John Martinez doesn’t have to go far to find an example of why cyber security is critical in the healthcare industry.
Even a simple trip to the dentist with his wife yields proof. While waiting at the dentist’s office the other day, he discovered that the office’s wireless network was basically unsecured and left open for the taking.
“I noticed — and this is from my iPad, it’s not even my laptop — that they had an Apple Airport, and I started noticing that I could actually configure this Apple Airport through my iPad and set up different accounts using that wireless,” Martinez said. “I could actually manipulate their wifi, and I could have named it whatever I wanted.”
His partner, Christopher Hegg, slowly shakes his head in disbelief.
“He could have been very malicious and taken that entire network down and locked everyone out, because it wasn’t configured correctly,” Hegg said. “There weren’t passwords, so that leads you to believe ‘Well, what else isn’t configured?’ What else in their network is open?”
Luckily for this dental practice, Martinez and Hegg are the good guys and far from malicious. Finding these kinds of lapses in cyber security is what they do professionally at CoreRecon. CoreRecon is the brainchild of John Martinez, Christopher Hegg and their other partner, Patricia Luttrell. All three are retired from the armed services, in which they all worked in cyber security. Luttrell is the company’s chief technology officer, Martinez is the chief executive officer, and Hegg is the company’s senior security engineer. The Corpus Christi-based security company specializes in cyber security, IT solutions and Cloud solutions. They are one of the few companies in the country that offer Cloud assessments, Cloud security and Cloud implementations.
They also specialize in helping medical practices reach and maintain HIPAA Compliance.
HIPAA is the Health Insurance Portability and Accountability Act, which is meant to protect patient privacy and healthcare information, especially electronic information.
HIPAA Compliance is at the center of CoreRecon’s largest ongoing project. The team is working with Amazon Web Services to create a HIPAA-compliant infrastructure in the Cloud that can be leveraged by software companies. The goal is to provide a common form of security, which is essential to securing data.
“This way, we can create a uniformed approach instead of having 1,000 different practices doing security their own way,” Hegg said. “We can provide a singular solution that is within compliance that they can continuously replicate. Everyone has the same requirements to fulfill, so we can implement security one way instead of a thousand people doing security a thousand different ways.”
Oftentimes, medical practices are too small or ill-equipped to properly handle the security of information. Data which should be encrypted usually isn’t. Information is also often handled or transmitted improperly by unsecured emails and even cell phones.
CoreRecon’s solutions are meant to get medical practices up to date with technology and, of course, in compliance with federal regulations.
“Part of HIPAA requires a contingency operation plan and a recovering plan,” Hegg said. “Unfortunately, a lot of practices don’t implement these processes. You know, ‘Everything will be fine. We have a back-up.’ But their back-up may be on-site which recreates a single point of failure. They may not even be protected correctly on-site, so one of the things we’ve done is developed a redundant storage device on-site. So if one hard drive dies, another one still has the data near. Additionally, every night, it gets encrypted and sent to the Cloud for an off-site back-up solution.”
All of these measures may seem redundant or even overkill on CoreRecon’s part; however, they warn that the theft of personal information such as medical records can lead to identity theft, which can be more damaging and costly than having a credit card or bank information stolen.
According to a report by the Medical Identity Fraud Alliance called “The Growing Threat of Medical Identity Fraud: A Call To Action,” the number of data breaches in the medical sector has quadrupled in the last five years. The healthcare industry is again on track to lead in data breaches this year, according to the ID Theft Center.
Hegg said the trend is a byproduct of practices simply handling information like “it’s been handled for years.”
“The medical industry as a whole is the number one targeted industry because they’ve been operating a certain way for so many years, or they think they’re a small practice,” he said. “Once someone steals your identity, that can go on for years. It can become a huge headache for your entire life. You won’t be able to apply for a credit card, buy a house or do anything, because you’ll have to go through additional steps to prove your identity.”
Most practices, and many of CoreRecon’s customers, already have IT personnel on staff, but Martinez explained that oftentimes someone who handles computer hardware and software may not be adequately prepared to handle cyber security.
“Not to knock the IT industry down,” Martinez said. “I think they’re great at what they do. We’re not saying that all IT guys don’t do a sufficient job, because they do. I’ll break it down to you like this… there’s general dentistry and everyone has one. Those are your IT guys. Then there are oral surgeons, and there’s not that many of them because they specialize. That’s who we are. We’re the oral surgeons. We’re the security guys who know security.”