Hi, everyone. Welcome.
Let me know if you can hear me. Okay? We’re gonna get started here in just a few more minutes.
So we’ll give it a little bit longer, as I see more people are joining in.
So just a little bit longer, and then we’ll get started.
Okay. Give me a little more time for folks.
As we’re about to begin.
So good afternoon for some, and semi-morning for others; you know, some of our teams are across different time zones. So, you know, definitely excited for everyone to be here.
As I see the numbers start joining, welcome again to the Ciox Datavant webinar. I’ll be working with Hubert in the background to assist our presenters with slides and questions. And if you have any questions, please put them in the chat panel and we’ll be able to help from there. So very excited about this webinar. There are over a thousand-plus people that registered, so definitely excited. Seems like a lot of people are very interested in security.
So definitely ready to get this started. This webinar session is security-focused, so we’ll discuss how to safeguard your business, assess security vulnerabilities, and implement effective controls in your organization.
And if you stay until the end, we’ll actually shed a little light on the Ciox perspective with real-world scenarios. Right? There’s nothing better than real world, you know, especially when you run into system hiccups. We all know that doing live events, you’re always bound to run into something.
So stay tuned for that one. The other thing to let everyone know is that this is approved for one of AHIMA’s CEUs, and the credentials will arrive after the webinar is concluded. We’ll also have a recording on demand for those that are not able to view this live. And we’ll also leave room for Q and A.
So next slide.
But first, I wanna start off and present our excellent SMEs, Robbie and Amy. So Robbie Hudek is our Chief Information Security Officer and Senior Vice President of Tech Ops, and oversees our infrastructure strategy, architecture, and operations.
She serves as a resource for achieving business-aligned information and security leadership. Robbie has over twenty-five years’ experience developing effective information security functions by incorporating the right amount of data risk protection policies combined with effective procedures for organizations, and strategies for monitoring and response management of data incidents.
And we also have Amy Dirling, who’s our Director of Compliance and Privacy for our provider side. Amy has actually been with our organization for over twenty-five years. She’s been very active at the state and federal regulatory levels, helping us have discussions about HIPAA, HITECH, and patient right of access. And even more amazing, in twenty fourteen she was the CIO Impact Award winner for meeting data network resilience with innovative technology in privacy and health information. So both of our wonderful presenters today bring a wealth of experience.
And this is our oh-so-very-important legal slide. You know, we do have a disclaimer to provide you. If there is a specific legal question, we obviously do encourage questions, but if you have a specific legal question, please ask your respective legal department, since there are specific state and hospital policies.
So the information provided in this webinar does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials available in this webinar are for general information purposes only.
Information in this webinar may not constitute the most up-to-date legal or other information.
The webinar slideshow might contain links to other third-party websites, and therefore such links are for the convenience of the reader or user, and Datavant or Ciox Health does not recommend or endorse the contents of third-party sites.
So now getting ready to get to the meat of our presentation today. Today we’ll cover our security session across three topics. One, an overview of workplace security training and awareness strategies for effective protection.
Two, the vital role of compliance in securing customer information.
And three, collaboration across IT privacy compliance and risk committees to maximize security and compliance.
And after I kinda lead with all that, I’ll hand it off to our presenters.
Robbie, take it away.
Great. Thank you, Brent. Really appreciate that introduction.
First and foremost, again, welcome, everybody. We’re excited to have everyone here today to talk about information security training and awareness, at least for my half of the presentation.
Again, want to remind everybody, please put your questions in chat, and we have time at the end of the session. We can cover those. Okay?
So I have a question. We’re gonna start off with a poll question here around security training. So if everybody could just take a minute, we’re gonna launch the poll.
And we’re gonna kinda kick it off of that. We know security training is boring and, you know, most companies struggle with the effectiveness of it and trying to make it fun and entertaining.
We also know that, you know, there are many pitfalls to training, as many organizations are struggling with that today. So we’re gonna cover some of those pitfalls as well as share some best practices to make it more relevant and effective for your organization.
So if we can start showing some of the results, awesome.
Those training at minimum once a year.
And that’s pretty typical of what we see out in the industry today. Again, companies struggle with it, struggle with, you know, trying to make it relevant for people. We’re gonna talk about, as I mentioned, some of the pitfalls in it.
There’s twenty-six percent, which is impressive, that at least do it monthly and quarterly.
So, typical, and then I see some that don’t do it at all, which is... people struggle with it, I know. And so I’m not surprised by that number. I’m not surprised that it’s actually not higher.
So let’s look on let’s go on to the next slide.
So every one of us is a security stat of some sort. Right? And if you have not experienced at least one type of these, I’m sure you’re going to experience something or have experienced something, whether it’s virus, malware, or... With that being said, you know, these stats can be fun, and there’s a lot of stats out there for us to read. Right? But we don’t wanna be part of the bad stats. Unfortunately, I can say that we’ll probably all have some level of a stat somewhere across many companies.
So these are just generic stats; you know, don’t take them too hard as absolute numbers. Obviously, from somebody else I’ve seen, we’ll go through some of these. They’re like eighty-five percent of attacks stem from human error. I’ve seen it up to ninety-seven percent in some polls that have been taken by different companies. So keep in mind that these are just for general conversation and purposes to go through the content today.
So let’s talk about that. What is your number one risk today? We talk about assessing security risk, at the beginning of the presentation as part of the title.
Pretty much everybody will say in their company their number one security risk and vulnerability is their users, whether it’s intentional or unintentional.
So why not invest more time in educating and training users to understand how and what to do to prevent a security incident from happening?
It’s hard, but we’re gonna talk about it.
One out of five companies, as you saw, only deliver training once a year. And as you saw, that stat was pretty heavy in the seventy percent. Alright? At minimum, do it at least once a year.
We need to be doing it more. We’ll talk a little bit more about that as well.
What’s really interesting is that Microsoft alone was targeted with thirty million malicious messages in twenty twenty-two around their products and services, using them as kind of a target, if you will, for companies out in the wild. So whether it was through Microsoft email and somebody saying, hey, you know, you need to log in to your SharePoint site, which is really a malicious bad guy.
Obviously, they’re targeting these companies because these are the day-to-day software and, you know, websites that we use as normal users in our day-to-day business. And so it’s nothing for us to think about. Oh, I clicked on a SharePoint site; oh, it’s asking for my credentials. Oh, yeah. That’s pretty normal.
I’m just gonna go stick it in there. Well, lo and behold, the bad guys have gotten very smart, and they’re mimicking these Microsoft websites, and they’re stealing credentials that way. So for instance, if you got an email and you clicked on a Word document in it, and it says, oh, it’s time to re-authenticate, go re-authenticate, and you actually did. But that was a bad guy, and you just gave your keys to the kingdom at that time.
But again, it’s pretty common because you re-authenticate every so often as well if you’re using the cloud-based Google or Microsoft products and services.
So those are big targets out there right now.
Ninety-three percent, a number of security attacks, are spear phishing, but a little bit of education about spear phishing.
There’s several different types of phishing. Obviously, just normal email phishing; spear phishing is where they’re targeting you or your company specifically because they’ve either found security holes that they can infiltrate through email, or they have found data they want from you and they wanna hold it ransom, and they wanna make a payment out of it. Right? Or they’re just the bad guys, and your industry is a high-level target right now, like health care and law firms.
So those are the top two targets this year, and they’re going hard after them.
So there’s a lot of spear phishing targeting those kinds of things out there today. You may be the recipient of a spear phish where they’re actually targeting another company, but you’ve received an email made to look like it’s coming from a relevant company, because the bad guys are targeting one of your customers or your partners.
So in some way, shape, or form, you may be part of that spear phishing as well.
Onto the next one, please. Next slide.
So why is training so ineffective today?
It’s kinda like a shoe. Right? It’s not one size fits all, and not every shoe is comfortable for every single person out there. So you have to find what fits for your organization and for your users.
And this is why a lot of training fails today. We’re putting just very generic training out there. It isn’t applicable to us. You know, we’re using something that’s out of the box or whatever.
So we’re gonna talk about these pitfalls.
So first and foremost, let’s start with, annual training.
So if most of you are like me, I don’t remember what I ate for lunch yesterday or dinner last night.
I can’t remember who I talked to a month ago on the phone. So having had training a year ago, I surely can’t remember what I went through during that training.
So you have to repeat something ten times for somebody to pick it up. Right? So more repetitive, short training is gonna be a lot more effective than some one-hour or two-hour training that you do once a year.
It’s not relevant or engaging for that person. So you gotta make it personal. Make it something that they can not only use at work, but use that technique at home in their personal lives, or in their kids’ lives or their family lives somehow.
It is really important that they walk away with something that’s very personal to them that helps them protect their own personal information.
You will get more involvement, people really engaging, when you make it personal.
The next thing is confusion. They’re confused about the material because it’s too generic. They don’t understand it, or they don’t understand the guidelines on how to handle it. They’re not gonna go ask somebody because they don’t wanna look like they’re not smart, or they don’t want people to think they don’t know what they’re doing, or whatever the case may be. Right? So people just won’t do anything.
So they just kind of ignore the training. They’ll listen to it and just kind of go through the motions, and then they just ignore it.
It’s too lengthy or complex.
We get too technical for most people.
You have to keep it simple. Keep getting too technical or making it very convoluted, and it’s just too hard for them to understand. They just lose interest and, again, start flipping through the training as fast as they can.
And the last one is lack of incentives for completing the training. Users don’t like to be forced to do things. Nobody likes to be forced to do things. So why not make it engaging? We’re gonna talk about how to address some of these pitfalls in some upcoming slides, but punishing people all the time and, you know, just calling them out for clicking on something, or making them retake training all the time, or, you know, using them to set an example for something is just not a good practice anymore.
So there are ways we can address this, but just a lack of incentives for them to participate in this awareness and training is not helping our training situation at all.
So we’re gonna go on to the next slide and take another poll at this point.
Awesome. So what training methods are you currently using in your organization?
I suspect that a lot of people do this; you know, PowerPoints are probably it because they’re easy and they’re cheap, and, you know, people don’t really wanna invest in some of the training tools that are out there.
Other methods could be online, you know, real-time phishing exercises where you’re doing something on a quarterly or monthly basis.
I know Microsoft has it for free if you have an E5 license or the security packages. So if you’re using that kind of free training, people will utilize that more, or you’re having a third party doing various training methods, whether they’re videos and you’re having to take a little test and things like that. So there’s various types of training that are out there. So let’s see what the results are on this.
Obviously, so maybe a lot of people out there, if you’re using Microsoft software, have discovered the free real-time phishing training, which is kinda fun. It’s something our organization uses, and I find it very effective.
PowerPoint slides. A lot of people still are using PowerPoint. Again, people’s budgets are really tight, and so people are trying to find the most effective, cost-efficient ways to train. But sometimes that cost efficiency could cost you a security event that you really don’t wanna have to go call your cyber insurance on.
Alright. Let’s move on to the next slide, please.
So what are the four things? This is simple, guys, and I really wanted to keep this simple, because I think it’s important that there are four things you can do to really make your security training effective.
You want it to be specific, obtainable, and frequent. Right? And so those four things are: being brief, right, making sure you’re getting to the point, and understandable.
One of the things I kid a lot with my kids about is, you know, hey, the average fifth grader could do this. Right? And they laugh about it, but they know what I mean: keep it simple, keep it where people at any age or any profession can understand. You have people in finance.
You have people in HR. You have people in IT. You don’t wanna make it too techie, yet you don’t wanna make it, you know, too busy. So you’ve gotta find that happy medium across and just make it understandable.
Frequent training is a must. I know some people are doing it at a minimum once a year, but you really should be doing it monthly at minimum. Sometimes, especially if there’s zero-days out there, you need to launch some immediate training or immediate notification type stuff for your users on what to look for. So sometimes it could be two or three times a month,
depending upon what is out in the wild. So you definitely wanna make sure you’re doing more frequent training to make sure that you’re keeping your users aware of the different things that are out there, and that repetitiveness helps them remember when they start thinking about it: oh, yeah, I know what to look for on this kind of email, or I know what to look for in the header of the email.
Focused, targeted at your industry, and specific rather than a generic topic. I mentioned earlier the Microsoft products; you know, hit the real-time stuff that’s hitting your industry, like health care, and use those Microsoft products for your training to say, hey, these are the kinds of things the bad guys are going after. And so we really want you to focus: just because it says authenticate, if you just authenticated an hour ago and you know our systems aren’t set up to do that, you should stop and ask yourself why it’s asking me to authenticate again. Maybe this is not right.
So make it focused, targeted, and specific, and keep it simple, brief, and understandable to that point.
And we talked a little bit about reinforcement. I’m not saying don’t reinforce. What I’m saying is you need to reward as well. Reward is just as important as reinforcement.
So if that certain person keeps clicking on the link, yes, you gotta keep sending them to training. But you also need to recognize those individuals that are actually reporting things, especially the stuff that’s real and that’s actually keeping your company out of trouble. And you can do very simple things with the rewards part of it. You know, if you’ve got some kind of company points program that they can gain points in, you can do it. We’ll talk a little bit more about this in an upcoming slide, but the reinforcement and the reward need to balance each other. And hopefully you’re gonna start rewarding more than you’re reinforcing in the longer term.
So let’s take one more poll question.
What recommendation would you suggest to incentivize users?
So there’s a lot of things you can do by encouraging, you know, secure practices with incentives and rewards.
You do it through some kind of employee recognition program, whether it’s, you know, in town halls; we’ll talk a little bit about that.
And then there’s other things that you can do. You can offer different types of training options to accommodate those, to try to figure out which shoe they want to wear. And I say that because people learn differently. Not everybody learns from a PowerPoint file. Some people like to read PowerPoint slides. Some people would rather sit and watch a video. There’s different types of recommendations you could take back. And no, videos aren’t that hard to make, and they’re quick and easy to hit those brief, focused points, things like that, and having a lot of little quick snippets that they could just go watch and do pretty frequently.
So let’s see what we’ve got out there for some of the polls. Right. So encouraging secure practices, absolutely.
Again, I’ll talk a little bit more about that and what we’re starting to do in our program; employee recognition, absolutely.
Not only employee recognition, but making sure that leadership is doing that employee recognition. That’s what’s really important.
Offering multiple training options. Again, finding the shoe that fits your users, and maybe you have different types of training for different people, and let them pick the kind of training they want to come and do. You wanna watch two videos on a monthly basis, or, you know, wanna read the PowerPoint on a monthly basis? What would you like to do? Or do you need us just sending notes every time?
So let’s flip over to the next slide, please.
So, best practices. Let’s talk a little bit about what you could do in your organization, what some of the best practices are, and these are some of the things that we are also doing in our organization. So I’d love to share these things with you guys. So, phishing exercises on a monthly basis.
We do them every month, and I make them very, very hard. So hard that, you know, we have a few people who fail them, and they call me and go, I can’t believe I failed for that. But it was really hard. We put one change in the email to make it look different.
And if you’re not really paying attention, it will catch people. We’re not doing it to, you know, reinforce or make people take repetitive training. What we’re trying to do is say, these bad guys are really, really making things hard for you to recognize, and we want to train you how to recognize it. So, reward these guys in these phishing exercises: have a drawing, you know, for everybody that reports for that monthly exercise; have a drawing of ten people, maybe, and give them some kind of points
that they can, you know, get recognized for.
So that’s a great way to do it. And also, you know, have the team, if you guys have town halls or whatever, you can have them talk about how they caught that particular one. Right? Bring them to the table and let them talk to their peers.
People learn from each other, and I think sometimes if people say, hey, this is what happened to me, and this is what I did to prevent it, people will tend to gravitate to that kind of information. They hang on to that from a learning perspective.
One of the things that we’re looking at implementing, and that we’re starting to implement, is gonna be offering incentives to users for reporting an actual real type of ransomware. So if they say, hey, I got this email, and they report it immediately to our security operations center, and it’s like, this is ransomware, we’ve just blocked everything, and we’ve taken it down, blah blah blah, and nobody clicked or anything. They just probably prevented, you know, several millions of dollars of dealing with cybersecurity insurance and things like that. So we really wanna recognize those people with some kind of a spot bonus and, you know, maybe bring them to our company town hall and have some big recognition around that. That goes a long way with people, and people are gonna remember those kinds of things because that one person reported it. Right?
The other thing is to, you know, organize lunch-and-learns or town halls to share some of the experiences that some of the users may have been up against, where I actually did click, but I picked up the phone and I called immediately, and we caught it in time; luckily nothing happened, but this is what I experienced. Right? And it was really scary for me, but I knew exactly what I needed to go do to stop it. That’s really important, and people will come talk about that kind of stuff.
Getting your users involved is really, really important; encourage your users to recommend topics. Right? Like, what is it you wanna hear about? We do some lunch-and-learns here once a month, and some of it’s around security training, and we’ll offer a couple of quick things that say, hey, we’re gonna be teaching you guys how to look for this kind of stuff. But we’d also like for you to bring us topics so that we can also address those in those lunch-and-learns.
That has become very effective for us, and we find that they have lots of curious questions about, well, how would I handle this, or how do I handle that? And so then we make little quick videos, and we put them out in our training vault for people to go look at at any given time. So it’s always interesting to get those, and some of theirs may be personal experiences that they could experience at home, but it may also be applicable at work. So we wanna help educate them as well for those types of things.
We talked about getting the users involved a little more. One of the things we’ve talked about is having them help build, like, a security logo contest for a newsletter or whatever. Or also, during cybersecurity month, have users participate in lunch-and-learns, and have them come speak about certain security things that they experience within their department.
It’s very exciting to get them involved in security awareness month in October. And bringing the users to the table, I find that very effective too, and leadership accountability.
Probably, though, one of the biggest things is holding the leaders accountable, but also having the leaders hold their individuals accountable and measuring people on it. Right? We wanna make sure that we build them into your TRAs or your goals for the year, or however you do it for the quarter.
But we wanna make sure that there is some accountability for each and every user in our organization so that they understand how important it is for everybody to be aware. So, again, that biggest risk and vulnerability in our organization is our users, and we have to do everything possible to invest in their training, to invest in their awareness.
There are so many avenues you can do it through; it doesn’t have to be a training class every time. It doesn’t have to be once a year. There could be a weekly newsletter. There could be a background to put on their laptops or desktops, or a screensaver set to say, hey, reminder, don’t click on this, or be aware there’s the BlackCat ransomware on the loose.
So be very careful about what you’re clicking in emails. Right? There are a lot of ways to train people versus it being a formalized training that somebody has to sit down and take. It could be a pop-up when they log in every morning just to remind them of something.
That’s a quick and dirty little, you know, specific, brief, to-the-point, understandable snippet that will educate them.
So that’s kind of the end of mine. I’m gonna turn it over to Amy now to talk about compliance and securing customer information.
Thank you, Robbie. And thanks everyone for joining our webinar today. Again, if you have any questions or comments you’d like to make, please feel free to do so in the chat.
My role today is really to talk about how compliance assists in implementing effective controls for safeguarding your information from a security perspective. As we talk about it, just like the name suggests, right, frameworks provide the supporting structure that’s really needed to protect internal data against cyber threats and vulnerabilities.
You know, your organization engages in many activities like Robbie spoke about, including trainings, etcetera, but you also are gonna audit yourselves, right, and have third-party audits, right, to demonstrate compliance with your external security requirements.
You wanna really, number one, create a security framework, which is a set of policies, guidelines, and best practices designed to manage the information and security risks within your organization.
And secondly, ensure that the security framework aligns with the security program and the maturity and strategic goals of your organization, as well as external industry and regulatory standards that are set forth, such as HIPAA, ONC, and HITRUST, and we’ll talk a little bit about that. And then thirdly, you audit your internal security program, and you do that so you can determine what risks you have, right, and identify, measure, and quantify those risks, and elevate them to the C-suite to really prioritize and strategize where we’re gonna invest next year or next quarter so that we can see how we can minimize those risks.
So when we try to develop a comprehensive security framework, we really look to NIST, right, the National Institute of Standards and Technology framework. It was released back in twenty thirteen during the Obama administration, and the whole purpose of NIST was really to protect the country’s infrastructure in the United States from cyber attacks.
NIST really focuses on risks with five phases of risk. It looks at, you know, risk management under how do you identify them, protect against them, detect them, respond to them, and then, you know, recover. How do you recover after you have a security incident?
So, again, this offers technical specifications. They have a lot of recommendations and reference materials that are written, you know, for federal agencies and third-party vendors, but they can really help any type of organization, including the health care industry especially, build a reliable security program, a cybersecurity program.
And then you have your HIPAA standards. Right? They set out to give us our security requirements that we must follow in the health care industry. We could be audited by the OCR on these, any security incidents and our standards.
You know, so it’s really important that not only are we looking at what HIPAA says, but we wanna also pull in NIST and even consider HITRUST. Many of you should know what HITRUST is. It’s a private organization that really created its own compliance framework; the framework really combines multiple security measures and privacy regulations that apply to any organization that handles sensitive data, like the health care industry.
But while HITRUST helps achieve HIPAA compliance, it isn’t a replacement, and it really doesn’t prove a healthcare organization is HIPAA compliant. Right?
The company must combine multiple security and privacy regulations into the right security framework that can be used by any organization that handles the data.
It includes looking at, you wanna be looking at, federal regulations, right, federal agency rules and guidance, which comes from NIST. You wanna look at state legislation, like the California Consumer Protection Act, which we are seeing many other states develop and implement, consumer privacy acts and protections.
You wanna look at international regulation, like the GDPR, and then also industry frameworks. Right?
So it’s an all-in-one approach; HITRUST really lets organizations select the requirements for their industry, size, and systems. And then another area you can audit and use to audit yourselves is having a SOC 1 and SOC 2, getting certified, and we’ll talk a little bit about that on the next slide.
Next slide, please. So let’s talk about, before we get into some of those standards and how we can look at SOC and Hi, trust. I’d like to have you take this poll on what industry security framework certification your organization currently holds.
We at Ciox are proud to say that we actually hold multiple certifications with FedRamp sock and high trust, so it’ll be interesting to see for those of you attending today.
If you have more than one.
So, great. Forty three percent of you have the NICE certification.
High trust and then are certified in all of the above. So, it’s interesting to see not many of you follow the SOC framework. That is a really strong asset of ours that we like to focus on.
But, interesting. So let’s go to continue on. So let’s talk a little bit about the sock.
So, again, you know, we wanna unify our security department, our privacy department, our compliance, and our IT teams.
So while I hold a role in our compliance program, really on the privacy side of the house, I work very closely with our security auditor, who does security compliance under Robbie, who I’m speaking with today, as well as other people in our security department, to really establish the list of risks we have, or potential risks, in our organization.
So again, by collaborating with those individuals in the security, privacy, and IT departments, you can help minimize your risks, right, and ensure security.
You should conduct internal audits on yourselves that can help identify potential risk areas. Just in our privacy and compliance team, we have three auditors that go out and audit our operational practices within our organization as well as our business associates, so that we can ensure that we are mitigating any potential risks.
We bring those risks to our risk committee. So we’ve established a risk committee that’s led by Robbie, our CISO, and our privacy officer, Elizabeth Delahoussey, and they present those risks to our C-suite. That can really, again, give them an entire view of our organization from a risk perspective and what impacts those risks have, so that they can drive to help us eliminate and improve, so that we do not have risks that we are susceptible to. Next slide.
So I’ll talk a little bit more about SOC and a SOC audit, since many of you didn’t have that as something that your organization is currently practicing. So one of the areas of SOC that overlaps with the privacy department, and that helps with HIPAA compliance, is that they look at our regulatory policy reviews. So they’re looking at, like, data classification and retention policy.
They’ll look at our clean desk, clear screen policy. They look at all of our HIPAA policies. They make sure that our policies are reviewed annually and updated and that we have strongly documented changes. And then they’ll actually have controls around our policies, and they’ll pull that data. So for example, in my role in privacy, they will look at our breach notification or HIPAA incident sanctions policy, and they wanna make sure that we are following it to a T. So are we reporting potential incidents to our covered entities within forty-eight hours? Are all the incidents logged and tracked? Have we issued notification letters to our covered entities? Is our timeliness on those notifications in accordance with the business associate agreements that we’ve signed?
And then, obviously, they wanna look at our mitigation efforts: what corrective actions do we have in place? For example, if we have an associate that was involved in a potential incident, they receive not only corrective action but continuing education based around the incident type and the root cause. So they wanna see: was the training issued? Was it taken?
And so by meeting SOC 1 and SOC 2, we’re really demonstrating to our, you know, clients, the covered entities, that we do stand by what we say we do in our business associate agreements and with HIPAA compliance.
Another example is just a HIPAA audit. So basically, something that we do in our organization from our privacy department is we use a Six Sigma approach.
So Six Sigma is a data-driven methodology to really improve quality and eliminate defects. It was first introduced by American engineer Bill Smith back in nineteen eighty-six.
Health care organizations really can use the Six Sigma principles to improve an area such as release of information, which is what we have done. And it’s actually a handout that you’ll be able to take with you today. It’s a white paper that we’ve issued, because we’ve seen such a great impact from the use of the Six Sigma approach.
We’ve looked at, basically, you know, the goal is to aim for fewer defects per million opportunities to help you achieve a higher-quality process, right? It’s calculated by comparing those flaws or defects in the process against the number of times they occur. Right? So the importance of DPMO is really measuring process efficacy.
So, you know, you wanna look at how you determine what your DPMO is. A higher DPMO means your process is more likely to have errors, while a lower one indicates you’ve been able to mitigate the majority of those errors. So according to those principles, a highly capable process is one with fewer than three point four DPMO.
So it’s just interesting to see. Organizations striving to improve quality really should aim for this number, and we’ll see the impacts of it.
Our organization alone, since we’ve implemented this Six Sigma approach, has decreased our DPMO by over eighty-two percent since twenty twenty. So it’s been really impactful and has just driven our quality up to really a maximum level close to a hundred percent. Next slide.
So before you can really make improvements, though, you really need to determine your baseline, right, in order to take that approach. What is your current DPMO?
And then gather important pieces of data on the process, like how many times can something happen, and how many times did something happen? Right? So, for example, we identified the type of unauthorized disclosure that occurred most frequently. If you wanna identify that in your organization, then you wanna identify your most common type of UAD and start exploring specific incidents by having one-on-one conversations with the staff. So that is what we do. When we have a potential incident, we actually do a one-on-one conversation with the employees involved, and we determine what the root cause is.
So the root cause is what, when, why, and how did this error occur? And then we analyze the root cause through what influences of the program, or people, or protocols in the process may have led to that root cause. And once you’ve identified the root cause, you can really address it. Right?
So we were able to actually take that and develop improvements to our technology solutions. We’ve implemented, like, optical character recognition verify technologies that helped improve our solutions. Basically, you know, but it’s not one and done. Right? Since we’ve implemented this in twenty twenty, we’ve made over four very big technology enhancements and training enhancements to really continue to drive to a high level of quality.
This is just an example of how we monitored our own improvements. As you can see, the dotted lines coming down are when we made changes. That was our baseline, to when we determined, okay, let’s look at what is our DPMO, what is our goal, and then we continued to drive our goal down year over year. And we’ve continued to meet that goal or stay under that DPMO.
So it’s really exciting to see, and it definitely has made an impact in our organization. And we actually reward employees based on that DPMO.
So let’s go to another poll. The poll question is: SOC 2 is a compliance framework that helps organizations protect the security, confidentiality, and availability of their data. Is this true or false?
Okay. Exactly. The answer is true. You know, SOC 2 is a set of security and compliance controls that organizations such as, you know, Ciox Health have implemented to protect their data. You know, it is not a law. There’s a misconception out there, but many organizations really choose to comply with SOC 2 in order to improve their security posture and really reduce the risk of data breaches.
And our last poll question for today is: health care organizations are particularly vulnerable to phishing attacks that target their employees’ personal information. Is this true or false?
Yes. And it is true, unfortunately.
You know, many healthcare organizations, including ourselves, right, as a business associate, are very vulnerable to phishing attacks. And the real reason is because of the large amount of sensitive personal information we all hold, right? We hold it not only about our employees, such as social security numbers, you know, dates of birth, health insurance information, but also about those patients. Right? So some common phishing attacks really target our employees’ W-2 forms, health information under HIPAA, and even, you know, login credentials for systems and applications are often something that they will try to use a phishing attempt to get, so that they can gain access to your information and into your network.
So we’d really like to open this up for any questions any of you attending today may have for us. We haven’t seen any questions yet posted in the chat, but, you know, we’d be happy to take questions if you’re interested in asking or posing.
So I’m not really seeing any questions coming through, which is fine. You will see that we have offered to you that white paper. I’ll let Brent talk a little bit more about that here, and the closing of our webinar.
Yeah. So you’re gonna go to the next slide. So, again, you know, a brief survey: let everyone know if we should continue providing, like, educational resources; let us know what we’re doing. If there are any topics that you’d like to hear from us on, you know, please let us know, and we’ll be happy to, you know, provide any feedback. Those of you who have submitted questions and who will submit questions, we will follow up later on to give our feedback as well, and reach out to the SMEs on this call as well.
And here are some helpful resources. Again, we will send, you know, the entire deck to everyone on this call. So if you don’t get the deck, you know, feel free to email us, and we’ll make sure that you receive this. Next slide.
Again, thank you to everyone joining the webinar. As Amy touched on the Six Sigma process, this is something that we actually compiled together to have as a takeaway for everybody. So after the conclusion of this webinar, you will receive an email with the PDF of this presentation and the key takeaway that Amy just mentioned, and also a copy of your CEU, which will be in a separate email that you will receive. So again, if there are any other questions, feel free to reach out to us, and we’ll be more than happy to respond and redirect your question to the appropriate resource if none of us can answer it on this call today.
So thank you again for your time, and I hope you all have a good rest of the day. Thank you all for attending.