MGMA Insights: Protecting Your Medical Practice in the Digital Age
Daniel Williams:Well, hi, everyone, and welcome to the MGMA Podcast Network. I'm your host, Daniel Williams. I'm a senior editor at MGMA and so glad to be here with you today. What we're gonna be doing here today is talking to one of our speakers at our Leaders Conference that's gonna be coming up in Orlando; September 28 through October 1 is when the conference is. It's gonna be in the, what is it, the happiest place on earth, there at Disney.
Daniel Williams:We're not going to be physically at Disney, we're going to be right around the corner, and I expect many of our speakers and guests will probably stop by. Today we have Rana McSpadden. She is going to be one of those speakers at our show, and she is a consultant with the Medical Practice Services Department at SVMIC. Rana, we were moving heaven and earth here trying to get connected today. Sometimes technology is so amazing, and sometimes it just kind of impedes us from communicating.
Daniel Williams:We even made a joke that we were ready to get the Dixie cups and strings out if we had to. So Rana, welcome to the show.
Rana McSpadden:Thank you so much. And I think it's really fitting that we had so many technology issues, and we're sitting here talking today about cybersecurity.
Daniel Williams:Exactly. That's a great point. So bring us up to speed then. I talk to so many people from your organization. Are you located where, in Tennessee, or are you somewhere else?
Rana McSpadden:I am in Tennessee, but I am not out of our Brentwood office. I am one of our remote employees.
Daniel Williams:Oh, okay. Where do you call in from?
Rana McSpadden:Difficult Tennessee.
Daniel Williams:Are you pulling my leg here?
Rana McSpadden:I'm not pulling your leg. No. You can Google Difficult Tennessee, and it's a small little sleepy community, but we're here.
Daniel Williams:That is so remarkable. With a name like that, how did it get its origin? Certainly, y'all all know this. Right? Or do you have any idea how the town got that name?
Rana McSpadden:So the legend goes that when they were trying to name the area, the community kept coming up with different names and sending them into the post office so that we could get our zip code. And the post office kept saying, oh, there's already a town in Tennessee with that name. There's another town with that name. So somebody wrote on there, this is difficult, and capitalized the D. And so the post office said, yeah.
Rana McSpadden:That's about right. So Difficult Tennessee.
Daniel Williams:I know the state a little bit, so I know where Brentwood is. Where is Difficult in relation to Brentwood, which is a suburb of Nashville, right, or a part of Nashville?
Rana McSpadden:It is. Yes. A suburb of Nashville. I am about an hour and a half Northeast of Nashville. So Okay.
Rana McSpadden:Oklahoma.
Daniel Williams:So are you in the Smokies or where
Rana McSpadden:No. No. I'm not that Northeast? Okay. I'm still in Middle Tennessee.
Rana McSpadden:I'm still in pretty much rural areas.
Daniel Williams:Well when you get a name like Difficult, it's not like Manhattan or something. So I figured it might be a rural community. So even more important to really be talking about cybersecurity and the kind of services that might be available to people. Even though I'm in Denver and you're in Difficult Tennessee, we had a heck of a time getting connected today. So Rana, it is so cool to get to talk to you.
Daniel Williams:So let's go a little bit into your background then. What brought you into the healthcare world in the first place? What was that little spark that got you there? Tell us about that.
Rana McSpadden:Well, I kind of fell into it, actually. So back when I was in high school, my then boyfriend, now husband's mother, she ran a radiology billing company, and they were in the process of changing billing systems, and they just needed some data entry people. So I went in, started working for them. It was almost supposed to be temporary, and here I am twenty-some-odd years later, still in health care and enjoying every minute of it from this perspective.
Daniel Williams:That's so cool. So I know that SVMIC does a lot of things. So what is your role there? How would you define that to our audience?
Rana McSpadden:So I'm one of the medical practice consultants. So with SVMIC, we are a professional liability provider for our policyholders. And one of the benefits to being a policyholder of our company is they have access to our consulting services, and our consulting services are value added. So they can call in with all kinds of questions about billing and coding. They give OSHA.
Rana McSpadden:I'm working really, really hard. I'm not making any money. I'm barely making it, what's going on? I'm needing help with contracting my insurance company. I'm needing some help with credentialing.
Rana McSpadden:They can call in and get our services value added to their policy.
Daniel Williams:Okay. Now you're going to be talking about cybersecurity. You already mentioned that at our Leaders Conference. We'll get to that, but let's just talk about cybersecurity and some of the philosophy or ideas you have around it. I have some notes here that a lot of people think it falls squarely with an IT department.
Daniel Williams:You have a different approach there. Talk about all the people that are involved with it, the stakeholders, etcetera.
Rana McSpadden:Sure. So when you go to a lot of conferences and you talk to somebody that's talking about cybersecurity, they're from the networking side. They're from the computer side of it. And I'll be honest, I don't know anything about networking. I am not a networker when it comes to computers.
Rana McSpadden:But I come at it from the business side of it. And what the practice needs to be thinking about as a whole, because, really, cybersecurity is a whole system. It's all the staff. It's leadership. It's the physicians, of course IT too.
Rana McSpadden:Everybody has to work together in order to ensure that they are doing their part to secure the electronic data of their patients.
Daniel Williams:Okay. I'll tell you in real time, this is such an important topic to everybody that works anywhere because there's all those different aspects of how people try to get into, you know, somebody's network. At MGMA, our IT team sent out something to us today, because there's some phishing scam that's going out, and they showed us a picture of it. They said, do not click on this. So when you think about cybersecurity, what are some of the common threats that you're seeing out there?
Daniel Williams:What would you like to share with our audience about that?
Rana McSpadden:Well, of course, ransomware is really one of the biggest threats, and that's one that we always hear about. But the real threat is how they access our systems in order to launch that ransomware. And, generally, it's through weaknesses in our systems and just general phishing emails, phishing phone calls, phishing texts, trying to gain access using our credentials. They trick us by sending us a link saying, hey. Click here.
Rana McSpadden:We need you to log in to your cloud system because your password's about to expire.
Daniel Williams:Yep.
Rana McSpadden:I heard. That's the big one that catches a lot of individuals. Here at SVMIC, our IT department actually will phish us to test to see if we are paying attention. And one of the phishing tests that actually caught a lot of us was it looked like it was coming from one of our policyholders
Daniel Williams:Yep.
Rana McSpadden:Saying, hey. I need you to click on this link to see what's going on. And it caught a lot of our employees. So, they're getting really sophisticated with these phishing emails. We are no longer in the days of broken English and misspelled words and all that kind of stuff.
Rana McSpadden:They're using AI to write these things. They're even using AI to trick somebody when they call in, making them think that it's somebody that they know or somebody that they work with. Right now, I'm actually even hearing, we've actually had two instances where physicians have fallen for a phone phishing scam where the threat actors pretended to be DEA agents. The creativity
Daniel Williams:Yeah.
Rana McSpadden:Of these threat actors is amazing. You just can't keep up with them. That's the problem. Everything's changing so quickly and so often, there's just no way to truly keep up with everything that's coming down the pipeline.
Daniel Williams:You make so many good points here, and there's so many things I wanna follow up with. I'll just share a couple of them. It's the level of it, the evolution of it, the sophistication, because forever, it seemed like, it was, hey. I'm with the royal family in Nigeria.
Daniel Williams:You know? And it's like, okay. Maybe in the dawn of email that might have gotten somebody, but at a certain point, so then they're mimicking your boss, like the CEO at your company, or like, boy, I better respond to that. I don't get an email every day from my CEO, meaning, yeah, this isn't your CEO, this is somebody else. But you brought up something else that really got my attention, and that was you didn't say just email, you said text too.
Daniel Williams:And very recently, some bot somewhere has gotten my cell phone number. And so I'm getting cell phone text messages that are from the Department of Motor Vehicles, the DMV. They even got the state right, it's Colorado, that's where I am. It's a Colorado DMV, you've got something going on, you ran through a tollbooth or something, or we got a charge here for you that you gotta respond to. And I'm going, this doesn't pass the smell test, you know?
Daniel Williams:But it's when they're infiltrating the text as well, that seems a little more personal now at this point in our lives than an email does. So what would you say to that? Because you were kind of bringing that up first. That's the more sophisticated version of how they're getting after us. So what's going on there?
Rana McSpadden:It's I mean, really, we have to be suspicious of everything
Daniel Williams:Mhmm.
Rana McSpadden:And just be super vigilant. Because, you know, for me, if I get a text and it's from the Department of Motor Vehicles saying that I have unpaid tolls Right. Well, for me, I live in a state where we don't have tolls, so that's not a big iffy for me. But, you know, I got one recently from Florida. Mhmm.
Rana McSpadden:Florida. And had I been traveling through Florida, I could have easily fallen for that. But it's important to know that if you receive something like that, it feels kinda weird, whatever, don't call the phone numbers in the email or the text or whatever. Go online, find those phone numbers, and then call them directly. The DMV, DEA, all government agencies, they're not going to call you and say, hey.
Rana McSpadden:You know, you've got unpaid fines. You didn't show up to jury duty, and now you gotta pay a whole bunch of money. The DEA is not gonna call you and say, your DEA number has been used across state lines, and now we're gonna come for you if you don't pay these penalties or help us, whatever. You have to go with gut feelings, unfortunately. Sometimes it's hard to know exactly when, but if something doesn't quite feel right, I always just ignore that source and go to the direct source.
Daniel Williams:Mhmm. You use that term vigilance. So we were talking about it in a lot of cases from an individual perspective as a person, but when you're an individual who is representing a medical practice, I'm sure some of the practices still are at play here, but are you seeing trends then that a medical practice may see so we can alert our listeners here, things that they should be thinking about that are prevalent?
Rana McSpadden:Unfortunately, I'm not getting a whole lot of those calls from our policyholders. I hear a lot of the aftermath.
Daniel Williams:Ah.
Rana McSpadden:What happens, they've been hit with ransomware. Part of it is, if you're a policyholder through us, we do provide a certain level of cyber liability insurance. So when those calls come in, they go straight to that insurance company for them to handle, because we are kinda hands off with that. We don't wanna be the ones really telling them what to do from that point because we're not the experts.
Daniel Williams:Yeah.
Rana McSpadden:We're gonna pay the... But, really, the biggest thing that I'm hearing is just them checking flagging emails. Really, that's where they're coming from. Or system weaknesses, where I'm hearing actually a lot, especially with some of these smaller groups, they don't have the funds that some of these larger groups have to be able to pay for large and expensive firewall systems. So their systems are weak, and so hackers are able to access their systems through unpatched security systems, through websites, because they may have open sourcing in that.
Rana McSpadden:So the biggest thing is do what you can to close off those systems, getting vulnerability scans, getting penetration testing, because those are white hat hackers that are professionals that are going to hack into your system and see where your weaknesses are. The biggest thing is do what you can to protect yourself Yeah. And then train your staff.
Daniel Williams:Yeah. You are gonna be talking, as we mentioned earlier, at that leaders conference in Orlando. You're gonna be talking about creating a culture of cybersecurity. You were getting to it a little bit there about getting into helping the teams and everything. But what does an overall culture of cybersecurity look like in an organization?
Rana McSpadden:Well, with any culture, it's in the bones of the practice and the entity. It's part of your mission, it's part of your values. And really, to develop that culture, if you want your staff to do something, the leadership has to head that charge. They're the ones who have to show, I take this seriously, and you should too.
Rana McSpadden:Actually, a perfect example: several years ago, I was at one of the MGMA conferences, I believe. Where were we? We were in Vegas. And my CEO actually had gone to that meeting with us. And he sat next to me in a cybersecurity presentation, and I was sitting there watching him just turn white.
Rana McSpadden:Because at that point, he hadn't really thought about cybersecurity. So he came home from that meeting and immediately made sure that our IT department was implementing all kinds of cybersecurity education and going well into making sure that there's no way that somebody can hack into our systems and teaching our staff members what to watch for with phishing, giving them ways to notify, hey. I've got an email I'm not sure about. Can you take a look at it? And so it was definitely a top down mentality.
Rana McSpadden:He started that, we have to do this, and so it just infiltrated into the company. And that's really what any practice needs to do. Everybody involved needs to know and show the seriousness of cybersecurity so that staff understand their role in the cybersecurity of the practice as well, and that they feel like they have a responsibility too.
Daniel Williams:Right. Now in researching you and looking at your background, you've also worked with compliance topics like HIPAA and OSHA. So when we think in terms of cybersecurity, how are those other compliance topics similar? How are they different? How would you describe that?
Rana McSpadden:It's just another piece into the compliance puzzle. And actually, with cybersecurity, it is a requirement under the HIPAA security rule. So, yeah, it's kinda tucked in under HIPAA, but it should also be a piece of its own. And it's become such a huge thing that several government agencies have produced multiple cybersecurity tools for entities to use. HHS actually has a voluntary program out there right now for cybersecurity to bolster healthcare security.
Daniel Williams:Okay. Got a couple more questions for you before we sign off then. For people who are interested in your topic and are planning to be in Orlando, what's something they can expect from that presentation? What's something they can take away from it?
Rana McSpadden:I'm hoping to show how important it is to take this seriously. And again, a lot of smaller groups, they feel like they don't have the resources available, and they may not have the money available. But there are still things that they can do to protect their systems. And my goal is to not really talk about the types of threats that are out there. It's really more about how to recover Oh.
Rana McSpadden:Well, prevent and recover
Daniel Williams:Okay.
Rana McSpadden:From those events. Because we're in a day and age now, it's no longer if something's gonna happen, it's when it's gonna happen. So it's best to already have a plan in place so that when something does happen, hopefully, it's something small, you're not, you know, sitting there scratching your head trying to figure out what to do next. You already have at least a basic plan in place that you can then adapt from for any nuances that come through.
Daniel Williams:Okay. We're still several months out from that leaders conference. So what are some things that our listeners right now can do today? Maybe taking a step or a couple of things they can do to protect themselves.
Rana McSpadden:One of the first things that I wanna recommend is that they look at their security risk analysis, make sure it has been updated recently and often. HHS and the OCR, they are cracking down right now. Earlier this year, they launched a risk analysis initiative, and they're imposing penalties, they're penalizing entities that suffer breaches, and during the investigation process, they find that they didn't have a thorough and system wide security risk analysis. So that's the very first thing I wanna recommend that anybody do.
Rana McSpadden:Go check your security risk analysis, make sure that it is thorough and system wide. Next, look at your training program. What are you educating your staff on? If you're only educating staff on general HIPAA, you're not catching the cybersecurity. So make sure you do have some sort of cybersecurity education.
Rana McSpadden:And in addition to cybersecurity education, have routine reminders throughout the year of, hey. Don't forget. Look for this kind of stuff, or this is what we're looking for, you know, whatever's going on. Just some sort of reminder on a routine basis, and make sure you do document that kind of stuff. And then the last thing I'm going to recommend, well, actually, a couple other things too.
Rana McSpadden:But the next thing is look at your recovery plan and your response plan. Have something in place, at least, you know, a very basic thing. And when I say recovery, not only recovery, but the response plan also should include how are we going to continue seeing our patients when and if we lose access to our electronic data. Because a lot of physicians and nurses are coming out of school and have never charted on paper charts, and they fully rely on that EHR. So have some basic education for your clinical staff on how to at least document that visit with that patient so that you at least have continuation of that documentation in the future.
Daniel Williams:Okay.
Rana McSpadden:But as I said, I did talk about vulnerability scans earlier as well. But also look into making sure that you've got enough cyber liability insurance, that you have an open line of credit in case of an emergency, and have business interruption insurance as well, and have more than just the minimum policy limits on those as well. I have seen several physician groups that have exceeded their policy limits, and they are now having to pay out of pocket as a result of the ransomware or incident that they have, plus the following class action lawsuits brought on by the patients. So yeah. Yeah.
Rana McSpadden:Very scary out there.
Daniel Williams:Yeah. I said that I was only gonna ask you two more questions, but I thought of something else because you are on top of this topic. This is something that's top of mind to you. What's something that's caught your interest, whether from a positive side or a negative side, that's going on in cybersecurity right now? What's a trend or something else out there that goes, woah.
Daniel Williams:Let's pay attention to this.
Rana McSpadden:Honestly, recently, the TSA's notification about plugging your electronic devices into public-facing USB charging stations. You know, several years ago, I heard about that on an episode of CSI, and I just thought it was like Hollywood magic. You know? Because I never even thought about it. And now to see a government agency warning about it, I'm like, okay.
Rana McSpadden:That's something real that we have to watch for. So that was actually really shocking when that came out. So again, be suspicious of everything.
Daniel Williams:I think that is the theme of the day, be suspicious of everything. So that is a good example of life imitating art. I mean, you see it on a CSI episode, and there it is. Rana McSpadden, I just want to thank you so much for joining us today.
Rana McSpadden:Thank you so much for inviting me. I really enjoyed this.
Daniel Williams:Yeah. It's been so much fun and not difficult at all. Not difficult. No. Difficult Tennessee.
Daniel Williams:I'm gonna look it up on a map, and it's just been a pleasure to talk to you.
Rana McSpadden:It's been a pleasure for me as well.
Daniel Williams:Alright. Well, that is gonna do it for this episode, everyone. Let's just recap a couple of things here. Rana's session at the MGMA Leaders Conference in Orlando, it's called Leading the Implementing Effective Cybersecurity in Healthcare. The Leaders Conference is going to be September 28 through October 1.
Daniel Williams:Do you know what day you're talking there?
Rana McSpadden:I am at 8AM on Monday morning.
Daniel Williams:Bright and early. You don't wanna do cybersecurity like at four in the afternoon. Your brain might... that's where you gotta do some leadership, pep-you-up kind of stuff. You gotta be focused with that caffeine, that coffee, or whatever in your system at eight in the morning. So that's fantastic.
Daniel Williams:I cannot wait to meet you in person, Rana.
Rana McSpadden:I can't wait to meet you too.
Daniel Williams:Alright. Well, until then, thank you everyone for being MGMA podcast listeners, and please just be suspicious of everything, y'all. So until then, thanks for listening.
