ThinkTech Hawaii, civic engagement lives here. Welcome back to the Cyber Underground. I'm Dave the Cyber Guy. This is the Cyber Underground. I'm your host, Dave Stevens. I teach with the University of Hawaii, Kapi'olani Community College. I teach ethical hacking and IT. And I'm here with our guest from the UH System, University of Hawaii System. That's the 10 campuses of the Hawaii System. That's a public university. And this is JT Ash, HIPAA Compliance Officer. How are you? You got caught up with the question. I know. Yeah. Sorry about that. Well, welcome. And let's start talking about who you are and then what you do. So who you are, you know, where'd you grow up? How'd you get educated? How'd you get into this business? Okay. Because this is kind of a weird business. Crazy business. Right? It's a crazy business. So where'd you start out? I always like to say that I'm in chapter four of my professional career once again. I did 20 years US Navy, retired. I retired as a senior chief IT specialist. So I started on the good side of the world. So I did IT and networking and help desk and all the rest of that stuff. You applied technology. Yes. All of that good old stuff. Retired. And then the old normal thing was to basically go into the federal government. So I did nine years in the federal government, different places, such as Veterans Administration, Army Intelligence. And I actually worked at a data center over at Pearl Harbor. So that was fun. I got a phone call one day where I had a financial institution downtown said they needed a chief information security officer. I said, okay, sure. Why not? What year was that? 2014 was actually when they called and it was one of those things where I went. It was supposed to be an interview, but I think three hours later after his wife interrupted us after the phone call going, you're going to come home for dinner type of thing. I said, well, you know, I'm comfortable where I'm at. It's been fun. 
Let's go have a beer one time. I was a 49er fan, so I was very happy to know the guy. And then he made me an offer that I couldn't refuse at the time. How dare he? Yeah. Then I decided to open up my own consulting business. And then I got another phone call, Garrett Yoshimi, the CIO over at the University of Hawaii, bought me a cup of coffee, which is my total weakness. You buy me a cup of coffee. Crypto night. Yeah. I usually give you anything you want. He goes, hey, we're going to start this HIPAA program. I need somebody to start it, run it, and figure it out. So let's talk about, OK, first of all, I'll get a backtrack. OK. You're a Niner fan, so you're from the Bay Area. Yes. Right, OK. Yes. East Bay. Oh. A's, Raiders, Warriors. I like the A's. Bitter rivalry, right? Yes. Yeah. So the audience knows there's a chance that people break into fighting over those two teams, right? Very, very much so. That's a bitter rivalry. Just to stay off topic and all that stuff, how do you feel about the Raiders leaving and going to Vegas? You know, good for them. Good for them. So let's go to a city that really wants them and is going to pay for a great stadium. I think they're going to put that thing up in like five years, and I love staying in Vegas. Yeah. I go there every year for DEF CON and Black Hat. So awesome. Awesome. I like it. What do you think about them going down there? I was a really big Raiders fan back in the early 80s when there was Kenny Stabler, Dave Casper, and all the rest of those guys. They broke my heart when they went to LA and after that I ran across the bay to the 49ers when they had Jim Plunkett and O.J. Simpson before the days of Joe Montana. You just went with the action one. Hey, once again, when the 49ers went to my hometown of Santa Clara, California and put their business there and now there's stadiums there, I've been to Levi's Stadium, the 49ers were where my heart is. Sounds like you fell in love. I did. Joe Montana is the best. 
Hopefully it's going to be beautiful in Vegas. Yeah. It's going to be a great game after we do the conference or something and we'll hit it up and we'll tell our audience, hey, the Raiders are cool here. Of course. It looks like it's going to be a beautiful stadium. Yeah, let's get back on topic. So Garrett Yoshimi hires you for the UH system to do HIPAA compliance. Let's talk about HIPAA, Health Insurance Portability and Accountability Act. When did it come about? Why is it important? Okay. How does it do anything with cyber? Well, actually, it came back in the mid-1990s, HIPAA came around and it was for health insurance portability. So a lot of people think that it's about health information and health information. It kind of morphed because the security rule for the electronic portion of it didn't come around until 2005. And breach notification, I think it was about a couple of years later, I think 2013. So once again, it was always about the privacy rule from like 1996 or 2007 to 2005. It was about protecting the rights of the patients to control their information. And if they were going to go from job to job, they were able to take their health insurance for them. So once again, a big thing about HIPAA is about insurance and insurance companies. Okay. So how does that have to do with cyber? Okay. So there's three rules when you're talking about HIPAA. There's a privacy rule. There's a security rule and there's a breach notification. Security rule is when you have electronics. And everything nowadays, you don't have paper. You have electronics. So if you're sitting there and looking about cyber, there's a certain what we call admin technical and physical safeguards that you have to do in the security rule. And once again, with the push for electronic health care and health care records, that seems to have morphed into a more important rule when it comes to HIPAA. When I read the HIPAA rules, I think it's, you know, my read is it's almost all access control. 
I would say yes, because once again, if you're talking about a privacy, because the privacy rule is actually about access, consent, authorization. And once again, if you're looking at that, I could understand you don't want people to see your particular health care record or anything like that. But it also has to do with access. Once again, on the black market, a social security number is about worth a dime. A credit card is worth about 25 cents. An electronic health record can be up between $300 and $1,000 per record. So two real reasons for that. One, heaven forbid you have something that's really embarrassing in your past or whatever it may be. So yeah, you wouldn't want somebody to sit there and say, okay, you had an STD or whatever it might be. But I think second and most important, it's what really drives me is, say you were diagnosed with cancer or something like that and you were getting ready and you were working with your oncologist, go over your protocol and they said, hey, we've talked to your insurance company and we can't cover you for this because you've already had this particular coverage and you know you haven't. So once again, the black market for people taking care of benefits and getting benefits and getting medicines and whatever it may be. So consider yourself if you're sitting there and having to fight a terminal illness or whatever it may be and then actually have to fight an insurance company to get the coverage you need. I mean to me that is just overwhelming to sit there and see when you're at your weakest, I'm taking advantage of you. That's terrible. Yeah. So you came aboard as a HIPAA compliance officer for the University of Hawaii. Now let's see how HIPAA relates to the University of Hawaii. This is where, okay, HIPAA, it pertains to two basic people. You've got to either be a covered entity, covered component underneath our system or a business associate. 
So there's two ways you can have to get the HIPAA obligations, one by policy and one by contract. By policy, you have to be one of three things. You have to be a health care provider, a doctor, a dentist, a nurse, a chiropractor or whatever it may be, but you also have to charge. So once again, if you are a doctor or a dentist and you're not charging through HIPAA, then once again you'd still have health information, but you wouldn't be covered underneath HIPAA. Same thing for a health plan and a health clearinghouse. Well that's interesting now. So that sparks my mind. Free clinics? Yes. Don't fall under HIPAA? No, they don't. So that's scary. People go to free clinics and they do want confidential information, but they're not secured through HIPAA. But I hear you, but I understand we also have regulations here at the University of Hawaii, even though you have state privacy laws that will actually cover that. So once again, regardless of if you're covered with HIPAA, there are still data protection requirements from the University of Hawaii to protect health information that might not be covered underneath HIPAA. But statewide you're saying there's also protection, so other than the University of Hawaii, a free clinic would still be required to keep those records private. Very much so. Well thank God. There might be people that don't seek health treatment because they think their records might be shared. There's a big concern now I've read, and I'm not going to tell you where, because we read stuff that not a lot of other people read, but there's a concern out there that the health information can be used by businesses to exclude you from things, charge you more for things or to sell you things. 
So for instance, if you worked at, I don't know, a construction company or a bank, and the health insurance provider got a hold of all those records for all your employees while you're negotiating your medical rates, they can say, well, look, I got not only do I have all your health records, but I also have Amazon shopping records that indicates that 25% of your employees that shop on Amazon buy plus-sized clothing. We think you're a diabetes risk. We're not going to sell you diabetes medication. Well, I hear what you're saying, but the HIPAA privacy rule does prevent you from sharing it for certain purposes, and I think that would be actually one of those purposes that they would either have to have your authorization or consent to do. So once again, just like if you're sitting there and having a Fitbit or whatever, maybe if you're sitting there and getting a free Fitbit to provide people your medical information, you have to sit there and do the cost-benefit analysis. If this is going to make me healthy, I'm willing to give them my medical information. Now, they can share it for research purposes, but they have to anonymize the data. Is that right? There are certain different ways that you can do it. Anonymizing, or we call it de-identifying information, which is basically, we have 18 personal identifiers that you use in HIPAA. Oh, you know exactly how many there are. I know they are, and once again, I won't sit there. And bore you with the numbers, but once again, there's two ways to actually de-identify information and to make that available for research. But understand, people can use medical information for research if you give them consent to do it. This is basically if you de-identify information, that's basically like say if you're going to do a research with about a million patients. It might not behoove you to sit there and go and get permission from a million people. 
So you actually de-identify the information where you don't have to get authorization or consent to actually get the information. But there's still enough information in there to have a good population for a decent study. Of course. But no problem to identify with. Actually, I'm in favor of that because most of the research that I see, just reading, you know, just health news, I usually drill down to see what the study was like and the populations of the studies are beneath 10,000 subjects always. And I don't think that's a huge population. That's enough to justify further research, maybe, from a statistical standpoint. But some of these research projects were done with 150 to 2,500 people. That's nothing. Nothing. And so it's good to hear that we can get sample populations of one or two million people and drill down to gender, race, and other different factors without fishing out that person. Yes. And 18 different things. Can you give us an example of the name? I think email is actually one of them. Oh yeah, that would be identifiable. The vehicle ID number is one of them. Well, sure, you could cross-reference. Yes. Yeah. So that is actually one of them. I think if you have a URL to a homepage or something like that, I think that's another one of them. But name, address, date of birth, all of those particular things. Yeah. So if somebody's health profile was identifiable like in a study, but they left in the state, would that be a risk? Because that could help with the research, right? That could help with the research in a study. I think anything below this state is actually unidentifiable. But once again, you have to look at your population. If you only have one under five-foot Tongan, then once again, you could easily figure out what it was. Yes. Well, once again, I'm trying to give you an example. Right, right. I would hope that someday we'd have a way to de-anonymize the data and de-identify people so that we could study cities. 
For instance, the population in and around Three Mile Island would be one or in and around Baton Rouge or anywhere in Louisiana that was hit by the hurricane or Houston. How about in California when they were sitting there and doing the things with the PG&E? That would be great. Thankfully, they got a water sample from the property, though, and that's what did in PG&E. Hopefully, that's not still happening, but something tells me we're still going to deal with that in the future. There's just money talks, right? Yes, very much so. Money removes morals, unfortunately. So let's talk about, good. That's a great thing to talk about, money ethics HIPAA. Connect the dots for us in the academic world and what you deal with. The wonderful thing about HIPAA at the University of Hawaii is what is called a hybrid entity, which means that we have the College of Education, the College of Engineering. They don't have to comply to HIPAA because, once again, they don't have to deal with health information. So we actually have designated entities that are actually HIPAA-covered and that have to comply with it. We currently have about 10 of them. So once again, not everybody in the university, a couple of people in college, there are certain people over there. Oh, we have a nursing program. You have a nursing program and they might have health information, but they're not charging people for it and putting in insurance claims so they're not covered underneath HIPAA. That's not HIPAA. Yes. Okay, let's talk more about that. We're going to take a break and pay some bills. We'll be right back. Till then, stay safe. Hello, I'm Yukari Kunisue. I'm your host of New Japanese Language Show on Think Tech Hawaii, called Konnichiwa Hawaii, broadcasting live every other Monday at 2 p.m. Please join us where we discuss important and useful information for the Japanese language community in Hawaii. The show will be all in Japanese. Hope you can join us every other Monday at 2 p.m. Aloha. 
I'm Jay Fidel, Think Tech. Think Tech loves energy. I'm the host of Mina, Marco and Me, which is Mina Morita, former chair of the PUC, former legislator and energy dynamics, a consulting organization in energy. Marco Mangelsdorf is the CEO of ProVision Solar in Hilo. Every two weeks, we talk about energy, everything about energy. Come around and watch us. We're on at noon on Mondays every two weeks on Think Tech. Aloha. Welcome back to the second half of the show. This is the Cyber Underground. I'm your host, Dave the Cyber Guy. And my guest is JT Ash, HIPAA Compliance Officer from the UH System or University of Hawaii System. And we were talking about connect the dots, money, HIPAA Compliance, let's add management to this. Yes. And so you were talking about all the entities that are in your hybrid organization. Certain ones do not fall under HIPAA Compliance, right? So let's talk about the ones that do and how do you handle that? We actually have a program, we actually have HIPAA coordinators that we work with. We work with them to make sure that they have all of the compliance issues in place. We've actually gone out and bought them templates to work on their policies and procedures and try to provide as much support that we've had. We visited every nook and cranny so far in the first year I've been here. And once again, when we go out to the different clinics, the first day we don't even talk about HIPAA, we don't even talk about IT, we talk about business processes. We talk about when a new student comes in to get checked out by you, what information do you take from, how do you take the information? Where do you put it? What do you process it? Where do you store it? Well that's critical. In any security organization, it's not the encryption, it's not the VPN. It's the process by where you employed it, which might have cracks in the armor, right? You wanna look for those kinks in the armor. So the first thing you're gonna do is, how do you do business? 
So that's a good thing, you're going out there, just show me how you do things, right? Very much so. And once again, it's actually had a good effect on, we sit there and we look at business processes and we actually go, hmm, maybe we should do this a little better, faster or whatever it may be. So we've actually had some second order of effects out of that that have been pretty good. Well that's a great secondary effect, right? That's a side effect of more efficiency, good on ya. But that's one of the things where you're sitting there and HIPAA is an IT and business, they all have to work together. Once again, we're all here because we're trying to educate a population and do that. So once again, that's the business and the mission that we have here. So that's a tough one, isn't it? Trying to get those siloed organizations to work across boundaries and to play as a team. Did you have any difficulties with that? It's trying to have a conversation with those entities and have them understand that we're here to help them, whether it's IT, whether it's cyber. So once again, IT and cyber risk is business risk and it's all about the business and how they are supposed to do work. So once again, the IT will hopefully make their lives a little easier. Once again, cyber will make that a little more secure. So once again, you're working all together as a team to where business have different objectives in cyber. It's always gonna be a fight because once again, if you sit there and put more stringent controls on it, it's gonna be more difficult for the business and there's gotta be a... There's a balance. Yes, yeah, there's gotta be a balance. But it's all about the risk, right? What's the acceptable level of risk? You've got laws to comply with and then after that, you've got other risks that you have to mitigate and then just stuff happens all the time. 
You have to adjust your scope based on the current affairs, current political climate, what kind of a target your institution is, right? That's one of the things I tell my students frequently is when you're building a security plan, be sure you're aware of current events. You are in current events, whether you like it or not, and the bigger your organization is, the bigger footprint you have in current events. If you're a bank, North Korea is a concern, right? Because every time we put another sanction on them, they need money, what do they do? They go out, they hack the banks, they got the SWIFT system, and they got what, $80 million before we shut them down? I think it was more than that. Was it really? Yeah, I think it was about 270 million. Oh my. Before someone said, hmm, that's odd. Yep, yep, yep, I understand you. So you gotta be aware, so as an academic institution, you have a risk model based on threat modeling that you did and what's our risk analysis, right? But when you put all these pieces together, that's how you sell it, isn't it? We've got a certain amount of risk, we have to mitigate it, but we can't slow you down. Very, very much so, and the big thing that I always like to stress is, we have to get beyond fear, uncertainty, and doubt. Can you? I believe you can, I definitely believe you can. That's a noble goal. Well, let me ask you a question, have you heard of this before? You go walking in the woods with a bunch of friends and you come on a bear. You just gotta be faster than the guy next to you, right? And I've heard that before, I've actually used that before, but when you sit there and you actually break that down, that's a bear fallacy, because once again, if you come upon a bear, if I come upon a bear in the woods, I wanna be scared. And so once again, I'm gonna be fearful and all that stuff. 
If I only have to be faster than the slowest person with me, that's under the impression that I think we're gonna be all running in the same direction, or the bear might not be hungry or whatever it be. There's only so many things there, there's so many uncertainties and doubts that you have. But if you get beyond that and actually can provide the business folks with a business related money, dollars and cents, risk assessment, a quantitative risk assessment, I think you can get past the fear uncertainty doubt. And I think the business people are ready to have that conversation. So let's talk about quantitative versus qualitative data. And there's audience members here in the cheap seats. So let's explain, quantitative is numbers. Solid numbers that you gather, this is actual data that you can analyze, you can crunch the numbers, you can come up with statistical models, right? Qualitative, a little bit fuzzier. It's opinions, it's the feelings of the crowd. But you have to combine the two somehow into a reasonable model to assess the current situation, right? So when you go out and you say you need quantitative data, what kind of numbers do you gather and do you gather qualitative data as well? I think there's always gonna be qualitative involved, but what I can tell you this, and that's probably another show that we need to have about quantitative risk assessments. What I can tell you is that if you're not, if you're gonna go into a boardroom, if you're gonna go into the Board of Regents or whatever it may be, if you don't talk to them about dollars and cents, if you start talking to them about threats and vulnerabilities, they're not gonna hear you. If you sit there and you tell them, hey, this particular application supports this particular business process, this process brings us $250,000 a month. If we actually put in this control, which is about $20,000 a year, we will reduce the risk 78%. 
If you can sit there and have that conversation with them, fear, uncertainty, and doubt, go out the window. They stick to the numbers. Yes, stick to the numbers, because once again, when you walk into that boardroom, when you walk into those people who actually control the risk, control, own the risk, you usually can get what you need. You use a lot of pictures and graphics because I know the board members I talk to, three seconds in there, they're like, squirrel. Yes, definitely. I've had those people, but once again, when you start saying, hey, you have a million dollar exposure by having this out here, ears perk up. Once again, when you sit there and I've had it both ways, when you go, okay, we just got a finding on an audit and the audit committee is really upset about it, but when you actually sit there and break it down to numbers, this is only actually a $20,000 exposure. Oh, we have a cybersecurity insurance plan worth $50,000. You good with accepting it kind of thing? It's bean counting at that point. It's always bean counting. Everything's about bean counting, you know that. Well, let's talk about, this has been your first year, right? So I know organizations out there that have to be HIPAA compliant or SOX compliant or they have to do a PCI compliance or they have to do a NIST or something like that. When you go out, say next year, you're gonna have to audit yourself. You're gonna have to perform an organizational analysis to see, did I do my job? Are there gaps? How do I fill my gaps? And when I fill my gaps, when am I gonna pay for that filling of the gap, right? Is it in this month's budget or is it next quarter? And when can I buy that firewall that I've needed for so long? First of all, how do you do the audit? Actually, the Health and Human Services and the Office of Civil Rights actually provides you an audit. So once again, you can actually read to the test type of thing. Get out of here. That's my tax dollars at work. 
Hey, it actually works really, really good. But if you- Good job, Hawaii. Good job. If you sit there and you think about it, we're actually going through an annual report for the first time and we're gonna actually provide this to the council of chancellors. And we're gonna sit there and have a conversation with different stuff like UH policy, where we're exactly at with the UH policy, how we are on our self-assessments and where we think we are in that particular process, how our corrective action plans are, how many incidents or breaches that we have. So once again, having that conversation to make the upper management aware that this is actually an issue here at the university. Now, you've brought up some interesting statistics that you've brought to that conversation, right? How many breaches we've had and so forth. So you do need to talk with IT and the cyber guys to find out what their IDS, IPS logs say. And you need some log analysis. You need some data analytics and all that doesn't come cheap. All that doesn't come cheap and actually that's one of the most expensive things that people have a hard time with because it is so expensive. But once again, just like the NIST cyber framework, identify, protect, detect, respond, recover, it's kind of like a rolling framework. First you have to identify, then you have to protect the protections and if you don't have any detections, once again, having zero breaches for a year doesn't mean that you're actually doing your job. If you're not looking. I've actually had conversations with health and human service auditors and they love the conversation. Oh, we haven't had a breach in three years. And their first question is, how do you know? How do you know? And the look on most people's faces. Oh, I don't know. Good question. And then we started having this conversation with, has anybody ever emailed a record to the wrong person? Has anybody faxed a record to the wrong person? 
Has anybody, can you show me your firewall logs to see if you had any intrusions that you're concerned about? Now this happens in software development all the time because I was in software development for 20 years. And even in the most secure situations, there's always someone that says, from another vendor, hey, via email, I need some sample data. Sure, here's a spreadsheet of some sample and it's real people and real information. And we just sent it open over the email and then you have to have the conversation and you know, it's not encrypted, it's not secured, it's over, you know, port, you know, whatever you're sending over through the firewall, but it's open. And we're not encrypting or securing that email. SMTP, port 25 probably. Is that the one that's encrypted? SMTP? Is it? Oh, okay, sure. I don't know my ports and protocols, you just caught me. Yeah, sorry. I need to go back and review, it's been a while. Shoot, yeah. And so, but that actually goes into the framework that you're talking about. Once again, and once you have the detection, breaches are gonna happen and once again, you have to understand and you have to accept that particular fact that somebody's gonna, you know, I believe that everybody goes to work every day wanting to do the right things. Sure. But as long as you have people and as long as you have processes and mistakes are gonna happen. Well, you're a human. Yeah, you just have to have processes in place such as, okay, if I do this, what is my response? Who do I need to contact? What do I need to do? Is it like above 500 records? Cause if it's above 500 records then you're a HIPAA person. Oh, it sounds like you have to make this whole plan. There is an incident response plan and that's actually one of the safeguards that you have to put in place. But once again, if you have the detection in place and you have the response in place and you have your disaster recovery, you can actually... Follow the book. Yes. What a novel concept. 
This has been a great episode. Thanks for coming. We're out of time and sir, I hope to see you back. Let's have those episodes you say we need. I would love to have episodes about quantitative risk assessments. It's one of my favorite topics. How about incident response? That's another one I have out there. That'd be fantastic. Okay, thank you. You're a great guest. Thanks everybody for joining us. This is Cyber Underground. We'll be back next week with another great episode. Until then, stay safe.