Meet Adam Zeineddine and Gil Vidals from HIPAA Vault. Their mission is to provide healthcare organizations of all sizes with a secure, compliant platform for storing electronic protected health information. Whether you’re a small clinic or a large hospital system, they’ve got the perfect solution!

Transcript:


Adam
Hello and welcome to the HIPAA Vault podcast with Adam and Gil. My name is Adam Zeineddine. I’m your co-host. Today, I’m joined by Gil Vidals. Hey, Gil. 


Gil
Hey, Adam. Yeah, I’m Gil Vidals, CTO and founder of HIPAA Vault. So glad and excited to get our first episode off the ground. 


Adam
Yeah, awesome. Our first episode. What I’d like to do today is maybe give some introductions about who we are, what we do, and what can listeners expect from the podcast moving forward. Does that sound good? 


Gil
Yeah, let’s do it. 


Adam
Okay, so HIPAA Vault is a managed security service provider, and we’ve been in the space for a while. Could you tell us a little bit as CTO and founder, about the origins of HIPAA Vault, how it came about, and maybe a little bit about your background as well? 


Gil
Sure, I’d love to do that. So again, my name is Gil Vidals, and HIPAA Vault is a company I founded many years ago in 1997. Now, I didn’t start off as HIPAA Vault. I was selling domains. And back in the day, the question at that time was, should I start a business on the Internet? And some people were like, “Time out. What’s the Internet?” And some people were saying, “Time out. What if that’s just a fad?”


Adam
What if it’s... and you knew you were onto something. 


Gil
Well, I was scared because I thought, what if these people are right? I mean, what if the Internet is not something that’s going to be popular? And at that time, it was actually illegal to do commerce on the Internet. It was only the government and the military that could do that. The Internet was not set up for commerce. It was set up for transacting documents. And it was really by DARPA. That was a defense project and so on. Of course, e-commerce came along pretty quickly, and you didn’t get in trouble if you did commerce, but you weren’t supposed to. But I started back then and wasn’t making any real money until one day someone says, hey, can you sell me a domain? And then I thought, oh, there’s going to be some money involved here. This is a good thing. And over the years, I got into hosting and search engine optimization. 


Gil
But it wasn’t until 2012 or so that one of my customers said to me, do you know anything about hosting medical data? Because they had a project where they wanted to introduce patient health information. And I told them, honestly, I didn’t know a HIPAA from a hippo. And they liked what we did, so they decided to go ahead and give me that opportunity. And I’m glad, because at that time, Adam, it was a race to the bottom. By that I mean those that had the cheapest lowest price won. And you don’t want to be in any industry where you’re just by virtue of being the cheapest, you’re in business because that means your profit margins are razor thin. And it’s not really a good business model. 


Adam
So were you up against hosting providers like GoDaddy and the like? 


Gil
No, not at that time. There weren’t big names like that. Everybody was just getting started. I think the big one back then, or one of the first ones that had name recognition was called simply Net. And they did really well. They sold the GeoCities. But when I realized that it was all about pricing and one of my customers said, hey, why should I pay you $200 a month for a dedicated server? Because this is all rack and stack when I can go over here at this competitor and pay half as much $100 a month. I knew that something just wasn’t right. This was all about just the cheapest game in town. So I pivoted away from that, and went to the HIPAA focus for hosting and protecting health information in the cloud. And I think that was a good decision at the time. Now that I look back, I was really happy I did that because now we’re servicing clients that know it’s valuable, what we do for them. 


Gil
It’s not just about what’s cheap, it’s about really what’s secure and giving good service to them. 


Adam
And what goes into that in general? Why is healthcare a pretty tricky industry when it comes to technology and security around technology? 


Gil
Well, healthcare records are protected by HIPAA and HITRUST regulations. So that puts more pressure on the technology, where you have to secure it. Now, if you don’t have sensitive data, let’s just say you have a brochure website that just has pretty pictures, but there’s no e-commerce, it’s just a brochure. What then if somebody were to break in? There’s nothing to take. Everything’s publicly available, all the pictures, there’s no liability there. But as soon as you have patient records, there’s a liability. If those records were taken, then the patient can come after you and there could be a lawsuit because of that. So that liability causes a lot of angst, and it builds the pressure up to have to secure that data and do a good job of it. 


Adam
So if the website is just a home page and about us, and maybe here are the services we provide, then there’s no patient information to secure. But as soon as you start getting things like contact forms where patients are going to be submitting information and that’s stored in the database, then the warning signs should start flashing, right? 


Gil
Yeah, that’s exactly right. This is good for the audience to know, because our audience is healthcare developers, healthcare app developers, and medical practitioners. So if you’re a medical practitioner and you have a beautiful website, I’m not taking anything away from this site. It might be very professional, may have been expensive to develop it, and all of that could have videos, lots of pictures, and all of that stuff is great. You don’t need to worry about HIPAA compliance if there are no transactions happening on the site, there are no patients that are logging in, there are no forms that they’re filling out. Now there could be a basic contact form, but we’re talking about a form that would be more about asking, well, what’s your condition? Yeah, that kind of a thing. So I would let our audience know that if there is no sensitive data, all that means is they could leave the site up and do some kind of security review, but it’s not as intense as if it had sensitive data. 


Adam
Yeah, and just on that point, podcast@hipaavault.com is a good email address to reach us at. If you do have any questions about securing that healthcare information, maybe you have a website you’re not quite sure whether HIPAA applies to it, then you can reach out to us at podcast@hipaavault.com, and you never know, you might get one of the questions on a future episode and we’ll answer it. Okay, so that’s a nice introduction to HIPAA Vault. If we look at today, what aspects of security are of particular note that web developers and healthcare companies need to pay attention to when it comes to locking them down and securing them for patient information? 


Gil
What comes to mind is a couple of things. One would be the data has to be encrypted. And that’s something that I think our audience, in general, should know about. So encryption means that you take data that’s legible, plain text data, and it’s essentially scrambled with a security key. So when you look at it, it’s nonsensical. Only if you have the key can you unlock the code and read it. That’s encryption. Well, there’s encryption at three different levels. When the system is powered off, the computer is powered off, that’s at rest, and then there’s encryption in transport. That’s when the data is being sent from point A to point B. So let’s say you’re on a web page, you’re actually pulling data. You don’t think about it that way. You just see the screen, oh, there’s the data, but it’s coming from somewhere. So that connection has to be encrypted, that’s in transit, and then there’s one in use that you don’t hear about a lot. 


Gil
So what that means is that the database where the information is, that could also be encrypted. So that’s called data or encryption in use. So it’s only decrypted the moment that it’s needed. As soon as it’s not needed anymore, it’s put back in an encrypted format. So the audience should be aware of that kind of encryption at three different levels. And whoever they talk to, whoever you’re working with to provide your technology and your application, you should ask them and say, hey, are you encrypting my data in all three? And it’s not very common, by the way, to have the data encrypted in use. 90% of what I see, the databases are not encrypted. In other words, the data is in plain format there. HIPAA does not require that it is encrypted in use, it’s required that it be encrypted in general. So HIPAA is kind of a loose guideline. 


Gil
They just say to have encryption, but they don’t say, okay, does it have to be in use as well? And most, 99.9% of people, have it encrypted through HTTPS. If you notice when you go to a website, you always have HTTPS, so that... 


Adam
It has a padlock, right? 


Gil
So that’s kind of a no-brainer in terms of encryption, that one. And then at rest, usually systems in the public cloud. When I say systems, I mean the virtual machines are usually encrypted when the virtual machine is powered off. So that handles that one. But the middle one, in use, is the one that kind of stumps people, like, well, what do you mean? Well, talk to your developer and ask them. Say, hey, when you have my data in the database, is it encrypted in the database? So that’s something to think about. And if it is, that’s a good thing to have. The other thing I was going to mention, it’s really important, is when you’re shopping around and you’re looking, where do I put my medical website? If you’re a healthcare app developer, where do I want to host my customer’s applications? 


Gil
And when you’re shopping around, ask one question that I think will be very telling, and that is say, hey, I’d like to have a meeting or know the name of your compliance manager. And that’s important because the compliance manager is the one that’s typically in charge of scanning your website to make sure that there aren’t any high or critical vulnerabilities. That’s his job. And then if he finds one, he assigns it to an engineer. So what could happen is this: you ask the question and then the guy on the other end might say, “Compliance manager? We don’t have one of those.” That’s a red flag. Or he might say, well, we have a compliance manager, but he’s not available to talk to you. It’s like, well, why not? He’s going to protect my data. I’d like to talk to this guy. And by the way, if he’s too busy, maybe they don’t actually have one. 


Gil
So that’s kind of a clue. So you really want to ask that question. That’s a really good question to ask. That’s a very encompassing question. It means that they’re well organized, and they have someone in charge of that. So it has a lot of insinuation by asking that question. 


Adam
Okay, so encryption compliance manager, what about users? Is there any kind of security around users and access that we should consider? 


Gil
Sure, yeah. You have to be careful; you want to restrict the users to the back end. “Back end” is a common term used in technology to mean the non-public-facing side of your website. So the public-facing, obviously, that’s the public. Anyone who has a laptop can hit your website. But the back end means the developers, the engineers, and the support staff come in through the back door to make changes to the website or the programming. So you want to make sure that the back end is well protected, and you don’t want to let people in there unless you know who they are. If it’s somebody working on your site, you know who they are, you give them access to that, and they really should be using some kind of two-factor authentication to access your database. The back end, all of that needs to be protected with two-factor authentication. 


Adam
Two-factor authentication. So my understanding of that is you’re trying to reduce the amount, sorry, reduce the likelihood of people sharing passwords and logins. Right? Is that about right? 


Gil
I think what you said is true. That is true. But that’s more of a secondary benefit. The real benefit there is when someone logs in, they have to provide a password, just the normal username and password. But then there’s a six-digit token. It’s typically a six-digit token that’s sent to a phone or it’s sent via email. Sometimes it’s like a Google Authenticator, where you have the app that every 60 seconds produces a new string of numbers. And that’s even better. So what that’s doing is, essentially, as we all know, unfortunately, the bad guys can steal credentials, and they do steal them all the time. So let’s say a bad guy steals your username and password. Well, when they use that, then they get the prompt saying, hey, look at your phone and give me that token, that six-digit code that’s on your phone. 


Gil
Well, they don’t have your phone. So they’re done. They can’t get through. 


Adam
If they do have your phone, you already know something’s wrong, right? Yeah. 


Gil
If you lost your phone and your credit cards, you’re going to deal with that. You would call your phone carrier or you would call your boss and say, hey, I lost my phone, and they can wipe your phone remotely, and you’d have to deal with that. 


Adam
Okay. Yeah. So encryption, compliance manager, and two-factor identification. 


Gil
Yeah, those are some of the high-level things. And I know you and I discussed what’s the goal of our podcast, and I’d like to share with the audience that what we want to do is talk about all things HIPAA. And in particular, we’re very interested and we want to lean into WordPress. Because WordPress hosts a high number of websites, at least in the US, and I’d say worldwide. I think the statistics are something like 43%. Oh, it’s higher. Okay. 


Adam
So it’s close to 50%. 


Gil
So that’s why our bent is going to be toward HIPAA compliance in terms of the WordPress ecosystem. So we’re going to be talking about things like plugins, which plugins may have some special benefit. We’re going to be talking about the WordPress core and updating it and essentially protecting that from a HIPAA standpoint. And I’m really excited to do that with our audience. I’d like to talk about practical things, Adam, that they could take away. They can actually do something, not just we’re talking heads and it’s just high level, but we want to come down with some real nuts and bolts where they could say, hey, I got something valuable. And even in this podcast we talked about, well, if you’re shopping, what’s a good question to ask on the other end? Well, do you have a compliance manager? I mean, that’s a great question that’ll really help you make your decision as to where to host your valuable content. 


Adam
Definitely. I’m sure the audience will look forward to us going a little bit deeper into WordPress specifically because, as you said, it is a very popular way to manage websites. Okay, well, I think that’s all for the intro episode. Be sure to check us out on hipaavault.com for our latest news. You can reach out to us at podcast@hipaavault.com. And until next time, thanks for stopping by. 


Gil
Thank you, everybody.