HealthTech Security and Compliance, the Practitioner View

A conversation with George Michelson, a long-term executive of LifeWatch Services


George, can you tell us a bit about yourself?

I am an IT professional with over 25 years of experience spanning different industries. From 2008 to 2013 I served as vice president of IT for LifeWatch Services, a leading cardiac monitoring provider.

We’d like you to share with us some thoughts on healthcare security and compliance. For starters, is there a difference between security and compliance?

I don’t think you can say that one is more important than the other. Compliance is something you must do as a medical service provider. You have to comply with all regulations that apply in the market where you’re serving your patients, and that is not optional.
When it comes to security, security is one of the aspects of compliance. However, it is not just an aspect. It is something you must do if you want to protect your patients, if you want to protect your business and how you operate. In today’s world, not having proper security protection would not allow you to operate.

When we talk about security in today’s healthcare industry, what do you feel are the biggest gaps? What do people not do right?

The biggest gap comes from a lack of understanding of what you’re required to do as a provider of a service. Before you can say that you are compliant, you have to ask: what kind of service do I provide? What am I required to do from a compliance perspective? What kind of risk do I run as part of offering my service? Only after you do this assessment can you have a plan for what you’re supposed to do. I think in many cases people try to apply common sense to how they see their business operations, and as a result they don’t have full coverage of what they have to do for a specific business or a specific mode of operations.

Here at Wallarm, when we talk to our HealthTech customers, HIPAA regulations often come up. In your opinion, what do organizations have to do to reduce HIPAA risk?

HIPAA is about access to data and it is about data protection. One of the things I feel is very important is to have actionable notifications, something you can act on as a result of their operations. Any monitoring tool can provide you information, and there is a lot of information around you, but for the tooling to be useful it has to provide you with information you can act on and separate the important from the unimportant.

So, these customers who have to rely on personally identifiable information and are subject to HIPAA obviously cannot do everything at once. In your experience, what should be done first or emphasized?

I think there are two different areas they need to emphasize. First and foremost is something low-tech, and that is learning. It’s important that people who work for the organization understand what kind of repercussions their actions might have. They need to understand HIPAA as it’s applicable to their specific job. They have to remember that HIPAA is not just about unencrypted emails; it’s also about conversations they have on the phone while in the elevator. Information can leak in a variety of ways.
Second, there are many tools in every organization. I think it is very important to catalogue all the tools that are there, and you have to monitor any data or any change of information related to the tools you use. The industry is not stagnant. Information technology changes every day. You have to be on top of that, and if you see any changes that affect your service, you need to be able to act.

Very true. People are central to any process. You can have the best processes and the best tech, but if there is no learning and if the practices are not followed, you are not really secure.
Since we are in early June and GDPR just came into effect, regional differences and healthcare-related compliance regulations in Europe are on everybody’s mind. Can you comment on that?

Well, the latest changes in the regulations are nothing new. If you look at it historically, we’ve always had different rules across different regions. As a multinational that has to operate across different countries or different regulatory environments, you always have to stay compliant with the local rules. It’s not just the fact that HIPAA is US-based and some laws are European; oftentimes stricter regulations are related to the type of organization you’re working with.
For example, if you work with the Veterans Administration, you have a very specific set of rules that you have to follow that do not apply to any other organization.

It makes sense. So the differences are not just regional, but also related to vertical industries, government organizations and so forth.

So, these are the practices that we all have been following for the larger part of our careers. Can you make some predictions on how this environment might change over the next 5 years?

It’s a good question, but 5 years is probably a bit too long of a horizon. One of the things on my “hope it will happen” list is that telemedicine will finally take off. I really think that as telemedicine spreads out, it will extend medical services beyond what is possible today and make good health care available to the underserved populations who previously didn’t have access to it. In conjunction with that, I feel the Internet of Things (IoT) is very important.
Medical devices are getting smaller and becoming portable. A lot of things that five or six years ago required big machinery can today be accomplished with a portable sensor and a mobile phone, and these sensors are connected to the Internet and share information that can be analyzed continuously. Related to that, and extending the usefulness of this model, is data portability. I think patients will be able to bring their data with them no matter where they go. It won’t be sitting in some corporate EMR; it will be in the possession of the patient. They will be able to go to any provider they want, bring all their information with them, and get service of a quality that is not available today.

If you’d like to hear the interview first hand, it is available as a Wallarm Security Podcast episode here: buff.ly/2yst7qf
