm Bryan Lachapelle, CEO of B4 Networks. We're located in beautiful Niagara, Ontario, Canada, and we help business owners remove the headaches and frustrations that come with dealing with technology. And we do that by being your guide and implementing a plan to get from A to Z.

Justin Shelley (02:16)
Beautiful. Beautiful. All right, guys, time for special guest introductions. I'm really excited to have our guest today. Today we are introducing Milan Rogers, and I'm going to give a quick story today. We're going to talk about how he got there today. Milan is a full-time consultant for Complete Healthcare Business Consulting. Perfect, because we do so much work in healthcare. I've always wanted a guest like this on here. So Milan, thank you for being here. Really appreciate that.

Milan Rogers (02:42)
Thank you for having me. Thanks. Yeah.

Justin Shelley (02:45)
Now let me tell your story, and you correct me where I get it wrong, but you got into this world kind of in a roundabout direction. And I think we could all, maybe we all have some version of that story, but you are an occupational therapist by education, correct? And then took the natural progression into Unix sys administration in the IT world. That makes perfect sense. You managed a NOC, which is a network operations center, for those that don't know.

Milan Rogers (02:52)
I did. Yeah.

Yes.

Yeah.

Total sense.

Justin Shelley (03:14)
You love that. And I think, I believe your favorite part of that was getting woken up at three o'clock in the morning. Is that correct?

Milan Rogers (03:14)
That's right.

All the time, yeah. Sleep deprivation, it's my favorite.

Justin Shelley (03:25)
Right. And so since you were having such a good time there, you switched into healthcare administration, healthcare management, MBA. You went back to school, got some additional education, practice manager, HIPAA security officer, and then to where you are today. Did I get it all right?

Milan Rogers (03:41)
Yeah, that's a pretty good summation. Yeah. Yeah, it's been an interesting ride for sure. No, I mean, I just have to go back to the transition from occupational therapist to Unix. How do you make that left turn? So basically what happened was I couldn't get a job as an occupational therapist because of some stuff Congress did, and everybody was on a hiring freeze for therapists. So my friends said, hey, I can get you an interview with this company, and

Justin Shelley (03:45)
Anything you want to

Milan Rogers (04:11)
I sat across from this guy and he goes, I notice here you don't have any technical experience. I'm like, yeah, I... yeah. And he goes, that's all right. You have a master's degree. We'll give you a shot. You won't be worth anything to us for like six months, but whatever. I just bought stacks of books and dove right in and kind of figured it out and embraced my inner nerd. So it was good.

Justin Shelley (04:27)
alone.

I mean, hats off to you there. Listen, the world of technology is like that. I remember reading those books that were 1,100, 1,200 pages long, you know, and then you'd go take a test and get a certification. And that was the education back in the day. There wasn't really school for it.

Milan Rogers (04:41)
Yeah

Yeah.

Mario Zaki (04:48)
Ten minutes later you'll forget everything you read.

Justin Shelley (04:52)
Dude, my very first employee would get through one of those books in a weekend and pass the test, like Monday or Tuesday. Dude was a genius. Crazy. I can't do that. I can't, it takes me so long to read. That's my ADHD. We're not going to talk about that. Anyways, guys, let's go ahead and get started today. We're going to talk about, and Milan, when we did our little strategy session, there's one line in there that really caught my attention.

You said with emphasis, you have to have a plan and you have to be compliant. And again, we're talking about the healthcare world, but I'm going to say this applies to all of us. If you have technology, you better have a plan and you better be compliant. Now, tell me a little bit about why you said that. What kind of got you to that point?

Bryan Lachapelle (05:31)
Mm-hmm.

Milan Rogers (05:31)
yeah.

Yeah, so I mean, you see it on the news. We're going to talk about some examples of that, but, you know, I guess maybe it was last year, year before, we had a medical billing company locally that managed the billing, you know, all the processing, all the claims, for a bunch of medical practices in the area. Well, they had a ransomware attack and everything came to a screeching halt. They wouldn't pay the

money and they couldn't get their data. They lost two years' worth of medical billing data. And so, they're just the vendor, but all those practices had to take out lines of credit just to cover their, you know, payroll, all that kind of stuff. And so just to see, just locally, just one example of the devastation, because, you know, cash flow is everything in a small business. And so you have these medical practices and they just

Justin Shelley (06:15)
God.

Yeah.

Milan Rogers (06:40)
there, a lot of them are just, you know, white-knuckling, and they're just hanging on the cliff, you know. And if you have any disruption in payments from those claims, any at all, it can just have this cascading effect that's just devastating. We saw that while the billing company shut down, they didn't communicate effectively with their clients, with the medical practices, and they didn't follow the breach notification requirements from the government. And so they got in a lot of hot water and they eventually

Justin Shelley (07:06)
Mm.

Milan Rogers (07:08)
were shut down. But I haven't really followed what's happened after that, like if there's any class action lawsuits or anything like that. But that's just one example. But really the reason why, as a consultant, I say this to my clients all the time: you got to have something in place, got to be on top of this, because health care has the biggest target on its back across any sector. And the reason why is because if you

buy medical records on the dark web, they have the highest value. So just a complete medical record is worth between $250 to $1,000 per record, and if it's highly sensitive information like oncology, genomics, anything with, like, your financial, you know, insurance details, between $1,000 and $5,000 per record. How much is it for, like, a credit card number? Like two bucks, right? You can buy a whole list of them

pretty inexpensively. So this is like premium data, right? So another thing is the cost for breaches in healthcare are higher than any other sector by far. It's almost double, probably almost double from the next closest one.

Mario Zaki (08:19)
And that's because of the stuff that you have to do afterwards, right? Like, you have to get credit monitoring for every patient for, I think, a minimum of one year or something like that.

Milan Rogers (08:31)
Yeah, so there's all kinds of requirements under HIPAA that you have to follow when there is a breach. There's a whole protocol that you have to follow to do that. So let's just go ahead. Yeah.

Mario Zaki (08:45)
Now, I know I'm cutting you off. I just have a question for you. Those high-value charts, like the $5,000 charts, what do these guys use those oncology records for?

Milan Rogers (08:49)
Yeah, yeah.

That's a, that's a, yeah, that's a, I'm gonna get to that in just a second. I'm gonna talk about.

Bryan Lachapelle (09:02)
I was gonna ask the same question. Why is it worth so much?

Justin Shelley (09:07)
Yeah, because I honestly, I just want the credit cards. And they're cheaper. I get them in bulk and I get a discount. Shit. Are we recording? I shouldn't have said that.

Bryan Lachapelle (09:09)
Yeah.

Milan Rogers (09:10)
So

Mario Zaki (09:10)
It's cheaper.

Milan Rogers (09:16)
Well, yeah, right. So we're going to talk about the types of frauds, including what they could use that information for, in just a second. But what I wanted to do is, the health sector leads with the highest breach costs at, on average, $10.93 million per breach.

Justin Shelley (09:35)
Okay, so here I've got a question on that, because as a small business myself, a lot of my clients are very small businesses. When I hear that number, it's like, it can't cost me $10 million because I ain't got it.

Milan Rogers (09:45)
No, it's hospitals. I mean, of course, but still, it's all relative, right? I mean, if it's 25,000, 50,000, I mean, those could be like, well, I think I said this to you, Justin, before, which is these can be door-closing events. These will close you. These can shut your business down if you have to pay these kinds of fines, not just to, you know, the hackers, but it could be

Justin Shelley (09:47)
Right.

It is.

Milan Rogers (10:14)
All the other stuff. You have to pay the fines and things like that. It just is massive. The next closest sector is the financial sector, and the average is like $5.9 million. Yeah, half as much. So let's talk about, like, so that's massive. We're talking massive amounts of money. And again, it's all relative. It doesn't matter if you're a small business or if you're a large organization, it's still gonna hurt. That's just the bottom line.

Justin Shelley (10:26)
Really? Half as much?

Bryan Lachapelle (10:40)
Mm-hmm.

Justin Shelley (10:40)
I would love to see it as a percent of gross revenue, honestly. That's a number that would be more meaningful. I wish they would publish it that way.

Milan Rogers (10:44)
Mmm, yeah that would be-

Yeah, that actually would be super interesting. Okay, so let's talk about the different types of fraud schemes that can be perpetrated using medical records, right? Well, the obvious ones are like identity theft or medical identity theft where they can go in your name, they can receive care, they can fill prescriptions, they can open up insurance claims in your name, can collect on those, they can do phantom medical billing.

And I was looking more into this, there's something called synthetic identities. And you guys might be familiar with this, but you can take that information from the medical records and fabricate, using real medical record data, new identities for long-term fraud. You have the keys to the kingdom. When you have medical records, a complete one, you have family members, you have dates, you just have details

Justin Shelley (11:34)
wow.

Milan Rogers (11:44)
that you otherwise would not have, so that you can perpetrate so much more in the way of identity fraud, right? You can have what's called account takeover, you know, or payment diversion. So if you are submitting a claim, they can divert the payments to them. They can exhaust a patient's benefits, and so when the patient comes to use their benefits, it's already been used up, right? You have...

provider impersonation, you know. For whatever reason, you can maybe open up credit lines and get, you know, this kind of thing. Whenever you have a provider's information and you can impersonate them, it opens up a whole other level of fraud. And then, of course, tax and financial fraud, targeted phishing. So think about this: if you have a medical record, you have all that information,

how you can socially engineer just by calling that patient directly, or calling somebody related to that patient, to extract more information that you need or want for a fraud, or to make some money off of them. And then of course the genomics stuff, you guys asked about that: extortion. So if you have genetic information, you have oncology information,

Bryan Lachapelle (13:02)
Right.

Milan Rogers (13:08)
let's say this is a public figure, this is somebody that is a pillar of their community. What if you have psychiatric information or reproductive information? You find out that, for some people, and maybe in the political circles, they find out that this political candidate had had an abortion.

Mario Zaki (13:24)
I had a bastard son.

Milan Rogers (13:26)
Right? It just opens... So extortion is one of those. I'm not saying it's the only way to use that information, but it's a big-ticket item. So those are some areas where you see fraud using medical records. You just think about, you have a Visa card number, or you have the keys to the kingdom. You might even have Visa, you might even have some of that information in these medical records if there's financial data involved as well. So.

Justin Shelley (13:28)
Yeah.

Justin Shelley (13:53)
Yeah. Crazy stuff. You know, when you opened up, you talked about the breach that happened to a billing company, right? And one of the, it's not a direct relation, but one of the biggest frustrations when I'm talking to people about, Bryan, you were saying before, like you're up in Canada, you guys don't have the same amount of teeth in the law as we do down here, but regardless, I see a general sense of apathy. It's just like,

Justin Shelley (14:22)
Either it's not going to happen to me, or we're too small, we're not a target. I don't have anything they want. That's my favorite one. We just don't really have anything that they want. And my answer to that is always, well, you have money, right? You have a bank account. They want that. And they're going to find a way to get that. 100% of the time they're coming after your money. But what I really would like to drive home, and I, you know, I feel it myself and I wish more business owners felt this, is that we are

Bryan Lachapelle (14:29)
Yeah.

Justin Shelley (14:51)
stewards of our clients and of their information. And, you know, in that billing company situation, it's not just your problem. The people that you take money from, and that's if you don't care at all, but hopefully you do. So the people you care about, the people you serve, the people that you are passionately trying to help run their businesses. Damn, I mean, you just took them for a ride, and it's your own fault. I don't know the case, you know, in this particular case, but almost always,

Bryan Lachapelle (15:00)
Right.

Justin Shelley (15:21)
the 97% of the time, roughly, these things are preventable with basic security measures. Not even talking about the fancy stuff. Just get the basics in place and we're going to prevent most of it.

Bryan Lachapelle (15:27)
Yeah.

Milan Rogers (15:29)
Yeah.

I love that you said that about connecting it back to the people, because in healthcare it is... I'm focused in healthcare every day, and it is about the patients. It always is about the patients, and these are people's lives we're talking about. And there's a real-world impact to that, both financially and socially, and there's every other aspect of this. It's pretty serious business, honestly.

Justin Shelley (15:42)
Right.

Mm-hmm.

Yeah, I mean, you see people, you know, on social media, broadcasting their vacations to Europe and all this kind of stuff, but they don't have money to protect their business. You know, it's like,

Bryan Lachapelle (16:07)
Hahaha

Milan Rogers (16:10)
Yeah, well, and honestly, a lot of them say, I don't have time. There'll be excuses about why they haven't done it. But the truth is, with HIPAA specifically, the stuff we're talking about here, you really do need to have experts coming in to help you with this. This is something that you do need help with. It's not something that you can just manage on your own and just shooting from the hip. It just doesn't work with something as highly regulated as health care.

Justin Shelley (16:21)
Mm-hmm.

Bryan Lachapelle (16:37)
I'd like to add something, and it's basically something you just said: I don't have time. And maybe I could relate it to something that doctors and the practice managers can relate with. A lot of people say they don't have time to exercise. They don't have time to take care of their health. They don't have time to eat right. They don't have the money to buy good food. They don't have the money or the resources to be able to take care of their bodies the way they should. Right. And as doctors and as medical practitioners,

Justin Shelley (16:54)
Mm-hmm.

Mario Zaki (17:01)
Yeah, who has time for that shit?

Bryan Lachapelle (17:07)
they're telling their patients, you need to do this to survive. Well, we're basically saying the same: you need to do this security for your business to survive. Right? And it's the same thing. You don't have time, you don't have the money. Bananas, you have the time, you have the money, it has to be done. Whether you're in Canada or the United States, the rules still say you have to protect your data. Just because there are no teeth here in Canada

Milan Rogers (17:19)
Yeah. Yeah.

Bryan Lachapelle (17:34)
doesn't mean that you should have apathy and not do it. Because if you're preaching to your patients that you need to take care of your bodies and your health, we're preaching that you need to take care of your company and its health. So just wanted to throw that in there.

Milan Rogers (17:48)
Yeah.

Yeah.

Justin Shelley (17:50)
Very good point.

Mario Zaki (17:52)
Well, you know, one thing I do want to add into that: you know, we mentioned, or we're obviously blaming the billing company for not taking the proper precautions, no matter how basic they are, to protect themselves and protect the doctor's offices that they serve. But I'm also going to blame the doctor's office in this, because they need to vet the vendors that they're working with, you know, because

Justin Shelley (18:18)
Yeah, yeah

Milan Rogers (18:18)
Great point. Great point.

Yeah. Yep.

Mario Zaki (18:21)
Because

we see it all the time. I'll speak for myself: we have customers all the time that say, we want to work with this new vendor or this new customer, and they provided us a list of cybersecurity checklists that we need to make sure we're compliant with to even do business with them. And it's our job to make sure, like, yeah, you have this, you have this, you have this. You don't have this, we will get it for you. This, this, this, and this.

Doctors' offices, unfortunately, sometimes they will say, okay, well, this medical billing company is gonna charge us 1% less to do the same work, so we're gonna switch over to them. But they don't vet them.

Justin Shelley (19:03)
Right.

Milan Rogers (19:05)
All right. Yep.

Justin Shelley (19:07)
Yeah, why are they less? There's a reason that they are cheaper.

Bryan Lachapelle (19:11)
I want to highlight to just something we all just did. We all just did it. Every single one of us blamed the company, the medical practitioners, and they are the victims. They are the victims of a cyber crime. And none of us, and this is just natural, like we're blaming the victim for something that in reality, we should be blaming the cyber criminals, but we have no control over that. It's such a wild west out there. The only thing we have control over is what we

Justin Shelley (19:18)
Uh huh. I was gonna... Yep.

Bryan Lachapelle (19:39)
as individual companies do to protect ourselves. That's not to say that if you follow all the rules, you will never be breached. But if you follow the rules, Justin hit the nail on the head, 97% of the time you will be fine. There is that 3%, and that's what insurance ultimately is for. But there is that 3% that, no matter what you do, you may still be a victim of cybercrime. But if you're not that low-hanging fruit on the tree, you're way ahead of the others, and they'll go after the people who are

abdicating or have apathy in their businesses. And so it's like the bear thing, right? You don't have to outrun the bear. You just have to outrun the slowest party that you're with.

Justin Shelley (20:18)
Yep.

Milan Rogers (20:19)
Right. That's crazy because even,

you could talk about resources and time, but even those organizations that have the resources aren't doing it. Like, I wanna talk specifically around Change Healthcare. This was probably one of the largest, if not the largest, breach in healthcare in history. It happened last year, like February of last year.

Somebody, attackers, stole the credentials of a remote system for Change Healthcare. Change Healthcare is owned by United Healthcare, which is the largest out there. They're the biggest healthcare organization, healthcare company in the United States. And so they own Change Healthcare. Well, somebody got in; it did not have multi-factor authentication enabled, right? So basic. And it was a legacy technology. So they had, it was probably sitting over here on an

Bryan Lachapelle (21:06)
Ugh, so basic.

Milan Rogers (21:13)
older system that hadn't been updated, didn't have MFA enabled, and they got in. Well, they had, it was ransomware, and so they stole the data and, of course, encrypted it, stole it, and then they got extorted twice by two different organizations from that data. Yeah, so it's like they pay and still get extorted, right? They paid, like, I think the United Healthcare Group paid like $22 million

Justin Shelley (21:31)
Two different orgs? That's... wow. Yeah, yeah.

Milan Rogers (21:40)
to, I don't know, this group, you might know it, it's Alpha, ALPHV, like upside down, Alpha. And then RansomHub was the second organization, criminal organization, that extorted them, because they got the data too. So double whammy, right? So that was just from the extortion that they had. So that was $22 million. Well, let's talk about the effect. We talk about patients, okay?

Justin Shelley (21:46)
Hmm.

Milan Rogers (22:08)
the people affected, they say, was around 190 to 193 million individuals. Just insane. There's also, let's talk about the financial impact. Now, UHC, I think their direct and sort of near-term costs, they're estimating it between $2.3 and $2.45 billion. Well, that's what it started with. And then it went up to $2.87, almost

Justin Shelley (22:14)
wow.

Wow.

Had to be with a B, yeah, wow.

Milan Rogers (22:38)
three billion dollars in direct near-term costs. Now that's just, and they were separating out the cyber attack direct response costs, and that's probably not even including, like, all of the, you know, fines, everything else. I mean, just, you know, Mario, you were talking about what are the expenses around the cost of all the stuff, yeah, after the breach. So

Justin Shelley (22:55)
Yeah.

Mario Zaki (23:03)
After the breach, yeah.

Milan Rogers (23:07)
This is just such a massive deal, let's talk about what happened, the actual downstream effect, because... Yeah. Yeah, yeah.

Justin Shelley (23:13)
Real quick, before you go there, I do want to go there. But another thing that isn't always taken into account when you're looking at the cost of a breach, or when you're looking at the risk, because everything we do in business, we have to weigh the cost versus the risk versus the benefit, right? These are not simple decisions. So anybody here familiar with SEO, search engine optimization, marketing, right? We spend a lot of time and money trying to show up in Google listings.

Mario Zaki (23:36)
I've heard of it.

Justin Shelley (23:41)
Just for fun, go ahead and Google search Change Healthcare. You know what you don't see? What a great company they are. You know what you do see? Massive breach. Like, their reputation's cooked. So, I mean, like, there's so much that goes into this, to not have the budget, to not have the time, to not have the passion, and Jesus, have some fear.

Mario Zaki (23:52)
Mm-hmm.

Milan Rogers (23:53)
That is so true. That's true. Yep.

yeah.

Justin Shelley (24:08)
Like, I don't like spreading fear, but damn it, have some fear, people, because this can be bad. All right, go ahead. Let's talk about how it happened.

Milan Rogers (24:15)
Yeah, no, that's actually such a huge, huge point. Yeah, your name is mud. This billing company, their name is mud, right? I mean, the one locally.

Justin Shelley (24:21)
Yeah, even Wikipedia says they're an organization that bloody bloody blah, were breached. You know, it's like...

Mario Zaki (24:28)
Ha ha.

Milan Rogers (24:29)

It's like the tagline underneath the name now, right? I mean, it's horrible. Yeah, no, you're absolutely right. So what I was going to say about the downstream disruption, besides what you're talking about with their brand destruction, is so many, ⁓ they processed claims. That's what they did for massive amounts of providers throughout the country. So what happens when all of a sudden they can't process claims?

Justin Shelley (24:33)
Yeah, yeah.

Yeah.

Milan Rogers (24:59)
So what they had to do was, first of all, CMS, you know, Medicare, they opened up accelerated, advanced Medicare payments, like paying them in advance so that providers could stay solvent. We're talking about solvency, right? We're not even talking about, like, you know, this is inconvenient. We're talking about providers throughout the country that are having possible insolvency issues. So Optum, which is also under, is the Medicare branch of, sort of,

Justin Shelley (25:12)
Right, yeah, yeah.

Milan Rogers (25:28)
UnitedHealthcare, they handle all the Medicare claims. So Optum did temporary funding assistance, provided no-interest advances to these impacted providers. So they're scrambling to throw money at them to help them get kind of an advance. All this stuff was happening. I was helping consult with some of these practices that were dealing with this, and they were stressed out of their minds. I mean, I was only in the periphery. I wasn't, like,

deeply involved with it, but I was watching and talking to practice managers and administrators about what was going on, and it was brutal. It was brutal.

Justin Shelley (26:04)
Well, this is another point we talk about a fair amount, and I think you opened with it, Milan. These can be, when, if I get breached, God forbid, it could be game-ending for me. I do think about that. But the point you're making right now is not only that, but it could be game-ending for your patients, your clients, your customers. Like, this snowballs.

Milan Rogers (26:16)
Yeah.

100%. Yeah. Yeah.

And it sounds like, I sound a little like Chicken Little, but it goes back to, when you look at the dollar amounts involved with this data, and because it's the top data you can get on the dark web, it's the most highly priced, you have the biggest target. I don't care how big you are. If they can only glean a smaller payment out of you, if you think you're too small to be hit by this,

then I think there's some... you need to open your eyes, because you see these breaches happening across organizations of various sizes, whether it's large or small.

Bryan Lachapelle (27:05)
I think the most

Mario Zaki (27:05)
N-n-nothin'.

Bryan Lachapelle (27:07)
common thing to think about is, yeah, you might think that you're too small to be breached, but really you're just too small to make the headlines of the news. You're not too small to be breached. Small companies are breached every single day. They're just not important enough to make the headlines. They're just not a big enough company for it to be national news. And so they just go under the radar. And who's going to advertise, yeah, we were breached last week, sorry, folks? We're just going to put that out there for ourselves.

Milan Rogers (27:21)
Yeah. Yeah.

Yeah.

Bryan Lachapelle (27:34)
Now they're going to want to sweep it under the rug and hide it because it's embarrassing. And so unless they have to disclose it, they won't.

Milan Rogers (27:37)
Well, it's a, yeah, well,

if it's a big enough breach, it will be on the Office of Civil Rights website. They'll have a press release, because they love to show that they're enforcing, and they're gonna, especially the big ones, right? And you're gonna, you go on there, we'll talk a little bit about maybe some of those. But so, yeah.

Bryan Lachapelle (27:47)
Yeah.

Justin Shelley (27:59)
Quick, Mario, did you have something you wanted to add?

Mario Zaki (28:01)
Yeah, a couple things. Do we have like any public knowledge of what happened, how they started? Was it like one click? Was it a social engineering? Do we know?

Milan Rogers (28:13)
You know, Mario, it's a good question, and I didn't get deep enough into the technical details of it. So that's something that might be worth looking at, to see maybe even, like, a case study of what happened, and it's kind of a cautionary tale. But I mean, they didn't have multi-factor authentication. Somebody got credentials, and I guess the credentials were brute-forced, whatever they did, and got in.

Mario Zaki (28:27)
Mm.

Milan Rogers (28:41)
I mean, that's a pretty common story, right? It's brute-force attacks, and then there's no MFA, and you're in. But anyway.

Mario Zaki (28:45)
Yeah.

Yeah. And the thing is too, part of that after-effect too, that we were just mentioning, it's not only just you, your company and your customers, but it's also your employees. Like that medical billing, you know, it's... now they have, I don't know, I'm guessing, you know, a good amount of employees that are literally, you know, jobless. They have no place to go. They probably are not easily going to collect unemployment, or not going to collect it for a while.

Milan Rogers (29:05)
Yeah

Yeah.

Mario Zaki (29:17)
You know, and now they probably have, you know, it's their families as well. You know, I know, you know, when you're an owner and you have employees, you know, especially with small businesses, you tend to grow, you know, you tend to have your employees feel like they're part of your family, you know? So now they've, you know, they, they've pretty much not only ruined his company, but they've ruined the livelihood of a lot of their employees.

Milan Rogers (29:17)
yeah!

Mm-hmm.

Yeah, I mean, and think about that 190 million, you know, 193 million patients' data. Like now they're in the crosshairs for who knows what kind of fraud. If they have enough data, they can now go after it. And it just goes on and on and on. The ripple effect of something of an event like this, it can be just absolutely devastating. And it could go on for years, the impact of it, right? Financially and otherwise, so.

Justin Shelley (30:09)
So let's,

let's accelerate through, cause there's a fair amount. I'm already scared, and I don't run or own a health care practice. So let's go through the rest of this real quick, and then let's get into like, please, for the love of God, make me feel better. What can we do? Yeah.

Milan Rogers (30:22)
Yeah, yeah, let's do it.

What can you do about it? Yeah, yeah, yeah,

yeah. So first of all, I talked to you about this before we got on, I just want to throw out a couple definitions, so we're all kind of level set and everybody kind of understands the language I'm speaking, or we're speaking, on this call. So the first is, of course, HIPAA: there's the Office of Civil Rights, which is the OCR. They're the primary enforcer of HIPAA under the Department of Health and Human Services.

So if you talk about the OCR, they're the ones with the stick. That's right. Yeah. Yeah. Then you have PHI, which is protected health information. That's basically your medical records, physical, mental health, whatever, any care you receive, payments for that care, anything that can identify you. So it's individually identifiable information. I won't go into that, but there's so many acronyms in healthcare, it's just kind of stupid.

Justin Shelley (30:58)
They're the ones that come in and say, hi, I'm from the government and I'm here to help you.

Milan Rogers (31:23)
And then I wanted to actually throw this out because PHI, you think of PHI like your name, your phone number, your email, there's all these obvious ones, but under cybersecurity, there's actually, I looked up sort of what are some PHI specific to information technology. There's actually three I wanted to throw out there. Maybe you guys know, maybe not. There's Mac addresses, like for smart medical devices, that could be considered PHI.

Web URLs that point to patient-specific portals, documents, lab results, that kind of stuff. IP addresses. I mean, this goes back to the OCR's online tracking guidance that they have. But if you have any website tracking pixels, that kind of stuff, and you're capturing IP addresses that in some way can be tied back to an individual, then that would be considered PHI. So I just want to throw that out there as something to be aware of as you're logging this information in your systems, right?

Bryan Lachapelle (31:59)
Thank

Justin Shelley (32:12)
Interesting.

Right.

Milan Rogers (32:21)
And then the final thing is covered entity. We talk about in HIPAA, what is a covered entity? It's basically any person or organization that creates, receives, maintains, transmits protected health information. And that could be either the organization, the primary organization, or vendors like the billing company to their, you know, that medical billing company, or Change Healthcare to all the practices that use their services. So.

Bryan Lachapelle (32:44)
I guess that would include

MSPs, because we're storing and tracking a lot of data too.

Milan Rogers (32:47)
100%. yeah.

If you have medical practices and you have a BAA in place, let's talk after. You need to, for sure.

Justin Shelley (32:55)
Yeah. You

know, one thing that comes to mind, we had an attorney on here a while back that we interviewed, and he talked about the

the importance of not gathering information and not storing information that you don't absolutely need. Like either don't gather it in the first place or get rid of it when you're done with it. But to keep this stuff, wherever you store it, doesn't matter. You're just increasing your liability.

Mario Zaki (33:12)
Mm-hmm.

Milan Rogers (33:12)
Hmm.

Yeah, absolutely. Now, I was hoping we'd have more time to do this, but I'm going to skip this part. This is just talking about actual penalties. Just know that with

Justin Shelley (33:35)
No,

don't skip it. I want you to go through this. I'm just like, hey, let's speed it up and then get to like, get me off of this cliff, cause I'm about ready to jump.

Milan Rogers (33:38)
Okay. Okay. Okay, okay. I'm okay. I'm

Mario Zaki (33:45)
Yes, seriously, like...

Milan Rogers (33:47)
so sorry.

So this is what happens when you have the most highly regulated industry in the country, right? I mean, this is how it goes. So let's just talk about the HIPAA violation penalties just really quick. It's a tiered system. There's like four tiers, and there's a different range per violation

Justin Shelley (33:50)
I know. Yeah.

Milan Rogers (34:08)
and of these financial penalties. So the first tier is unknowing, meaning you didn't know; either you, the covered entity, or your business associate didn't know and couldn't reasonably have known about the violation. So it still provides for that: even if you didn't know, you could still be in violation and still get fined for that. Reasonable cause, being the violation was due to reasonable cause, not willful neglect; so you weren't trying to neglect it, but there's still a violation.

So maybe you'd made some efforts, but it still happened. Willful neglect, but it was corrected, so that's the third tier. Willful neglect corrected within the required time period. So there's a corrective action that happens and they don't get as high of a fine. Or the top tier, you don't want to be top tier. Tier four is the willful neglect and it's uncorrected. And so the ranges, from tier one it's from $141 per violation, up to tier four, up to

$2.1 million per violation.

Justin Shelley (35:09)
violation and a violation is is that per record or is that just per incident?

Milan Rogers (35:13)
It's actually, I prepared a statement for this because I knew I was gonna be asked this. I'm just gonna read it because it says it a lot better than I could off the top of my head. Under HIPAA, per violation doesn't mean per patient or per breach. It depends on what was broken. If a practice fails to run a required security risk analysis for three years, that's three violations. If they email 500 patient records to the wrong person, that's 500 violations.

Justin Shelley (35:17)
okay.

Milan Rogers (35:39)
So the OCR decides the count based on the rule section violated, how long it lasted, and how many people were affected. that's... Anyway, you look at it, yes.

Mario Zaki (35:48)
So you're fucked. Just bottom line, you're fucked.

Justin Shelley (35:49)
You're fucked, yeah? Let's

bring this to layman's terms. Man.

Milan Rogers (35:54)
So where

it goes into criminal violation. So if the OCR sees that a violation, that somebody knowingly obtains or discloses the PHI in violation of HIPAA, then they will send it over to the Department of Justice and it becomes a criminal violation. So, like, I'm trying to see if I have any examples of that.

Justin Shelley (36:17)
Yeah. Like is that if I, I'm a doctor and I sell my own patient records to somebody for nefarious reasons? Is that what we're talking about here?

Mario Zaki (36:17)
Yeah.

Milan Rogers (36:21)
Okay, maybe

I don't know. Here's one. Here's, I found one. Well, here's what happened. Actually, one of them is a researcher accessed patients' records out of curiosity and was sentenced to four months in prison. This is an important point. So when you look at like electronic medical record systems, a lot of them have these auditing capabilities where they can see. I'm trying to remember which one. I was actually, as the HIPAA security

Justin Shelley (36:26)
I have a storefront on a dark web. Come get my stuff.

Yeah.

Milan Rogers (36:51)
officer, I had to have really awkward conversations with providers and staff when they had accessed either their family's records or another employee's records, or even their own records sometimes, like if a physician is going in and messing with his own record. So we called it the break-the-glass report, and I would receive these emails from corporate and they would say, you need to go talk to this person and find out what happened. But that's

Justin Shelley (37:09)
Hmm.

Milan Rogers (37:18)
You could go to prison. I mean, this guy did that. He was out of curiosity. You know, that person, I want to find out more about them. You pull up their record and you have no reason to look at their information. So that's one. So you don't want to access family, coworkers' medical records, that kind of stuff. And then another one was an employee sold their PHI to file fraudulent tax returns. That's another one. That was US versus Ferrer back in 2015. That was a multi-year sentence and restitution.

Justin Shelley (37:42)
Yikes.

And this

comes back to, I think you've already said it. I know we talked about it in our brainstorming session. Not only in business at large, but in healthcare, not only do you have to vet your vendors, but you have to vet your employees very carefully. Yeah.

Bryan Lachapelle (38:03)
and train them because that's something that a

Milan Rogers (38:04)
Yeah, yeah.

Bryan Lachapelle (38:05)
lot of people might do just out of curiosity and not realize that they're breaking the law, right?

Milan Rogers (38:05)
Well, yeah. 100%. Well, that's part of, we'll go into that, the meat of what Justin's talking about, which is, what do you do? What are the security standards under HIPAA? And how does that overlap with some of the security standards you guys use with your clients? So we need to get there. We'll get there. But what I wanted to do is talk about what the Office of Civil Rights, what their current focus is, because I think it'll,

Justin Shelley (38:12)
Yeah.

Okay.

Milan Rogers (38:34)
help guide us into that conversation. The first one is what's called the security risk analysis, the SRA. They are cracking down on, so that's the first thing they're going to ask for. If you get breached, something happens or there's an incident, even if it's self-reported, they're going to say, I need to see your SRA. So that's the first thing. So that's the thing they're focused on. So that tells us.

Justin Shelley (38:42)
Mm-hmm.

And the right

answer, just to be clear, the right answer is not to look them with wide eyes and say, the SR what? Don't do that. Is that what I'm hearing?

Mario Zaki (39:06)
Ha

Justin Shelley (39:14)
Okay. But I'm, I'm saying this because, guys, I can't make this up, but I was talking to somebody, this was a while back, and I mentioned BAAs, and we haven't got there yet. And I shit you not, they just said, what? What's a BAA? It's like, you gotta know that. You gotta know that. So if you don't know what these acronyms are, yeah, go on, go on.

Milan Rogers (39:17)
you

These are bare minimum, right?

We'll talk about it. Yeah. Yeah,

yeah, yeah. Perfect. Yeah, so the next part is third party or vendor management, right? And that goes to business associate oversight. This goes into having auditing protocols and making sure that you vetted. I think Mario used that word, I think, vetted. You vet your vendors. Yeah, so that's another focus that they have. They're looking very closely at how you're managing your vendor relationships and that whole thing.

And I mean, I think I have some examples here. I don't think we have time, but I'm just going to focus on what the OCR is focused on right now. Then the other thing, and I kind of mentioned it earlier, was tracking technology. They have updated guidance from last year, I think, prioritizing the security rule around compliance when regulated entities, such as a medical group or whatever, a covered entity, use pixels, SDKs,

on websites or apps for tracking purposes. So if you are capturing, you got to make sure you know what they're capturing, what kind of information and what's being logged. So that's, and it's protected. So tracking technology is another area where they're focused. So those are kind of, it's not all the areas, but those are some of the themes, some of the things that we're seeing with the OCR right now.

Justin Shelley (40:56)
Interesting.

Mario Zaki (41:02)
Well, now you're getting when you're talking about pixels and stuff like that, you're getting Google, you know, and Facebook to have your information as well. so then. Yeah.

Milan Rogers (41:08)
Yep. Meta, anything meta I think they use. Yeah. Yep.

Yeah. So the whole thing with HIPAA is they have what's called the HIPAA security rule. And they've put in place HIPAA security standards. And they fall into three basic buckets. One is the administrative safeguards, is what they call them.

And that accounts for about 50% of HIPAA security requirements. But these are all your, like, SRAs, your BAAs. We'll talk, well, let's talk about that right now. Let's just talk about it. The BAA is your business associate agreement. That means that if you're a covered entity and you bring on a vendor that may have access to your PHI, they are also a covered entity. You have to make sure you have a business associate agreement with them to protect,

that they'll protect the PHI as much as you do. I mean, that's what a BAA is. And, you know, Justin, you're saying that people just give you kind of that bovine stare like, what are you talking about? And it's true that these are like bare minimum things, the SRA and the BAA. Many, many practices do not have it, and they're not tracking and they're not keeping on top of it. It's not enough. Let's just put it this way. It's not enough just to do an SRA or to

Justin Shelley (42:07)
Yeah.

Yeah.

Milan Rogers (42:32)
do a BAA and to file it once and never look at it again. You're going to get fined if you do that because you're not staying on top of those, either vendor relationships, vendor management, or the SRA. It's a living, breathing kind of analysis. It's not something you do one and done. So we could talk more about that. I'm sure you guys have some thoughts about that.

The next, there's also, we talked about training, training your staff. That also falls under administrative safeguards, which is one of the biggest things. I remember, I'd been working for a large corporate medicine, one of the things that we did all the time was we'd receive these phishing emails, right, to train us to be able to spot a phishing email, because all it takes is one employee. That's your biggest weakness, right, is the employees in any situation. You can have all the technology in the world and the firewalls and all those, you know,

Intrusion detection, all that kind of stuff. But if you don't have staff that are trained, it's your biggest, one of your biggest vulnerabilities in my opinion. But so the awareness of training falls in, and then your documentation, what your plans are, and disaster recovery and all those kinds of things. So that's administrative safeguards. The second bucket is physical safeguards. So this is all your physical stuff. So your facility access controls, your workstation security, I think.

Justin, I was talking about, like, setting up at the front desk those privacy screens so people, you can only see it if you're standing right in front of the screen, using cable locks, making sure that, you know, how you're handling your devices and media controls, like how you're handling and reusing and disposing of hardware and media. So that all falls under the actual physical safeguards. And then the final one is your technical safeguards, which has to do with, you know, your roles, your access, you know,

based on roles, your audit controls, integrity controls, your authentication, you know, are you using MFA. And then how are you securing the transmission of that data? That's the transmission security. That all falls under that bucket. So those are the three buckets of the HIPAA security rule. And they have lots of resources out there actually online. Right now, I just went to the website to, you can download a security risk analysis,

like a spreadsheet or an actual application, it's like an executable you can install in your Windows workstation to actually go through a security risk analysis. And it's a good starting point. I'm not saying it's the end-all, be-all, but it's a starting point.

Justin Shelley (45:08)
The starting point, yeah. Because

it can get some of the technical safeguards, but it can't get most of the administrative or physical.

Milan Rogers (45:15)
Right. Right.

Mario Zaki (45:15)
I think, should we link

that to the site? Can you send us a link to that?

Milan Rogers (45:19)
we can right now

because of the, and this is probably not going to age well for this podcast, but because of the government shutdown right now, it's got a little message saying sorry, it's something, I don't know, I think it's aggressive personally, but

Justin Shelley (45:22)
Yeah

They can't afford their hosting fees. Here's what

we will do. There is a downloadable quick wins kind of guide that I'm going to make available for everybody. So by the time this airs, you can just go to the notes, the details or whatever, and you'll see links for all of us. And there'll be a link for the downloadable. And I'll talk more about that, but yeah, that's a good point, Mario. We want to give actual resources for what can be done. Cause I'll tell you this much.

Bryan Lachapelle (45:58)
Yep.

Justin Shelley (45:59)
as much fun as we're having here talking about all this stuff, you can't listen to it and then go out and handle it and call yourself good. It just doesn't work that way.

Bryan Lachapelle (46:04)
Thanks

Milan Rogers (46:06)
Yeah. So,

Mario Zaki (46:07)
But I could

Milan Rogers (46:07)
so I-

Mario Zaki (46:08)
have sworn we promised there was like a light at the end of the tunnel. I'm still waiting for that.

Justin Shelley (46:12)
That's my downloadable.

Milan Rogers (46:12)
HA HA!

Well, Mario,

you're the light. I mean, come on, you're the guy. Now, I mean, my point is you need to hire somebody to help with this. And that's not, I'm not shilling for anybody on this call, on this podcast. I'm not saying that. Okay, shill away. That's fine. All I'm saying though is that you got to make sure that you do have, and there are actually, when I consult on some of this stuff, like when I'm doing a practice startup or whatever, there are platforms that help you become compliant.

Mario Zaki (46:19)
You

Justin Shelley (46:25)
Yeah.

Mario Zaki (46:30)
Shit, we are.

Justin Shelley (46:31)
Yeah.

Bryan Lachapelle (46:32)
me.

Milan Rogers (46:46)
Now, they'll provide like the anonymous hotline, you know, and all these other things that help you stay compliant, also with OSHA and other things. So there's compliance platforms that you can purchase. It's usually a per-employee kind of a fee structure, but it definitely really helps guide you through and become compliant across the board. It's a good start. Stay compliant.

Justin Shelley (46:46)
Yes.

Mario Zaki (47:07)
And stay compliant. That's the biggest thing.

It's not like, and you know, I know Brian, you know, I'm stealing this from Brian. It's not something that you set it now and then you forget it. It's a journey. You know, you're gonna keep going. You know, this is not something that you, you know, when you first, as a startup, or when you first engage somebody, like, all right, get us HIPAA compliant. Okay, here's your check. You know, we hope to never see you again. You know, because things change along the way.

Milan Rogers (47:19)
100%.

Yeah, yeah.

100%, and in fact, people might use that same excuse, well, we don't have the resources to do this. You can't afford not to do it. That's the truth. But when you look at the actual list of the HIPAA security rule and the standards and what they say, there's certain line items that they say are required, it says required. But then there's some other ones that say addressable. What that means is, when you say addressable, it means we'll leave it up to your discretion to figure out

how to comply with this. We're not going to put any strict requirements around it, but you need to address it in some way, shape, or form. So there's kind of two buckets when you look at this stuff and whether it's required or addressable. I was going to ask this actually. So when you guys look at your protocols, you talked about frameworks. Justin, when we were talking previous to this podcast, you talked about the importance of frameworks. Can you maybe speak to that for a second about how this overlaps with this HIPAA security rule and the standards?

Justin Shelley (48:29)
Well, I can tell you the way we write our agreements, we have some basic controls that we put in place for all of our clients. And number one, I tell them this isn't the end. Like this is just the basics, but every single one of them, they're industry standards. And I can point to HIPAA. I can point to CMMC. I can point to CIS. I can point to PCI, like all these frameworks say in one way or form that you've got to do these basic things. The

Milan Rogers (48:34)
Mm-hmm.

Justin Shelley (48:57)
The reason that I'm so hell-bent on using them is because, you know, and this is just like a little dark secret of the IT industry, the MSP industry. Um, and honestly, this is becoming more common, but it wasn't very long ago that we didn't have any real guidance to go off of. And, you know, my famous story that I keep talking about is an MSP owner who got on Reddit, which is, I love to go on Reddit and hear everybody's trash. A guy had been in the industry for 25 plus years.

And a prospect had asked him, what are these best practices, these industry standards that you guys talk about? He jumps on Reddit and he's like, I have no idea. Like maybe we should all get together and come up with a list. I'm like, dude, they're published. They're out there, but this guy's holding himself out as an expert and taking people's money and promising them security. And he doesn't even know what the hell he's doing and he's admitting it. It's like, damn it. This is what's wrong, guys. I know I've been beating his ass for a year now.

Milan Rogers (49:54)
Yeah. Yeah.

Bryan Lachapelle (49:58)
But it's not wrong, I mean, it's true.

Mario Zaki (49:59)
It does.

Justin Shelley (50:00)
I hope he's listening, honestly.

Milan Rogers (50:03)
Yeah,

you know, I-

Mario Zaki (50:04)
We should have him on the show

Justin Shelley (50:06)
I'd love to.

Milan Rogers (50:07)
No, it's a bit

so there's definitely, like you said, I think what you're saying is there's gonna be overlap here. But I think that, including your frameworks that you use, I think you need to just make sure you marry it with whatever the regulations say, so that you've got full coverage of what you're supposed to, you're in full compliance. It's just a lot of it.

Justin Shelley (50:27)
Cause there's,

there's, there's multiple aspects here. We're trying to accomplish a lot of things and it's, it's really, we do it once, but it's where we're really trying to protect. Ultimately, we're trying to protect ourselves, our businesses and our, and our clients, prospects, patients, whatever you call them. Right. Um, we're also trying to protect ourselves. And this is what I always say from fines and penalties from the government, from lawsuits, like all this stuff comes down to, you know, we were just trying to protect ourselves.

And if we don't have a plan, this is your title or the headline I got from our initial conversation is you've got to have a plan. You got to be compliant. You can't just wing this stuff. You can't just make it up as you go.

Milan Rogers (51:06)
Exactly. And based, hopefully, on this conversation, people can get a better idea about how complex it can be and that you do need help. That's the biggest thing, is that you don't have to be alone in this. There's lots of resources out there. But even then, having somebody to help you navigate through it and stay compliant as the laws change, the regulations are updated, because they're updated every once in a while. You have to make sure you're on top of it.

And just like I said, it's got to be a living, breathing thing that you are constantly working on throughout the year.

Justin Shelley (51:42)
Yeah. And listen, Brian's trying to sneak out, but I'm going to make him say goodbye anyways. Brian's got a hard stop, Brian. We're going to keep going for a few more minutes. We're almost done, but thank you for being here and give people your sign off. We can't go another week without hearing your sign off.

Bryan Lachapelle (51:49)
You

Sure.

All right, fine. Okay, so my sign-off is gonna be slightly different this time around, because I wanna point out that as much as we talk about the technical controls we have to put in place, unfortunately, a lot of HIPAA, and I'm not, we don't have HIPAA in Canada, but a lot of the, even the CIS controls, they are administrative controls. They are administrative procedures and policies. So with that said, my sign-off is basically, hey, listen.

Bryan Lachapelle (52:22)
Cybersecurity, HIPAA, CIS controls, it's all a journey. It's all something that you will start and you will never ever end. You're going to implement it over time. The things that are critical, you'll implement first. And then you'll continue to implement from basically top down to the least important. Not that they're not important, but there are controls that are more important than others. So let us be your guide. Let us be there to help you through the mountain of...

the journey that is getting this stuff in place. And that's it. That's my sign off. I'll see you guys in a little bit.

Justin Shelley (52:57)
Thanks, Brian. Appreciate you being here.

Milan Rogers (52:58)
Thanks.

Bryan Lachapelle (52:59)
Cheers, thanks, bye.

Mario Zaki (52:59)
Good seeing you, Brian.

Milan Rogers (53:00)
Bye.

Justin Shelley (53:02)
All right, now we can have a real conversation. Just kidding.

Milan Rogers (53:04)
Yeah.

Justin Shelley (53:07)

Yeah. Listen, this, and I said it a while ago, I'm going to restate this. There's a lot to this. It's complicated. It's overwhelming. This is not a DIY situation. You can't do it yourself. I'm going to tease one more time. We do, that said, we do have a little downloadable quick wins guide, I'm calling it, like just, just do a few things to get yourself started. So,

Milan Rogers (53:34)
Yeah. Yeah.

Justin Shelley (53:37)
Well, we've got kind of this little last minute intermission. Mario, do you have any thoughts you want to throw in here before we move to wrap up?

Mario Zaki (53:44)
Yeah, I mean, we haven't mentioned it in a while, you so I'm going to bring this back and, you know, to our earlier episodes is, you know, we're all, we all offer a free security network assessment, you know, and even if you're not HIPAA or if you're, you know, CMMC or not even compliant, but you know, you're still running a business and you still want to see if your IT is up to par or if there's any holes that, you know, we can find.

We offer a free assessment. We'll come on site or do it remotely and help you and go over a report that will show you just some of the vulnerabilities that you can start by addressing and resolving and stuff like that. And we'll give you an entire plan of things that need to be put in place to make sure that you're as secure as you can be without breaking the bank and at least get everything started.

So we haven't mentioned in a while, but that's still spam.

Justin Shelley (54:45)
Yep. Good call. Good call. All right, Milan, we are going to move to kind of wrap this up, but what is your word of hope for, because listen, while I work a lot in healthcare, I do have other industries that I work in. Mario has other industries, but this is what you do. This is where you live, talking to your best client. What's the light at the end of the tunnel for them?

besides overwhelmed, doom, gloom, $10 million gone to 3 billion, if you're the wrong company. What's your uplifting message?

Milan Rogers (55:16)
Yeah.

Yeah, well, the first thing is that

I reviewed the downloadable you're talking about. Download that first, that has some great starting points. But I would say the first thing you need to do is change your mindset. That's the first thing, is you got to treat HIPAA like cybersecurity. It's not just paperwork. It's not just checking a box. And it really is. Every policy, every vendor, every login, everything you're doing is part of protecting real people,

Your patients. But the hope at the end is that there's lots of resources, and there's people and solutions out there that can help you get there. And just know that, you know, when you have anything regulatory, anything that requires compliance, there's going to be money involved. So there's cheap and there's free, but ultimately you get what you pay for. And so I think you need to make sure that you are bringing on the

type of talent and solutions and people and systems and partnerships that are going to secure your practices, your medical business, whatever it might be. The thing is, I guess the hopeful statement here is that you're not alone. You're not alone in this. There's plenty of help.

Justin Shelley (56:44)
Well, I, I,

I want to, we had, you talk about expense, you talk about the investment, the cost, however you want to frame that, of becoming compliant, of protecting your business. That's what you were talking about, correct? So I used to pitch this as a sunk cost. It's like buying insurance. You know, your best hope is that you're lighting your money on fire and you never see anything because you didn't get breached. Right. But we had a guest on here that reframed that. And I love it. You mentioned that the

average breach in the healthcare world is $10 million. Let's say you spend 1 million protecting your business, getting compliant, and you don't get breached. That is a 10 time return on your investment. So, I mean, because the truth is, if you don't do this, there is a consequence coming your way. It's happening. It's not a what if it is happening. It's a matter of time. So

Milan Rogers (57:28)
I like that. I like that.

Right? Absolutely.

Mario Zaki (57:38)
And breach comes in multiple ways. It's not just a ransomware or data leakage. It can be wiring $40,000, $50,000 to the wrong ACH information because one of your customers got breached and they sent you an email and you didn't go through proper precautions to vet that email and stuff like that.

Justin Shelley (57:43)
Right.

Mario Zaki (58:04)
And that $50,000 can be your cost of IT for, like, three years. But because you didn't have something as simple as a $2 a month cybersecurity training, now it's costing you $50,000. And some people will have that covered under your insurance. Some people don't have insurance, or some people will get their claim denied by insurance because they didn't take the proper steps that they said they did do.

You know, so.

Milan Rogers (58:35)
Yeah.

Yeah, absolutely.

Mario Zaki (58:39)
But you need a consultant, you need an MSP to point you in the right direction.

Justin Shelley (58:40)
Alright guys, well, yeah, yeah.

Yeah, 100%.

Mario Zaki (58:47)
All right.

Milan Rogers (58:47)
I was going

to say also, I work specifically with medical practices, but if you're listening and you're part of a medical practice and just want to have a discussion about it, I'm happy to have that discussion.

Justin Shelley (59:01)
Yeah, absolutely. And, Milan, go ahead and just take a minute and talk about your business, what you do, expected outcomes, you know, give us your 30-second elevator pitch.

Milan Rogers (59:12)
Yeah, so I would say Complete Healthcare Business Consulting is a full-service healthcare consulting firm. And we spend a lot of time with revenue cycle. We do assessments there. We help with optimizing the medical practice so that they're getting every dollar they've earned and are owed. A lot of that has to do with also doing contract negotiations with insurance companies on behalf of these medical practices.

We also help with practice startups. We do a lot of that kind of stuff. We really try to help. We truly try to advocate for our providers and practices so that they can keep their doors open. Ultimately for me, because I started out as an occupational therapist, I really do care about the patients and patient care. And that's what sort of drove me into this business in the first place.

I feel like I can really help practices to make sure that they continue to provide access to these patients for this critical medical care by making sure they're running their businesses efficiently and effectively.

Justin Shelley (1:00:25)
I mean, listen, doctors are brilliant at what they do, but I just, with my own limited capacity, I don't know how you can be that good at something that complicated and still have time and capacity for all this other stuff that is also similarly complicated and takes a lot of expertise. So I really appreciate you coming on and sharing that. I think it's a very needed service that you offer. Mario, final thoughts, key takeaways, last words.

Milan Rogers (1:00:44)
Yeah, yeah, absolutely.

Thank you.

Justin Shelley (1:00:56)
What do you want to say?

Mario Zaki (1:00:57)
I mean, like we mentioned earlier, if you don't do this and you have some breaches, you're fucked. You know, it's not cheap. It's not one of those situations that you really want to learn from your mistakes, because it can be very expensive. And in some cases that mistake can cost you your business, you know, compromise your customers or your vendors or even patients or, you know,

Justin Shelley (1:01:03)
Yep.

Mario Zaki (1:01:24)
the doctors that you're servicing, their patients. It can be a very expensive mistake, and doing simple stuff, you know, bringing in an expert, you know, the cost of bringing in an MSP or a consultant is gonna be far cheaper than what you will have to pay in damages, you know, during and after the fact, you know, so.

Take the proper steps to get everything in place. But you know, as we learned in a previous episode, you know, if you are looking into this stuff and you've neglected it, that's a violation. You know, you can't just look into it and say, no, I don't want to do this. You know, you have to really commit to doing it,

commit to making it better, commit to the safety of your company and your employees.

Justin Shelley (1:02:26)
Yeah. The worst thing you can do is have that email from an advisor, from a consultant that says, you have these gaps, and you say, not going to happen. You're in big trouble if that ever gets brought into the court system. That's, I think that's what you're alluding to, right, Mario? That was called the "daddy's getting a new boat" email, spoken by an attorney who sues people. God, it's a fun game we play.

Milan Rogers (1:02:40)
Yeah.

Mario Zaki (1:02:40)
Yeah, yeah.

Exactly.

Justin Shelley (1:02:52)
Listen, guys, we're going to go ahead and wrap this up real quick. Milan, I just wanted to ask, because Mario did mention, and thank you for that Mario, that we do offer kind of a free trial of our services. It's an assessment that we'll go through and run through, whether it's our own internal standards or it's a framework that we're following. And we'll just show you what we see: where you are, where you need to be, and how you're going to get there. And the plan of attack.

Do you at your company, do you have any kind of an initial consultation or anything like that to get people started?

Milan Rogers (1:03:24)
Yeah, well, so yeah, we get on a call with our prospective clients to understand what they need and walk through what that would look like and scope out the whole project before we engage. We don't have any particular free assessments that we do, but we are happy to get on a call and talk through what their needs are and work through it. Yeah, absolutely.

Justin Shelley (1:03:49)
See if it makes sense, see if you can deliver an outcome that's worth the investment, right? I mean, ultimately

that's what it comes down to, so.

Milan Rogers (1:03:54)
And staying

focused on what's important to them.

Justin Shelley (1:03:57)
Okay. Perfect. All right. And again, guys, just click over, whatever you're listening on, go over to the details of this episode and you'll see all the links that I'm talking about and the download guides and all that. So, all right, we are going to go ahead and wrap up. That's it for this week's episode of Unhacked. Next week we're going to be talking with Craig Taylor of Cyber Cute. I said, wow, I'm sorry, CyberHoot, like the owl. Craig has a degree in psychology and brings kind of a new spin on

security awareness training, and we talked about that in this episode. So it'll be a nice follow-up. I'm really looking forward to that one. Guys, go to unhackmybusiness.com for today's show notes, guest links, your free one-page downloadable, your quick win guide, and start taking some action today, because tomorrow it might be too late. All right guys, let's go ahead and sign off. Mario, your final one-liner, say goodbye.

Mario Zaki (1:04:47)
If you guys want to sleep better at night knowing your business will be there tomorrow, reach out to one of us and we'll be more than happy to help.

Justin Shelley (1:04:55)
Perfect. Love it. Mario, as always, thank you for being here. Milan, final sign-off.

Milan Rogers (1:05:02)
Just make sure you change your mindset on this, guys. If you're on the fence, it's time to get off the fence and think very seriously about your HIPAA compliance.

Justin Shelley (1:05:11)
Love it. All right, guys, and I am Justin. Remember, listen in, take action, and keep your business unhacked. See you next week.

Mario Zaki (1:05:18)
Bye guys.

Milan Rogers (1:05:19)
Bye.

Creators and Guests

Bryan Lachapelle (Host)
Hi, I'm Bryan, and I'm the President of B4 Networks. I have been working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream came true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors, where I could truly utilize my experience as a Network Administrator for a large Toronto-based marine shipping company. My passion today is to ensure that each and every client receives top-of-the-line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I'm an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.
Mario Zaki (Host)
During my career, I have advised clients on effective, and cost-effective, approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with an expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.