Intro  0:01  

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:20  

HI, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified Information Privacy professional and I provide practical privacy advice to overwhelmed companies.

Justin Daniels  0:35  

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I do that through identifying the problem and coming up with practical solutions as a cybersecurity subject matter expert. I also am the cyber quarterback helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.

Jodi Daniels  0:59  

And this episode is brought to you by Red Clover Advisors, which just celebrated four years this week, actually, as a recording. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, fast ecommerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit So who do we have here today? Today’s an exciting podcast every day is an exciting podcast.

Justin Daniels  1:40  

Yes, but this is our first one. Because we’re now enjoying our new reality with two kids at

Jodi Daniels  1:46  

two different school enjoying is kind of the wrong word. It is a little bit more like it. So we’re a little out Bixler words, everyone, bear with us.

Justin Daniels  1:56  

But anyway, we have Tammy Taylor today and Miss Taylor serves as the president of Advantum Health. She is a veteran leader in revenue cycle management. She has held senior positions in corporate compliance hospital and physician revenue cycle and large group practice management. In addition, she proudly served in the United States Navy. Well, we have the healthcare Top Gun, Welcome to the show.

Tammy Taylor  2:17  

Thank you. Thank you to both of you. It’s a pleasure meeting you, Jodi and Justin, nice to see you. Again. Thank you for having me on today. And this opportunity to talk about privacy and security.

Jodi Daniels  2:30  

Well, we always like to get started with understanding how you got to where you are. So seems like you’re gonna have to explain what you did in the Navy a little bit as to how we’re in a health care company and revenue management. I’d love to hear that story.

Tammy Taylor  2:44  

So, Jodi said this is about 20 to 30 minutes.

Jodi Daniels  2:49  

This is like the cocktail version story.

Tammy Taylor  2:51  

Cocktail version. I like, I love that. So yes, I did start my career in the United States Navy. I was a corpsman or a medic, as some people would call it. I started up near Seattle, Washington and Puget Sound at a submarine base. One of my first jobs was going out on an ambulance ride to the airfield there. And we called it the shovel crew. And I asked them why they called it that and they said, Well, if a plane crashes, we just go shovel the body, right? And I thought, Oh, this is tons of fun. Okay, I moved from there to the operating room. And my last duty station was in Japan, because Japan had a great time, delivered lots of babies via c-section in the operating room, that was an experience and then did a lot of sleeping on a cot in the room because you pull duty about every three days. So I said, You know what, I think I’ve had enough of this, went to, got out of the Navy, and after about 10 years, went to the DC area and became an administrative, you know, finished college, went into administration and started working for a hospital system in Northern Virginia, where I did their business office for about a year, then got moved to the IT department looking for systems for them and purchasing and then went into compliance. And that was, that was about 1996. I’ve been doing this since I was 10. Right. So yeah, and about that time the Privacy Act came out and we were put under a corporate integrity agreement with the government and, you know, probably along with about 200 other health systems for laboratory unbundling. So got to learn a lot then, a lot of time coming up to speed, had a lot of great help, a lot of assistance, learned about the OCR, the OIG, all of those types of things. I definitely learned about HIPAA and the Privacy Act as a whole and lots of different experiences, got to, you know, really get my feet wet there, but then I thought, you know, I’m fixing problems on the back end. I really, really like to fix problems before they happen, right?
So went into operations on the business side into the revenue cycle world where most of the audits were taking place. And I’ve just grown from there to my current position.

Jodi Daniels  5:13  

Well, thank you so much for sharing. It’s really always fascinating to hear people’s stories, and very, very different from delivering babies in Japan to what we’re going to be talking about here today.

Justin Daniels  5:24  

I think, to me, where I wanted to start, you talked about when the Privacy Act came out, and HIPAA, and I think that was around 1996, if memory serves, and now we’re in 2021. And it’s interesting to me that when Jodi and I went to look at a Sleep Number bed, they’re like, Oh, we collect all this data about you, that data that they cover, with my heart rate and all these things, that’s not even HIPAA protected data. And I’m just curious as to your thoughts, having your long history in the industry. How is HIPAA really falling behind the times when it comes to what you see every day, and how you manage privacy for Advantum Health?

Tammy Taylor  5:58  

You know, I think, Justin, that’s a great question. Because we think sometimes in my world, we think of the medical record, and that’s HIPAA, right? We don’t think of anything else. You know, we do a lot of phone calls, we take credit card numbers over, you know, secured lines, we have people that have been in the business for six months looking at PHI or protected health information all the time. We’re still in this world, I feel, in our industry, where if it’s not in a medical record, then it doesn’t really mean anything. So you know, it’s just, you know, you bring up the Sleep Number, but then I think about, like, my scale at home is Bluetooth, you know, I think about my Fitbit, I think about my Apple Watch, I think about all those things that are capturing how many times I sleep, what I’m, you know, if I’m breathing properly, and all of those things, and what happens to all that information. In my world, it’s still about the age. I just recently, I was saying the last couple years, we’ve brought in PII or protected information, you know, because we’re getting social security numbers, we’re getting phone numbers, we’re getting cell phone numbers, we’re getting your education, your DEA number, those types of things for providers, and how do we keep on top of all that? And when I ask out there, in my world with other leaders, they’re like, Oh, we have a great attorney. Or we have a great CIO, or we have, you know, somebody that’s looking out for all of that, but it isn’t really embedded. And that’s where, that’s where I think the problem lies, is it’s not embedded at your, at your lowest, you know, level possible in the company. It’s always done, we’re, you know, ethereal pie where we’re trying to determine what’s best,

Justin Daniels  7:49  

I want to ask you a follow-up question to that one. And that is, I know, in your career, you’ve handled data breaches. And yet, we just talked about how there’s all this new information coming on the scene with the scale, the Sleep Number, and yet we’re already in a situation with healthcare. Healthcare has the highest cost for breaches, and has so many legacy systems. We’re now about to compound the problem with all of telehealth and whatnot. How can we better navigate?

Tammy Taylor  8:15  

I did a lecture a while back on prevention, right? Because prevention to me is key. It’s, it goes so much more than just training. It has to be truly ingrained, embedded in every breath we take. And people just love that, they love sitting through two or three hours of security training a month, then they just live for it. I mean, they were asking me for it, you know, of course not. But I sat in front of a group of about 400 telecom people. And I started off with, you know, we’d all flown over to Portugal, it was wonderful, you know, you do these security things for the trips, right? So, flew to Portugal, sat in this amazing conference, over 400 people. And we talked about, I asked them how many people flew here, you know, 99% of the people had gotten on the plane. And I said, you know, I know everybody sits there, and they listen to the flight attendant go through the oxygen masks, you know, and the seat belt, and how to do all of those things. And, you know, it just becomes, if you fly a lot, it just becomes, you know, you just sort of tune it out, right? I said, but everybody here, raise your hands if you know that you put the mask on the child before you put it on yourself. And all the hands went up in the air, right? They’d all been through that. And then I stopped. I took a moment, I looked at them, and then all of a sudden I see eyes lighting up, right? And they’re like, wait, wait, no, you put your mask on first and then the child, and I said, Yeah, that’s right. You know, and you get that lecture all the time. But when it comes to it and crisis hits, are you ready for that? Right? And you know, Airbus did a review and there’s only been about 67 incidents a year on average of oxygen masks going off, you know, or coming down, and most of those are accidental, but they still do that because you never know when it’s going to happen. Right?
And that was the lead-in for my discussion, you know, then we talked a little bit about seatbelts and why we have to wear seatbelts. And I think, I think the Highway Transportation Security people did a study back in 2019. And they had about somewhere around 22,000 deaths that could have been avoided because of seatbelts, you know, wearing your seatbelt. And then in 2020, they did another study, and they had about 90.3% of people were wearing their seatbelt. And I thought, oh, wow, that’s great education. Let me look into this and see how they got them to do this, right? Yeah, we put an alarm in all the cars that goes off until it drives you nuts until you put your seatbelt on. Right? So, you know, when you start applying that to just something as simple as email phishing, right? And how you avoid that, you know, we think of like spam filters and antivirus protection. And all of this, I still get, I counted yesterday, 107 emails that were just spam, right? And if I open any of them, does that put me at risk? Or should I just avoid the spam? Or why don’t I have rules preventing this spam, and some of it’s sales, 90% of it’s sales, right. And I know they have buried text, I know they have all of this. But at any point, if somebody opens that, and it has happened in my past lives, right, where a person at 3am in the morning is going through their emails and opens something and sets something off, and you don’t have to know all the details, right? You know that it causes havoc, and all of a sudden, you’re in a situation where it’s sprawled across your entire network, and things happen. And that’s where we are today. Right? So how do we prevent it? How do we make sure it doesn’t happen?

Justin Daniels  11:42  

You know, Tammy, I thought about the forerunner of your idea about the beeping, it’s the nagging wife that makes you go to the doctor. The same way, right?

Jodi Daniels  11:52  

Yes, you could build in training. And you could have it be bells on your computer, if you don’t, you know, it can just be maybe the whole screen’s blocked, or something like, can’t go through. The same equivalent of the nagging might work. So Tammy, as you were talking about, you know, the kind of the preparation, right, you’ve heard it, so you know what to do. Managing an incident is sort of the same, you really should have some type of plan and practice or knowledge for when it happens, you’re more prepared, you at least can remember, Oh, right, I’m supposed to do this. And hopefully you get the order right. Kind of like your oxygen mask. Can you share a little bit about what has worked for you and how you approach incident response planning and preparation? I

Tammy Taylor  12:36  

think, unfortunately, because it happens more and more these days, whether it’s a small incident or it’s a large incident. I worked for a healthcare system, I was in the revenue cycle, they had a breach, that ransomware, I think it was the Locky ransomware at the time. This is many years back, but um, someone had come in through an email, went across the system, and we were a hospital, and we went down for about 10 days. And you know, I’m old enough to remember when putting in an electronic medical record was the end all for all the physicians in the world, was indane, and all of that. Well, you take that away from them now and ask them to go back to paper, and then it’s not happening, right. So 10 days, I saw a lot of things that were done correctly, and I saw a lot of things that were not, like, you know, the security person, who was not an IT person at the time, was more like a physical security person, put a banner across the hospital website alerting everybody, we had the media out in the parking lot. We made the CNN, you know, my mom calls it the CNN, like, though. And so, you know, there was a little alarming. I think what I’ve seen that works the best is, number one, gather the facts, right? Get everything that you can together. I think a lot of people feel like speed of sending out the information is the most important thing. Honestly, gathering the facts, knowing where you are, knowing your situation is, to me, the most important part. Assess the situation: is this an internal thing? Is this going to affect the external? Where are we, do we know where we are? Do we have a good hold on it? And then have a communications person, have somebody that’s, that’s what their job is. Needs to be a senior person, it needs to be somebody that has decision-making authority, even if they’re not going out to make a decision. If something happens on the fly, they have that ability to do that. That person needs to be cool, calm and collected, as the story goes.
They need to be able to, you know, comfort people but at the same time be steady and firm in what they’re sharing. And then I would say talk to your internal team first, make sure they’re not hearing it through the rumor mill, make sure it’s not gossip, make sure that they don’t hear it from their client or any external vendor or anything like that before they hear it from their own leaders. And then I would say, you know, communicate, over-communicate, be proactive with the communication.

Jodi Daniels  15:06  

All excellent points. Thank you so much. I don’t know how to improve on what you just said, no, that’s why I said just excellent points. Sometimes I call, you can, I would, if I could drop my mic right now, I would turn to that, you have to guess

Justin Daniels  15:18  

I’m trying. So, so Tammy, talking about kind of how healthcare is evolving, with now we have telehealth, you know, we have even other things to manage. Where do you see, when you talk to senior leadership, you’re at these conferences, where do you see their thought process going and how they deal with all of this new technology, on top of the fact that HIPAA is pretty outdated for the kind of data we have? And now we’re having all this new type of technology, any thoughts you have around, when you’re going to these conferences, how executives are thinking, Wow, we

Tammy Taylor  15:51  

really need to manage this privacy and cyber thing differently, because we keep getting hit. Um, you know, there’s always this need to use the keywords, right, like multi-factor authentication. And I look and I keep on top of that, just because I’m sort of a little bit of a nerd. But, um, I want to know, how is that helping? You know, there were a lot of free telehealth apps that were rolled out during the COVID, initial parts of the COVID pandemic, and we were very fearful as a billing company for some of our users that were using these free apps on how that was coming back in, can we segregate it? Can we keep it? You know, and the very first question we asked was, is there multifactor? What’s the security around that? And we were able to convince quite a few of them, this isn’t the app for you, right? These are not the droids you’re looking for. So you know, they were pretty good. And they listened to us, because they see us as advisors, right. And that’s our goal, is to be that trusted advisor. I see a lot of fear. Still, I see a lot of people that don’t understand what, you know, MFA is. I see that they don’t understand controlled rules, that you can put rules on your systems, those types of things. So I think folks like you are helping immensely. I think that we just have to continue to work together to get this message embedded.

Justin Daniels  17:20  

Well, as a follow-up question, Tammy, I’m just curious, because I now have this more and more where I’m working on deals where if the other side is not using MFA, we won’t even do the deal. And I’m curious as to whether or not you’re starting to see that in your business with vendors that may want to work with you, or hospitals that may hire you. Are you starting to see things like MFA being table stakes? If you don’t have it, there’s no deal.

Tammy Taylor  17:42  

Definitely, and we’ve been very lucky that they’ve gone along with it, you know, so I know that there’s some out there that want, I think, empowering my team and, you know, Advantum team, right? To tell them why it’s important, why we have to have it. And if this is not a discussion, you know, we’re not giving you access to our portals without you doing this. We got a lot of pushback, both internally and externally, with people that, it’s just a pain, I have to remember 47 passwords, you know, I didn’t have to make hard passwords, or I have to go into this other application, I don’t have any more room on my phone. You know, I think I’ve heard them all. So we don’t do it without MFA. And we don’t do it, honestly, without some conditional access rules, too.

Jodi Daniels  18:29  

We’re talking a lot about health data and the privacy world. So much of what I’m dealing with is health data, less than, you had kind of mentioned PII. In the privacy world, you could even have chopped the identifiable piece, just personal information: visiting a website, all the digital identifiers that could be personal information, just the name and an email can be enough for personal information, even if you don’t have social. Are you starting to see, either in your company or, you know, at conferences and leaders, like Justin had asked, discussion around the privacy pieces? Because HIPAA, as we were talking about, just controls the slice of the pie. And there’s all this other data that companies now need to also be considering from various privacy law obligations. Is that a topic that comes up? Or are we still kind of hanging out in HIPAA land?

Tammy Taylor  19:16  

No, I would say especially with the larger organizations, right, those with the 1000-plus employees, we see a lot more requests for our SOC 2 documentation, we see it for how we handle risk assessments, they want to see policy and procedure. We are seeing a lot of that. I would say from the smaller shop, you know, financial restrictions come into play or just lack of knowledge. Sometimes we don’t see it as much, but definitely from the larger health systems or provider groups, that type of thing, we are getting those requests.

Jodi Daniels  19:47  

Well, thanks for sharing. That’s consistent with what I see, is the continued push from the B2B context. And it will be interesting to see if you start to have more, not even just the security side, from a SOC 2 perspective, but the privacy side, really understanding the kind of information, how you’re using it, not just protecting it. And we’ve had definite risk assessments done on our websites, our, you know, even our collateral. And you know, I have a whole sales team within the Advantum system. And you know, we send out emails, too. So we’re on the other side, making sure that we’re protecting that information from clients, those types of things.

Justin Daniels  20:26  

Those are interesting points, because I think after listening to this, Tammy, I think my next step is for you and I to co-write a screenplay on all of the reasons why we shouldn’t do MFA. Phone was a good one. No, this is not the MFA you’re looking for, is it not?

Tammy Taylor  20:45  

No, I’ve got complaints like, I can’t speak through this security presentation that the security officer sent out. I’m like, what, it won’t let me fast forward, because it wants you to listen. And I know these are adults, these are, you know, very educated adults. But I’ve had executives that are like, I don’t need to do that. Right. Because I’m an executive, you know. And, you know, I mean, that’s what it is, you know, going back to the seatbelt analogy, you know, when you get on a roller coaster, you do not even think about not putting the seatbelt on, right? You make sure that harness, you’re checking it, you’re, you know, ready to scream. That’s where I think we need to be, you know, we need to make sure the harness is on and that we’re prepared to go up that hill and down that curve.

Jodi Daniels  21:27  

That’s a great analogy. Absolutely.

Justin Daniels  21:30  

Tammy, I will be stealing multiple things you said for my next presentation, because I call it, how do we make cybersecurity the 21st century digital seatbelt? But I never thought about the roller coaster. I mean, that and the one about being on the plane with the masks. Where do you come up with this? That’s just fantastic metaphor. Yeah,

Tammy Taylor  21:49  

I sleep a whole lot. I sit there and think, you know,

Justin Daniels  21:55  

well, maybe I’ll have to send you the right meditation app. Exactly. Both could use it.

Tammy Taylor  21:59  

Is it tracking anything? Absolutely. I could tell you all about that. Well, we always like to wrap up with the same two questions. And the first one is, what is your best personal cyber tip? Prevention. Prevention is key to me, you know, make sure that cybersecurity isn’t something you have to do every year, or every month or every week, make sure it’s actually part of your culture.

Jodi Daniels  22:25  

I have a follow up to that, can you share something that you have found successful to infuse that into a company culture?

Tammy Taylor  22:31  

Absolutely. If I’m in a healthcare system, I find a champion, and that champion should be a senior doctor that everybody respects. If I’m in a business, it should be a senior executive that everyone respects, and they have to be enthusiastic. They have to believe it is not just a job, it’s not something they have to get through. It has to be part of their heart and soul.

Jodi Daniels  22:53  

That’s really important. I think champions for all different types of projects are critical to getting the message across. And thank you for sharing, really, really helpful. Now, we were joking around about meditation and sleeping and fun. So when you’re not preventing data breaches, or responding to data breaches, or creating cool metaphors on digital seatbelts, what do you like to do for fun?

Tammy Taylor  23:18  

I would like to be on a large ship out at sea, where I don’t have to drive, I don’t have to worry about cooking or cleaning or anything like that. So I love the cruise life.

Jodi Daniels  23:31  

Yeah, we have to be able to get back to a cruise that keeps getting delayed.

Justin Daniels  23:35  

See, I was gonna say she was gonna say ship but not an aircraft carrier.

Jodi Daniels  23:39  

No, not an aircraft carrier. Not a submarine either. I think that I already knew, it’s the cruise, relaxing, hanging out in the ocean. Beautiful water

Justin Daniels  23:48  

all around. We toured a submarine once, a World War Two vintage, and that was not Jodi’s thing. It’s just amazing to me, the people who serve on a submarine, because it’s very tight quarters and water getting into the sub. Just major respect for that all-volunteer force.

Jodi Daniels  24:05  

Well, Tammy, thank you so much for joining us today. If people would like to connect and learn more from you, where’s the best place to do that?

Tammy Taylor  24:11  

I would say through our website. And our URL is Wonderful. Well, we’ll

Jodi Daniels  24:19  

be sure to include all of that in the show notes there. Thank you so much.

Tammy Taylor  24:23  

Thank you guys. Have a great day. Good luck with the two schools, two children. Yes,

Jodi Daniels  24:28  

we definitely need lots of luck with the two children and two schools. You know, it might be three children. Have you met this one over here?

Outro  24:37  

Thank you guys for having me on. Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.