“The biggest security breach in any company starts at the end user level.” Jack Smith, President & CEO of Initial IT
And we’re all about challenging the status quo here at Maverick’s Headquarters! Welcome to the Challenging The Way We Age podcast by the Mavericks of Senior Living. We are two innovators and entrepreneurs who have huge hearts and passion for our older adults. And we see all kinds of opportunities to improve today’s system and create hope for the way we age. We tackle hard topics with the goal of creating conversation and generating curiosity and ingenuity to solve these problems.
This episode is brought to you from Colorado Assisted Living Association’s Fall Conference 2019, where we spoke with Jack Smith, President and CEO of Initial IT.
Watch, listen, or read below to:
- Learn about the basics of cyber security in Assisted Living
- Understand where senior living stands relative to most business operations
- See how third party vendors can “cross contaminate” our cyber security
- Hear how you can have better cyber security today
Want to join the Maverick Movement? Have a story on how you or your team are fostering ingenuity? Share it with us and check out our other episodes to light your innovation fire. Don’t forget to subscribe for more great interviews.
Below is a transcript of the episode, modified for your reading pleasure. For more information on the people, sources and ideas in the episode, see the links at the bottom of this post.
Katherine: Hey, all you Mavericks. Welcome to our podcast. We are here with Jack Smith, President and CEO of Initial IT. Welcome to the podcast, Jack. Thanks for joining us today. We are at the Colorado Assisted Living Association conference. And Jack just came off stage speaking about cyber security. This is a topic that we don’t talk much about in the senior care world. And it’s a very, very important one. So, Jack, tell us a little bit about your presentation. What were some of the highlights that you talked about?
The Basics Of Cyber Security In Assisted Living
Jack: So our presentation really just focuses on the common sense of cyber security. A lot of the time in this day and age, how we operate, we’re quick to click without reading and slowing down and looking for things that don’t make sense.
Katherine: Too quick to click.
Jack: Yes, that’s exactly what it comes down to. So we really just focus on how you can slow down and what role the individual user plays in cyber security. So you don’t have to be an IT person, a member of the IT staff. We also talk about that, that you can’t defer to the IT staff. Right. We have an IT guy. He’ll take care of it. You play a role in it, right? The biggest security breach in any company starts at the end user level.
Katherine: Say more about that. The facility plays a role in it and the end user plays a role in it? So how does that breach take place?
“The way we look at it is that we all have responsibility in the scenario. The facilities have a responsibility to have the infrastructure in place, and policies for users, whether they are employees, residents or guests.” Jack Smith, President & CEO of Initial IT
Jack: The way we look at it is that we all have responsibility in the scenario. The facilities have a responsibility to have the infrastructure in place. We have to have firewalls. One of the big things is that we have to have policies for users, whether they are employees, residents or guests. And it has to be conveyed clearly to them that they play a role. They have a responsibility to not do things that they shouldn’t do on the Internet, and pay attention to what they are doing on the Internet.
Jack: Then the company, the infrastructure backs that effort up by you know, we’ve got things in place, for example, data backup. So we’ve got it in the cloud so that we create that air gap between our facility and the cloud so that if we get a ransomware attack here, we have an air gap. It can’t get to our data in the cloud. Okay. If we keep the data in the cloud safe, then we don’t have to pay the bitcoin ransom. We can just rebuild that device, download the data from the cloud and we’re up and running. So we talk about, you know, what’s your backup policy? And procedures and business continuity. And we also focus on making sure that the companies have a disaster recovery plan in place.
Are We Behind The Times?
Francis: Are assisted living communities behind in times with this data plan or cybersecurity in general?
Jack: I would say from what I’ve gathered talking to people here that they are. I saw a lot of raised eyebrows while we were talking because like we talked before, like a lot of people think that because a facility offers Wi-Fi, that it’s just you just put it out and everybody’s happy. Remember that at the end of every one of those Wi-Fi connections is a user, just like you are at home on your machine, just like you are in the office, on your machine, the same things can happen here that happen there. So if you have somebody who’s not as astute when it comes to computing with a wide open connection to the world through the Internet, somebody has to step in and make sure that bad things don’t happen.
Katherine: It’s about protecting the residents who are using it, and their guests. Because I do that. I go to my father’s assisted living and I connect to my work. And I am in the tech industry and I know better. But we do it because sometimes it’s convenient. I would echo what you just said about the fact that the industry is behind in this. I think that there are several things technology wise that the industry is behind. And we were on a panel, both Francis and I, at Denver Startup Week with some other assisted living and big box facilities and a couple tech people. And I asked the owner, operators and executive directors, do you guys feel like you’re 10 years behind, five years behind? And they all kind of went 15 years behind. It’s really an area of opportunity. And I think this is something Francis and I have a lot of passion about. People who are looking at getting into the aging services and looking at all the different ways that they can be in the aging services. It’s not just caregiving. This is a huge, huge opportunity.
Jack: I mean. Look at me. Look at you and obviously you. Yeah. Eventually we’re gonna be there and. We’ve grown up having Internet, having everything in our hand. Well, when I’m 75 and 80 years old I hope to still have faculties to do that. And I would hope that somebody is looking out for me in that respect. That the facility that I’m in has that taken care of. That I can do what I need to do and not have to worry about it because I spent my whole career worrying about it. I’m going to be the one guy who asks them. Hopefully we can change the standard by then and then it becomes very commonplace.
What About Third Party Vendors In Our Facilities?
Francis: I mean, hearing you talk. I just had all these thoughts running through my head. And the big one is we’re moving so much to electronic medical records, and accessing them on our phones, our handheld devices to enter tasks or data? And what if we’re not securing those?
Jack: We can have some pretty negative consequences occur from 3rd party staff using devices across different communities — cross contamination, if you will, like we were talking to a caregiver going from one facility to the other to the other to the other and having open connections on each of those Wi-Fi systems there in a coffee shop later. And they go on and it connects for some reason somehow because maybe they’re in the coffee shop right next door to the facility.
Jack: The other thing that people don’t fully understand in facilities is that your Wi-Fi signal goes as far as it wants to go. Now you’ve got potential breach because you’ve got somebody, an ex caregiver, employee of the facility who’s a little disgruntled sitting in the parking lot in the middle of the night, knows the password to the Wi-Fi, has plenty of signal strength, knows how to get into the system, knows that it’s unsecured. Goes in and does damage, drives off into the night. Nobody knows what happened the next day. So, you know, the concept of we just live in an environment, a world now where we all expect Wi-Fi. We expect that like we expect our phone to ring when it you know.
Jack: And the facilities have to really start to look at and then decide how can we not only protect the residents, but protect the facility? Because you’ve got HIPAA, you’ve got all these other things that that facility is liable for. In the presentation, we talk about the personal identifying information and PCI, if they’re doing any kind of transactional transactions, things like that all come into play.
Francis: It sounds like there’s a lot that with the progression of so much electronic data that we haven’t thought about securing that data almost.
Jack: Right. And when you transmit that data, you’re responsible for it. That’s like if back in the day when we had paper records and you were going to send it to another physician’s office or something. You’re responsible till it gets there. You know, it’s the same thing with electronic records. But storing them as well. That’s really the key thing.
Katherine: So it has to be encrypted at rest and in transit. And really you have to have these in place. But so many communities don’t know that. I’m thinking about something I find myself saying often. We have tools in the corporate world that we don’t have in senior care. You would never have an unsecure Wi-Fi in a corporate office. It just wouldn’t happen. If an employee leaves, you would change the passwords to the Wi-Fi and remove access to all the systems they have access to. You have someone looking out for that. The communities that we’re talking about, they really don’t have that IT infrastructure to that level yet. And it’s really important that they get there. So what would you say to them? What is the very first thing that they should be looking at?
How Can We Improve Our Cyber Security?
Jack: I think the first thing that they need to look at is internally. They need to look at themselves, their own internal policies, procedures, things like that. If they’ve even sat down to map those out. So it starts from within. They need to get an IT professional to sit down and understand how they’re operating and then have the deep conversation that this is probably not the best way for you to operate. Here is the best way or a good way for you to operate. And then it kind of grows from there. It grows from inside to the outside. Down the hall to the residents. And we have to put something on the residents. Like whether it’s a piece of paper in the residence packet that says we’re providing this for you. This is the intention of this. We’re going to put some responsibility on you to act correctly. Now, to go hand-in-hand with that facility has to give services, have services available for the residents. Here’s the problem, if a resident clicks on a suspicious e-mail, they don’t have anybody to ask. They don’t have an IT person in the facility to come down and say, yeah. Don’t click on that. So I think the facility, it all really falls to them where they have to figure out, OK, if we’re going to provide this level technology, we have to find a way that it is. Whether that’s an internal IT person or an external outsourced IT person so that we can make sure we’re doing what we’re doing. Because their focus should be care. Their focus should be the facility.
Katherine: And they should not try to do IT unless they know IT and are certified in some manner and that they have the ability to have that infrastructure and the support on site. Or at least a phone call away. And that’s where I say, given my background in software and in the technology world, I say that’s the easiest thing for them to outsource. They don’t need to have it in-house. But it’s something that they definitely need to have in place. I’m even sitting here as you’re talking thinking about all the kids, the grandkids who come in. They have their devices and they’re playing on them.
Jack: And who knows what they’re clicking or they hop on grandma’s laptop that’s sitting there connected to the facility Wi-Fi. So I really feel the onus falls on the facility to go so far as to the end user’s endpoint and say we’re going to provide antivirus for you. So that we know that when your grandson gets on it, we’ve done everything we can to protect really the facility that’s in the residents.
Katherine: And it can be as basic even as a starting point as change your passwords often.
Jack: Yeah. That the Wi-Fi can be set up to prompt the user every 30 days. The new policies and I look at it as it’s no different than a corporate environment.
Francis: Yeah, well that’s I think that mindset is that there’s this always a stigma within living of are we going to be more hospitality based or we’re gonna be more corporate based or we’re going to be more care based. And I think what that hospitality element, it’s so much about the service that we’re just giving the Wi-Fi. Give them this. Give them that. We’ve got to have it. It’s kind of an afterthought.
Katherine: Right! And when you travel in the corporate world, we travel a lot and we go to a hotel and we check in and we have the Wi-Fi here. Most business people that I know have a VPN. What’s your recommendation for that? Is there a way to bring what we do when we travel to hotels into assisted living?
Jack: We talk about that in the presentation as well. Coffee shops, hotels, airports, things like that. Be cognizant that the person that you’re sitting next to in a coffee shop may not be there doing anything other than trying to get onto your machine. It looks like they’re working, but they’re actually waiting for unsuspecting people to sit down and get on.
Katherine: I like what you said at the very beginning. Don’t be too quick to click. So it never hurt anyone to not click for 30 minutes while you look at it. And I have fallen prey. I have definitely fallen for it and clicked on something suspicious. And I had a weird feeling in my stomach. So what I will say for the women out there, because most of us will have this experience, if you have a weird feeling, don’t click it just yet. Hang tight. Just don’t do it. Think about it. Think why? Why is that? Why do I have this weird feeling? Because there might be something there.
Jack: We know that the kind of our tagline is the human side of IT. I’m kind of the anti-IT guy because I love it. I love technology, but I don’t necessarily love where we’re headed with it, meaning that we are giving ourselves up too easily. And we need to take some of that back. I said earlier, you know, it’s time to get your brain back, try to stop relying on auto dial, stop relying on cache, the information for browsers, because even though we all love when we hit the bank site and it knows who we are and it logs us in, it gives us that warm, fuzzy and also gives the hackers and so forth the warm fuzzy, too, because you can get to your machine and there you have.
So we need to be careful with that. We need to take our brains back. We need to take our information back and control it instead of it controlling us.
Francis: Yeah. That’s good. So a couple of things before we end. How did you get in IT? How did you get into, almost, this health care, right?
Jack: Yes. So the interesting thing is my background is mechanical plumbing, engineering. But when I went to college, it was when CAD computer aided design was just starting. And we used to do it on monochromatic monitors. And it was like you had to know what you’re doing. I’ve witnessed a lot of this technology emerge and that sort of thing. And so I was in engineering and I became the de facto IT guy in my office who, you know, the server died. What do we do? I guess I’ll figure it out. So I figured it out. And then ultimately, I was presented with an offer to go into IT for health care. And it’s always interested me in a way because of the things we’re talking about. I remember when we had a doctor’s client and HIPAA was coming and he was just adamant against it. And I understood why. We’ve seen the emergence of wireless. We’ve seen the emergence of cell. Of what you can do over cell data and over cell signal now is nothing. I remember when we had the flip phones and we were texted by just pushing buttons. It’s archaic. So having witnessed all of that, I feel like my company has a better purpose now of just trying to educate people and to try to bring the human side back in the IT of let’s slow down and not get consumed by the technology that we love and has made life a better place.
Francis: I have a love hate relationship with technology and tech because I’m not stuck in the office. I hate it because I feel like I’m constantly content, constantly connected to things. It’s a constant.
Katherine: And I think you’re not alone. I think that’s a whole other podcast that we can talk about. I’m the outlier here. I absolutely love technology. I’m a gadget girl. I love everything it can do.
Jack: But in moderation.
Francis: Yeah. Like chocolate. (laughing)
Katherine: I don’t even know what you mean by that. Don’t you speak such words! (laughing)
Katherine: So I think that there’s opportunity here, really. And that’s where we need help. So our listeners are everything from family members to assisted living executive director. And hopefully to the corporate level as well. And so what would you want to say to each of them?
Jack: Well, again, I think that everybody plays a role. Everybody has to play a role in cybersecurity and protecting your own information as well as your loved one’s information, you know. And I think that, too, we have a line in the presentation to be naïve is to be vulnerable, and to be vulnerable is dangerous.
Francis: How do they find you? Your company? How can they get a hold if they want to dive deeper into this?
Jack: Our Web site is InitialIT.net. You can also reach out to us. My e-mail is email@example.com. And our phone number is 303-893-4350.
Francis: And we’ll leave those show notes. You’re doing great work. I can tell you from senior living, I’ve been doing it 10 years now, it’s an afterthought. Cybersecurity right now is an afterthought for a lot of health care.
Katherine: We, as family, come in and we use the WiFi and we don’t even think twice about it. So, yeah, you’re right. It’s everybody’s responsibility. And this is a huge area of opportunity. So if there are any students out there, any people looking at getting into the aging services and you have a technology background or interest, this is a fabulous area to get into.
Jack: Yes. Good. Give us a call. We would love to have an intern. We’d love to have a recent college graduate who has an interest in this because there’s so much we could do. We can reach out to maybe do some connecting at Metro State.
Francis: Thank you so much, Jack. We appreciate your time. I enjoyed it. Have a great day.
Announcer: Thanks for listening. The Mavericks want to hear from you. Leave us your comments, questions and ideas for future podcasts.
Mavericks of Senior Living is sponsored by Serenity App, Inc. and Assured Assisted Living. This episode was produced by Katherine Wells and Francis LeGasse. You can subscribe to Mavericks for Senior Living on Apple Podcasts, Google Play or Stitcher. You can also find us on Twitter, Facebook, or via email at challenges@mavericksofseniorliving.
Here’s where you can learn more about the people and ideas in this episode: