Situational Awareness: Assessing how to Comply with Both the 21st Century Cures Act & HIPAA (Video Transcript)

Bill Russell (Interviewer): Welcome to This Week Health Community. This is Town Hall, a show hosted by leaders on the front lines with interviews of people, making things happen in healthcare with technology. My name is Bill Russell, the creator of This Week Health, a set of channels designed to amplify great thinking to propel healthcare forward. We want to thank our show sponsors, Olive, Rubrik, Trellix, Medigate and F5, in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. Now, on to our show.

Frank Nydam (Tausight CEO): Welcome everybody. My name is Frank Nydam. I’m CEO of Tausight. And with me today is Aaron Miri, I’ll let him introduce himself.

Aaron Miri (Senior Vice President, Chief Digital Officer, Baptist Health): Hey! How’s it going everybody? Aaron Miri, Senior Vice President, Chief Digital Officer here at Baptist Health in beautiful sunny, Florida. Good to talk to you. It’s good seeing you again, Frank. Long time no see.

Frank Nydam: It is. I’m looking forward to seeing you at one of these conferences coming up.

Aaron Miri: Absolutely. Well, come down to Florida. It’s always sunny here. It’s beautiful beaches. Got to love it.

Frank Nydam: Come up to Boston. The humidity is great.

Aaron Miri: I will absolutely come to Boston, not in the winter, but yes, absolutely.

Frank Nydam: Listen, we’re going to have a quick conversation today. So, what’s top of mind? What are big initiatives you’re working on? And question over the top – how do you prioritize all these priority initiatives?

Aaron Miri: Yeah, great question. So obviously right now we are hopefully (knock on wood) on the tail end of the COVID surge, so it’s now back to healthcare as normal. However, we learned a bunch of things these past couple of years that we are trying to transact. One, obviously the way we did business in the past, particularly managing risk and managing EPHI assurance has to change. When folks left the hospital started working from home and you really started sharing data really across, outside the four walls, we realized just how healthcare systems has been designed to transact EPHI. So we are laser focused on third party risk assurance, knowing where our data is, where those crown jewels are and understanding truly how to manage risk appropriately and managing the way that’s transparent and easy to understand. What I appreciate also is the knowledge of our board of directors and boards of directors across hospitals everywhere have realized the importance of cybersecurity assurance.

You saw this with the university of Vermont attack that occurred right around the presidential election time. You see what happened to Boston Children’s a few months ago when they were attacked by that Iranian malware. You keep seeing this over and over again with state-based threat actors. So the awareness factor is now definitely there at board of directors. And unfortunately, insurance companies are saying…hey man, we can’t cover your cyber insurance liability coverage anymore. Those umbrella coverages you got in the past, those days are gone. So hospitals have to get real. So that’s what we’re starting to look at when we look at cybersecurity is really upping the ante but we don’t have the margins that say a for-profit development company does. So we have to get smarter about using automated machine learning and intelligence that we maybe not have historically had.

Frank Nydam: Fair enough. And it’s amazing to hear that projects are prioritized at the board level these days. Amazing

Aaron Miri: They are. And what’s also, I appreciate is a transparency aspect that it’s no longer that it can be the iron box that just keeps things running. It’s what is my return on value? I keep hearing that word over and over again, which I’m so glad to hear it in healthcare that has not been here traditionally. It’s always been a return on investment. What’s your ROI? What does your break even? What’s that performer look like? All those things are important, but now it’s about answering the why. And particularly shifting back into the cybersecurity space. Boards of directors want to understand where are our investments and what’s going on. How are you managing risk thoughtfully, proactively and being transparent about it? I will say I remiss that CIOs historically and CDOs maybe haven’t had that relationship with boards of directors in the past, and that’s been an encumbrance. Nowadays, that’s absolutely a requirement. Can you talk to a board and show them in plain English just exactly what’s going on? That has to be front and foremost in your arsenal.

Frank Nydam: Fair enough. So here’s something – conflicting ideas, information sharing, data blocking, compliance, sharing PHI, not sharing it. All these terms are in block with each other. They seem to conflict with each other. So you’re speaking with your board, you have to share information, you need to secure information. How do you rationalize those both ends of the spectrum?

Aaron Miri: Great question. So you’re exactly right. You have the 21st Century Cures Act, which is a law that basically gave assurances to the public, to a patient, that your information as a patient is accessible to you on demand where you want it, how you want it, where you want it. Then you have HIPAA, which says, all right, covered entity, a.k.a hospital, or healthcare delivery organization. You’re accountable if you inadvertently disclose patient Aaron’s information. So then you’re looking as a hospital going, wait a minute, I’m doomed if I do share all the information, I’m doomed if I don’t. So how do I do this? So what we’ve begun to do is crosswalk and look at exactly what the criteria is for how you share appropriately. In the information sharing regulations, you are allowed to delay sending information if you can prove reasonable harm and also for other security concerns, but you have to work with your patient. That’s asking for it to teach them, “Hey man, you don’t want to put this data in this app that’s guess what, hosted in China because of potential concerns.”

But the problem is we’ve never had real visibility to where EPHI is going. So now think about, I’m patient Aaron presenting to Baptist Health saying, “Hey, I want my data sent to this app.” How do I know as a CIO that the data made it to that app or should not be going to that app. And more importantly, where all of patient Aaron’s information is? Today you think about it, you’re like, “Oh, it’s an electronic health record.” Actually, it’s not. It’s in hundreds, if not thousands of other systems that surround the EHR. While the EHR is important, it is not the end all be all. So, this October, information blocking actually antes up the rules. On October 8th of 2022, this year, there’s now a full definition for EHI – Electronic Health Information; that is HIPAA plus the designated record set, which is all the other information contained about Aaron, plus anything else that is contained in that?

And so when you look at the total spectrum of data, that is a tremendous amount of data points. It’s not just what’s confined in HIPAA, it’s everything. Now you really raise the stakes because the penalties are a certification of completion and it’s a certification of accreditation that could be in jeopardy, and making sure that as part of the process when you attest to CMS is that I am actually following this. You know it’s only a matter of time before there’s regulation out there. It’s already being composed and it’s going through rulemaking of just what that’s going to be. Is it the OIG that shows up and knocks the door going, hey man, we want to know what Baptist Health does – or what’s going to happen? We will find out soon, but right now we are trying to get our act together and preparing for that because of a condition of participation issue that could happen if you do not comply with information blocking. And of course, we all know what the penalties are for not complying with HIPAA.

Frank Nydam: So where do you start? Speaking with CIOs, chief privacy officers? We don’t have trained staff. We’re short staffed. Where do you start? And what’s your notion of this basic cyber hygiene, like 405d. Is that a [unclear07:26]?

Aaron Miri:  So the typical way it goes as CIOs, the first thing you do is you weep and you sob uncontrollably for a little while, realizing that it’s a pretty, pretty deep hole, but no, I’m kidding. The reality is the first way you start is identifying where your crown jewels are. Do you know your systems that transact your data. Here at Baptist I have a giant – think about architectural diagram that connects all of my applications, servers, databases, infrastructure, to understand these are the systems that could house data, and these is where the data should be going to. The problem is, looking for anything that’s outside that norm, right? How do you figure out, because we all know how apps work. There’s open up this port, open up this port, send this FTP out, send this via HL7. So even though on a map, on an architecture map, you may think, oh, it’s this database transacting to this application, which goes out to this.

It’s actually hundreds of not thousands of spider webs of connection going across most of the time over port 80 or port 443, over the internet, hopefully encrypted. But how do you check for all of that? How do you know for sure? That’s the gap right now is we think the level set is this, but the actual set is this, and looking at that Delta, today, that’s a manual process where you have armies of people often tremendously understaffed, there’s nobody can afford it, including myself; trying to figure out what is the reality of it. So we’re trying to get smarter with automation and looking at things, but that’s where you start, is looking at the crown jewels, transacting that, and then honestly, QAing that right? Is that really happening or not? Happening today in a very manual process? Tomorrow has to be automated.

Bill Russell: We’ll get back to our show in just a bit. I’d love to have you join us next Thursday for our webinar Don’t Pay the Ransom. Cyberthreats are mounting everywhere, especially in healthcare. Leaders from Thomas Jefferson University Health, as well as St. Luke’s University Health System and Rubric are going to join us to discuss solutions around protecting all healthcare data, even epic in operations on Azure. This webinar will be on Thursday, August 18th at 1 p.m. Eastern Time. You can register now at this week, health.com or by clicking on the registration link in the description below. Now back to our show.

Frank Nydam: So it sounds like you have situational awareness up to a point, but let’s bring up this term we we’re starting to talk about – situational awareness of your protected health information. If we were to poll the industry, what percentage of folks, friends, family, industry, call wards out there would have situational awareness of their PHI, where it is, where it’s going, who’s touching it?

Aaron Miri: Such a great question, Frank. So I’ll tell you, what’s interesting is that NIST has published a new bulletin, really diving deep into EPHI situational awareness. There’s a recognition that the industry simply doesn’t have it as part of the standards. Most of us mapped the NIST Cybersecurity Framework, however, NIST Cybersecurity Framework really didn’t reconcile with the necessity for specificity around EPHI detection and logistics, basically, as I call it. Where’s it going? Who has it, who’s touching it. And so, there’s actually now a rag that’s running through the process that really starts to put some teeth around this and truly in plain English, transact and tell the CIOs, this is what you need to be doing with EPHI. It’s always been about protection of data confidentiality, the CIA rate confidentiality, integrity and availability, but now it takes a new level by specifying around EPHI, the crown jewels.

So to the degree of it, that’s the root of your question, which is how do we get there? It’s those adoptions of those standards, like NIST which enable us to hold our vendors accountable to a standard benchmark ourselves towards something. And I would say today, it would be maybe 10%, if not less, which is why NIST which is funded by the federal government has a bunch of smart people, brilliant people working on it, going, we got to be really, really clear because guess what? The attacks are not stopping. They’re increasing. And it seems like every single day I’m getting a flash bulletin from the FBI or from HHS in general, saying, Hey, watch out for this new threat, this new malware, this new attack. And I mean, it’s overwhelming at times.

Frank Nydam: Fair enough. I’m going to hold you this one. What percentage though, of folks out there really have an idea of their situational awareness over their PHI?

Aaron Miri: Yeah, so like I was saying, less than 10% in my opinion. I’m probably being very generous because I know a lot of the CISOs across the country and they’re phenomenal people doing heroic job, understaffed and overworked, but I would say 10% or less. And the other 90%, honestly, probably don’t want to know because once you have an accountability to do something, however, the federal government is mandating it, so we will do it because what drives a healthcare industry better than compliance regulations. So that absolutely over the next 24 months I predict will become the number one issue that folks want to know is truly in reality, where are we from a situational awareness perspective around EPHI?

Frank Nydam: Well, listen, Aaron, thank you for your time. It’s always so great speaking with you. I always learn something and I’m sure everybody that’s going to listen to this are going to learn a lot as well. And thanks for bringing your passion, your big heart to healthcare.

Aaron Miri: Thanks Frank. And thanks for all Tausight is doing and everything you’re doing for the industry as well, my friend. Good seeing you.

Frank Nydam: You as well. Take care, have a safe trip.

Aaron Miri: Cheers. Bye.

Bill Russell: I really love this show. I love hearing from people on the front lines. I love hearing from these leaders and we want to thank our host who continue to support the community by developing this great content. We also want to thank our show sponsors: Olive, Rubrix, Trellix, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. If you want to support the show, let someone know about our shows. They all start with This Week Health, and you can find them wherever you listen to podcasts. There’s Keynote, Town Hall and Newsroom. Check them out today. And thanks for listening. That’s all for now.