Posted By Paubox, Inc. on 04/09/2020

HIPAA Critical: Episode 12 | Zoom Security, COVID-19 Spear Phishing Attacks, Medical Supply Chain Solutions, an Interview with Jason Seidel

This week we chat about the impact of COVID-19 on mental health, telework, communication, medical supplies and if Zoom is safe to use. Plus an interview with Jason Seidel, Director of The Colorado Center For Clinical Excellence on measuring outcomes to improve mental health.

Rather read?

Here’s the full transcript of this episode.

Olena Heu: Welcome to another edition of the HIPAA Critical Podcast. Joining me, Chief Operating Officer of Paubox is Rick Kuwahara.

Rick Kuwahara: Hi, Olena, great to be back again.

Olena: Thank you and of course we wanna thank all of our listeners for subscribing and tuning in each week. We’ve got a lot going on and ironically, we’re gonna talk about Zoom and what’s happening with them in terms of privacy and security.

Rick: Yeah. So, Zoom had good and bad… a lot of growth due to what’s happening with the coronavirus as more and more people are going remote, they need a way to communicate with each other. And Zoom has been a beneficiary of that move to more remote work.

So, Zoom if you haven’t heard, is a web video conferencing platform and they have added about 200 million active users. They’ve reached that benchmark in March, which was more than they’ve had in the past year. So they had a lot of tremendous growth really fast and they weren’t quite ready for that growth.

So there has been a lot of stuff in the news lately about security and privacy concerns around Zoom, especially since a lot of hackers are focusing on it now. So, Zoom announced last week that they’re going to halt any feature development for 90 days so that they can improve their privacy and security.

Olena: Excellent.

Rick: Yeah. It’s good for them to focus on. They found that when they had all these new users, they’re using Zoom in different ways than they intended. So that was bringing to light new privacy and security concerns that they weren’t aware of.

Olena: Not gonna lie, my family has been utilizing Zoom once a week to keep in touch. And just this morning, one of the cousins sent out a report about the FBI urging people to use caution and talking about hackers. And so, it was pretty interesting, and then the discussion thereafter was like, “What do we do?” And then I think we just decided to continue to use Zoom.

Rick: Zoom is still a safe platform. Even a couple of the vulnerabilities that were made public last week, one of them required a hacker to have physical access to your computer, which is not likely to happen.

A lot of the other security and privacy concerns are really settings related.

Zoom is really easy to use but unless you actually look through how to set it up and secure everything out of the box, it could have some vulnerabilities. So they weren’t quite ready for the casual user to come in and try to use Zoom.

So a lot of their default settings weren’t set for maximum security. One simple thing for example is if you’re hosting a web conference with a lot of users that… You make sure that only the moderator has certain admin rights like controlling who can share the screen by default, controlling who can moderate the chat, that there’s a chat option, so that people aren’t dropping in malicious links.

And there’s a setting also that people weren’t aware of, that if you boot someone out of a conference that you can actually have a setting there to make it so that they can’t rejoin later, because some people are finding that there are people who are Zoom bombing a meeting and they’d kick them out, but they just come right back in.

Olena: Yeah, that’s been a buzz word, Zoom bombing. [chuckle]

Rick: But there’s things that are… There are settings in Zoom to prevent all these things. It’s just that it’s not necessarily easy to know how to do it. All tech platforms can have vulnerabilities but they all can be shored up usually.

For example, Amazon Web Services, AWS, a lot of people use it, but it’s really easy to configure wrong and have a lot of security gaps in it and it’s not necessarily that AWS isn’t secure, it’s just that you have to make sure you set it up in the right way.

So, Zoom can still be a secure platform. You just gotta really learn it to understand how to make it as secure as possible. And then Zoom on their side, as these vulnerabilities do pop up that are within the code, and not something that users can control, that they do fix them quickly and timely, which it seems like they have been doing.

And I think that with this focus on privacy and security, it’ll be a good thing for all users, because it is a good product. We use it at Paubox. And again, it’s just going back to understanding the settings and how to make everything as secure as possible.

Olena: Definitely. My cousin was saying, she signed up for it and then thereafter, she kept getting notifications of someone in Vietnam trying to hack into her email. And I was thinking, “I don’t think that was associated with Zoom at all. That was probably some other thing where she inputted her email,” but I didn’t know what to say…

Rick: Yeah, probably.

Olena: ‘Cause I didn’t wanna be mean about it.

Rick: Yeah, it goes with a lot of things. A lot of people download something new. You don’t remember about all the other 10 things that you’ve downloaded at the same time or websites you visited. Yeah, just always being safe, being cautious and making sure that…

Olena: And check your settings.

Rick: You have Zoom set up. Yeah, just exactly. Check your settings. Learn how to use the tool.

Olena: Excellent, great advice. And as we continue to work from home and stay at home because of COVID-19, we have something in the news that’s in response to the COVID-19 pandemic, as well.

Rick: Right. So the Office of Civil Rights, who does a lot of the enforcement of HIPAA regulations, they issued a notice last week where they were going to have enforcement discretion for business associates during the pandemic.

So what this means is business associates, for people who don’t know, are companies and organizations that help covered entities conduct their business.

For example if you are hosting data in the cloud, like on AWS like we had talked about, Amazon then becomes a business associate of that hospital. So what this discretion… What this notification of enforcement discretion does is it’s making it a little bit easier for business associates to operate in good faith to disclose and use PHI if it’s for the public health and health oversight activities for the pandemic.

So try to make it in simple words, it’s kind of like during this emergency, if FEMA comes over and says, “Hey, all these people who are affected here, we need to know how many people are affected and all the statistical information.”

If there’s a business associate who is helping run that data, that they can then disclose that quickly without having to worry about HIPAA regulations. Is this covered, is this okay, or is it not? And which could slow down treatment of patients and quickly helping these organizations, government organizations really make quicker and faster decisions.

So that goes to agencies like the CDC, the Centers for Medicare and Medicaid. There’s a lot of these oversight agencies that are trying to make decisions as best they can with as much data as they can.

So this rule is really to help those business associates kinda help give the data as fast as they can without having to worry too much about, is this covered under HIPAA or not? Is this a violation or not?

Olena: Excellent, it helps expedite data and information that can be used to help us.

Rick: Right. So for the vast majority of business associates, this notification really doesn’t apply to them. Like for Paubox, we’re a business associate for our customers and clients. It’s business as usual for us.

Olena: Okay, excellent, and what other kinda news headlines do you have for us?

Rick: Well, an interesting one that’s been coming up. As we know there’s been a lot of phishing attacks lately because of COVID with hackers trying to take advantage of it. One that came to light recently was a phishing campaign that was pretending to come from the World Health Organization.

So hackers would send these out and pretend that, “Hey, these are some new points about infection control, and best recommendations as put out by the World Health Organization.”

They put an attachment on that email so if you actually click on the attachment, it actually downloads a piece of malware called LokiBot, which is an info stealer and it basically goes into your system, and it can pull out your passwords, even passwords on your browser, and just take that information which can then be used against you, or sold on the dark web.

Olena: Unreal. And so is spear phishing different from regular phishing? Is it more targeted?

Rick: Yeah, spear phishing is more targeted. It’s not necessarily like your spam email from a Nigerian prince. It’s really more targeted and usually more sophisticated.

And so in this case trying to pretend that it’s coming from the World Health Organization. And it really is… They’re probably picking what companies they’re trying to send this to and targeting, for example they could be targeting different departments within the organization.

So just something to keep an eye out on and remaining diligent as far as making sure that you read the emails. Because this particular attack did have grammatical errors that would have kinda raised a red flag if you read it carefully. So make sure that you’re reading it and you’re being aware of what you’re downloading and clicking on.

Olena: And also be aware of people who are forwarding this to you because they didn’t read it, and they think it’s valuable as well.

Rick: Right. Yeah, you always wanna be diligent for yourself and don’t just assume something is safe just ’cause it was forwarded to you.

Olena: Thank you, Rick. Well on each episode of the HIPAA Critical podcast, we focus on the latest news headlines and then transition over to who’s winning and who’s failing. And so now, who is winning this week?

Rick: So for winners this week, we have a great collaboration that’s coming to help a lot of healthcare providers get the critical medical supplies that they need.

As we know in the news, a lot of providers and people on the front line are just running low on supplies and it’s really urgent that they get the medical supplies they need in order to triage and treat everyone.

So Premier and Resilinc launched an online exchange to track medical supplies during the crisis. It’s a cloud-based platform and it was developed in collaboration with Stanford Medicine, and it basically it lets hospitals submit requests for specific items and then be matched with other organizations who can provide them.

So Resilinc is a supply chain mapping and disruption monitoring service. So they specialize in these type of exchanges and they teamed up with Stanford Medicine and Premier, and they call this platform the Exchange.

It’s going to let hospitals and frontline healthcare providers to submit requests for the items that they need so that other organizations can come in and provide those supplies. So hopefully it can really expedite the communication between saying, “Hey I need this. Who can help provide it?” And just link that supply and demand better and get supplies faster to those organizations who need it the most.

Olena: Fantastic. That is brilliant.

Rick: Yeah, it’s really exciting, it’s great that is happening so fast and that there are a lot of companies and individuals really as well coming together to try and solve this growing need that we’re seeing of providers really needing critical supplies to deliver care during all the craziness with coronavirus.

Olena: Wonderful. Well, that is definitely hands-down a winner.

Rick: Yeah.

Olena: And who would you say is a failure?

Rick: This week we’re looking at the Otis R Bowen Center For Human Services where they actually notified that they had an email security breach that affected over 35,000 patients.

So this is an Indiana-based provider and they said that they had unauthorized individuals gain access to email accounts of two of their employees.

We’re not really sure how the email breaches happened and there’s not a lot of detail yet as far as what’s been accessed. We just know that it’s over 35,000 individuals, and that it was revealed that the hack happened around late January this year, and that PHI could have been accessed as a result.

So they had to report this to the OCR, and they’re currently reviewing as far as how many people are affected.

They’re going to notify each individual and also help with any credit monitoring and identity theft protection services. So yeah, again, we just talked about phishing earlier in the show and there is… You can guess, 90% of the time a breach like this, probably was also a phishing attack.

Olena: For sure. But they’re also saying that there isn’t any evidence that the PHI has been misused or anything yet.

Rick: Yeah, not yet, but again, you don’t really know until… You don’t know if that gets sold somewhere and maybe then attack on those people or identity thefts happen on that. It could happen months from now, right? People could just be buying up the data and just not using it yet.

So we don’t know. It’s really good that they are offering the complimentary credit monitoring and identity theft protection, because really that’s the only way to make sure that any PHI that was stolen doesn’t get actually used or if it does get used that you as the consumer are protected and can know right away when it happens so that you can take steps to kind of address it.

Olena: Excellent. Well thank you so much Rick. And you also have been pretty busy.

You also had a chance to chat with Jason Seidel, Director of the Colorado Center for Clinical Excellence, a group of Denver psychologists and psychotherapists who provide exceptional therapy by measuring their outcomes using diverse treatment approaches and honoring their clients’ preferences.

Now, in this interview, they discuss what it takes to measure outcomes for mental health and how they’re adapting technology to still deliver quality outcomes during the COVID-19 pandemic. Take a listen.

Rick: A huge focus you have is on measuring outcomes. Can you tell me more about how you do that and why it’s important?

Jason Seidel: Yeah, so we measure outcomes really on two different levels. We’re measuring the outcomes for each client so we could think of that as the client level, where we’re interested from session to session, whether our patients are getting better over time.

And not that it would go in a straight line, but just to see overall, whether people are improving. And so that’s a way we’re using it on a clinical level, just to adjust if we need to, how we’re doing the therapy with this particular client.

And then we also are measuring outcomes on the clinician level.

So we’re looking at each of us as a therapist in our group to see overall what do our data look like. Are there areas that we’re weak in that we need to do more continuing education?

Are we getting certain patterns of feedback from our clients about the way we’re engaging with them that we need to look at as therapists? So I might talk too much, or I might stir people up too much, or be too focused on the past.

And if I’m getting feedback from an individual client about that, I can adjust that for that client, but if I’m getting consistent feedback from a number of clients that I’m doing something in a way that’s getting in the way or that just doesn’t feel very useful, then that really can direct me to do more of my own training and development as a therapist.

So we’re looking at the statistics much more on the therapist level. We don’t wanna over-interpret on the client level ’cause it can be so variable on the client level.

We just use it on the client level to adjust with that client, how we’re working together and whether we’re doing the best work we can with that person.

Rick: Great, and we talked a little about this before, maybe we can go into it a little bit more, how different that really is, that approach to measure outcomes for the therapists and using that to improve how you’re delivering care. Can you talk a little bit about how that kind of shift is and why you think that it can be so helpful?

Jason: Yeah. And, I mean, this is such a big topic because there’s such a movement right now both in medicine and psychotherapy toward outcomes-oriented care or patient-reported outcomes as a way of measuring quality, and there are so many landmines in this field.

And so in my world of psychotherapy outcomes, one of the biggest difficulties in getting clinicians to do this is the fear of what’s gonna happen if your outcomes aren’t so good? Because we can’t all be above average, right? So the idea is, if you’re a below-average clinician, what do you do with that? Or worse than that, what would insurance company do with that?

So there’s a lot of fear around just knowing how we’re doing and then making adjustments along the way.

What I do as a practice owner, first of all, is make sure that my therapists know that we’re using the data about how we’re doing as therapists to support them, to not punish anybody or bonus people for doing really good work.

And so not tying it to some sort of punishment or reward, but rather using it to improve their training or direct their continued education efforts.

So there’s a sense of support around it, rather than using it as a carrot or a stick.

And I will tell you that there’s been a number of insurance companies and agencies who’ve tried to use it as a carrot or a stick or both, and it blows up in their face every time because clinicians don’t like that.

None of us are in this to make money. There’s a lot easier ways to make money than being a therapist.

We’re in it because we really care about helping people. And when you have someone saying, “Well, if you’re not doing a good enough job then it could hurt your pay or something like that,” it really hurts people’s morale.

And really all therapists really want is to be supported to do the best work they can because that’s really all we’re in this for.

So having this as a tool to do that, and when therapists really truly can believe that that’s what it’s being used for, then they tend to be a little less scared and more willing to jump on board and make use of the feedback they’re getting.

Rick: Right. I mean, that makes sense. If you’re using it as a personal improvement tool, it’s much easier to wrap your head around, you’re just trying to improve yourself, and it’s not a competition with everyone else.

Jason: Yeah, exactly.

Rick: So obviously, a big thing in the news right now is COVID-19 and it’s a big concern, and we’ve seen a lot of shifts in how technology can help you with still delivering care, even though people are having to stay at home and shelter in place. So how are you utilizing technology to help you achieve your outcomes?

Jason: Well, we have definitely made the shift to doing teletherapy or tele-mental health with all of our patients, so we’re not doing any in-person work right now, it’s all by video and some folks actually do prefer phone rather than video, so they will do that with those people.

And so right now what we’re really focused on is how to use the video technology in a way that still allows us to feel connected with our patients and do good work.

One of the things about doing therapy is we’re really using a person’s body in the room. In other words, we’re reading their body language, and you can get so much of a sense of someone being in the same room with them in terms of just how people are breathing, if they’re tensing, we’re constantly using that feedback, and with a screen, that is so limited.

And so what we have to rely on much more is facial expression and also asking more questions than we might have to ask if we were in-person.

So I might notice that something seems to be happening where I’m looking on my screen and I see someone seems to be breathing in a more shallow way, but I can’t quite tell, I think I’m seeing it.

So I might not be able to rely on my intuition about what I’m picking up, I might actually have to come out and ask, “Hey, I’m noticing your breathing seems a little different. Am I seeing that right?” So more checking in.

But on the other hand, with a video, we also often, if the quality is good enough, we sometimes can see more in terms of a little micro-expressions on people’s faces, and that can make our job even easier.

So, we’re just adjusting a lot to how to balance out the information we’re losing with information we’re gaining by doing the video and just again, continuing every session to get feedback to make sure we’re staying on track.

Rick: Very cool. So now looking into the future like in 10 years, how do you see more data being utilized to help specifically in your area, psychotherapy or mental health? How do you kinda see data being utilized?

Jason: Well, that’s a good question. Because I started doing this one way or another about 20 years ago, and I was sure that in 20 years, it would all be ironed out and being done. And we are still super far away from this being used throughout mental health.

And so I guess… What I’m thinking is that we’re gonna continue to stumble through as an industry, where I imagine that insurance companies and third-party payers and folks who are driving the desire for the data, because frankly, those are mostly the folks who are driving it, are going to get smarter about how they train clinicians and how they support clinicians to get clinicians to do this.

Because over the last 20 years often they just, with varying degrees, they’ve tried to support or educate, but still there is a sense of real fear among clinicians who will continue to sabotage it because they don’t believe it’s gonna be used in a good way.

There’s ways of using the data in very helpful human ways, and there’s ways of using the data in really stupid and dehumanizing ways.

And people rightly worry that the data are gonna be used in dehumanizing ways that are gonna water down the effectiveness of therapy, cause people potentially to fake data, things like that. So these are all very real concerns.

So I think it’s really gonna be a much slower slog up and down to find our way through to a method of doing this that still has a lot of integrity and honesty, and real use for the consumer to improve the quality of the care they’re getting.

Olena: Thank you so much, Rick. Of course, another insightful interview.

Rick: Yeah, thanks, it was really fun talking with Jason, and he’s really passionate about what he’s doing, and I think that hopefully he’s able to advance that measurement of outcomes for mental health. It just makes sense.

For other health care disciplines everybody’s always measuring outcomes, so it makes sense to do that for mental health as well. And people can learn about that and see the full interview on our blog.

Olena: That’s right, visit us online at Also wanna mention what are you doing to ensure your mental health and stability?

And if I caught you off guard, Rick, I can start with myself because I’ve been at home since early March.

So for me, I started to feel a little bit of cabin fever, maybe last week, and I found that if I went back to what I used to do about a year ago, which was about 30 minutes of yoga each day at home, it really does help with my mind, my body and my energy levels and just taking that time to know that that’s a moment for myself and also a little bit of a workout.

So if I can encourage anybody to do something for their mental health, that’s my tip of the week.

Rick: That’s a good one. And I think it’s important when people work from home, there’s two types. I’ve been working from home for a couple of years now.

And there’s people who get distracted easily and it’s tough to focus. So the best thing for that is usually to have routines that you can stick to and a quiet place to work from.

Then there’s people who work too much and too hard and never take a break. And so you don’t know how to clock out.

So I fall into the latter usually, so I’ve found for me, it’s just really being focused on taking breaks every now and then, even if it’s just 10 minutes.

There’s something called The Pomodoro Technique that people use, which you have a set amount of time to focus, then you do a quick break and then you transition.

So I think just finding out what works for you. But definitely people can get a little cabin fever, maybe throw a screensaver or something on of the outdoors, try and get some green in your life.

Olena: Yeah, for sure. Well, thank you so much, Rick, and of course it’s a pleasure. And if you enjoy listening to the HIPAA Critical podcast, be sure to subscribe and tune in every week. Until next time. Thank you.
