The Future Adjustment Podcast Episode 18: Protecting your practice in a digital age
Dan Sosnoski: Welcome to “The Future Adjustment,” Chiropractic Economics’ podcast series on what’s new and notable in the world of chiropractic. I am Dan Sosnoski, the editor-in-chief of “Chiropractic Economics,” and our guest today is Ty Talcott, DC. He is the president of HIPAA Compliance Services, and he’s a certified HIPAA privacy and security expert. He’s consulted with thousands of health care practices related to business development and protection strategies. And Dr. Ty is here today to talk to us about some of the threats and risks facing today’s health care practices and how you might go about mitigating them and remaining compliant with regulations. Dr. Ty, welcome to our show.
Dr. Ty Talcott: Thank you so much.
Dan Sosnoski: All right. Well, just to kind of get going here, in your experience, what are some of the major threats facing practices from a security standpoint? Is the risk mainly digital?
Dr. Ty Talcott: Well, that is kind of a yes and no answer. The most serious thing is digital, because that would be your ransomware attacks that completely shut down your business, hacking attacks that steal your data from your electronic devices. But, realistically, actually I just returned from the Washington, D.C. Cyber Security Conference, boy, there’s a snoozer, two days with those folks. But, anyway, I learned a lot of information, and as of now 39% of the risk that you run is still direct theft, people stealing your laptop computer out of Starbucks when you set it on the table and go to the bathroom. People breaking into offices and physically stealing, and only about 17% of attacks that are happening are hacks, you know, electronically coming into your electronic digital devices. But the point there is that just a couple of years ago it was only 2%. So that’s the growth industry, the cyber-attacks, the electronic hacking into digital items, the ransomware attacks.
These are the things that are just raising…causing havoc in chiropractic offices and of course nationwide in all types of businesses, and that’s the growth industry. If you want to look at what’s the growth industry in attacking data, that’s it. That’s it.
Dan Sosnoski: I’ve read in some of the security literature that medical records tend to be among the most valuable on the black market. Is that correct?
Dr. Ty Talcott: That’s correct. You can get about $5 per name on the black market for identity theft type information, name, social security number, etc. You can get almost $500 per file for a full health care file because of all the information and data that it contains and the information we gain from our patients. What we gather and collect, it is just…it’s so massive that it’s worth a lot more on the market. And you know what they do with this information? The reason these people keep stealing it and they get all this money, they do identity theft, they make insurance cards and ship them overseas. People buy these insurance cards and come get care on your group policy.
And you don’t know that they are getting care on it until you get the EOBs that come in. “I’ve never been to this doctor.” By then they are back out of the country. The other thing they do is they take all your patients’ information and they file their tax returns. And if they have a refund coming, they collect those tax refunds.
Dan Sosnoski: Yes.
Dr. Ty Talcott: And that’s where they make their big money on this stuff. And that’s why this stuff is so valuable and sometimes people go, “You know, why do they care about my stuff? I am not sure they are really so interested in my data. I don’t know that I’m at risk.” No, they want your data because they can make lots of money on your data.
Dan Sosnoski: That’s the point I really wanted to make very clear to our listeners today, that if you’re running a medical practice, you are the whale in the water. You are the target that they are coming for, so that’s why you want to be really careful. Hey, Dr. Ty, you mentioned a term just a little while ago, you mentioned ransomware. That is a particularly nasty kind of attack. There was a hospital that got hit in California. They had to pay the cyber criminals something on the order of $17,000 in bitcoins to get their data back. How can a doctor defend against this if even a large hospital couldn’t?
Dr. Ty Talcott: Well, the reason…I mean, it’s actually harder for hospitals. They’ve got hundreds of staff, people running around that can get in that data, share that data, share their passwords with other people, who then get in, and you don’t know who was in there and who wasn’t. They have way more devices than the typical office that they have to protect and keep everything updated, the patches and the firewalls, and all the things that they have to do. And they have more exposure because they have more data transferring back and forth and going everywhere. It’s actually easier for a typical doctor’s office to protect that than it is for a hospital to protect it. It’s a massive thing. I mean, I have a video interviewing a woman who…a small chiropractic practice in the Pennsylvania mountains, who was hit by ransomware.
A screen pops up on your computer and says, “We have your data. You’ve got five hours to pay us $5,000. If you don’t, you’ve got five more hours to pay us $25,000. If you don’t, we’re going to sell or, you know, expose your data on the Dark Web. We’re going to weaponize and destroy your computer. You will never get your data back again.” They even have worms that can go backwards into your backup data so your data is completely gone. You’re shut. Now, that is also a HIPAA violation so you have to report it to HIPAA. Now you get fined by HIPAA, probably a minimum of a $50,000 fine for what’s called willful neglect. And then you have to turn around and monitor the credit of every patient who was exposed for a period of at least one year, about $10 per patient per month, and so the chiropractor that got hit in Kentucky had 5,000 patients or $50,000 a month.
That can be a practice-shutting issue. This is a huge, huge problem, and what you have to do in an office to protect against ransomware is you have to have an entire HIPAA program in place. By putting in a HIPAA program, getting it in place and then following your own policies and procedures under that program, it’s a de facto thing. You can’t be hit by ransomware; you are protected. That is why if you get hit by ransomware, it is automatically a HIPAA fine. So the solution is to get a HIPAA program put in place, make sure all of the factors of the HIPAA program are covered and implemented, and then you both guard against ransomware. You also guard against those fines if you were to be struck.
So it’s a…this particular woman actually shared information, which you can’t get people to do, because under federal investigation it could affect your license, your PPO contracts, all this different stuff. And the world changed last year on May 20th. The WannaCry virus hit 115 countries at once, and this ransomware disproportionately hit health care. Health care was at the top of the list of what got hit, and so the world changed. The Industrial Revolution, the invention of electricity, the invention of the Internet, these are all world-changing effects. Well, now there is one that goes with it called Cyber Attacks. And it is a world-changing event, so you’ve got to change or you’re going to get left behind or swallowed up by the world.
Dan Sosnoski: Right.
Dr. Ty Talcott: It’s a major change.
Dan Sosnoski: And a little bit earlier you’d mentioned that even though that is a significant risk, and we can all see that it is, just direct human theft can still be a problem, and another risk to a practice just involves the staff members, the people who are working for you. They can be vulnerable to what’s called a human engineering attack. Are you familiar with that? Can you tell us a little about how a practice can avoid that kind of problem?
Dr. Ty Talcott: Well, in fact, under the laws of HIPAA, you have to do at least an annual training. You have to document who was at that training. Not just that, you have to document the topics you covered, because if you get hit in a certain way with an attack and you can’t prove to the government, when they investigate, that you trained your people how to not do or do the things they are supposed to do, then you have full liability. They will give you no slack at all.
Dan Sosnoski: That’s right.
Dr. Ty Talcott: That’s why you’re required to issue periodic security reminders to your workforce that have to do with things that are in the current news of potential attacks, and if you don’t do that, you have to do that at least on a monthly basis. That was the opinion of the cyber security symposium, is the law says