The HIPAA Journal has spoken with Jonathan Goldberger, Senior Vice President of Security Practice at TPx, a leading provider of managed IT services, unified communications-as-a-service (UCaaS), secure networks, and cybersecurity services, to find out more about his experiences as an MSP providing IT services to healthcare organizations.
Tell the readers about your career in the healthcare industry
My security career started with financial services. I worked on Wall Street for four years, and after I left, I got involved in risk management consulting. This was around 2000, when HIPAA started going into effect, and it was here that I started working with healthcare organizations to help them incorporate HIPAA controls, secure their networks and perimeters, and implement risk mitigation. From that point forward, I continued to work with security companies, helping healthcare organizations with the complexity of their IT and security infrastructure.
What was your first position?
I graduated from the University of Alabama and was offered a role working in the university’s mainframe center. It was where my passion for IT began, because it combined something that is very technical in nature with the ability to work with people. Since that time, I’ve held several different technical and leadership roles in the IT and cybersecurity space.
What is your current position?
I am currently the SVP of Security Practice at TPx, where I lead a team of technical resources who partner with companies in all industries to create a security framework that works for their organization. When it comes to cybersecurity, there is no one-size-fits-all approach. Companies need to customize their solutions to meet their specific needs, and every business is different. The healthcare industry has a very particular set of challenges they face daily, and there’s a wide range of compliance requirements that IT providers must know to be effective in the industry. It’s not just HIPAA either; now, state and local governments are passing their own data privacy laws that organizations must comply with on top of federal and industry regulations. Working for TPx, I’m in a unique position to shape technology and security solutions that will help healthcare organizations be strategic in solving the IT challenges they face, strengthening their cybersecurity, and complying with industry regulations.
Tell the readers about any significant event in your career.
During my career, I ran consulting for a very large security and network company, where I worked with a prominent nationwide healthcare organization that was implementing security controls and protections across its network. One of the solutions, Network Access Control (NAC), was implemented with the goal of ensuring no unauthorized devices could gain access and traverse the network. This was a way we could prevent any malicious traffic from getting on the network. I remember sitting down with the CISO and her saying, “You must capture all the medical devices; you can’t miss any of them. If a medical device can’t get on the network, it affects people’s lives. There is no room for error.” We have to make sure that we’re allowing the right devices on the network while still inhibiting malicious devices from gaining access. It was truly an eye-opening experience. In any other industry, having a false positive and not allowing a machine on the network may not have life-or-death consequences, but in healthcare, it does. If a machine can’t get on the network, there are significant repercussions that are much more than just financial. As a security professional, it made me realize the role we are playing in making sure that the IT is secure and optimized so that healthcare providers can focus on patient care.
Are you working on any interesting projects?
What makes my role so unique is that everything I work on is interesting because no two projects are the same. Every organization has a unique set of circumstances, and while we’re all working toward the same objective — keeping organizations and their data safe — how we get there is never the same. Take small and medium-sized healthcare organizations, for example. They often don’t have the capital to hire all these IT experts and security strategists, so the work we’re doing at TPx is vital. We’re able to address the unique IT challenges these organizations face and create more modernized solutions for them to achieve secure outcomes and compliance with evolving regulatory requirements.
What products/services do you provide for the healthcare industry and what is unique about them?
TPx offers a full suite of managed IT services, including internet, networking, cloud communications, and security. Our HIPAA-compliant solutions help healthcare providers improve the operations and security of their IT infrastructure. We also offer comprehensive Security Advisory Services that help hospitals, doctors, and mental health professionals understand their security vulnerabilities and identify gaps in their organization’s cybersecurity. The information gained from those services and assessments helps healthcare organizations define a security strategy and become defensible for the compliance that is required of them. It’s important that organizations are not only defensible but can also show their defensibility when needed. That’s why we offer a security program dashboard so that organizations can quickly and easily see the state of their security program, what security controls they have in place, and how they are meeting compliance requirements for HIPAA, Sarbanes-Oxley, and more in a single place. When an auditor comes in, organizations are at an advantage and can quickly show their defensibility through this dashboard. But beyond the technology, TPx acts as a partner for healthcare providers and provides “wellness checks” to ensure their IT infrastructure is healthy, networks are optimized, systems are secure, and compliance requirements are being met.
When did you first get involved with HIPAA compliance?
I first got involved in HIPAA compliance when it first came out. At that point in my career, I was working in risk management consulting and had been using industry best practices as a baseline for our consulting services. At the organization I worked for, we had a healthcare expert on staff who sat us down and really went through all the HIPAA requirements and how they translated to an organization’s IT needs. Her name was Mame Gordan, and she gave me the best advice I’ve ever received associated with compliance, which is that it’s hard to be 100% compliant. The goal of any compliance program should be defensibility. That’s really the goal of any security program or gap assessment: are you defensible to the regulations required of you? Because when an auditor comes in, they have an interpretation of what they see, which ultimately leads to their findings. Organizations should always focus on the outcome of being defensible, because that level of defensibility ultimately helps protect the organization and results in better audit outcomes.
What are your main challenges regarding HIPAA?
Too often, we see that organizations just want to check the box when it comes to HIPAA compliance, when really HIPAA should be one aspect of a security program. The real outcome is about protecting patient data and the healthcare organization through a comprehensive security program; a byproduct of that is being defensible to the various regulatory requirements, like HIPAA, that providers need to meet. Many organizations need to shift their thinking when it comes to HIPAA compliance. It needs to be less about checking the box and more about protecting data and being defensible. When you have a broad security program that encompasses security controls and protections, you can show your defensibility to the regulations of today but also the regulations of tomorrow. Regulatory requirements are constantly adapting and evolving, so having a strong security program in place ensures you may only have to tweak certain aspects versus doing a heavy lift to comply with new regulatory standards. Organizations should always focus on their program versus the specific controls of compliance; it ultimately puts you in a better position as regulations evolve.
Do you have any predictions for the future of HIPAA?
As cybersecurity threats continue to evolve, HIPAA regulations will evolve as well. There won’t be fewer requirements. This will really be the case for all regulations, not just HIPAA. Healthcare providers must adopt security programs that can continue to evolve and mature, because there will only be more regulatory requirements that organizations must meet. It’s not enough to say you have a policy or a program; you must prove that you’re actually doing it and have been doing it consistently. We’ve already seen that evolution in other regulations, like the Safeguards Rule. It’s now equally important to show that there is a security practitioner maintaining the program as it is to have the program in place.
Do you have any predictions for the future of healthcare regulation?
Healthcare regulation will also continue to evolve. I think we will see that the complexity of these regulations will only increase. Now, more and more states are driving their own data privacy and security requirements, so if you’re a healthcare provider that has citizens in different states, you will have a much more complex regulatory landscape. Predicting the requirements of these regulations might be difficult, but that doesn’t mean organizations can’t prepare for what’s to come. That’s why, when it comes to technology, they must put in place a security program that can grow and evolve as their company and the regulatory requirements evolve.
Do you have any predictions for the future of healthcare technology?
Healthcare technology is going to continue to evolve to provide greater efficiencies for healthcare organizations, from adding in automation as much as possible to continuing the evolution of virtual healthcare. Automation will also utilize more AI to make these organizations as cost-effective as possible. I think there is a very realistic scenario where we will call into a provider and have AI that is helping us deduce what the actual issue is and make recommendations without being an actual doctor. Technology will continue to evolve, but the security concerns won’t go away. Healthcare organizations must continue to prioritize their security programs and adapt them as new technologies emerge.
Do you have any predictions for the future of the healthcare industry?
Privacy and security are becoming a daily topic for so many healthcare professionals, especially with information existing in so many different places and technologies. All healthcare organizations will need to prioritize a comprehensive security program as they adopt new technologies and modernize to the cloud. And security and compliance are no longer just for large organizations. Every healthcare organization must make it a top priority to become defensible.
Do you have anything else interesting to share with readers?
Achieving compliance and maintaining cybersecurity doesn’t have to be an unattainable prospect. Companies need to look to the right partner: one who knows the landscape, who looks at compliance as a program versus an action, and who seeks to incorporate automation and orchestration in their solutions. Defensibility and strategic success are closer than companies realize.
You can contact and connect with Jonathan Goldberger via LinkedIn: https://www.linkedin.com/in/jonathangoldberger/
The post Interview: Jonathan Goldberger: SVP of Security Practice, TPx appeared first on HIPAA Journal.