“The work the people in the DD community do isn’t always easy, but it’s work that makes a tremendous difference.”
John Gambill, Jr. interviewed Gary Pritts, President of Eagle Consulting Partners, Inc. in Cleveland, Ohio. Eagle is a HIPAA consulting and compliance firm working with County Boards and DD-related organizations throughout Ohio; it has worked with many of the same clients as [VC3] and has audited our services in the process.
Over the last 18 years, Eagle has worked with more than 70 of the 88 County Boards of DD in Ohio, often working hand-in-hand with board staff to ensure the people they serve achieve their outcomes through efficient and secure information technology.
Gary also consults with other HIPAA-regulated entities, including physician practices, hospitals, insurance companies, and a wide variety of HIPAA “Business Associates”.
He serves on the board of Lakewood Hospital (a Cleveland Clinic Regional Hospital transitioning to an outpatient facility), is a founder and past president of eHealth Ohio, and is active with numerous professional organizations.
Gary served as product development manager for the EDI clearinghouse division of Quadax, a regional clearinghouse, and understands provider organizations from his 6 years as President and owner of Premier Rehab, a Medicare Certified Rehab agency with two Cleveland locations.
His technology background includes 15 years in various computer and computer service organizations. Gary has a B.S. in Computer Science from Purdue University and an M.B.A. from Harvard Business School.
How Did You Get Started With Technology, Healthcare, HIPAA, And DD Organizations?
Gary: My career began with several computer jobs spanning 15 years. I was a programmer by training. Back in the day, we would install Unix boxes, comprehensive software for businesses, and provide full IT support for offices.
I got involved in the medical side of things when my wife and I started a physical therapy practice. We sold this business after about 6 years, and I returned to my roots in IT, but also married it with what I had learned in the healthcare industry. I got involved in working with a healthcare clearinghouse (an electronic medical claims business).
During this point in time, in the 1990s, the clearinghouse industry lobbied for the HIPAA regulations and promoted expanding the use of electronic claims in healthcare. Their goal was to ensure the insurance companies used electronic claims and accepted them in the same format.
This would, in turn, increase the revenue and profits for the healthcare clearinghouse industry. They convinced the politicians in Washington DC there was a lot of waste and inefficiency in healthcare claims processing. Standardizing this would solve the problem. Congress agreed, but since everything was going through cyberspace, insisted that privacy and security be ensured.
I was the point person at my company and participated in the lobbying efforts. So, I was on the front lines during the implementation of the HIPAA regulations.
In 2001, when the HIPAA Privacy Rule was rolled out, I saw how complicated HIPAA compliance was, so I started Eagle Consulting Partners to help healthcare organizations address this challenge. I supported organizations with implementation, and one of my first engagements was to assist 55 of Ohio’s County Boards with HIPAA Privacy implementation.
In 2005, when the HIPAA Security Rule rolled out, I worked with the Ohio Association of County Boards of DD to provide implementation support for HIPAA with 60 of the boards. My partners and I performed risk assessments for the boards using a sophisticated automated program. This proved to be an invaluable service for the County Boards.
At this time, I also worked with individual group homes, DD agencies in other states and Special Olympics International. So, I was pretty deep in the DD world.
Working With So Many County Boards, What Do You Think Is Their Biggest Risk?
Gary: The biggest concern I have for them is the ransomware epidemic. We especially see this with the County and City governments because they are a soft target for the profiteers.
Ransomware has been around for many years, but in 2018 it started being virulent and targeted; the ransomware programs became more sophisticated, encrypting databases and infecting entire networks. This was happening across all industries and throughout the world.
This year we’ve seen very successful attacks where small city governments in Florida were paying ransoms of more than $500,000. The State of Louisiana’s governor declared a state of emergency because their schools were being shut down by ransomware attacks. Then, most recently, we had a coordinated attack in more than 20 cities in Texas. They thought they had good recovery plans, but they discovered they didn’t. Here in Ohio more than 6 government agencies have publicized serious ransomware attacks.
So, what are my concerns for DD Boards? They have backups, but do they have recovery capabilities? Are their backups safe and protected? Are they isolated (air-gapped) from the network? If it’s connected to your network, the ransomware can encrypt the backup as well.
DD Boards are coming to us to assist with Disaster Recovery Plans, to ensure that backups are being performed properly and tested to ensure recoverability.
John: This is an extremely valid concern. As an IT provider we see this a lot. One of the biggest worries for us, and for me personally, is the ill-preparedness that I'm sure you see: a lack of understanding, not having the right systems in place, no education for their employees, and a lack of backup solutions that are regularly tested for disaster recovery; all the things you touched on and more.
I must agree with you on ransomware being a major threat and worry for DD organizations. It really needs to be taken more seriously than it currently is. The governments always seem to be late to “come to the party” in this respect. The federal government level is starting to take ransomware more seriously. I’m hoping we’ll start seeing this urgency on the local government level.
One of our customers had a breach before they engaged us. It was the reason they contacted us in the first place. They were one like you described that thought they were fine with their backups and recovery option, but they were not. The backups hadn’t been tested and they weren’t reliable.
Gary: As I mentioned, I was in the IT business quite a few years ago. Back in the day before RAID (redundant array of independent disks) was around, disk drives would go bad more frequently, and each and every time I was nervous; I worried if the backups would work. Fortunately, during my six years in that business we were always able to successfully recover our client’s data.
But now, we have hackers who are actively working to damage your data. Things today are much worse because you have someone with malicious intent. For example, the NotPetya attack was orchestrated by the Russian government to harass Ukraine. But, because we have multi-national companies that operate in Ukraine, it spilled out.
Companies like Merck and Kraft Foods had major financial repercussions from this ransomware and malicious act. Their computers were fried to the point where they weren’t usable. Making matters worse, their cyber insurance didn’t cover this because it was considered an “Act of War” which was excluded by the policy.
Not only do you have to worry about the profiteers, you must worry about the nation states that are simply trying to destroy your data.
So in addition to ransomware I'm also concerned about other destructive, malicious software. The United States has many weaknesses that nation states like Iran can exploit. With this destructive, malicious software they could hit us very hard.
John: Absolutely! This is why we try to shift clients' mindset from IT being a separate department to it being a layer in their organization that touches everything they do, every day. You must look at how this impacts risk and compliance and educate your staff so they are prepared. One employee can circumvent all your cybersecurity.
People are going to make mistakes. We must educate them, so they know what to be on the lookout for. Then we look at how we can best mitigate this destructive, malicious software by being proactive and having everything in place to stop it when someone does make that mistake.
Gary: The Security Awareness Training GO Concepts offers is an excellent service offering. The research shows that most of these attacks originate via email. The greatest technology, such as email filtering and firewalls, is never going to be perfect. So, the final line of defense is going to be humans.
The security training you offer with the simulated phishing attacks will train users what to watch for. It’s one of the top recommendations when we do risk assessments. We also recommend layers of protection, including managed patch updates, email filtering, good firewalls, but that last layer of defense is to train our “soldiers,” our staff.
John: In addition to this, we provide Dark Web Scanning and Dark Web Monitoring because the ongoing breaches are out there. We’ll watch to see if credentials have been compromised and are available.
What Do You Think Is The Most Common Misconception About HIPAA?
John: We spoke to a potential client in the DD space who said they weren’t sure if they were bound by HIPAA. Can you speak to that possible confusion?
Gary: It’s interesting because in some cases it can be complicated. First of all, there are four different kinds of entities that are required to comply with HIPAA:
1. Payors like ODMH or DoDD, who provide Medicaid funding
2. Clearinghouses that transmit the electronic claims
3. Providers that use electronic transactions like healthcare claims and remittances (there are 6 transactions)
4. Business Associates, who are typically contractors of one of the three types of businesses above
HIPAA regulates "healthcare providers who use HIPAA electronic transactions". "Healthcare" has a broad definition and includes support services to enhance function. So, DD boards' various support services meet the broad definition of "healthcare". They do their billing electronically, so they are HIPAA "covered entities". Consider, however, a small direct care provider who submits their claims on paper. Since they don't use the HIPAA electronic transactions, they are not obligated by HIPAA.
In conclusion, the County Boards and most of the service providers in the DD world that are submitting electronic claims are HIPAA covered entities.
What Do You See Are The Most Common Issues With DD Boards?
Gary: Lack of funding to do everything they’re obligated to do. These agencies are heavily regulated under HIPAA, Medicaid, DoDD, Department of Education and more. It’s tough to keep track of what they must do from a regulatory compliance standpoint. Plus, they’re limited with what they can spend on IT resources.
Most of the County Boards I've worked with are well intended to do all the right things, but there simply aren't enough resources for them to do everything they're required to do. Most of the expense comes in the technology area regulated by HIPAA Security.
There are 45 different standards in the HIPAA Security Rule, and they don’t reflect some modern concerns because they were written back in 1998. It took 7 years before they were promulgated, and they haven’t been substantially updated. For example, the word ‘firewall’ isn’t in there.
As a result, when we do our security risk assessment work, we need to explore safeguards that aren’t explicitly mentioned in the regulations. For Boards that are medium-to-large in size, we’re looking at about 120 controls. For smaller ones, we’ll narrow it to 50 or 60 controls to keep costs down. That’s a lot of things to assess. Let’s just say, we haven’t found an agency yet where everything was perfect. No one has the money to ensure this.
The HIPAA security risk assessment is one of our core service offerings. They are very hard to do. You must estimate the probability that specific incidents will occur during the next 12 months. Precise actuarial data for these risks do not exist. Then we must estimate what the impact is if a failure does occur, which is also a challenging process. Part of the difficulty with impact estimates is that there is a wide range of potential impacts. To be useful to decision makers making budget decisions, it is essential that they know how costly the failures could be and what the probabilities of failure are.
What Services Does Eagle Consulting Partners Offer And How Long Does It Take?
Gary: There’s a range of services we offer. We’ve already discussed our Risk Assessments. We can complete one of these in a month for a small agency, and two or three months for a larger one. A client may need to do more research to answer our questions so there can be some delays. These are exacting studies which then take a while to write up. It’s a complicated job.
We also offer Policy and Procedure Customizations. We’ve done a lot in the DD area, so we have a standard set of policies and procedures that are fully compliant for County Boards of DD in Ohio. While this core of work is already done, the labor-intensive portion of the job is to integrate them into the agency’s existing manual. For the manual to be useful, we need to review the entire manual to ensure that there are no conflicting and/or overlapping policies.
We serve both large and small/medium-sized counties. For small and medium-sized counties that can’t handle everything on their own, we generally recommend that they engage a reputable IT Managed Service Provider (MSP). This ensures they are doing everything they should be doing when it comes to IT. A good MSP will standardize and automate a lot of processes for efficiency, where on their own a small or medium County Board couldn’t do this. We’ll also specify what things should be included in their managed services contract.
John: Coming from this side of things, we certainly see the value in this. Whether they have IT in-house, completely outsourced, or in a co-managed situation to assist their IT staff, this is key for them to be able to address the enormity of requirements.
Are There Things County Boards And DD-related Organizations Can Do To Be More HIPAA Compliant?
Gary: It starts with the Superintendent of the County Board. They need to be involved with the HIPAA compliance process. In the era of ransomware, HIPAA compliance has also become good business. This is because the HIPAA Security safeguards, properly implemented, will help prevent ransomware, and if a ransomware attack does occur, HIPAA safeguards will help a county board quickly recover.
The top leadership and the Superintendent need to be educated about the risks. They need to know about risks like losing all your data, data breaches, having their information on the Internet or sold on the Dark Web. They know that these incidents are both embarrassments and breaches of public trust.
Only when the Board is educated will they be able to make those difficult tradeoffs when allocating resources. It comes down to, are you going to put enough financial resources in this area? Unfortunately, historically the answer has been no. They need to up the level of commitment to address the problems of today.
Agencies can also ensure that their HIPAA privacy and security officers are educated about what they’re supposed to be doing. There are a myriad of specifics involved with HIPAA compliance. To name a few at the top of the list:
- What is a robust patching strategy and how often should patching occur?
- How can employees be trained for Security Awareness?
- What is an appropriate backup regimen?
- How should the backup be tested and how often should this occur?
The value of the Risk Assessment is to help pinpoint the key areas for resource allocation. There's never enough money to go around, and this will help focus on the most pressing needs.
A Risk Assessment will be a small fraction of the total spending, and it’s a good investment so that no matter what the total budget/spend on IT is, it will be spent in the most intelligent way.
John: The first two things involve people, and the next three are technical. We put a blog series out to help address these concerns. We had several people contact us, after being referred by clients, asking how they address these exact issues. So, we wanted to cover the technical issues they were dealing with. But to complete the culture requires the involvement of the people at the top that you mention.
We were talking with your staff about Warren County Board of Developmental Disabilities, a mutual client, discussing why they have such an extremely low risk profile. One of the reasons for this, as pointed out by your team and clearly supported by your comments here, is that their leadership is fully invested in this effort. The Superintendent and IT Manager make HIPAA compliance, especially where it involves IT, a priority, and that helps ensure they protect the data of the individuals they serve. In the end, they don't have to worry about how they look to the public in this aspect and if they'll be supported as a result of it.
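Two points raised above, that a backup reachable from the network can be encrypted along with everything else, and that a backup regimen is only as good as its restore testing, are easy to state and rarely drilled. The following is an added example, not the interview's content or tooling from Eagle Consulting Partners, GO Concepts or VC3, of what a minimal automated restore drill can look like: it restores a backup into a scratch directory, compares every restored file to a SHA-256 manifest, and authenticates that manifest with an HMAC key that is assumed to live on a host the backup job cannot write to. The directory layout, manifest format, key handling, sample files and the simulated ransomware run are all assumptions constructed for this example.

```python
"""Backup restore drill: verify a backup actually restores and has not been altered.

Added example, not the interview's or either firm's tooling. Assumptions: the
backup is a directory tree plus a SHA-256 manifest, and the manifest is
authenticated with an HMAC key held on a host the backup job cannot write to.
"""
import hashlib
import hmac
import json
import secrets
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative POSIX path) under root to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def take_backup(source: Path, backup: Path, key: bytes) -> None:
    """Copy source into backup/data and write a signed manifest beside it."""
    shutil.copytree(source, backup / "data")
    manifest = build_manifest(backup / "data")
    (backup / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    (backup / "manifest.sig").write_text(sign_manifest(manifest, key))


def verify_restore(backup: Path, restore_to: Path, key: bytes) -> dict:
    """Restore into restore_to and compare every file against the signed manifest."""
    manifest = json.loads((backup / "manifest.json").read_text())
    stored_sig = (backup / "manifest.sig").read_text()
    report = {"ok": False, "manifest_tampered": False,
              "missing": [], "mismatched": [], "extra": []}
    # A manifest rewritten by an attacker on the backup host carries no valid HMAC.
    if not hmac.compare_digest(sign_manifest(manifest, key), stored_sig):
        report["manifest_tampered"] = True
        return report
    if restore_to.exists():
        shutil.rmtree(restore_to)
    shutil.copytree(backup / "data", restore_to)  # the actual restore step
    restored = build_manifest(restore_to)
    report["missing"] = sorted(set(manifest) - set(restored))
    report["extra"] = sorted(set(restored) - set(manifest))
    report["mismatched"] = sorted(p for p in manifest
                                  if p in restored and restored[p] != manifest[p])
    report["ok"] = not (report["missing"] or report["extra"] or report["mismatched"])
    return report


def simulate_ransomware(backup: Path) -> None:
    """Constructed simulation of a network-reachable backup being encrypted:
    one file is overwritten with random bytes and renamed, another overwritten in place."""
    victim = backup / "data" / "clients.db"
    victim.write_bytes(secrets.token_bytes(victim.stat().st_size))
    victim.rename(victim.with_name(victim.name + ".locked"))
    plan = backup / "data" / "notes" / "plan.txt"
    plan.write_bytes(secrets.token_bytes(plan.stat().st_size))


def simulate_manifest_rewrite(backup: Path) -> None:
    """Attacker regenerates manifest.json to hide the damage; without the key the
    stored signature no longer matches."""
    manifest = build_manifest(backup / "data")
    (backup / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))


def run_drill():
    """Return reports for a clean restore, a ransomed backup, and a forged manifest."""
    key = secrets.token_bytes(32)  # kept off the backup host in a real deployment
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "notes").mkdir(parents=True)
        # Constructed sample data standing in for an agency's files.
        (source / "clients.db").write_bytes(b"constructed sample database contents\n" * 200)
        (source / "notes" / "plan.txt").write_text("constructed disaster recovery plan\n")
        backup = tmp / "backup"
        take_backup(source, backup, key)
        clean = verify_restore(backup, tmp / "restore1", key)
        simulate_ransomware(backup)
        ransomed = verify_restore(backup, tmp / "restore2", key)
        simulate_manifest_rewrite(backup)
        forged = verify_restore(backup, tmp / "restore3", key)
    return clean, ransomed, forged


if __name__ == "__main__":
    for name, rep in zip(("clean", "ransomed", "forged manifest"), run_drill()):
        print(f"{name}: {rep}")
```

The clean run reports `ok: True`; after the simulated encryption the report lists `clients.db` as missing, `clients.db.locked` as extra and `notes/plan.txt` as mismatched, which is exactly the evidence a board needs that a "backup" would not have recovered them. The forged-manifest run shows why the manifest must be signed with a key the backup host never holds: an attacker who can write to the backup share can rewrite the hashes, but cannot forge the HMAC. In practice the key and a copy of the manifest belong on a system the backup job can only read from, and the drill should be scheduled, not run once.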
What Does Working In This Field Mean To You?
Gary: The one thing I'll say is, personally, my family has been affected by developmental disabilities. I'll share that my nephew, who is 31 years old, is profoundly disabled. He hasn't spoken, moved or eaten by himself his entire life. He's living in an ICF/IID. I can tell you personally about the stresses, challenges and hardships faced by families who have members with developmental disabilities.
The work the people in the DD community do isn’t always easy, but it’s work that makes a tremendous difference. So, it’s really a pleasure that I have the opportunity to provide services to the people doing this hard work. I appreciate the work they do, and I thank them for their kindness, support and loving care.