
Ep14 | HIPAA Compliance on the Front Lines: A Day in the Life

Air Date: October 30, 2023

 

With over a decade of Google Cloud expertise, 66degrees has a proven track record of providing innovative technologies and services for healthcare organizations. As a Senior Customer Engineer, Dan Wagner works hand-in-hand with many of the country's largest medical providers, insurance companies, health tech orgs, and hospital systems, helping their IT teams navigate the complex landscape of data security and compliance.

On this episode of “Hash It Out,” Wagner joins Virtru’s SVP of Strategy and Field CPO Rob McDonald for a quick dive into the crucial world of healthcare data security and the best ways customers can maintain HIPAA compliance when sharing cloud data both inside and outside of their organizations. Join us as we gain invaluable insights on the challenges and solutions that define the daily life of professionals striving to uphold HIPAA standards in healthcare while still maintaining secure collaboration and speed of care.

Transcript
[MCDONALD] Hey, everybody. Welcome back to another Hash It Out episode. I'm super excited about this one in particular because I love when we get to talk about topics that touch such a wide range of businesses, and it gets, it gets more real world to me. And today is really about HIPAA compliance, and I'm very excited and lucky to be able to chat with Dan Wagner today at 66degrees. Dan, I'm gonna let him talk about himself, but just a quick overview. 66degrees has, like, a proven track record of providing innovative technologies in the cloud predominantly for healthcare organizations. And Dan is at the tip of that spear, with a focus on Google Workspace and productivity. Dan, tell me a little bit about yourself and, and 66degrees.

[WAGNER] Awesome. It's an honor to be here. First of all, you're saying it's an honor to have me, but I it's really, you know, I love doing these types of things, and I really enjoy, speaking with you and, of course, Virtru itself.


[WAGNER] But hi, everybody. My name is Dan Wagner. I'm a senior customer engineer, focused on Google Workspace and productivity at 66degrees. I've been with the organization for over seven years now, seen a lot during that time.

[WAGNER] We started off as a Google Workspace, because you could say provider and reseller and, start moving into professional services, helping organizations, like healthcare organizations move platforms like Microsoft into Google. My current role as a senior customer engineer, I've been doing for about, four years now. So I help a lot of, organizations who want to discover or continue to grow their footprint in the cloud, help them design solutions as well as enable them to grow and scale, with the products that they're using today. So before that, though, I was actually at the Second City in Chicago, that's where I cut my teeth in the, IT industry, helped them move from Microsoft to Google back in 2009. I've never really looked back from the Google ecosystem, but Google's really good at, like, working together with, a lot of other different platforms. Virtru knows that too. So that's that's great. And, yeah, it's been it's been a wild ride. And it's particularly around the health care stuff. I'll get to that in a second, but you know, just tell you about 66degrees a bit more too. We've grown into more of a GCP. We're we're one of the only pure play Google partners out there. That doesn't necessarily mean we don't work with our platforms, but we're very specialized in what we do, with Google, partner with them very closely, as well as great ISVs like Virtru as well. So, yeah, that's a little bit of history about me and, 66degrees. So, but, again, great to be here today.

[MCDONALD] Yeah. And, Dan, I don't I don't you and and you went through a lot there, and I appreciate that, but I already think I went through. Kinda no. No. No. It's perfect, but I wanted to make sure to highlight is that you actually come from the buyer side. Right? You were actually on the health care side in the beginning.

[WAGNER] I was years ago. I in a multiple lives ago, I was an optician for three years at a at an eye care place up in Gurnee, Illinois, was right around the time when HIPAA was really starting to be, I guess required and then you had to be compliant if you were in the health care industry. So we, you know, learned a lot through that process. I learned just from being on the outside through insurance, you know, having to go through insurance, having documents that were, you know, you couldn't really have a file anymore laying out on on on your on your desk. He couldn't have your files showing last names. That type of thing. And that was that was really, not only a a kind of, it overturned kind of kind of what what you had to do as a business, but the end of the day, you were looking at, like, no, this is really good. This is this is protecting people's information, and it made sense, but it was also a bit of a tornado, if you will, of challenge. Challenge, making things different. Like, oh, you know, we now have to do a little bit more with encryption on email, etcetera, which was, you know, one of the foundations of of HIPAA and sharing information, of course.

[MCDONALD] I I love that. I think that the reason why I wanted to highlight that is I think it's really important to have the empathy for the health care industry in particular because for me, personally, why I love health care so much as the mission is so important. And, everything they do is is around making sure that that patient outcome is a positive one. They really are invested in that in every kinda every stakeholder in this industry I've ever encountered, they all have a really strong mission alignment. I love industries like that. I know you do too. Probably plate. Yeah. But your empathy for that, I think, is really critical. So when I ask you, and we talk about HIPAA compliance today, which is woven into everything that's going on. And today, there's so much more awareness today around data awareness, data visibility, data protection. These these concepts, they just were not in the awareness sphere before, but today it is.

[WAGNER] Yeah.

[MCDONALD] And with your empathy and with your background and and and your years of helping them, I would love to get your feedback on kinda what challenges are these practices today facing with since securing that sensitive location information, what are those challenges as they're faced with the HIPAA regulation requirement and trying to move to some of these cloud native experiences. What are those primary challenges that you see?

[WAGNER] I I don't think it, you know, we're saying HIPAA HIPAA, and I don't think it just applies to HIPAA, you know. I think it's it's, that's like HIPAA started this. Like, it for for the better, I think. Like, it's more or less of understanding, first of all, your identities and who's using what and who's working, your lines of business, and what do they need to be to be successful while being secure and compliant and protecting the organization and the people that you're helping. Right? Be it, a patient or be it someone that's buying shoes. You know, it's still it's still relevant. I think it personal identifiable information or PII as we call it, you know. So I mean, anything, from a from a from a patient perspective and understanding the transition for being compliant, you know, we're obviously, in a remote world. Right? There's a lot more remote help being done. There's a lot more remote communication being done. A lot of that stems, you know, as far as what we're seeing today. It's like, how can we be, secure, flexible, and agile, all the buzz words we wanna use there, but still at the same time, you know, sure that there's no impact. There's no disruption. If anything you wanna make it easier on people, like, tell me

[MCDONALD] Do you feel like The Yeah. No. I think that makes a lot of sense. Do you feel like, and I I I think a lot of these buzz words get, complicated for a lot of the buyers, they see a lot of these things. But the truth is, you know, in many ways, it's it's never changed too much. It's like, hey, here is this cadre of technology, how does it make my business better? My business is improving the outcomes for patients. And today, we're living in a predominantly remote and decentralized world, which complicates it. Right? So you're you're the kind of practitioner helping translate this language. And I'm curious though, know, in health care today, are you seeing a lot of the reputational awareness? Like, which is, hey, you said HIPAA started it, and that's true. I think there's gotta be this catalyst, but I've always found and you tell me what you think about this, at health care, in particular, they really care about those patients. And because there's an awareness around the data protection, are they starting to see? Do you feel awareness around? You know, this reputation of protecting this PI and making it aware that we're doing the right thing is important. It's important to my to how we're doing business. Do you find that that has changed, especially since you've been with this for so long?

[WAGNER] I do. I think a lot of a lot of people, like, that are out there that are needing help they wanna make sure that they're all of this is new to them. A lot of it is new. So when you think about, like, even, like, the older generation that they're they're wanting to get the help, but they're still very protective of of who they are as very well. Everybody we wanna make sure that the data that's being provided is is being used appropriately. And I think organizations could lean into that and say, like, listen, we do care about that. It's not it's not just a form you fill out. You know, how many times I get a new doctor, and you have this the the HIPAA sheet. Right? You have to say, like, I understand that you have my data, and you're going to be responsible with that data. So it's like that mutual agreement. But from that piece of paper, where where does that where does that leave the patient? Right? Sure. They put their the ink in on on the paper, but exemplifying that as an organization.

[MCDONALD] I think I think that's what you're saying too. Transparency. Yeah. Exactly.

[WAGNER] Transparency? Right. Right. In a sense of, like, where we care about that, not only we do care about your health, but we care about who you are, from an identity perspective, you know.

[MCDONALD] And I'm curious. What are what are some of those, strategy? What are the strategies that you kinda help these organizations implement so that when they say, I am, I am, I you're trusting me with this information. I am doing what's best I'm I'm here's what I'm doing to protect that data.

[MCDONALD] How does encryption play a role in that? And has that changed now that error was trying to be more cloud native? Like, what what what is your feedback there? Where are those strategies that you're kinda helping them implement?

[WAGNER] It's about understanding them first of all. Right? I we need to understand what business you're doing, what your lines of business are doing, what are specifics about that organization? Like, if it's if it's nurses, versus opticians versus whatever. Like, we need to understand their role to be successful and helping people in your business as well as, you know, what's the security aspect? How How are they working with customers? Is it strictly through telepresence? Is it strictly through video? Is it strictly through chat? Is it strictly through email? So once we help identify those, I guess you could say, you know, workflows and use cases, that's when we're like, hey, you're using email. You're using x y z mail platform. Here is, for example, Virtru, you know, again, a quick little plug. It works really well with Google Workspace. I love the way it lays on top of everything. I'm not being paid for this, everybody, just so you know. It is

[MCDONALD] Well, I do appreciate that though. We try to work very hard on that interoperability, but I do appreciate that there.

[WAGNER] But in that case of email. Right? So there are some there are some practices that might, like, the the baked in encryption from Google, Microsoft, etcetera, is we'll appease them. But if there's specifics, from our requirements, then we're like, okay. We understand this tool was gonna fit your need. Let's put it in place. We'll let you use it. Let's see how that works and make sure it doesn't impact or is we want it to be non destructive if if, like I said, if anything, we want to be more productive at the end of the day. 'Cause, you know, old school platforms, you have to have a separate server somewhere. There was a portal you had to log into, and you had to remember the password for that and all that stuff too since the products have grown over time. That's what we're we're looking for, to meet honestly, just meet the customer where they're at, and see what we can do to help not only solve for that, but also help them grow, and and not be an impactful, thing as as they grow a business too.

[MCDONALD] Yeah. A quick quick comment on that. I love your approach, because we have this saying at Virtru. It's a respect to data. But the truth is, data is just a proxy for a human. We're respecting the human. And by understanding what they're doing, what their business is, how they're carrying that out, the connection, the relationship between that practitioner and the and and the patient, you really have a much deeper understanding of the sensitivity of that data, where it came from, where it's going. And then ultimately, you can define some kind of risk scenario. Well, here are the areas where risky. And one really risky area, and I I don't know your I I'd love your thoughts on this. It's, you know, it's why I'm asking, but I think historically, you have a lot of box checking going on with HIPAA and things where it's like, okay. We're checking docs. I feel good about it. But the reality is, like you said, sometimes these these baked in solutions don't meet all the need because data has to move. Data has to be shared. Right. I gotta share it externally. I gotta receive it from someone external. These boundaries where some of those built in ecosystem solutions don't, fit the bill. Tell me a little bit about data sharing, like, how are your, what you're hearing, what you're seeing, how are they sharing the data? We like to think that we're really sophisticated today, but email's still, like, one of the primary ways in which we share information. Right? Tell me a little bit more about the comp the complexities of this data exchange and and how you're addressing those.

[WAGNER] Yep. And I love this conversation too. You know, I was talking about the people side, like, understanding how they all work and lines of business, but Yeah. Like, it is driven by and how they work, and you need to understand without without getting too into it. You'd be surprised at how many organizations are like, well, I don't we don't know how our data is structured. We don't know how this is. We we we we don't have these controls in place Yeah. To to do these types of you know, driven by compliance. Right? And that's really where you start to untangle the the the rope and and and try to figure out that from a complexity standpoint. You know, what I try to approach that as is, like, you know, there's no way if if a company has, like, ten terabytes of data of file storage, and they're wanting to say, like, I need to do x y z, and I'd probably walk that back a bit. It's like, okay, first of all, why? Right. Why are we looking at that? Second of all, can we look at a data set or a line of business again to see if we can help classify, right, data in a way that's gonna be useful to the company and the end users, then I take it back even further in the sense of, like, identity management because when when you're working with cloud based platforms, right, you you're you're having an identity, a user, right, that you're, as an organization, supplying them access to your organizational data. So to me, it starts there. Make sure correct security controller in place there too. To us, you know, two step verification is a must these days. Right? I know that some change you know, like, it's a a change for some organizations, you'd be surprised and there's some organization that still won't have that. And it's like, well, we kinda try and start. You know, we also if we're wanting to begin there, right, we do a security posture review. Right? Let's see how you are across your your whole organization. Is it, you know, how how's identity set up? How's your admin policy set up? How's your Drive sharing set up? How, you know, application management set up? OAuth, like, those types of things. That's what we start to, like, again, untangling that rope. So to speak, to try and identify how you can start to classify data, go by role based and group based permissions. Right? So if we're looking at, having to segment that out, really doesn't matter what platform you're on. You know, the tenets of principle of least privilege are still there. Right? So once you identify, like, access requirements and then go into, let's see how we can classify data. I know with Google Workspace, and Virtru as well has a DLP element as well, where you can, you know, help flag things, like, say, if you're going to send an email that has x y z information in it, you're either gonna get a warning or say, like, you can't do that with an external party. So Right. That's that's kinda I mean, that's pretty much I hate to again use, like, the the high level overview of, like, how we would kind of approach these complex situations. You need to see where they're at again from a technical standpoint, identity management, group management, how their organization is set up. What tools they're using, you know, if they're using a multiple, you know, they might have Box, Dropbox, OneDrive, Google Drive, like, what what are we doing over here? Why are we using many different tools. Can we consolidate? Because there there are definitely valid reasons to have multiple products, but let's see what we can do to help minimize, either those I like to call them points of failure, or points of success depending on when you look at it. Yeah. Yeah. Exactly.

[MCDONALD] Yeah. What I what I what I love about that though is, you know, you're meeting them where they are. In many ways, I think this journey for data protection, security posture is very similar to the industry area. And you don't go in as a patient with an issue and immediately be be better. There's a journey. Right? There is a path to it, and you have to start somewhere. You said something though. You said you'd be surprised And I think we we do this a lot in in the tech industry. Right? Is we'd like to say, well, obviously, you should be doing these five things. And I think sometimes, I'm speaking for myself. I just wanna be really clear. I don't think you're doing this. I'm not that I think we come off, the wrong way. Oh, there are these baselines that you should be doing, but it does not mean everybody is ready or prepared or can be there. And and and it's that lack of sensitivity, I think, sometimes in this industry, that makes it even more difficult for organizations to adopt these things, in my opinion. So I love the fact that you're starting with and meeting them where they are because that's the only viable path to a better security posture in my opinion. So I think that that's a great approach.

[WAGNER] I agree with that opinion, and I stand by that too. It's it's and you have to remind yourself. I mean, I've been doing this for some time, you know, and I try to be I try to do a reset, you know, almost every day. I think to myself, I look at my schedule, I look at my calendar. I'm like, who am I speaking with today? Like, if they're how am I going to approach this conversation? You know, I I try to to, you know, there's an old adage of saying, like, you wanna be the smartest person in the room. I don't believe that for my role. Like, the smartest in the purse the smartest person in the rooms is the actual is the customer, because they're gonna tell me what is gonna make them successful. I'm only gonna help them kind of find their way to it. You know what I mean? Yeah. So, like, I, like, I don't wanna be like, Eeyore, I mean, like, do you have two step verification set up? Do you have DLP set up? It's Or or or, you know, I can't believe you don't have that, which is such that you're right.

[MCDONALD] I remember I was I was in the acute care space for a good while and and I remember being in the with those physicians that were doing amazing things every day. And, you know, I'm coming in there trying to impose certain practices while they're trying to save lives. And I think myself I'm I'm still thankful for that experience because technology in any in in in every aspect is meant to support and facilitate this process. And then and on the cyber side, we talk about encryption. Encryption has a very negative past. It has a a past where it's very difficult to use. I mean, if it gets in the way of everything you're doing, no one can open it. Right? And we've really and and I'm speaking for Virtru now, like, in in our mission in particular, we've tried to overcome that and be sensitive to the practice and say, totally get it. But that control and visibility you get with encryption can be had in a way that's easy to use. I see more of this today. Right?

[MCDONALD] I see a shift in this aspect today where, that focus on the user, the focus on usability is better across the industry. I I see more of that, which I think is great. And it and, hopefully, it re it results in more. Now, and I want this to comment on any of this, but this one particular part where we used to say, block. You cannot do this. You cannot share that data. Right? Whereas now, because some things like the data centric encryption are more accessible accessible and easier to use, you can actually allow that to happen. You can let it go and you can let it share and you can let the business work. But what do you think about that? I'm curious if you agree and you don't have to. I just love your feedback on that.

[WAGNER] No. I I do agree with you again. I hate to agree with you all the time because sometimes disagreements are fun in these conversations, but, but no. I I do I do agree, in the when you when you were gonna say you said something like, it's gonna say block or something like that. I thought you were gonna say, you know, there was, again, an old phrase of, you know, function over form. Right? There's that, like, you want to make it work before you make it look good or work good. Right? Right. I I and I've I've always, like, kind of you know, back in my days of of web designing this stuff. I'd wanted to make it look good first before I'd actually make it work. I think that's terrible. It's a it's a absolutely terrible way of But I I think, like, nowadays in the sense of, like, they can run parallel in in production, right, in development, I should say. So it's it's the the end user experience is is highly considered, so important because if they don't know how to use it, and they don't know how to use it well, they're not gonna use it well. You know?

[MCDONALD] Oh, amen. I I mean, how many times have you seen that? How many times have you seen an imposed policy. This is what you should do with no accessibility and what people do. They just don't do it or they find a way around it. If I feel like we're, like, we've got this broken record in cyber, and it's, like, the last twenty years that was the that's the that's the song playing. Which is I think we're overcoming that though. You know, clearly your empathy first approach to, process, person, and data alignment has helped you address that. I so I so appreciate your feedback. I've really enjoyed this conversation. I'm just curious, you know, you know, in the little bit of time we have left, what do where do you think this is going? Tell me a little bit about your end you spend a lot of time in health care, a lot of time in security and compliance. You've seen a lot of the merging technologies, like, data set security and encryption allowing things to be shared. You even see some of these big providers railing against interoperability in health care, which is crazy to me. I think that they're not gonna waive long term. But I would love to get your feedback on where do you think these trends are going for health care, data security, and compliance? Give me give me your your your two or three bullet points there.

[WAGNER] I I think a lot a lot of it's going to be still focused, on on re re architecting some some internal stuff. A lot of these health health care organizations are still a legacy platforms for legacy systems. So they they're having to, you know, I've managed an active directory many times in my past, like, or how where are they at? Like, there there's a lot of fear, like unraveling that. So I think but they're going to have to make a choice one way or the other. Or they're gonna have to invest another on prem and manage that internally. But I think it's been proven that the cloud is actually more secure, and it there's more benefits to go into the cloud rather than having to manage your own infrastructure in your own data center, colo, whatever. You're gonna be doing that. And so I think there's still gonna be discovery. There's gonna have to be alright. It's a user word, but empathy and understanding where they're seeing like how we can help them move to the cloud in a confident and, positive way. Right? The second point is is looking at different types of communication. Yes, I'm going to drop the AI, fit conversation into here too. I think everybody's very excited to see what they can do with conversational and generative AI. So while they're Well, that first bullet I mentioned, they're gonna have to play catch up. Like, if they're wanting to be competitive too, as far as a health care provider, they're probably gonna have to look at that too. What is the safest and most secure way that I can leverage these new tools that has been bestowed upon the earth in the last, you know, ten months, or so.

[MCDONALD] It feels like it feels like this AI is is as busy as us from another planet and so mute everybody, but that's it. Exactly. Yeah.

[WAGNER] Well, I mean, that's a whole other podcast. Right? But, I mean, it's been very rare. That's right. Yeah. And I mean, there's email organizations that are they're they're not locking down their applications. So I think that's the other thing too is like identity. I I I said that by this for years, it's like, really look at your identity, look at your application management, SaaS management, etcetera. So it's and then I think AI is also considered a kind of a SaaS product because they're starting to have the startups that are using specific tools or or or or use cases and workflows, and they're doing really good, really fast. But how is that safe for the organization? Right? I do personally I'm a little biased, but I think Google is really taking a very responsible approach for that in their in their paid product. In Workspace and Duet and all that. So, just think about that as as we move along. It's gonna be like this, the next couple. It's gonna be this. It's gonna be nuts. But,

[MCDONALD] You know, I I I think that's right. And the and the pace is just picking up. And Dan, I gotta say, you know, with that reality facing, the health care industry and and the health care industry being at varying degrees of adoption, which I would say predominantly is early in the adoption phase. I am personally thankful and glad that you and your organization is there to help them along the way because they need that help. And it's not because they're not capable. They're focused on a different domain, and they need our help, on the technical side to, to to make those outcomes better. I really enjoyed our conversation today, Dan. I appreciate you taking the time.

[WAGNER] Likewise, Rob, I I honestly wasn't sure what to expect, but it's I I hope we could do this again soon, or, a a medium, relentless input. This has been really great. Thank you so much for having me.

[MCDONALD] Yeah, Dan. You have a good day. You too. Take care.
