The HIPAA Vault Story
By Gil Vidals, HIPAA Blog

Doug: Hello and welcome to the MSP Voice Webinar series. Today I’m pleased to be joined by Gil Vidals, from HIPAA Vault, and he’ll be talking about their HIPAA compliant cloud. So Gil, why don’t you go ahead and take it away.

Gil: Alright Doug, thanks for inviting me. I’m looking forward to talking about my passion. You’re looking at a picture of a guy (who’s not me – but looks just like me) back in 1988.

I was working for Morgan Stanley with their mainframes, so in the background you can see these mainframe computers. My job – which started at 8pm at night – was to run back and forth with these huge tapes which you see in the picture, and load them into the mainframe, then go back, and grab another one. I worked from 8pm to 8am, and then we had a training class from 8am to noon. So it was an insane schedule, we were slaves to Morgan Stanley back in the day.

So that was the start of my passion with computers – it was around 1980 – and a neighbor of mine, an engineer, was putting together a computer himself. So back in that day, 1980, you could buy Commodores and Amigas in magazines, but if you were a serious business guy or an engineer and you wanted a workstation – not for gaming – you had to order all your own parts, and bring them in, and he’d assemble them for you (cost my dad five thousand dollars – I think I was a junior in high school). And what’s really funny was when he got it all together and he went to pick it up, it took two people to carry it, and the sides were made out of pinewood. And so it was like an old station wagon with wood panels on the side – and that was my first computer. So that’s kind of how I got started.

So, in 1994 I lived in California, and there was a program I discovered called Winsock. You know, you’d get a stack of 12 diskettes from Microsoft, and you’d put them in there in this Hayes modem, you know 1200 baud, and it would start beeping and buzzing, and two minutes later you’d be connected to the internet, you know, and what did you do back in 1994? Well, you went to Alta Vista, because Alta Vista was the only search engine of the day! And so that’s how I got started.

So I went to Alta Vista and I thought to myself, How can I get into Alta Vista? So I figured it out essentially, and then I started my own company in 1997, doing exactly that. And companies would call me and say, “Gil, we want to get into Alta Vista just like you got in, how do you do that, and how much does it cost?” So I said, it’s $200 a month, (you know, I needed some money to pay for food, so I thought $200 a month), and they paid it. Then the next guy called me and said, “I want to get into Alta Vista too – you did it for my friend Larry, and how can you do it for me?” And so I did it for him too. Then he said, how much are you gonna charge me, and I said, “It’s $400 for you.” So I started doubling the price, until I hit the ceiling, because there was no market for this work in those days, you didn’t really compare to competitors, you just made it up as you went. So our business in 1997 was focused mainly on search engine optimization, and also some web hosting at the beginning.

Doug: Wow, so you’re kind of like an SEO pioneer. Back then, we didn’t even know what Google was. Yahoo wasn’t even born yet, I don’t think.

Gil: Yeah, I think Yahoo was around the same time as Alta Vista… So I started the company in ‘97, and it was in 2010 that I turned the corner. And the reason was, it was kind of an unusual conversation with my dad – he helped me finance the business and get started – and he said to me one day, “You know, you’re really basing a lot of your business on these search engines.” And of course by 2010 it was Google we were optimizing for, and getting rankings. And our claim to fame, Doug, was that we had the term ‘Life Insurance’ as #1. That company, in Southern California, was making about $500,000 a month selling life insurance because of its ranking, and we were making like $3000 a month. And I was like, “Wow, I’m an idiot, I should’ve been charging them a lot more!” But in any case, I had a conversation with my dad one day, and he said, “Son, your business reminds me of an elephant, with a flea on its butt. When that elephant moves, that flea is gonna get squashed.” And I go, “Dad, what do you mean by that?” and he said, “Well the elephant is Google, and you’re the little flea on the butt, and if Google decides to change the algorithm, your techniques are going to go by the wayside.” And he was right.

Doug: Yeah, a lot of people got burned by that, didn’t they?

Gil: Oh yeah, and as some of the audience might know, the SEO industry imploded around that time – literally imploded – just caved in, and so some companies said, “Well we’ll do the new social media marketing,” you know, whatever they wanted to call it, and I decided – and it was a tough decision – that I’m gonna continue to do hosting. So I started in the early days, it was a red-headed step-child, and I decided, well let’s pursue that. Let’s not do this SEM business anymore.

So about 2010 I had a client of mine that I was hosting call me, and they said, “Gil, do you know anything about hosting medical data? You have to follow HIPAA regulations – federal regulations.” I just told them, “Look, I don’t know a hippo from a HIPAA, I don’t know what that means, but let me research it.” So I did, I did a lot of reading and I called them back, and said, “Hey, I think I can do this.” And we had a good rapport so they gave me the opportunity. And the neat thing was, instead of charging peanuts for hosting, they were willing to pay a handsome price because of the security involved and the liability of hosting medical data. So I thought to myself, this is an area we need to focus on.

So, HIPAA is basically broken down in 3 areas: administrative controls, physical safeguards, and technical safeguards, so that was what I had to get my mind wrapped around in order to serve that market space.

Doug: We had a guest last week, HIPAA for MSPs, and that was one of the conversation points, you know: “Can MSPs charge more for their HIPAA clients?” and the answer was “Yes, because the requirements are so much greater when you’re trying to help those companies that have to be HIPAA compliant and conform to the standards” and those types of things. As you said, you can charge more for hosting this data because you had to go through all these extra hoops.

Gil: Yes, absolutely. And you know, one piece of advice I would give to those MSPs who are listening is, don’t compete solely on price. The race to the bottom is an ugly race, and if you win, you lose, because you’ll go out of business. That’s the way it works. So, you want to come up with a better formula. And for us, it was the HIPAA compliance, and that garners a premium. But what we did though was we wanted to be a value leader, and the reason we wanted to be that was that we were used to using open-source. Back in 1997, there weren’t really any commercial products out here. You used Apache on a Linux server – everything was free – so, for many years, Doug, we were used to hosting in an open-source environment. We got quite adept at it, and so when we launched the HIPAA and medical services hosting in 2010, we already had this inexpensive platform. And yes, we added some commercial licensed software to it as well, but the mixture, the right ingredients were helpful in keeping our price really low. And so we were able to achieve that and I think that was very helpful in getting a foothold into the market. And so, just as an example, in our market space, if you want to get a start-up plan, our competitors were offering pricing at about $1500/mo. Competition heated up and they dropped it to $1000, now we have some who are competing between $500 and $1000, but we can go down as low as $299.

Doug: Wow.

Gil: So that’s a great thing, and we’re able to keep that price low, and it’s not a loss leader I would say, but it’s a good way to get those clients. And some of those clients who started off at $299 are now paying us over $5000 a month today. Yeah, I wish a lot of them did that, but there’s a percentage that really mushroom, right, so that’s not a bad model for an MSP, if you can get enough room to convert.

Doug: Yes.

Gil: So Doug, what I want to talk about next for a little bit is what sets HIPAA Vault apart from – I don’t know, how many MSPs are there out there? You probably know better than I do, you have any statistics on that?

Doug: Oh, tens of thousands at least. You know, there’s probably ten within a five mile radius of where you sit, so…

Gil: Yeah. Hey, quick tangent Doug – you could do a whole webinar centered around this, but a guy from Forrester just came out with a fascinating statistic, he said that 96% of the IT service companies (and MSPs are under that rubric) can’t seem to scale beyond 10 employees. The average IT Service company has 8 employees. They want to scale, but they can’t, and I thought that was fascinating. We’re much higher than that employee-wise, so that tells me we’re doing something right to put us in that 4%. But I asked myself, what are we doing different that sets us apart? And that’s kind of what I want to focus on next.

Doug: OK.

Gil: The attrition rate for us is, or what we strive for, is less than 5% – that’s our goal. By that I mean, how many customers are we losing per year? I think that’s a worthwhile goal because MSPs that have too high of an attrition rate, they become what I call a revolving door. Y’know, your sales guys grab that sale they got from an AdWords link that cost them $400 to convert that lead, and the next day they lose one for a few months. So you’re a revolving door and your profitability never grows and you’re working your butt off. So that’s one of our main goals at this company, to keep that attrition rate at 5%. And 5% isn’t really very sexy, I’d like to get it much lower, but at least that’s what our eye is focused on. And so the question is, How do we do that? And one of the ways we’re doing it is to use US-based support staff only. And that’s not an accident, a lot of the HIPAA regulations call for US-based, and the federal regulations if you dig into them say, no foreign nationals should have access to medical data for US citizens. So, not every MSP is going to want to play that way, but we did, and we saw a big side-benefit. And so when our customers call, they love it that they can reach us, whereas when I call a vendor who has overseas staff, they tell me, “Oh well, I understand that you’re having this issue, our engineers will look at it tonight.” And I’m like, “Tonight?” And that’s because their support staff is who knows where. So the next day you get a ticket, and the cycle for tickets takes forever, because you’re talking to some guy on the other side of the world. So I think to keep our attrition rate, our “made in the USA staff” has been a key point.

Doug: OK

Gil: The other thing that we’re doing which really made me nervous at the beginning to be honest was to offer a 15-minute response time. Ok, so that means, the traditional IT service companies brag, “Oh, we’ll respond in 24 hours if you open a ticket in chat or email.” And I’m like, “24 hours?” Who knows what’s going to happen in 24 hours. So, our engineers are equipped to answer in 15 minutes. Now when I say answer, I don’t mean just an auto responder that says, “Larry, I got your ticket, we’ll look at it.” I mean, a real engineer who’s already looking at logs and digging into it. So within 15 minutes, and our clients love that – they’re buying pizzas for my staff, and I’m like what’s going on out there guys, I smell more pepperoni pizza – and that’s because they can’t believe they’re getting this kind of support.

The other thing we’re doing to keep our attrition rate low is first-call resolution. We decided to not have any tier-one engineers, and that’s because too many times when I would call, I’d get stuck in tier-one land, and they’d say, “Oh, we need to escalate it,” and it’d go round and round. And we thought, what if we just didn’t have tier-one support staff? Now when you call, you’re immediately on tier two, and what that means is first-call resolution is very successful for us – probably 90% of the time we don’t need to escalate to another engineer. So you’re on the phone, you hang up, the problem is solved.

Doug: And that’s the reason you get a lot of pizza.

Gil: Yeah (laughs). The other thing I do is to keep that staff happy and healthy. And this is not – maybe it’s not a business thing, it’s more of a personal one – but I really take an interest in the life of my staff. I try to help them out any way I can, whether it’s something involved with the company (or not). And we have some of the traditional things like, they’re playing ping-pong, we have competitions here with a pull-up bar in one of the offices, and you know, some of these guys couldn’t do a single pull-up! And you know I’m in there, and I’m 55 now, and I’m like, “Watch this guys,” and I’m showing off, doing about 10, and they’re like, “What? This old dude can do 10 and I can’t do one?” And so now they’re in there and they’re really struggling, sweating every day trying to get up to more than I can do. So it’s a healthy, fun environment where you try to mix it up with the guys, and I think that has led to having a low attrition rate and employee turnover. So we’re keeping our employees for many, many years. And Doug, I don’t know the industry average, I can’t tell you how long a Sysadmin normally stays around, but I can tell you our guys are staying around for years, and they get to know the clients by name. So when our clients call they say, “Oh hi Joe, what’s going on today?” and that gives the client a warm fuzzy feeling, “This guy knows me, I’m not just another customer” – you know, ‘What’s your account number sir’? So that’s helpful.

So, the next thing I want to talk about and what I believe sets us apart is a Security Model of Continuous Improvements. I mean we have a good security model but we’re never resting on our laurels, never just sitting around saying, “Oh yeah, we’re great here with security.” We’re always questioning our own security, thinking, how can we improve it? What can we do that will help us have better security? So I’d like to go through some diagrams and just quickly show an evolution of how to be an MSP with good security. So this next diagram – I’m gonna call it Security Level 1, (and some of our competitors still implement this model) – so in this diagram you see on the left ‘Users’ – could be your end users, your developers, everyone on the internet that’s coming through. And this example is a Google Platform example – HIPAA Vault hosts both in private data centers, in Google, and wherever we want. So in this case it’s in Google cloud, and you’ll notice that there’s just a firewall – a Google cloud firewall, and below that you’ll see a web and database server, and as I said, some of our competitors still actually implement this model – and what makes this model very weak is that the Holy Grail, the Golden Egg is the database, because that’s where the important information is – and in our case it’s the medical data sitting in that database server. So, that database server is sitting at the edge of the internet. And if someone knows how to get to it, they have at least a chance to get to it.

The next model – call it Security Level 2 – shows a simple change, where you separate and isolate the database server. So now you have the web server and the database server, and why is that important? Because the database server is pretty much in a DMZ – the demilitarized zone – it’s isolated, there’s no access to a public IP, you have to have a private IP to get to it. Only the web server could talk to the database server, so if a hacker got into the web server, he hasn’t stolen the Golden Egg yet. He still needs to reach out to the database server to get the data. So that’s a little better.

The next one is Security Level 3 model, in which we’ve interjected a WAF – a web application firewall – and you can find those in the marketplace, find your favorite one – but you put that there between the standard firewall and the web server.

So now you’ve got an extra layer of protection. And this diagram doesn’t show it but we’ve also got an IP Reputation appliance which is focused on looking at basically a glorified blacklist; it knows from a list of millions and millions of IPs which ones are scanning for vulnerabilities, which IPs have hackers behind them, and so on. So having an IP reputation appliance alongside the web application firewall is also another layer.

Now, the Security Model 4 builds up a little bit more. If you notice at the bottom, we’ve introduced a VPN.

And the reason that we’ve done that is because we don’t want the developers (you’ll notice this says Dev. team or DevOps team), we don’t want those guys having to come in through the normal internet port, like port 80, and port 443, and port 22. We don’t want to open up extra ports that everyone in the world can access. So what you do instead as you can see on the lower part of the diagram, is introduce a VPN, and the DevOps team can access and transfer files, and look at the database, run queries directly, whatever they need to do, and so now you’ve segregated things even further by making sure that certain ports are completely isolated from public traffic. So that’s another improvement that can be done. Now, I want to pause here for a moment to recognize that this model costs more than the first model where you had everything in one unit, in one server – that’s a lot cheaper, but again, we’re not competing for just price, we want to assure that the data is secure – that’s our primary goal. So this helps in that regard.

Now the final one – this is the mystery – there’s an additional improvement that we’ve made, but I didn’t want to reveal it in a diagram (and hopefully there’s some MSPs leaning forward in their chair saying, “Where the heck’s this model?”). But we have a little secret sauce, and that secret sauce incorporates more technology. And I wish I could show it, but it does make it more affordable and more secure. And usually when you say ‘more secure’ it means you’re spending more money to make it more secure, and this particular model we figured out a way to make it more secure and spend less money. It’s one of those unique circumstances where it just worked out that way…

Doug: That’s great.

Gil: Yeah, we got kind of lucky on that one. So these kind of models that I’m demonstrating here are things that each MSP has to wrestle with, but the moral of the story is, don’t rest on your laurels, don’t ever think you’ve obtained the Holy Grail of security – you never can – but the way you keep evolving is, listen to your staff, those guys on the front line. They know. I do a lot of research, I attend other webinars and do a lot of reading, and I’m always looking for the thing that we can test in house, that we can bring in to our company and test on a development server, then meet and ask, “Hey, what do you guys think of this? Is this technology worthwhile?” So we’re constantly doing that. And we’re not big enough of a company to have this official R&D department where you have a whole crew doing that, but it still falls under the category of R&D because that’s what we’re doing.

Doug: So talking about these different levels of security, understanding that we’re talking about HIPAA and compliance, obviously there’s guidelines – you talked about the technical and the physical and those types of things – how much do these security models play into that HIPAA compliance aspect of it?

Gil: Yeah, that’s a good question – actually, very few. They’ll tell you, “Buy this tool because it’ll help you with HIPAA,” – everyone wants to tell you that – though there is one tool that I’ve seen called OpenSAF – it’s an Open source tool that anyone can use – and OpenSaf will actually query a server, and if you have an agent on the server, it will actually come back with a really neat report saying, here’s all the regulations on one part of the chart, and it will say here’s the problem on the server – we found a package that should’ve been installed, and it’s not – SELinux, SEVault, whatever, and it will tell you – you can’t meet this regulation because it’s missing this package. And that’s more of a reporting tool to let you know where your vulnerabilities are, but as far as a commercial tool that you can go out and buy – you know they’re all going to be useful in some regard – but there’s no silver bullet that says, “Install our tool and now you’ll be compliant for HIPAA across the board.” I haven’t seen that.

Doug: Yes, and like we said, there’s also no HIPAA certification, so if someone says, “Well we’re HIPAA certified,” well there really is no government certification. If someone decides to look into your HIPAA compliance, they’re going to look, and you’re either compliant or you’re not.

Gil: Yeah, well I can tell you’ve done your homework, because a lot of people don’t understand that. We get some calls asking, “Are you HiTrust certified?” – and HiTrust is a good company, I think they’re smart and they kind of cornered the market on certification – but if you look at the government regulations, they even state that there is no company in the United States that certifies HIPAA. This is not about paying for certs, it’s all about due diligence. Interesting story – if you’re a health app developer for medical or a hospital, and you’re audited and they find out that your website isn’t up to snuff, you can get fined of course, up to $5000 per patient record, up to 1.5 million dollars. If you have an x-ray and you send that out by email, and someone takes that email and forwards it to somebody else, and so on, that can multiply up to 1.5 million dollars. That’s pretty steep, so you really have to pay attention to the HIPAA regulations.

Doug: Yes. So obviously you’ve set up the security model to be secure, but what about your customer and clients? Do you provide HIPAA education for them – you know, what to do, what not to do? How do you handle that aspect?

Gil: Yeah, that’s a really hard one, because what the customer usually wants is just to say, “Look I hired HIPAA Vault to do this stuff for me and make sure we’re compliant, now we’re done.” And that’s kind of their emotional state, they say, “Hey we pay you guys, we’re finished,” but what they don’t realize is that HIPAA is a business operations regulation – it’s not just your website. So the story I like to tell is, you have a developer who is working on this workstation developing your website code, and he has some patient information that he happens to pull up on his screen. He decides it’s lunchtime and he walks away and leaves his screens unlocked, and there’s a window right there on the first story of the building and someone walking by can peer in and say, “Hey look there’s someone’s x-ray right there on the screen!” Well that’s a big HIPAA violation. So that guy didn’t have the training, didn’t realize he needed a screen lock on his machine – that’s a very simple example. So I use that to tell my clients and they realize and say, “Oh, Gil, you and HIPAA Vault can’t control my staff who are sitting in my office,” and I say, “That’s right, I can’t.” So you have to train them to be HIPAA aware and get certified – that’s up to them to do. But they’re reluctant, because it’s more hassle and cost. The bigger companies tend to embrace it, but the smaller the company, they tend to want to do less and less. The bigger ones have more to lose – so they’re willing to do more work.

Doug: But even the smaller ones, if they get hit with a violation, they could be put out of business right away.

Gil: Yes, you’re right about that – absolutely.

Doug: Great. So, if people want more information about your HIPAA compliant cloud and hosting, where can they go –

Gil: Yes, and also LinkedIn. We’ve been very proactive with LinkedIn, doing a lot of videos about what we do and how we handle things, so they can go there. And we’re very easy to get a hold of – I know people like to say that – but literally, we pick up the phone when you call. There is a trend in the industry that companies are removing all forms of contact. I run across that more and more recently, where you can’t dig in and find a phone number or email. We’re doing just the opposite, saying, here’s my cell phone number, call me anytime you want. That’s something else that MSPs can take away: make yourself really reachable. That’s a distinction that isn’t that hard to do.

Doug: Yes, I know if I want to reach someone, it’s really nice to have their number to get a hold of them.

Gil: Yes, definitely.

Doug: Well that’s about all I have, anything else you want to say?

Gil: Well, just that it’s a pleasure to be on and able to talk about these topics, hopefully some of the MSPs listening will have some takeaways, and if any of them want to leave me some comments, that would be great. And we’ll post this on our own site as well.

Doug: Gil, thank you very much for your insightful presentation, it sounds like you’re having some good success with your HIPAA compliant cloud and hosting, and wish you more success in the future.

Gil: Thank you Doug, we really appreciate it.