Part V: The Pursuit of Humane Technology in Health Care

Enabling Better Health Care & Senior Care Outcomes with Technology

This series focuses on how the health care and senior care industries are enabling more autonomous living opportunities for all ages while improving and expanding care in the face of the exponential growth of the senior population. These industries face labor shortages and a strain on existing systems that must evolve and scale while meeting information security and privacy requirements.

Show Highlights

In the fifth episode of this series, Matthew D Edwards and Brent Willett, President of the Iowa Health Care Association, discuss opportunities for humane technology to improve care and increase interaction with caregivers and family for patients in long-term care.

Key Takeaways

  • How patient vitals collected in electronic charts can be mined for predictive diagnostic care and planning, and how COVID-19 has created urgency for this technology to improve care and get ahead of the spread of infectious diseases.
  • How wearables can protect patients from a security standpoint but also improve their quality of life and care by providing real-time insights on their vitals.
  • Monitoring devices that educate, remind, and confirm health care programs can be a game-changer for long-term care patients to remain in their homes.
  • Identifying activities, such as sorting medication, that technology can take over to give caregivers and nurses more 1:1 time with patients.
  • Providing more dignity in the dying process by using technology to connect patients to loved ones and reconnect them to their past.
  • How the roles of chief information security officers and privacy officers are evolving in order for the organizations to remain compliant as new technology is adopted.

About Our Guest

Brent Willett is President & CEO of the Iowa Health Care Association (IHCA). IHCA’s more than 1,000 member organizations span the continuum of long-term services and supports health care in Iowa. In his role, Willett is responsible to the IHCA Board of Directors for overseeing the strategic vision for IHCA and the Iowa Health Political Action Committee.

IHCA and its affiliates and divisions, the Iowa Center for Assisted Living, Iowa Center for Home Care, Iowa Center for Post-Acute and Long-Term Care, Extended Care Services of Iowa, and the Iowa Health Care Foundation, serve the long-term services and supports profession as a nonprofit trade association.

Read the Transcript

00:05 Matthew D Edwards: Welcome to The Long Way Around the Barn, where we discuss many of today’s technology adoption and transformation challenges and explore varied ways to get to your desired outcomes. There’s usually more than one way to achieve your goals. Sometimes the path is simple; sometimes the path is long, expensive, complicated and/or painful. In this podcast, we explore options and recommended courses of action to get you to where you’re going now.

00:36 Announcer: The Long Way Around the Barn is brought to you by Trility Consulting. For those wanting to defend or extend their market share, Trility simplifies, automates and secures your world, your way. Learn how you can experience reliable delivery results at

00:58 Matthew D Edwards: This episode continues a series focused on how technology can improve the lives of our aging population and those in our population who require long-term care. In particular, we focus on the use of monitoring and remote monitoring technology solutions using the Internet of Things or connected things technologies, while also ensuring purposeful, comprehensive privacy and information security practices along the way. Brent, welcome to the show. Thank you for being with us today. So Brent, you are the President and CEO of the Iowa Health Care Association, and we’re here to learn from you. That’s the summary. So thank you for being with us today. What we’d like you to do is start off by teaching us about your organization, your product services, where you’ve been, where you’re heading, teach us, and I know there’s a whole lot to that, but you probably have a practiced… A message that you could pass along just to teach us about your house and your vision, your future, please and thank you, sir.

02:01 Brent Willett: Matthew, thank you for the opportunity to come on and talk with you. I’m privileged to help lead an organization called the Iowa Health Care Association, and what we are is an association of healthcare providers that work in the long-term care healthcare space. That means we’re providers of skilled nursing care, assisted living care, home care, so folks receiving healthcare in their home, as well as a number of other constituency groups which participate in that sector. We tend to call it post-acute care, so really anything that happens after the hospital. The hospital and the docs take care of you when you are acutely ill and need immediate service; we’re there to support your typically longer journey, hopefully back to health, but also in situations that lead to compassionate end-of-life care. And so our association is fairly broad in that sense; we’re the only association in the country that represents what we call the full continuum of care.

03:13 Brent Willett: Meaning starting in the home, receiving medical care in your home from dedicated nurses and physicians through a potential next step being in an assisted living environment where you may need some assistance with activities of daily living, maybe some assistance with your medication, maybe some assistance with shopping, maybe some assistance with getting around and socializing with others, and then into skilled nursing care, which is a more medically intensive model where folks need medical care on a regularly routine basis. And so we operate in all 99 counties here in Iowa and about 254 cities and towns, and we are a state affiliate of the American Health Care Association, which is a national group, which does a lot of what I just described.

04:05 Matthew D Edwards: You, having been involved in all of these different areas of the healthcare industry, all of these different facets and segments, you’re probably aware of all different types of operational challenges that people have, a lot of forward-thinking companies are trying to create new technology solutions to be used in senior care, long-term living solutions organizations, so remote monitoring, geo-fencing, predictive analytics, wearables, medication management, so forth, you’ve probably heard all of these things and are probably doing… Many of them are heading there in some way, shape or form, are there types of technologies or innovations that are actually exciting to you today, where you’re like, Hey, that is something we wanna go explore, that’s something we need to be doing yesterday… Teach us about that.

04:56 Brent Willett: Yeah, no question, Matthew. Probably 10, 15 years ago when we were talking about innovation, technology innovations for long-term care, we were talking about how do we install ramps on to people’s homes so they can get in and out of those homes if they’re in a rehabilitation situation and maybe on crutches or a wheelchair. Things are obviously quite a bit different, a lot more exciting now in terms of using technology to enable a better experience for folks that are going through some of the most difficult times in their life. They need long-term care. A couple of things, areas that I know my members and as a result, we are very interested in and we think holds a lot of promise, and I think we’re gonna hear a lot more about in the coming years.

05:36 Brent Willett: One of those is very top of mind, I think for everyone right now with respect to what’s going on with the COVID-19 situation. What we sort of call diagnostic analytics is something that clearly has a huge future here, and what I’m talking about when I say diagnostic analytics, I’m talking about moving from a model, even in some of the most sophisticated healthcare environments that we know today, which is collecting what we call vitals or medical information about a patient. We’re recording that now probably in an electronic chart at least, but in a lot of cases, we’re not mining that data to understand particularly well what might be happening in the future with that patient, or more importantly, what might be happening from an infectious disease standpoint for that community or for that facility itself. And so obviously the COVID-19 situation has brought that home in terms of how can we anticipate, how can we get ahead and identify markers which are leading us to an expectation that we are facing an enhanced risk of the spread, for example, of a disease.

06:45 Brent Willett: And so there’s a ton of work being done on that right now. Epic Systems is a company that’s doing a lot of that work nationally and internationally, but a lot of players in there, and really we’ve taken the first step, meaning that we moved everything into electronic health records by now, but now it’s how do we actually leverage that data to tell us what’s going on in a way that human beings just can’t do from a processing standpoint. So I think that’s really exciting. Another one I’ll mention, and then kick this back to you, wearables is kind of a niche term, and I’m the furthest thing from a technology person. Forgive my layman’s terms, but in a long-term care situation, particularly for someone who lives in a nursing home facility, in many cases, 30, 40, 50% of the folks who live in a nursing home have some level of cognitive decline, whether that is a diagnosis of Alzheimer’s disease, another dementia diagnosis. And unfortunately, for a lot of reasons we don’t have time to talk about today, folks today are being diagnosed and developing symptoms of cognitive decline much earlier in life, meaning that we have folks that are entering nursing facilities a lot earlier, in their 40s, in their 50s, which really breaks your heart.

07:58 Brent Willett: But they’re gonna be living there for a long time, and one of the primary things that happens with someone with cognitive decline, is they begin to wander, they don’t know exactly where they are all the time, and so if we can enable, for example, them with a wearable… So that not only do we know where they are in a facility, but in a worst case situation, if they were to get to a point where they’re outside the facility without supervision, or if they were on a visit with another supervisor or a family member who doesn’t do a great job of keeping track of them, we can not only track them down, obviously, that’s really, really important, but we can understand what’s going on with their vitals at that moment, and we think that that’s exciting not only just protect them from a security standpoint, but to improve their quality of life, because it probably means that they can have more visits, they can probably spend more time with loved ones outside the facility, as long as we can have a good handle in real time on what their medical vital signs are doing.

08:54 Matthew D Edwards: So the wearables, that has a lot of possibilities for you, do you see that that could also apply for in-home care solution or are you thinking on-prem stuff primarily? What’s your thought on that?

09:07 Brent Willett: Absolutely. In an in-home situation, I’d expand that even from a wearables standpoint for in-home because… where I think maybe perhaps where you’re going from an in-home standpoint is, can we make sure that these folks are equipped with something that’s not invasive, but something can give us a really good handle on what their medical condition is in a dashboard situation. I’d also say one of the primary obstacles to being able to stay at home, which is where we want everybody to be as long as you can receive care at home… That’s where we want you to be. That’s where you wanna be. That’s where I wanna be, that’s where I want my family to be. If they need that kind of care, one of the primary obstacles is medication taking, so folks that have complex medical conditions typically have fairly complex medication regimens, and they can be very confusing, and they can vary in application the way to take these medications, those kinds of things now, if we can develop a program which not only educates that individual on how to take their medication, when to take it, but monitors that they’re doing it correctly, is a game changer for folks to be able to stay at home.

10:11 Brent Willett: And it just caught my eye, I have no idea if this has actual applicability, but I saw the announcement maybe last week, maybe a couple of weeks ago, Amazon has its in-home Echo product that looks like at certain times it can actually exit the stand that it sits on and fly over to an area of the home and record something. That’s the kind of thing that I can see being used in combination with a number of other things to actually physically record to ensure that person has taken that medication at the right time and enable… Less visits from a nurse or a doctor, enable them to stay at home.

10:47 Matthew D Edwards: Those are examples of how you could possibly influence the lives of our aging population, or those people who are post-acute care, they require some attention and need… How do you think technology or how do you anticipate or what are you excited about as it relates to how technology could actually change the lives of healthcare workers, the people who are providing the services, loving these people, where they are enabling them to get their jobs done well, what are your thoughts on that?

11:16 Brent Willett: Absolutely, I think we all look to technology in terms of how can technology serve us, serve humanity, serve the folks that we’re caring for in a way so that we can maximize our time. And we want caretakers that work in long-term care and healthcare in general to maximize their time by taking care of people, and so if we can ask technology and develop technology to take care of a number of the tasks that are non-care-centered, that means more time for direct care for those residents. For example, things like sorting medication, that’s very, very time-intensive, and right now, from a regulatory standpoint, really, really requires human beings to be involved in. I could see that going away with the right kind of technology and making sure those nurses are spending time actually helping that individual take that medication or care for them at the bedside, and those kinds of things, and the other thing from a caregiver’s, and that’s what… By the way, that’s what caregivers wanna do, that’s why they’re in the space. These folks are not in long-term care for the money or the hours; they’re in it ’cause they’re a very, very special type of person who is a caregiver in their heart, and that’s what they wanna be doing.

12:33 Brent Willett: And again, when we… It’s very difficult to put anything through a prism that doesn’t involve the current state of the world right now, we need to do, we need to develop technology to protect our healthcare workers in a better way. We’ve had 57 individuals who work in long-term care in Iowa die of COVID-19 since February. That’s certainly 57 too many. And those are folks that were doing their job, they were exposed to the virus and ultimately succumbed to it. Many, many more have developed symptoms. How can we look to technology, again, going back to predictive diagnostics and some of those other things to keep healthcare workers safer, not only so that they can be on the job because we have a serious healthcare worker shortage, but their job can be more fulfilling, more dignified and doing more of what they were there to do in the first place.

13:21 Matthew D Edwards: That’s outstanding. And when you talked about the analytics predictive conversation, is that something that your organization is explicitly pursuing and doing and implementing, is that something that… Do you anticipate all of the different facets of the world that you’re living in, the organization that you’re leading, would be leveraging predictive analytics? The dependency of course is EMR, as you mentioned, but then the dependency after that is ongoing data collection as well. That’s some place you wanna be, it sounds like.

13:53 Brent Willett: We are pursuing it, absolutely where we wanna be, and we’re working with a number of partners to figure out how this looks in terms of a product category for our members to take advantage of. One of the challenges and opportunities simultaneously with this kind of thing is what pipe does all this data come from? Iowa is a state where about 90% of nursing homes use one particular product for their Electronic Health Records; it’s a company called PointClickCare, great company. And so we’re interested in products obviously that can interface with that particular system, so in some ways, little associations like us, we’re somewhat dependent on these folks figuring out how the handshake works, but we’re working to prepare the ground for our members for the eventuality of this kind of thing rolling out, I’d say in the next six to 12 months. And I really think it’s gonna be a game changer, and it’s a perfect role for an association because our members are fighting a fire right now, they don’t have time to think about the future, and we’re working to do that for them.

15:07 Matthew D Edwards: So one of the things you mentioned earlier too was the number of healthcare workers that have passed away since earlier this year, due to the pandemic experience that we’ve been going through all of us, so a more difficult conversation maybe contextual to that is Dying with Dignity and my original thought on that conversation was, as a customer, client patient, does someone that your organizations are taking care of, and it hadn’t occurred to me to also discuss the healthcare worker themselves. Do you see… How do you see technology helping enable… That’s a tough conversation, but how do you see technology enabling people to die with dignity better tomorrow than we’re able to enable today.

15:52 Brent Willett: How do we help people pass through the other side in the most dignified way? And I think that if we suggested that technology has no role in that, that we don’t have our eyes open… One of the things that our hospice caretakers, our hospice nurses tell, and by the way, you wanna meet the most incredible people in the world, talk to a hospice caretaker. These people are incredible. One of the things that they tell us routinely is that folks that are… What they would say, actively dying, so folks that are dying is a process, it’s a biological process, for some people it happens more quickly than others, but it’s a process… One of the things that people that are actively dying tend to do is if they’re able to, they have the physical strength to do, they will hang on until they get what our hospice care takers would say, until they get permission or until they get the okay from the loved ones that they care about the most, to pass on and to, and no one knows exactly how this works cognitively, but to make the decision to let go, and that’s very, very difficult in an interconnected world where family members and loved ones more and more live farther away, are less able to be present physically, and so I’m not talking about a Zoom meeting to family members, but I think there’s some amazing things that could be done to…

17:20 Brent Willett: I mentioned 50% of the folks that are dying probably have some level of cognitive decline and they have memory issues, how can we… How can we help them reconnect with their past as they’re moving through the dying process, how can we create an experience for them that’s human and real, but also enabled by technology to leverage those tools to remind them of their past, I don’t know exactly how that looks… But I think that certainly… We never wanna get away from a day where an individual is surrounded by loved ones as they’re dying, but unfortunately that doesn’t happen for everyone. For lots of reasons. And so how can we probably address the folks who are having the most lonely dying experience, a little bit less lonely. I think that’s a good place to start.

18:11 Matthew D Edwards: So I suppose it may make more sense for me to say that technology is not a solution, and that you’re looking for to replace a human connection, the human care, the humanity part of this, but rather the technology that you’re interested in enables the humanity… It enables us to be more human with each other, enables us to focus on more of the contact, more of the experience, more of the journey, so not a replacement of people in order to provide care and not an automation of things in the care, but rather to enable more opportunities for humanity, which probably then leads to more dignity on the journey.

18:54 Brent Willett: That’s right. I think the tech now… I mean, this is a somewhat existential topic, but I think technology is with us and designed to serve us if we do this correctly, and we should ask and design technology to do the things that have the lowest level of human utility for us. Delegate those tasks to technology solutions so that we can spend more time being humans with each other, and I think that a long-term care, healthcare situation is a perfect example of the kind of benefit that technology can produce because it would allow people, caregivers to be closer to the folks that they’re giving care and less of those… As you said, less of those, more automated tasks.

19:46 Matthew D Edwards: It’s an interesting conversation to have, and we don’t need to get lost on the existential part of what I agree with you. It’s easy to create technology and it’s easy to tell or communicate, “Hey, this technology exists, therefore, it’s useful,” but it’s a really hard conversation that people often… That may be lost in excitement sometimes when people say, “Ah, this is interesting technology, but what’s it good for.” And those are hard conversations. So just because technology exists doesn’t mean it’s useful, and just because someone has created it and tried to sell it to you, doesn’t mean it’s actually going to solve a problem for you. As it relates to your company and the industry itself in context of adoption readiness, the pandemic certainly has changed people’s perspectives on adopting technology solutions, how do we rethink companies, how do we rethink operations? Do you think that long-care industry… How does the long-care, I guess how does the industry itself even find out about new technology opportunities that, are you guys constantly forced to invent, are you so busy that you don’t often get to see some of the newest ideas and figure out how they might be applicable? How does it actually work for you on a regular basis? How do you even find out that something’s out there that might be useful?

21:06 Brent Willett: I’ll be honest with you, long-term care for many years has been, I think, at the back of the bus when it comes to technology adoption. I think there’s a lot of reasons for that, one of the reasons in a state like Iowa, where we have about 300 nursing homes that are independently owned and managed, which means that it’s a single facility in a very rural area in most cases, it was built by a collection of community members who had the wherewithal to build a nursing home. And they don’t have a lot of connective tissue to the greater sort of healthcare system, with the exception of the association. So we do see the association as a linchpin and as sort of a mesh to pass these opportunities through, and so we have invested in the last few years at our association in solutions to bring and do a better job of really vetting vendor and technology opportunities that are presented to members and be the vetting mechanism and then pass that on based on our findings.

22:09 Brent Willett: That has taken a pronounced new role for us in the last six, seven months because of the shortage, for example, of personal protective equipment, which you wouldn’t particularly consider to be technologically advanced, but when you have hundreds of thousands of new vendors coming online claiming to have a line on this critical equipment, we’ve seen a role for the association to vet that out and make sure who’s who and who is relevant. I would say that with increased… Look, there are certainly downsides to increased consolidation in any sector, one of the benefits as more of the long-term care facilities become connected in families of companies is that, there’s a little bit more weight, there’s a little bit more technology-focus at a corporate level that’s being pushed down to those local facilities, but it’s still really hard in a state like Iowa with a lot of small places that are… If they’re not relying on the association, they’re just reading about it on the internet.

23:13 Matthew D Edwards: So to some extent, that puts you in the position, you and your organization’s position where somebody has to be looking for and paying attention to on purpose, you may even have someone who… And that could be you on your sleepless nights maybe, or there may be other people in your organization, they have to think about how to invent or innovate on purpose on a regular basis, is that… That’s pretty much what you’re saying, I think is, this has to be done on purpose, it can’t be accidental.

23:42 Brent Willett: Absolutely. It’s a healthcare setting because it’s long-term post-acute care, it means everybody typically has a fairly complex medical condition, and so everything has to be done, as you say on purpose, and it can’t be particularly experimental because, not only because we don’t want to experiment with folks’ medical conditions, we haven’t talked a lot about this, it’s a fairly dry topic, but the regulatory environment around healthcare has the potential to be a net positive for technology integration in the long-term care, but it also has the potential to be a huge barrier, and so navigating those waters is another challenge.

24:28 Matthew D Edwards: So, historically, and for good reason, to your point, the long-term care industry has been pretty conservative on adopting new technologies, new ideas, not because they’re opposed to new ideas, but rather, hey, first and foremost, we’re talking about people’s lives, and second then, that probably suggests that your adoption curve is long on purpose, am I characterizing that correctly?

24:57 Brent Willett: Yes, I think you hit it spot on.

25:00 Matthew D Edwards: But you do have to go find out new ideas on purpose, you do have to innovate, invent or otherwise explore and test on purpose, but it’s in a moderated pace because people are first and technology is supposed to enable. That makes sense to me. So, different question for you is, in organizations since the technology is changing, the need is changing, the desire to enable and equip healthcare staff continues to evolve, the needs of people you’ve mentioned even with different forms of dementia has changed, the profile’s changed, everything is changing all of the time in these organizations, that suggests then that your risk exposure risk profile is changing in terms of what data you collect, how much of the data you collect, how is it being handled, how is it being shared? And one of the things you mentioned earlier too, was that, for example, in the system PointClickCare, one of the things that is a positive is if you’re able to take additions or modifications to your operating environment and it integrates with PointClickCare.

26:07 Matthew D Edwards: So your profile, your operational profile is continuing to change as we would all hope it would be, and it would be evolving as we would all hope it would be. Are you finding that organizations need to hire things like Chief Information Security Officers, Privacy Officers, have they already existed, or do you see this changing now where there’s a more data privacy confidentiality focus in the org and somebody’s hired for it?

26:32 Brent Willett: Yeah, I think that for a long time, organizations have had privacy security folks, and those are typically folks that are in compliance work because of the dictates of HIPAA, so the Health Privacy Act that we’re all under, highly complex and really drive most decisions as it relates to technology integration and privacy protections. So folks have been in that space for a long time. I think that some of the larger companies that are perhaps a little bit more forward-facing, you are starting to see Chief Information Officers, you’re seeing Chief Security Officers who are in that C-suite level participating at the same level as an operations financial type of person, but it’s been slow. I think there’s still a lot of smaller businesses, smaller companies that are trying to do this with the existing staff that they have. I think that we probably run the risk, not only of an increasingly complex regulatory environment that’s hard to comply with, unless you really pay attention to things, but also missing out on some opportunities.

27:46 Matthew D Edwards: Yeah, agree, the profile changes a little bit, and to be a regulatory compliance-focused individual is of course required and spectacular, so where is my organization in relation to where it should be according to this standard, this expectation. When you start adding more and more of the technology in there, that forces the compliance person to first acknowledge, but then second to either become savvy in what’s actually going on in the technology side, and/or you may have to consider when you need to hire an additional or different technology experienced person. ‘Cause it does change a little bit. There is a technical regulatory compliance conversation as well as a general operational, and I’m curious if you’ve been seeing that or how you anticipate that happening in the future. The two seem to be the same, but they’re actually not… What are your thoughts on that?

28:44 Brent Willett: I totally agree they’re not the same at all. They’re equally important, but compliance is about complying with the now and complying with what exists, and it’s purely a risk management endeavor. When we’re looking for folks to enhance the technological profile of a facility or of a company, we’re naturally asking them to reach forward and they have to collaborate with those folks in compliance and regulatory, but we always… Even around here, we’ve got great compliance people at our association, we’ve got attorneys, lawyers are gonna lawyer, regulators are gonna regulate, and innovators are gonna innovate. This is not the same thing.

29:27 Matthew D Edwards: There’s a lot, you have a lot of fun things to work on and evolve and improve and enable and equip and a lot of organizations, you’ve mentioned a couple of times, a small organization like yours, but you led this conversation by talking about the breadth of the responsibility, which pretty much spans the entire State of Iowa at multiple levels of healthcare as well, so I’m sure that there’s an amazing reason why you say a small organization that could just be humility, but it doesn’t sound small to me, it sounds pretty darn important and it sounds huge. So I’m curious, how could technology companies approach you or come alongside you to add value, in other words, if somebody shows up and says, Hey, I have this idea, what do you view as a good interaction, what do you view as a poor interaction, and they just shouldn’t show up?

30:24 Brent Willett: A poor interaction is, Here’s a product I developed. Would you like to sell it to your members? The sector is far too… It’s very cliche, but no provider is the same, has the same needs, so that’s a poor interaction, we’re probably not gonna be very… We’re not gonna do a lot of work together. A good interaction is, we’re aware of this opportunity or this challenge in the sector, and again, I’ll go back to predictive diagnostic analytics, we’re aware of this opportunity, tell us what your members are telling you and let us work on something and bring it back to you. Not because we’re some kind of kingmaker, we’re the farthest from it; our members are voluntary, they can be members of ours, they can listen to us if they want. Sometimes they do, sometimes they don’t. But from a technology standpoint, and I think Matthew you… And I appreciate your approach to this, or your philosophy on this, is that just because something exists doesn’t mean it’s good, and we’ve made that mistake here at the association just operationally here, and we’ve invested in technology that was a waste of time and money. And so it’s very difficult to find the interface between technology and healthcare right now.

31:39 Brent Willett: That’s absolutely changing. I spent this, I took a few minutes this morning, I voted for the top 100 most influential people in healthcare by a publication called Modern Healthcare, which is like an industry publication. You know, some of the people that are on that list. Jeff Bezos, the head of healthcare at Google, Warren Buffett… Names you wouldn’t typically run into in a list like that, and so it was telling to me when I saw those… So it’s changing, but finding somebody who’s willing to say, Look, I know technology, but I don’t know healthcare, or I know healthcare, but I don’t know technology. Those are the people that I think can actually get work done. If you’re pretty dyed in the wool, it’s probably not gonna work.

32:22 Matthew D Edwards: Are there any things that I haven’t asked you that you think is important to talk about or you wanna augment or revisit anything and particularly that we’ve talked about so far?

32:32 Brent Willett: I guess the only thing I would add because it surprises so many people when you don’t think about long-term care until you need it… Right, I get that. Why would you… Everybody’s busy, everybody’s got lives, when you need it is when you need it, or when a family member needs it, and the thing that we run into a lot with families is how shocked they are at how complex the environment is, how dynamic long-term care can be have the number of choices like building a house, or it ends up being 100,000 more choices than you thought from door knobs to floor tiles. And so doing what you can to begin as soon as you sort of have the feeling, if you have parents that are just starting to get older, I have parents that are starting to get older, start thinking about the kinds of decisions you’re gonna need to make as a family and getting yourself ready because it’s a very, very complex… We can innovate ourselves into oblivion, but it’s still gonna be a very complex and very difficult decision matrix for families, and so beginning to educate yourself about the sector is something I would advise, certainly not everybody in the world to do, because I’m realistic and everybody has lives to live but if you have a reason to, it’s gonna be more complicated, more challenging and more expensive than you expected, and there’s a lot of resources out there to educate yourself. I just encourage people to do that.

34:00 Matthew D Edwards: If people wanted to learn more about you, your organization and the services that you provide, where would they go?

34:06 Brent Willett: They can just go to We’re an open book over there, everything about us, and a lot more for members as well, but that’s a great way to start.

34:18 Matthew D Edwards: Brent, thank you for your time. This has been an outstanding teaching conversation, I very much appreciate it.

34:24 Brent Willett: Had a blast, Matthew, thanks for having me on.


Part IV: Enabling Home Care Services with Technology

Show Highlights

In the fourth episode of this series, Matthew D Edwards and Mark Goetz, President of The HomeCare Advocacy Network, discuss how technology plays a role in empowering seniors to age in their homes.

Key Takeaways

  • For successful outcomes overall, companies must include training and education for everyone involved – from the caregivers and families to the seniors themselves.
  • The next big disruption or evolution is to establish more interconnections and connections to the actual care through a “virtual private network” for the family – from fall risk technology to a comprehensive communication suite.
  • In recent years, home care technology has developed due to a competitive marketplace, and COVID-19 has sped up new purchasing by senior living providers missing communication links.
  • Collecting data enables more opportunity and also increases responsibility, accountability, and liability 100 percent, so companies must have more in-depth organizational plans for data management and data privacy when adopting technology.
  • Address the diminishing returns on the data collected and ensure only necessary data is collected and stored to serve the clients and improve decision-making.
  • Letting the client and caregiver connection drive your mission forward when it comes to technology and how it can improve that connection.

About Our Guest

Mark Goetz, President of The HomeCare Advocacy Network, a premier provider of home care related benefits and services, ensures the organization delivers what people need to live their best life and enables local franchise owners to leverage the HCAN brand.

Read the Transcript

00:00 Matthew D. Edwards: Welcome to another episode of The Long Way Around The Barn. My guest today is Mark Goetz, the president of Home Care Advocacy Network, whose mission is to enhance the lives of aging adults and their families. This episode continues my conversation on how technology can improve the lives of our aging population through the use of remote monitoring solutions using Internet of Things or connected things technologies, while also ensuring purposeful comprehensive privacy and information security practices along the way. Mark, good afternoon.

00:34 Mark Goetz: Hey good afternoon Matthew.

00:39 Matthew D. Edwards: Mark, the name of your organization is HomeCare Advocacy Network, and people can obviously go learn more about your org by visiting your website, What do you offer folks today? Where do you wanna go? What do you wanna be? Teach us.

01:03 Mark Goetz: Alright, well, thanks Matthew, it’s an honor to be here today. The HomeCare Advocacy Network was created… We really started the creation of it in 2018 with a vision of becoming the world’s leading source of home care connections for seniors and their families. The way we see the home care world today is that generally speaking, you have 45- to 64-year-olds who are trying to set up services for mom, and that’s usually when the care processes start, our company gets involved in helping them find ways that they can age in place. We decided on a decidedly franchising route for our business model, so we do sell territories to do business as the Home Care Advocacy network. We sell those to individuals and entrepreneurs who generally speaking, are mission-oriented people, they wanna own their own business and they wanna do good in the process.

02:05 Mark Goetz: The other side of our business, which is very closely related to the entrepreneur side, is the white label franchise model, and so through my experience with other large franchised organizations that do in-home care, and as well as working with senior living, we realized that senior living needed an option to be able to provide consistent, successful and competitive in-home services, to be able to expand their marketplace. The place for senior living in the in-home services world is, I would say a fractured one, at best about 46% of the revenue coming into home care companies today comes from the senior living referral that is most of the time made because there is a vacuum where the senior living company just doesn’t provide or maybe doesn’t quite know how to provide successful competitive in-home services in a local market. So we provide both options, you can own your own business doing business as Home Care Advocacy Network, or a senior living provider can own their own in-home services business under their own name, supported by the Home Care Advocacy Network.

03:20 Matthew D. Edwards: Nice. That’s a nice approach. That’s interesting. Ultimately, your goal is to enable age in place or people to stay home basically for as long as possible. Overall, that’s what you’re trying to enable is people to stay home and maintain their integrity, their autonomy, their independence as long as possible. That’s really interesting.

03:46 Mark Goetz: The way we see it, in the past, the continuous care retirement community was defined as Independent Living, then when you lose your ADLs as a senior, you move to assisted living, and then finally you move to skilled and then hospice, so that’s pretty much been the standard continuum. We believe there’s a step missing, and that’s the in-home services to independent or that gray area between in-home services and independent living. We have over 93% of consumers right now who want to, if they could, age in place in their homes. So we believe there’s a big opportunity to empower senior living to capture more of this market and have a much better, more succinct client nurturing program for themselves in the process.

04:41 Matthew D. Edwards: Okay, interesting. That’s all good stuff. So given where you’d like to head, what you’re doing, taking in other considerations such as needing to have staff, medical care staff, experienced people to do these types of things, complicating it with pandemic-type considerations whereby human touch and contact is challenged or complicated. I’m curious then, how do you see the use of technology changing the way you provide home care services or how workers do their jobs in the future, or have you already started making changes. Teach us about that a little bit.

05:27 Mark Goetz: Sure, so between eight and 10 years ago, there were a number of disruptions in the home care market, many home care companies up to that point had created their own proprietary scheduling software, and there were a number of people from Silicon Valley that saw that as an opportunity where you had companies that had their own home-grown services, technology services, and they created some of the world’s finest software to manage in-home services, but it required a different level of connectivity with caregivers for the first time in the marketplace. So this technology really caught on, and I would say today to do in-home services well, it really takes a digitally connected caregiver with a client that’s attached to a care plan.

06:28 Mark Goetz: And in the marketplace over the last seven, eight years, that technology has really caught on. Very few providers today are old school, just running their business on a spreadsheet and having caregivers call in and not having it all connected into one tight little box. So technology has really been probably one of the biggest change agents, and the ability to get that technology for a relatively low price has been one of the biggest innovations in the home care world. How we see that in the future, as we see the next evolution, is for families to be more interconnected and connected to the actual care.

07:16 Mark Goetz: So you’ve seen other disruptors now or disruptive companies come into the marketplace that have taken the standard Home Care software and they’ve said, “Hey, there’s something missing in this”, “Hey, we’re missing falls technology”, “We’re missing a greater family virtual private network in the technology.” And so I think you’re gonna see some of the larger scheduling, all-in-one billing companies look to probably either purchase or create their own virtual private network family-connected technology, so families can stay more in touch with what’s happening with their loved ones care.

08:04 Matthew D. Edwards: So does that then suggest the virtual private network, which I get is basically for those that are unfamiliar, it’s a dedicated private secured tunnel from one point to another, as opposed to just data traveling across the Internet wild and open for anybody to look at. So virtual private network. But Mark, in that illustration that you’re talking about, are you talking about just providing communication links between family members, or are you also talking about sharing health status or living status through other types of monitoring and measurement solutions as well?

08:42 Mark Goetz: It’s a little of both. So I think when we look at it through the home care lens, we see some people that really need a fall risk technology, and there’s some really good services out there and good companies out there, but that particular technology may not be all inclusive of a full communication suite, and I think there have been some really strong players enter the market. In that, a particular service company that comes to mind is LifeLoop. What’s interesting is it isn’t necessarily directly connected to the home care technology that we see.

09:23 Mark Goetz: So home care has created its own all-in-one service, most, all of these companies that serve the home care market. So what is happening within the homecare space right now is that it’s oftentimes missing out on that complete picture. The complete holistic picture, but it’s still far better than much of the technology, I would say that a senior living community actually runs on. So, outside of a senior living community technology system, home care technology has developed, I would say, quite a bit faster over the last seven, eight years, because they’ve been pushed by a more competitive marketplace.

10:08 Matthew D. Edwards: So you’re thinking that based on what you’re communicating, technology has helped facilitate a change in the industry, and that’s a positive thing. And so some of the things that you’re observing or talking about things like communication pipes, the virtual private networks, how existing software providers might augment their existing solutions to include some of these ideas. You’ve mentioned fall detection. I’m wondering, as you see technology evolve, do you see a difference or is it the same, a difference between new technologies enabling a change in the way home care providers provide their care, and does that look different than the technologies that are changing the quality of life, quality of home care experience for our elders? Is it one and the same or do you see two different things going on at the same time?

11:07 Mark Goetz: You know what? We’re seeing it go on, like multiple things happen at the same time. And the reason being certain companies, so for instance, we’ve seen a massive, over the past seven, eight months with COVID, you’ve seen massive new purchasing of technology by senior living providers, many of those senior living providers were missing that communication link. So before, maybe COVID, it was a really good idea, it was maybe on their overall tech road map to get in, COVID helped speed that up and it helped speed up that integration and even the adaptation to it.

11:49 Mark Goetz: What has happened though, is that home care still in large part exists outside of senior living, and so home care technology was already pretty much there, but new providers without a home care perspective have crept into the senior living marketplace, so now we do see two siloed very good products, generally speaking, at play, whether or not a client has… They could be at a senior living provider, and this is kind of a misnomer, you think well when we move mom into a community, then we can be done with having her own caregiver from an agency. Oftentimes, when mom has a caregiver before she moves into a community or senior living provider, she will generally speaking keep that caregiver when she moves.

12:44 Matthew D. Edwards: Okay.

12:46 Mark Goetz: So now the community’s trying to solve for its own communication challenges, but the client exists between the family and the home care service provider. So, we have created two different communication channels when that situation exists.

13:04 Matthew D. Edwards: So as an industry, as an industry overall and/or specific to home care, would you consider the industry that you’re in, the segment that you’re in are companies like yours generally ultra conservative in adopting new technology. Are there some companies that are ultra aggressive, like bleeding edge, like somebody had an idea and they’ve already tried to implement it? And as an industry, do you find that technology exists and then there’s variable speeds of adoption? Is there a general profile, how would you even profile your perspective on things. What makes sense, what’s safe?

13:47 Mark Goetz: Very good question. So we see there’s generally speaking, two different mindsets. So our industry in general, in home services, primarily, we monetize ourselves by being really good at recruiting caregivers and applying their availability against need, against the hours that a client or a client’s family wants. And so I would say there are certain companies in our space where they see technology as a threat to that business model, and so there is, I would say, on one side of the camp, it’s highly cautionary, many of the leaders in our industry. And there’s another side that really understands the future is technology plus caregiving, so we believe that it’s not just caregiving that’s going to solve the problems that face us with aging, but it’s caregiving plus technology, and I would say that’s where our company is standing pretty firm on, we realize that there are many quality players in this market. So right now I would say there’s a lot of right answers, and I think that is one of the things that’s happening in the marketplace when there is a lot of right answers, it can lead to inertia.

15:23 Mark Goetz: So you kind of wade through it with leaders to say, is this a fear that you have generally of technology, or could it be that you’re being bombarded with so many good options, you don’t know what the… You don’t wanna take the wrong step because there’s a lot of really good options there. I would say where we’re at, what we wanna do is find a real quality technology provider that could deliver on our service model, and then we’re on the lookout for quality providers that can help augment that and create another dimension of our business that helps the caregiving services just be that much more effective for families.

16:05 Matthew D. Edwards: That’s fair. So that segues then to another question I have based on what we’ve been discussing, which is, you know in many industries through the years, we would see chief information officers, chief technology officers, and then CIOs, EOs, FOs and so on. But over the last number of years, in many industries, we’ve seen them start to bring on chief information security officers or chief privacy officers, are you seeing the same types of things or perspectives or movement in this industry, or what is the general outlook on that idea?

16:46 Mark Goetz: Yeah, absolutely. I think if you’re naive to it, you find out relatively quickly and you usually learn the hard way, if you err on the side that a Chief Information Security Officer isn’t as much of a need, because the systems are just so well-developed, I think you can’t underestimate your organization’s need for that type of leadership, and I think we’re playing a catch-up game to the HR… On the HR side, to actually be able to find those qualified individuals who can help data architect your system, so not just through…

17:31 Mark Goetz: And not just from HIPAA violations or some of the things that we have going on in the States, it’s nefarious individuals who are out for information and sometimes just looking to take down a company because it’s part of what they do, it’s creating chaos, which creates more business opportunities for the nefarious individuals they work for, so I don’t think you can underestimate the need for Chief Information Security Officers, chief information officers that have those folks very tightly tied to the very… The highest echelons of any organization.

18:09 Matthew D. Edwards: That makes sense. So when I talk about readiness to adopt new methods of monitoring and data collection, like you’ve mentioned fall detection a couple of times, there are companies out there that actually have some really cool and innovative next gen ideas, and they have the working hardware to show it but one device in a room, it collects data about you and your movements all day, every day, all of the time in order to establish and understand patterns. Then after it understands patterns, it’s able to start doing predictive analytics to say, “Hey, this seems to be an out of ordinary walking behavior as compared to other data we have, this has the probability or at least possibility of leading to a fall.” Having that type of technology potentially is magnificent and wonderful and amazing in understanding behavior and habit and results and state and all of the things, however, it’s also lots and lots and lots of data that we would now be collecting 7 by 24, so not just when a healthcare worker comes in to collect it, but all of the time.

19:19 Matthew D. Edwards: And we already do that with today’s medical devices, but now it becomes multi-dimensional, if you will. Do you think that… Is that… Are you seeing the adoption of these types of ideas, and tell me too, if you think I’m talking crazy, but like the idea of geo-fencing to understand where people are in relation to where they shouldn’t be, or understanding when healthcare workers did arrive or when they left, or those types of things. Do you think the organizations are entertaining these things, actively reviewing, adopting, have already implemented, and I’m behind the curve here?

20:00 Mark Goetz: So it’s a great question, and it’s a fantastic discussion, so I’d say the first thing, that was probably the biggest innovation when it came to homecare was the adoption of geo-fencing, to whether or not a caregiver was actually at the client’s home or not. Prior to geo-fencing technologies or telephony, that could be tied to even a phone number, so caregivers at a client’s home, they call a number, they check in, but then also on the back end, you can geo-fence where that phone is, so you can ensure that the caregiver is actually at the client’s home, so I think that’s step one, and that is highly active within the home care world. And I think other technologies like Kronos and whatnot is widely used within senior living. The challenge with Kronos is that it doesn’t attach to multiple payers, it’s built for a single payer system, but they have also advanced their technology, so at least they’re on mobile and they have geofencing ability. So I think, on the HR side, absolutely at work, and getting better day by day.

21:15 Mark Goetz: On the client side, I think the challenge is, in what I’ve seen in the industry over the last 10 years as these technologies have developed, is I’ve seen attorneys mesh with executives inside of organizations to say, if we get a certain amount of data, who is going to respond to it, and how are we gonna respond? And in what period of time? And setting the criteria to responding to data anomalies and an algorithm, that’s the real challenge, I think. And some of these technologies have done a really nice job of kind of self-regulating that and becoming a system to itself, but I still think organizations wrestle with their overall liability when it comes to taking in too much data. So if I don’t get the data, then they’re less liable for their organization to say, “Well, you have the data, you had the alert and you didn’t respond,” and so the back side of that is that most of these organizations haven’t done a great job of separating sales from operations, and that’s a challenge because you generally speaking, are driven by whether you say you’re in a 513c3 and you’re completely a mission-oriented, you’re still driven by a board who wants results.

22:44 Mark Goetz: And so you still have operational leaders who are maybe running skinny on staff, and you have people and then one day you have somebody call out and you have to reapportion staff to fix an emergency, and then all of a sudden they can’t sit in front of the monitoring technology and respond to an alert. It comes down to prioritization in organizations and risk management, and some are more ready for that than others, but I think COVID has shown that organizations have to prioritize this, they need to prioritize this, and they can solve some of that peace of mind that’s inside of a decision maker’s head, in terms of the quality of care that their loved one’s being provided.

23:32 Matthew D. Edwards: That’s fair. You’re right, you haven’t set all these things, and we’ll add a couple of things to what you’ve mentioned, but I think that… You’re right, I agree with you in that a lot of the technology adoption considerations, really, it comes down to who’s going to be responsible for deciding what you’re going to do, what problem are you solving, what are the solutions that are available to help you solve the problem? And then if you’re going to implement it, how do you operationalize that? And more and more, a lot of the new Internet of Things, connected things technologies, remote monitoring, geo-fencing, fall detection, all of these types of things are designed to be collecting data all of the time, which requires its own on-purpose plan.

24:18 Matthew D. Edwards: How much data are you getting, where are you putting it, how do you secure it? Who gets to use it? All of those things, those are organizational problems to solve. But you have additional challenges, which is how many people do I need on my team to do this stuff, like if I’m primarily a healthcare provider, my job is to love people with the mission for independence, autonomy, dignity, and in the medical care space, that may not mean then that I’m also technology savvy, which means I have to bring on more technical staff, I have to have a more in-depth organizational plan for data management, data privacy. This looks like adopting the technology could be a double-edged sword, which is enabling more opportunity, but also increasing responsibility, accountability and liability.

25:14 Mark Goetz: Yeah, 100%. And I think just from a basic leadership encouragement for organizations, what I would say is an area to focus on would be to help your employees overcome the, “I’m just a” kind of syndrome. Well, I’m just a nurse, I’m just an LPN or I’m just a director. Oftentimes, when people say that it’s a cry for help, that you’re asking them to get into something that they don’t fully understand, and so helping them along saying, “We’re gonna walk through this with you, we’re gonna learn this together,” and then relying on your partners who are providing the technology for service is critical, and I think…

25:56 Mark Goetz: I don’t know of anybody in the space of technology or the provision of technology services that is succeeding and thriving without having an extremely strong support team. People they can ask questions, people that offer 24/7 support and with a smile. The industry is really getting better at this, but employees still need a lot of encouragement because it still is relatively new, and you are looking for oftentimes that person who’s wanting to step forward and raise their hand and say, “I’ll take that on.”

26:31 Matthew D. Edwards: So Mark, that brings me to a different question, given that you mentioned earlier that this is a franchised-based model, which understandably, everybody understands that in order to have a business, anybody can start a business, but in order to keep a business, you have to take into consideration a lot of things, which is, if we want to continue to exist, I have to continue to make money. And the amount of money I make has to be greater than the money I’m spending, so profitability, everybody gets that.

27:00 Matthew D. Edwards: But there are additional things as well, especially in a franchise model, which is how much responsibility, accountability, autonomy is provided to the franchises. In other words, do they get to make all of their own decisions on tools and privacy and security, or is there some level of things that’s passed down from the enterprise that says, “Hey, this is yours, but you have to follow these 10 privacy and confidentiality expectations, or we have a problem.” How do you balance that? Or how do you see that happening?

27:39 Mark Goetz: Sure, so I can speak from my own experience, and then a few places that I’ve worked before, so we created our model at HomeCare Advocacy Network based on a lot of what we saw was missing between the two worlds, both the home care world, and the senior living world, so to start with a couple of broad statements. In general home care is fairly poor at document management, so we saw this as a real challenge when I was working with franchise owners and in the past with other organizations. One of the worst things that can happen to a franchise owner was when you let him know that the standards team was coming out, even though the standards team was well-meaning, they were coming out to check on their records, to look into things, and there was always a mad scramble to make sure we had documents all in line because they wanted to do well for the franchisor, they wanna present well.

28:37 Mark Goetz: And they wanted to have the best processes. So we created a system that’s required, we didn’t create it, we purchased it, and so we require an HR management system that we provide at an extremely low cost, it’s called Ease, and that’s a required system. The other required system in our ecosystem is ClearCare Online, and this is just me speaking to the systems that we’re utilizing. What we liked about that is that when it came to decision-making, we were able to see from headquarters perspective what our franchisees were billing, and then we knew that the system we chose at every opportunity for our franchisees to abide by the local laws that governed their individual business. So I think that’s some of the challenge that’s in our marketplace is where you have a system like ClearCare Online that’s clearly built for home care with the proper rules and settings in place. And home care is a decidedly territorial, unique business, so the laws in Philadelphia can be extremely different than the laws governing that business in California.

29:58 Mark Goetz: So you have to have a system that is able to operate within the territories that you as a franchisor want and need to operate. And so we had to pick systems that, one, could help get our franchisees in elite class of document management, and we believe that the system we chose with Ease. And two, ClearCare Online was the largest provider of in home services technology and billing, payroll, caregiver and care plan support in the industry. So we have those two as requirements within our ecosystem.

30:34 Mark Goetz: And I think where we go with franchisees, if there’s something outside of those two systems that a franchisee seizes an opportunity to augment their system or add their own technology or add a new provider into the way they’re approaching the marketplace, we like to have, first of all, conversations and relationships with our franchisees to understand if that’s something that is going to detract from the mission or it’s something that’s going to augment the mission, and so we like to start there and if it’s something that we’re missing, we’re open to it, we’re open to hearing or seeing their perspective on things, but we definitely wanted to control the two core systems that our franchisees operated under.

31:27 Matthew D. Edwards: Okay, that makes sense. So I imagine that as that… Basically, what you just said was, you do have a baseline, a baseline expectation, but the franchise may have additional different or augmented ideas, if you will, that… And you’re willing to hear those and evolve with those. Technology changes all of the time anyway, and so the thing that made sense now may not continue to make sense six or 18 months from now anyway, so it’s good that you’re constantly evaluating and listening.

32:00 Mark Goetz: I’ll tell you just a quick story. About five years ago, I was working for an organization and we surveyed… We had 180 caregivers locally, and we surveyed 100 of them, and we asked them what their number one technology challenge was that they encountered in their work day with clients. And you would think it would be something like something kind of grandiose, but in large part, what our caregivers came back and said that it was the remote control. [chuckle]

32:33 Mark Goetz: Before we get too far down the road and get too grandiose in talking through technology and making sure where end users are really at. So it’s five years down the road, and our caregivers still may be struggling with, how do I change the channel after one caregiver leaves? What’s that button? What’s that input button again, and how do I navigate just the basic daily activities of technology? And so it’s important to keep good relationships with both families and caregivers, just to make sure they’re getting everything they need right now, before we start adding and layering further things that could complicate their jobs or their daily lives.

33:16 Matthew D. Edwards: And that is a really good call out. I did not think of that, Mark. That’s just generally operating the household in which they’re supposed to be helping, there are fundamental things that… Now, that’s a good call out. So like a long time ago, people used to complain about programming the VCR. Now people are saying, “Hey, there’s 75 different types of remotes, and I can’t even turn on the TV.” That’s a good call.

33:43 Mark Goetz: If you could program a VCR back in the day, if you could get it figured out, you were a genius and you were probably calling your neighbor who was good at it to come over and program yours, and so… You’re absolutely right. So the basics of daily caregiving are challenged with some basic technologies. So it is as well just from an Aging in Place perspective, if you’re a senior in the home. So smart technologies, I think will, of course, continue to be an important factor in aging in place services.

34:16 Matthew D. Edwards: It’s a good call though. We’ve done some work in past lives with care centers, customer care centers across the US and internationally, and one of the problems that they ended up having to solve was, we can have all of the software and we can have all of the technology solutions and the ability to receive the calls and help the client, but all knowledge is not common, and so there would have to be intranet sites or frequently asked questions sites where anybody who’s on the phone could go look up anything, not just what was being sold, but all the unexpected crazy things as well.

34:53 Matthew D. Edwards: That’s a really good amplification there. So when you’re working with different technology organizations, you’re looking at software, you’re looking at hardware, you’re looking at communications solutions, your organization’s focus is loving people, and that may mean that not all of the people in your house are actually technology savvy or even desire it and that’s understandable. So when you do have a technology company, when you’re looking for technologies, what are you looking for in the companies? What would be an ideal scenario? Forget, you find a device, you find this device, the device looks amazing, but you meet the people in the company and you actually don’t wanna work with them at all.

35:35 Matthew D. Edwards: So a device or some solution that they sell is one thing, but what types of things in a technology company would you actually find valuable and what influences you to make a decision?

35:48 Mark Goetz: What we look for are tech companies that understand how a franchise owner would position their particular technology if they’re asking us to include it in our service model. Oftentimes, they just want corporate to buy it. Well, in a franchise world where there’s a gross margin that you’re managing with each service hour, every incremental step up in cost, either raises the cost of care, or if you get technology to get cheaper over time, you can drive it down. So we look for technology companies that are empathetic and that understand and that are really trying to understand the business model, that these are primarily it’s 98 to 99% of our clients are private paid clients, and everybody’s trying to figure out how to deliver more and better care for less.

36:47 Mark Goetz: So if they come at us with, “Hey, let’s go ahead and we would like to sell this to you for $30,000 a year,” and they really haven’t put much thought into it on a per franchise basis, that they almost kind of self-select out of the process for us to consider their technology. Or if they approach you to say, “Well, Mark, maybe your franchisees could add an extra $10 per day to their care,” like they clearly don’t understand that generally speaking, it’s not billed on a per-day basis, clients get 20 to 27 hours a week, so there’s a lot of self-selecting out when we’re looking at what companies have really tried to understand the model and which ones haven’t.

37:34 Mark Goetz: Now, there’s certain technologies where we’re working on the other side, really trying to figure out also how could we get this technology to make sense for our business model? Our question is now, how does that change the pricing scenario with a local family until either that technology is paid for in a similar way to remote patient monitoring has kicked in for certain technologies, but that’s based on Medicare and it isn’t based on generally a private pay model.

38:08 Mark Goetz: So that’s kind of the first thing we look at. The second thing that we’re really looking at is, is it applicable, is it something that we’re seeing consumer demand for, or is it just a really great idea that might be either… Might be too soon to the marketplace? And there are a number of those companies that have just arrived maybe a little too soon for consumers or for home care businesses, or even senior living providers or whatnot, and so there’s just a balance there, and we try to balance our consciousness with optimism at all times.

38:48 Matthew D. Edwards: So technology providers that approach you from your perspective, and we tend to agree as well, on our side is really what you’re asserting is, if you don’t understand my business model, it’s gonna be pretty hard for you to actually say words that resonate with me, because I understand my business model, I need you to also. So that was first and foremost, what I took was, you need to understand how I operate as opposed to just trying to sell me a new widget.

39:24 Matthew D. Edwards: Then the next thing that I heard you say as well, if I could restate and tell me if I get it right. For all practical purposes, it’s important for you guys to know what problem you want to solve, or else you just have to look at this as, “Hey, is this really cool or is it actually going to change how we do business?” But you can’t answer that question unless you already know what problem you wanna solve, and that’s one of the things that we see a lot. Which is, it’s interesting to look at new things, but if you don’t know what problem you wanna solve, or if you don’t know what it’s good for, then you’re just spending money.

40:14 Mark Goetz: That’s right. Yeah. And we have some very important colleagues that we work with. We also have created a 501c3 professional caregiver support fund. And someone who we’ve worked with quite a bit here in the state of Nebraska, Dr. Joy Doll, she works for the Nebraska Health Information Initiative, the health care collaborative here, and she’s written white papers for us. She has a great TED Talk out there, but she challenges me often to think differently about the changing world we live in. And one of the things I’ve really learned from her is there’s a point where you’re collecting too much data as well in your… There is diminishing returns on the data that you’re bringing in.

41:03 Mark Goetz: Do you need to bring in all the data that is available to you for decision-making? And so I’ve had her join me on some calls with tech providers, and those are some of the questions that she comes back with, whether or not they’re really a savvy person who understands a healthcare space, or if they’re more purely on the tech side, they’re a newbie to the market, and they have a really cool idea, but they haven’t figured out where those boundaries are. And to real practitioners within the healthcare space, as you get further outside of home care into healthcare, they’re looking for some of those boundaries. They’re not looking for every single piece of data necessarily, because they know there’s a challenge to then managing that data.

41:48 Mark Goetz: The fact that you have that data now becomes something that your organization may have to manage and act on. So I try to arm myself with people like her in my life that can sharpen me in areas and keep me on my toes when I’m… As I’m thinking about technology as well.

42:06 Matthew D. Edwards: That makes a lot of sense and you’re right, if you don’t know what you wanna do with the data, then it’s just noise. And if you’re collecting it, now you have to store it and pay for the storage and pay for the management, even though you still have no idea what you’re gonna do with it. So it just goes back to know what you wanna solve, and then go looking. Do you believe the home care industry right now, do you see any risks in the future? In other words, do you see cause for concern or risks or things that really make you uncomfortable in the future as it relates to melding new technologies with home care teams and our elders? Do you see things that make you say, “That could be cool, but I’m gonna wait a little bit and see how this pans out”?

42:56 Mark Goetz: Yeah, absolutely. So I think as we’re looking down the road, the natural biggest risk is actually what our business model is. So if you ask people, generally speaking, in the home care world, what they need as a franchise owner or somebody who operates a homecare business, they would say, “Well, I need more caregivers. I just need more.” They’re always talking about needing more caregivers, and so I do think the biggest risk, I would say in our industry is overall, as it comes to technology, making sure that caregiver workforce is educated, is in touch, is able to adapt to new technologies so our industry doesn’t get outpaced.

43:48 Mark Goetz: So what you have happening right now is you have oftentimes home care agencies where demand is high, just running forward trying to meet demand without being able to step back or not taking the time to step back and actually work on their business. And that would be coaching, developing, training caregivers on the importance of technology, bringing them in, focusing on training with their caregivers so that they can have the opportunity to adapt to new technologies and feel taken care of. So that’s one of the larger risks, I would say, that’s out there in the industry.

44:26 Mark Goetz: I would say there’s generally speaking, more opportunities than there are risks, because when you’re selling a service where 93% of the people that you are working with, they don’t want to move somewhere and you’re offering them the opportunity to age in place. It’s something they want just whether or not your service and their needs match up somewhere in the middle. So generally speaking, a more optimistic and less risk-heavy in this, but managing, not just getting caregivers, but then managing them, training them, staying connected with them as it goes with the technology, is gonna be key for the future of home care.

45:13 Matthew D. Edwards: That’s a really good call out, that’s pretty insightful. It would be a normal thing for a technology company to arrive at some type of software or hardware or combination service, product and service and try and sell that thing and to add it to the existing operation, to be used to take care of our elders, that would be a focus of a sale many times. But to your point, I think, is value is defined by not only providing seven-star service on a five-star scale to your customers, your clients, our elders, it could be my mom, but it’s also making sure that the franchise owners, the home care providers, the healthcare services folks aren’t left behind along the way, or the business itself could just implode.

46:04 Matthew D. Edwards: Which is, you’re doing spectacular, amazing, cool things for the people at home, but the healthcare providers are having to bear the weight of being left behind and becoming less and less relevant or aware of how to do a good job, so it’s gotta be holistic. This comes back to your business plan. Know my business plan… You didn’t say this, but more or less, know my business plan or stop talking. Similarly, if you’re gonna bring me a solution, make it a holistic solution, take care of my customers, take care of my staff. It’s the same conversation, not two different conversations.

46:45 Mark Goetz: Yeah. And I would also say, that to add to that, it’s not just home care companies and senior living providers, but it’s… When I worked for an organization based out of Maryland, I worked a lot, pretty heavily with the Department of Aging in the State of Maryland, who was looking for a strong technology platform that could help keep their seniors in their homes, interconnected with high-touch, high-value services, from a command center. Because they knew that a lot of times people’s general reaction is when something goes wrong to call the doctor or call 911, so you see emergency room visits, you see readmissions go up when people aren’t connected socially. So I think maybe not one of the risks but a competitor almost in our business is going to be other people like state governments and whatnot actually pursuing innovation harder than our own industry is, as well. So there’s maybe a little bit of caution there because everyone is trying to figure out how to keep a senior population that’s aging fast, better connected, feeling better about their decision-making when it comes to healthcare, and even state-level organizations like the Department of Aging for Maryland is…

48:12 Mark Goetz: They’re trying to find opportunities. They actually came up with a grant program, we worked within called Community For Life. And it was that they were challenging local organizations to try to figure out how to… And giving them a territory, it was very similar to franchising. Giving them a territory and a grant in helping them figure out and paying for them to figure out how to keep seniors better connected in the community, and they wanted to see the best creativity rise to the top.

48:40 Mark Goetz: Well, that in part really inspired the HomeCare Advocacy Network because I was a part of the development of that, of many of those discussions in the state of Maryland at the time as they were launching that program. And so what we saw broadly in the marketplace was you had this private market that’s growing, but then also you have the public sector that’s trying to figure out very similar issues, and they may be lacking awareness about home care and how flexible and creative we’ve already been and how flexible and creative in some of the vast technology enhancements we’ve already made. And so I think at some point in the future, we have to meld those worlds, but I like to stay on our toes, ’cause everybody’s going after very similar solutions.

49:36 Matthew D. Edwards: Any parting thoughts for us as it relates to today’s internet of things, connected things, technologies or risks and liabilities or data, or senior leadership, anything else you’d like to teach us or share with us?

49:52 Mark Goetz: I think there’s one thing, and I learned this a long time ago, that home care and caring for a senior is as simple as a caregiver and a client. So never underestimating the power first and foremost of human contact, human touch and the value of having another human say, “You’re important, I value you. I’m taking the time out of my day to let you know that I value you, and I’m here with you.” You can’t understate the value that that brings to the human condition. So I’d say, first and foremost, I would encourage leaders to just… If you’re gonna boil down, what you can do is figuring out how to make that caregiver, client, caregiver, receiver of services connection happen, and let that passion drive your mission forward when it comes to technology. How to augment, make that connection even better between a caregiver and a client and a family member, that’s what life is all about, is helping make the experience here on earth just a little bit more hopeful, a little bit more empathetic, and we’re all happier at the end of the day when that happens. So that’s my closing words.

51:12 Matthew D. Edwards: That’s outstanding. Mark, thank you for taking the time to get together with us today to teach us and give us insight into what you see and experience, and we look forward to learning from you and watching your company’s growth and evolution into the future. Thank you very much.

51:30 Mark Goetz: Mr. Edwards, thank you.

51:35 Speaker 3: The Long Way Around The Barn is brought to you by Trility Consulting where Matthew serves as the CEO and president. If you need to find a more simple, reliable path to achieve your desired outcomes visit

51:51 Matthew D. Edwards: To my listeners, thank you for staying with us. I hope you were able to take what you heard today and apply it in your context, so that you’re able to realize the predictable repeatable outcomes you desire for you, your teams, company and clients. Thank you.


Part III: The Future of Technology in Home Care Services

Show Highlights

In the third episode of this series, Matthew D Edwards and Jeff Huber, CEO of Home Instead Senior Care, discuss how the traditional business model must adapt and evolve in the face of three megatrends: 

  1. The fastest-growing age segment is 85+ and its effect on every developed system. 
  2. Healthcare delivery is moving from a fee-for-service and volume-based model to outcomes.
  3. Digitalization of everything and this industry’s ability to adapt and succeed.

Key Takeaways

  • Leading a cultural change of a large distributed network that needs autonomy and a certain amount of uniform systems and processes to unlock a digital future that meets business and security requirements.
  • The foundational work required for a future where big data and artificial intelligence analytics truly play a very predictive and prescriptive role.
  • Getting an organization and its people to leverage digital-enabled tools and think differently about how care is provided – while ensuring regulatory compliance.

About Our Guest

Jeff Huber, CEO of Home Instead Senior Care

As Chief Executive Officer of Home Instead, the leading global provider of home care services for older adults, Jeff Huber leads the company and its franchises in their commitment to addressing the challenges of the aging global population by promoting consumer choice in care. In his four years as CEO, he has also increased the organization’s commitment to leadership development and training to empower professional and family caregivers and to advance the mission of Home Instead Senior Care: To enhance the lives of aging adults and their families.

Read the Transcript

00:05 Matthew D Edwards: Welcome to The Long Way Around The Barn, where we discuss many of today’s technology adoption and transformation challenges and explore varied ways to get to your desired outcomes. There’s usually more than one way to achieve your goals, sometimes the path is simple, sometimes the path is long, expensive, complicated and/or painful. In this podcast, we explore options and recommended courses of action to get you to where you’re going, now.

00:58 Matthew D Edwards: Welcome to another episode of The Long Way Around The Barn. My guest today is Jeff Huber, the CEO of Home Instead, whose mission is to enhance the lives of aging adults and their families. Jeff, good morning.

01:09 Jeff Huber: Good morning. It’s great to be with you, thank you.

01:11 Matthew D Edwards: This episode continues my conversation on how technology can improve the lives of our aging population through the use of remote monitoring solutions using Internet of Things or connected things technologies, while also ensuring purposeful comprehensive privacy and information security practices along the way. So Jeff, the name of your organization is Home Instead Senior Care, and people can learn more about your organization by visiting Teach us a little bit about your organization. What are your organization’s aspirations? What do you offer folks today? Teach us.

01:52 Jeff Huber: Yeah, great. First, I’m really pleased to be with you, so thank you for having me. Home Instead Senior Care is the world’s leading provider of in-home care for seniors. We were founded right here in Omaha in 1994 by Lori and Paul Hogan out of a very personal need they were experiencing. Paul’s grandmother, Eleanor Manhart, was the matriarch of a very, very large family. She had 12 children, 50 to 60 grandchildren, and as many great-grandchildren. She was widowed, living alone in her apartment in downtown Omaha, and was in her late 80s and was in failing health. She couldn’t even get out of a chair. She was becoming very frail. And so the family surmised that Grandma Manhart, she only has a few more months and so let’s make those the best they can. They made a couple of decisions, the first one is there’s not gonna be any nursing home. The second was they were gonna move her into the home that Paul Hogan grew up in, down at 38th and Cass, his mother’s home. And third, they were going to surround her with a schedule, they’re gonna take all these cousins, aunts and uncles and put together a schedule and figure out how they could be with Grandma Manhart, to get her engaged in things that really gave her meaning and purpose, like getting to daily mass or those kinds of things.

03:26 Jeff Huber: And what they found, instead of having just a couple of months to live, Grandma Manhart did a remarkable U-turn when she got really plugged back into and having a support system around her, and she actually went on to live 11 very fruitful years. And that caused Lori and Paul to just wonder, first, what do other families do that don’t have 50 first cousins in town and all these resources? But also they saw the power of socialization, interaction, things like making sure she had three square meals a day, and how that had a transformative effect on Grandma Manhart’s life. And so, Paul had always wanted to have his own company, he’s an entrepreneur heart, he was working for Merry Maids, which was an Omaha-based franchise home cleaning company, where he learned franchising and he learned home services. And so he put together a business concept and struck out on their own with three young kids and one on the way and being the sole breadwinner, classic American entrepreneurial story.

04:40 Jeff Huber: That was 1994, so fast forward to today, we’re the world’s leading provider of home care services. We have about 1200 franchises operating in 14 countries around the world, we’ll provide more than 90 million hours of care to our clients. Today we’ll be in probably 85,000 or 90,000 homes around the world. We’ll employ more than 100,000 caregivers this week through our network of independently-owned franchises. We have a particularly heavy emphasis and expertise in caring for people with Alzheimer’s or other forms of dementia and multiple chronic conditions. So that’s a little bit about Home Instead and our 26-year history.

05:25 Matthew D Edwards: Yeah, that’s outstanding. And all of those things being focused on in-home care or aging in place.

05:33 Jeff Huber: Exactly. So the name implies, it’s home instead of a nursing home or something. The truth is, we can provide care to clients wherever they call home. Most of our clients, it’s the traditional home that you would think of, but we provide an awful lot of care to clients who live in a facility of one sort or another.

06:00 Matthew D Edwards: Very good. So you very well know how times have changed through the years, and the needs of people, and the logistics and complications of home and staff and training and verification of quality of service, and all of those things have impacted your business and likely a lot of other people’s business, to just say, “Hey, what we did yesterday still works well, but now we need to consider these additional things or different things as well along the way.” And even this recent pandemic, if you will, has probably, I would guess, impacted in some way, shape or form some of the decisions that you and your teams have to make in order to take care of people and just love them in place.

06:46 Matthew D Edwards: This podcast that we’re working through is really talking about the technology that continues to be created and adopted and evolved and available in the home care space and the senior living space, just to people in general. We spend a lot of time just talking about, “What is available? What do you do with it? How does it work? What are the risk exposures? And then what are the decisions that leaders need to make in order to provide the best quality of service using the newest sensible technology while also having the right protections in place along the way?” Specifically around privacy and information security, because they’re more difficult than just a Saturday afternoon jaunt and they’re getting more complex. In the world that you live in, the work that you do, the folks that you work with on your teams, your leadership teams, your operational teams, as well as the clients that you serve, do you see technology changing the way home care service providers and workers do their jobs today different than yesterday, or do you see it changing even more drastically in the future?

07:57 Jeff Huber: Well, there’s a lot to unpack there. First I would say, the way we look at the world is at the intersection of three global mega trends. The first is what you talked about, which is aging. We’re about to undergo the most massive demographic shift in the history of the planet. For the first time there are more old people, in developed countries at least, more old people than young. That’ll be true within 10 or 15 years across the board. 85 plus population is the fastest growing segment of the population. So we’re really at the very front edge of a 30-year surge in the oldest of the old, and that’s having ripple effects on every system that’s been developed. I like to talk about the inversion of the aging pyramid, right? So if you think of the traditional age pyramid where the oldest is at the top and the smallest segment of the population and the youngest is at the bottom, that’s literally going through a period of inversion. And so every system that we have today has been built for the traditional pyramid, whether it’s transportation or retirement systems and savings, vehicles or education, it’s all been built for… So that’s creating all kinds of pressures on those systems, and the world needs to rethink, every system needs to re-think. So, that leads me to the second major global trend, which is the transformation of the healthcare delivery system, that’s where it’s gonna be felt most acutely.

09:40 Jeff Huber: So not only do we have this massive population, but they’re living longer. The life expectancy is up more than 25 years since the end of the Second World War. With that brings a huge influx in multiple chronic conditions. And so there’s this big movement in healthcare delivery moving from a fee-for-service or a volume-based model to outcomes. And what we know about our types of services is that when we’re part of the care equation, our clients’ usage of that healthcare system go down dramatically, particularly with someone who has Alzheimer’s or other dementia, and we can care for them at home more cost-effectively, better outcomes and higher quality of life. So I like to say the future of the hospital looks a lot like your living room, because the home is really gonna be the only scalable place where we’re gonna be able to care for this massive influx of seniors. And then the third, getting into your world, the third global mega trend, is really the digitalization of everything. Now that the Internet’s three decades old and we’re seeing the transformation that’s happening on every business model, radical new business models disrupting old, and those companies who can lean into those changes and adapt are the ones that are gonna have success in the future.

11:16 Jeff Huber: So that’s sort of the context in which we’re looking at the world and this whole big question that you’ve posed, and I think it’s just… With all of that, technology absolutely will play a role in helping to solve that. So we talk about we need to expand the capacity of the world to care for seniors. Technology should do just, it should enable us to expand capacity. So the big challenge for us is taking… We’re a very high-touch organization, a very high-touch approach, we’re in our client’s home, in the US at least, on average about 25-26 hours per week. And we like to say we’re barely not analogue, we’re so high-touch. So the challenge for us is to take that footprint that we’ve spent 25, 26 years developing and retrofit it with some digital-enabled tools, giving our caregivers and our franchise owners some new tools and capabilities to deliver more care and more effective care, do more with less, more predictive and prescriptive types of care. So is technology gonna play a role? Absolutely. What that looks like precisely is yet to be told, but we can get more into our experience and learning so far.

12:44 Matthew D Edwards: That makes sense. So you’re expecting out of those three ideas that you brought up, the three things that you’re paying attention to, you’re expecting that the technology is not only going to impact the operation from the perspective of your company, but it’s also going to impact how the elders are able to take care of themselves through the years, as well as how they engage with your organization. You didn’t say all of those things, but that’s an extrapolation that I’m reading, it sounded like you’re asserting technology is one of the three legs that are going to create change ripples, and you’d like to be at the head of it.

13:22 Jeff Huber: Yeah. At the intersection of those three, we looked at that and said, “Okay, our traditional business model, given those three global mega trends, we need to evolve our model.” And what remains true for us is the delivery of highly personalized care at home. How we do that going from a purely caregiver, physical presence in the home at all times, needs to evolve and we need to give our caregivers and their families who provide most of the care some new tools and capabilities and the ability to use data and to provide insights in how we can do all of that better.

14:06 Matthew D Edwards: From your perspective, do you think the home care industry itself, the senior industry itself and/or your organization from a risk appetite perspective, do you think in general that the adoption of new ideas like new tech, is the industry ultra conservative? Is it somewhat moderated? Is it leading edge? How do you see it today versus the future?

14:32 Jeff Huber: Well, I think the aging space itself is garnering a lot of attention in innovation and technology and how we care and keep people safe and secure at home, or care for them in different ways. I don’t know that I can speak for the entire home care industry. Our experience has been in leading a large multinational franchise company that has an awesome group of franchise owners, but they’re also very entrepreneurial. I’m confident we’re gonna be able to solve the technical challenges ahead. The big issue that you’re really asking about is leading a cultural change of a large distributed network that we have some controls over, but it’s franchising. And so, there’s a large underlying cultural shift that needs to happen and a mentality that needs to be open to doing things differently in new ways around technology. That’s a journey we’ve been on. I think this Covid situation has really opened the minds of our network and softened maybe some of the defenses against those things, and has actually helped us with the adoption of some of the digital tools we’ve been rolling out.

15:56 Matthew D Edwards: Sure. So Jeff, based on the things you’re talking about then, entrepreneurs obviously are, by definition, moderated or managed risk takers themselves trying to understand, “How can I provide value? How can I enable a profitable experience all at the same time?” Otherwise, they’re no longer in business. But they need to offer a value, a good value proposition, or nobody’s gonna come calling any way. So while Home Instead is enabling basically an oversight or portfolio management or an enterprise view into how to franchise and enable home care, does that then suggest that a lot of these different franchise owners may adopt some of these new ideas at different velocities? And then does that different velocity… How much autonomy is there and how do you regulate or normalize those things?

16:50 Jeff Huber: Yeah, we could have several podcasts on that topic alone, I think. I sort of view the first 25 years of our existence as really establishing this business model, bringing it to scale, creating this massive footprint that we’ve developed. We’ve got a ways to go in the expansion, lots of room there. But in that, we have learned so much from our franchise owners and provided enormous amount of autonomy to them, to help us learn and create the model. I think we’re at a point now where we really understand that and we’re… Part of the cultural shift I talked about is really moving them from running this business however they want, I’ll put an asterisk there ’cause I’ll come back to that, to a more uniform way of doing things, more uniform systems and processes that are really gonna be essential for us to unlock a digital future. We can’t have thousands and thousands of iterations of how this business operates.

18:03 Jeff Huber: The asterisk I wanna come back to is while we’ve provided a great level of autonomy, we also have had a very finite set of standards, but we’re extremely serious about them at how the business operates at the local level, that really all have to do with the safety and security of our clients. So we’re very uncompromising on those things, yet at the same time, exactly how the business operated was a lot of latitude granted at the local level. So again, we’re moving from sort of choose your own adventure in terms of systems and tools and processes, to a much more uniform, digitally-enable future. And we’ve had some challenges in leading people there, but now the network is really starting to get it and embrace it.

18:56 Jeff Huber: And part of your question was… There’s always a bell curve with adoption of anything within our system, and so we’ve got the early adopters and we know who they are, and many of them oftentimes are out ahead of us, frankly, on ideas, we don’t pretend that we have all the best ideas, we really try to tap into the ingenuity of the local franchise owner, who was on the front line solving very real problems and they’re incredibly innovative and smart. And so we try to tap into what they’re doing, breaking those best ideas, and then your resources and bringing them to scale, but so when we’re trying to introduce a major change, we really focus on what we call the ready and the willing, which are that front end, help us learn and iterate, and then usually there’s a big group in the middle that is waiting and seeing…

19:46 Jeff Huber: They might have some skepticism, wants to see what the ROI is, or how hard this change is gonna be, or those kinds of things, and then usually if we do our job right, they come on board pretty quickly. And there’s always a group at the end where we have to get them on board by mandate, so right now, we’re really moving in our digital transformation, I’d say from the early adopters to more moving that big middle group on board, we’ve got a lot of the things figured out, ironed out, we’ve done a lot of the hard internal work to sort of enable scale. And so we’ve been sort of setting the table for this for years now, and now it’s really time to start leaning into it and accelerating that transformation.

20:33 Matthew D Edwards: Is it accurate then for me to summarize some of the things that you just said to say that as an enterprise organization, you’re working to normalize or streamline some things for a number of reasons, and that can be a cost of ownership or general in economic considerations. It may be for regulatory compliance or privacy or confidentiality or those types of ideas as well. But at the same time, you’re still wanting to enable autonomy and independence or independent evolutionary thinking at the franchise level. So you’re working to, which is a continuous job, evolve both what can be normalized and what should be independent or individual and when? And that’s kind of the model that you’re evolving on right now. Is that a good summary?

21:22 Jeff Huber: I think that’s a really great way to summarize it, and another way to say it is that there’s this constant tension between those two things, and at different points of your evolution, you’re sort of setting the dial, either more towards autonomy, more towards structure. So that’s where we’re at. Yeah. That’s a great summation.

21:42 Matthew D Edwards: Okay. That sounds like a kind of a normal model for larger organizations anyway, where that cost intention of, “Yes, I want to enable you to do what you need to do, however, also I need to make sure that it’s predictable, repeatable, audible, compliant.” Let’s be responsible here, we wanna be in the newspaper or the media for the right reasons, so let’s make the right decisions together, so that makes a lot of sense and it’s hard all of the time, as I’m sure you and your team would communicate. So as it relates to the home care industry, a lot of these new technologies that are coming out, there has been technology available for long time in various iterations.

22:28 Matthew D Edwards: Some of the newer things, for example, companies that are implementing connected things or Internet of Things solutions, for example, a single physical device unit that goes inside one room that doesn’t touch anyone, but it monitors all behaviors all of the time, collects all of the data, patterns, it finds patterns, it makes decisions, it asserts potential, but it does predictive analytics as well, for example, gait analysis. In order to predict a fall, there needs to be data, the data has to be collected across time, which then creates patterns, which then elucidates or reveals a possibility, which then alerts people so they can make decisions, and that actually sounds spectacular.

23:15 Matthew D Edwards: So that you could know in advance, “Hey. It looks like mom’s having some trouble right now, and maybe I’m just gonna go hang out with her for a little bit and we’ll go see how the day goes together.” With that though, comes a ridiculous amount of information, so for example, when you’re talking about your organization and multiple franchises, multiple countries and all kinds of clients, if all of those were operating together and all of that data was being collected just to do predictive analytics on a fall, do you think or have you perceived or do you understand in your own house or in other organizations, how people might be prepared to start collecting more data more often? It is a little bit of a paradigm change between, “Here’s what I entered at the end of my shift.” Versus sensors that are collecting data 70 by 24 x 365.

24:17 Jeff Huber: Again, you ask really big thought-provoking questions. I think there is absolutely a future where big data, artificial intelligence analytics is gonna play a very predictive and prescriptive role, and for those of us who are out there looking at the future like that, our minds tend to go right there. And in fact, my mind has been there for a while, I’m very fortunate to say that some tables where they’re sort of cast in the future for healthcare and those kinds of places. The challenge is, we got a lot of work to do before I think that can happen, and we can’t put the cart before the horse.

25:07 Jeff Huber: In fact, in our business, we’ve had to go back and do a lot of the really nitty gritty, un-sexy work, to lay a foundation that would eventually unlock the kind of future you’re talking about. I’m talking about… And this might sound really rudimentary, but remember, we’re barely not analog, things like single sign on or those kinds of things. I’ve learned more about those kinds of things than I ever thought possible when I was wanting us to have a dashboard that said, “Hey. These five clients are at a 95 probability for a fall today, we need to do something about that.”

25:52 Jeff Huber: So we have to really start at the very foundational level, so we’ve spent the last few years really putting in the stuff that doesn’t really… Isn’t real sexy, you don’t really talk about it at conventions to your people, it’s quietly happening in the background, but we’re starting to sort of come out of that phase, and now we’re starting to be able to deliver some of those more value-add things. For us, we’ll get there, but we’re really starting more with enabling, giving our caregivers new tools so they can do their job better, connect with the office better, connect with family better, having some remote capabilities so we can be more efficient with our limited human resources. So we can get eyes into the home without having to send a nurse across town to be there and evaluate a situation, we can do that remotely.

26:54 Jeff Huber: A lot of the things that require a lot of time and manpower and a lot of friction, we’re able to begin to automate and streamline, so that’s really where our immediate focus is. But we do have our eye on that end game of being able to use huge data sets, you know $90 million of care and 85,000 homes, and then you give it in 25 hours per week that should… We should be able to unlock, use very powerful data sets to be able to provide more predictive, more prescriptive care. It’s just we’re not there yet.

27:35 Matthew D Edwards: Yeah. No. The idea of digital transformation is actually an interesting and also useless word, like saying cloud or quality, those words mean something different to anybody that you talk to, and so it’s difficult to talk about. But the idea behind digital transformation is really multiple things, and it’s the process is it’s the tools, it’s the people as well as the company as a whole. And so, to just pick up a new Internet of Things device and call that digital transformation is actually completely miscommunication, the whole idea.

28:12 Matthew D Edwards: It’s how do we take our entire organization and optimize how we get to the desired outcome, which is to enable people to age in place, to love them where they are, to be helpful when they need us and be out of the way when they don’t. And that requires us to talk about everything, not just a trip to the Home Depot or a trip to Best Buy and buy something really cool and plugging into the network, so it’s a lot of work, and so you’re talking about a lot of behind the curtain stuff that then nobody wants to talk about, that everybody has to do, that maybe some people haven’t had to do yet. So yeah, there’s a lot of work for the no contest.

28:51 Matthew D Edwards: So when someone like you in a leadership role sees something in a magazine or sees a commercial or an advertisement in an article or whatever it is, along the way of saying, “Hey. Look at me, I’m technology company 12, I’ve developed this brand new and amazing device or this new software or I have this new widget.” And then someone like you and your role probably is inundated with 10, 20, 50 or 100 different companies all coming to you with their particular widget. And some companies will assert, “We have a comprehensive solution.” And some will say, “This will fit into your solution.” If you take all of that and just say, “Hey, that’s fine.” Let’s put it to the side. In order for you to do what you need to do to love and engage and care for people, what would be, from your perspective, an actual useful way for technology solution providers to come alongside you and work with you and help you solve problems?

30:00 Jeff Huber: Well, that’s a good question. And you’re right, we are inundated with all kinds of opportunities, and the big challenge for us is sorting through those. So the main thing I did, or we did, I should say, when trying to solve for this, was to really formalize our innovation function. We’d had a lot of innovation, and like I said, we’ve got hundreds and hundreds of franchise owners out there solving problems. And so we try to tap into their ingenuity all the time and bring the best ideas to scale. And that worked great, but when we were thinking about, “Okay. We really need to take our footprint and our high-touch approach and give it in some digital capabilities.” The possibilities for that were endless, and to try to solve that problem, I wanted to formalize our innovation function, so we acquired a digital marketing company that we had a lot of experience and trust with, and kept the digital marketing function alive, but also gave it a charter that said, we need you to help us think about what a digital enabled future looks like for Home Instead, I wanted it to be outside of our organization, because I wanted them to be free of legacy thinking and systems and tools.

31:31 Jeff Huber: And so, that I think it served us really, really well. We’ve sort of wound down the digital marketing part, we really built up that innovation function, and now that team is part of us, just on the outside still, so they can sort of be free of to, “This is the way we’ve always done it.” thinking. But they now have a charter and a process and a way to evaluate all those, and they’re going after sort of stop doing activities, kinds of innovation, that sort of incremental innovation. But there’s also the big sort of game changer types of innovation, that’s how we sort of think of it, and they’ve got a finite budget and a charter to do that. And so I sort of let that group take on the challenges or sort through as they get process. So to get specifically to your question, if somebody wanted to come alongside us and maybe pitch something to us, the best way I think would be to go through our innovation group who has a formalized way of evaluating all of that.

32:43 Matthew D Edwards: That’s fair. So you have an incoming process to filter and prioritize? That’s a really great way to do that. Very often do you hear about people saying, “If I buy this tool then… ” Or, “If we change this part of our business, then… ” And in many cases, they may not fully understand what they want it to look like on the other end of that, but they absolutely feel like if they make this change, then whatever change happens is probably gonna be good. So it sounds like you guys are on the front end of that, you’re saying, “Hey. We know we need to evolve, but it needs to be on purpose, so let’s go do this on purpose.”

33:28 Jeff Huber: Exactly, they’ve got their charter and where we started, there’s about a two-year process. Well, after the acquisition, it took us a couple of years to sort of get the right people and talent in place and sort of the structures in place, and then the big charter for them was like, “Okay. How do we create a digital pipeline into our client’s home?” We knew we wanted to get tools into the client’s hands, into the home. So then we started looking and knowing that we’re a home care company, we’re not a tech development company, so we tried and failed at that a couple of different times, so knowing that we really… This is gonna be about partnerships and funding, so that process, we evaluated it, electricity ran through it, and it was aimed at the senior space, I think we took a good hard look at just about everything out there, and at some point you gotta stop evaluating and put in, and understand this is a journey, there’s no end point, this is just a continual evolution.

34:38 Jeff Huber: But we made a big move with a company called GrandPad, made a strategic investment in that organization that, one, had a really, we thought elegant solution, they took a very… With a very mature tech leader, founder, so many of these organizations are… Solutions that come forward come from really bright young minds, but it might really be a tech innovation challenge as opposed to trying to practically solve a solution. So this was a very mature leader solving a very practical solution, or problem that he had found in his own life, figured everyone else is dealing with it too. Great value alignment with our organization, and it’s been wonderful, and now we’re starting to…

35:31 Jeff Huber: We’ve had to make some adaptations to that tool to make it really a good tool for our caregiver workforce, but also understanding that this is an entry point for us, this is not the end, and there’ll always be something next, and that’s why I’m grateful we have an innovation team in place to sort of always be evaluating what the next thing is. The big thing for us, as though we have to begin getting our organization used to using digital-enabled tools and thinking differently about how they provide care, because the current model of one caregiver for one client, going back to these global megatrends, isn’t gonna be scalable in the future, we have to create scale and increase capacity.

36:15 Matthew D Edwards: Right. That makes a lot of sense. So Jeff, last question, and this has been outstanding so far, thank you. What we’ve seen in many industries is a shift to now include on-purpose, amplified and communicated, the role of chief information security officers or some senior leadership role whose job is to enable and ensure regulatory compliance, ideas, information security ideas, privacy and confidentiality in particular. As the industry has changed and even as your own organization has changed, how do you see the role, the public role, the amplified role of information security and privacy changing from yesterday to today and tomorrow, if you will?

37:09 Jeff Huber: Yeah. Well, again, you’re asking really big questions and that one, we could go down a number of different paths with, culturally speaking, just as we’re all wrestling with our individual rights and privacy and security of our information in this new world, but yeah, part of the nitty-gritty, un-sexy work I referenced earlier had to do with creating a data governance program and understanding how we were gonna collect, normalize, store, secure, and then finally analyze and use appropriately this various data that we’re anticipating collecting. And then multiply that against operations in many, many different countries, all with different security acts.

38:10 Jeff Huber: And so, it’s been a huge focus for us. And our regulatory and compliance group here, part of our legal team, has grown significantly, we’ve made big investments and bringing on personnel who can understand and help keep us safe and get the appropriate certifications in that area. So that we are safe and secure, we’re using information securely, not invading anyone’s privacy or overstepping their… Trust is so important to us, having a philosophy that this is really gonna be all about enhancing care and providing more personalized services, we’re not looking to sell this data or use it in some sort of commercial, we’re not looking to monetize it in any way, we just wanna do a better job of what we’re doing, so that’s a bit about… We had to sort of get right in their own minds about this philosophy and approach, and then make big investments in all of those different pieces I just referenced, including making sure we have people who understand that world really well and can keep us in track.

39:25 Matthew D Edwards: Yeah. It’s a lot of work, it’s a lot of work for everybody. Not just you, whether you have country by country governance, you also have the state-by-state governance, and then you have industry governance on top of that, it’s a lot of work and it has to be done on purpose.

39:42 Jeff Huber: It’s enormously complex. I think the most important thing is you have a… Really, a philosophy and approach, so many people sort of get big eyes and see dollar signs in when they think about monetizing data, that’s not at all been our approach. So we had to get aligned philosophically on all of that and then put those pieces in place. Yeah. And it’ll be never ending, and one of the internal challenges is getting… We’ve been a care company, we support franchise owners in providing care who… These are people who recruit clients or train caregivers and pair them up in a very high in-touch way.

40:31 Jeff Huber: So getting internally an understanding about, “Hey. What the future lies, we have to continue to evolve our business model.” Which involved investments in these things that maybe our frontline folks didn’t quite get like, “Why are we hiring all these lawyers and what’s all this data stuff about?” So it’s been a huge internal education, I’ve had to learn a lot, our whole team’s had to learn a lot, we’ve brought in a lot of talent to help guide us there, we’ve brought in some outside resources to help guide us there, and then internally and I…

41:07 Jeff Huber: What’s really exciting about that is it’s been frustrating at times. It’s been a learning curve for everyone, but I think we’re all starting to get it now, and where I feel like we’re starting to reach a tipping point within our network. So that’s been a really rewarding journey, and I know we’re gonna have other setbacks and other frustration points along the way, but I think we’re now aligned as an organization, so that’s been a very gratifying experience.

41:40 Matthew D Edwards: That’s great. The net of the whole conversation that you’ve communicated is, “We’ve had a great journey, and we want to continue having a great journey, and that means we never get to rest.”

41:53 Jeff Huber: It proves that constantly, we’re constantly having to evolve. And so the key competency for a good Home Instead team member is the ability to adapt and change and look at that not as a threat, but as an opportunity to grow and evolve. And so I think we’ve got our collective mindset right there.

42:14 Matthew D Edwards: Very good. Well, Jeff, this has been outstanding. Thank you for taking the time to meet with us to teach us about your organization, about the journey that you’ve been on and where you guys intend to head and are heading. And man, we look forward to paying attention and seeing where you go and learning from you again, and look forward to talking to you again. Thank you.

42:36 Jeff Huber: Yeah. Well, I appreciate the opportunity.


Part II: Putting Together Information Security and Privacy Plans that Matter

Enabling Better Health Care & Senior Care Outcomes with Technology

This series focuses on how the health care and senior care industries are enabling more autonomous living opportunities for all ages while improving and expanding care in the face of the exponential growth of the senior population. These industries face labor shortages and a strain on existing systems that must evolve and scale while meeting information security and privacy requirements.

Show Highlights

In the previous episode, we focused on purchasing and securing IoT monitoring devices, implementing platforms and securing the data associated with them. This time, Rebecca Herold and Nathan Gibson join us as we explore the role and value of whole organization information security and privacy plans. Do you have them? Should you have them? And what do they look like?

Key Takeaways

  • Creating an Information Security Plan that achieves compliance and ensures the data is protected in the manner the organization needs. 
  • Putting a framework in place that addresses the full lifecycle of data and ensures human behaviors follow the plan with regular checks, tests, communication, and training to confirm everyone in the organization is aware and following the plan. 
  • How senior leaders must stay aware of how well the organization is implementing and evolving the plan.
  • Successful security and privacy programs are the ones that coordinate closely and often report to the same person in the organization.

About Our Guests

Rebecca Herold has over 25 years of IT, info sec, and privacy experience. She is the owner and CEO of The Privacy Professor, founded in 2004, and Privacy Security Brainiacs, founded in 2020. Rebecca hosts the radio/podcast show, “Data Security & Privacy with the Privacy Professor.” She is an expert witness, entrepreneur and author who has received numerous awards and recognitions for her work throughout the course of her career. Rebecca has written 20 books to date, chapters in many books and hundreds of articles. Learn more about Rebecca.

Nathan Gibson is the Chief Security Architect and Director of Enterprise Security Architecture at Allstate. Nathan’s information security journey spans multiple industries including our nation’s Air Force, healthcare, fintech, residential and commercial security, with a heavy focus on cloud engineering security. 

Read the Transcript

00:56 Matthew D Edwards: Welcome to the long way around the barn. This is the second episode in our series, discussing remote monitoring, management, security and privacy in the senior living industry. Last week, we focused on purchasing and securing IoT monitoring devices, implementing platforms and securing the data associated with them. This week, we dive into the role and value of whole organization, Information Security and Privacy plans. Do you have them? Should you have them? And what do they look like?

01:28 Matthew D Edwards: We have two exceptional experts for today’s discussion. Rebecca Herold has over 25 years of IT, info sec and privacy experience. She is the owner and CEO of the Privacy Professor, and most recently, Privacy Security Brainiacs. Rebecca hosts the radio podcast show Data Security and Privacy with the Privacy Professor. She’s an expert witness, entrepreneur and author, who has received numerous awards and recognitions for her work throughout the course of her career. Rebecca has written 20 books to date, chapters in many books and hundreds of articles. And Nathan Gibson. Nathan is the chief security architect and director of enterprise security architecture at Allstate. Nathan’s information security journey spans multiple industries, including our nation’s Air Force, the healthcare industry, Fintech, residential and commercial security, with a heavy focus on cloud adoption, engineering and security.

02:29 Matthew D Edwards: Thank you for joining us today. Question one, whole organizational information security plans, and basically senior living organizations, as they become more and more technology-savvy and dependent, the number of moving parts and exposures to risks and liabilities is only going to increase. Do you guys recommend the organizations formally create and implement whole organizational information security plans, for example, if they don’t have them already, should they? And if they are going to put them in place, what should they look like? How do they know when they’re done? What is a good model? What is an information security plan and why should the C-Suites and leaders and senior living communities have them? Nathan, would you like to lead us off, sir?

03:20 Nathan Gibson: Sure, I think that the short answer for that is yes, but there’s a long conversation surrounding that. There’s a right way and I think a wrong way for implementing information security plans. And if you go out to NIST or different federal guidance, NIST is National Institute of Standards and Technology, they’re gonna have sample templates for an information security plan. And if you’re implementing them for the right reason, which would be you’re truly looking to protect your customers or protect those people that you’re caring for and the data, then you’re actually gonna look at it and understand what it is. If you’re simply trying to check a box from a compliance perspective, then it’s very easy to take those and copy paste and label that, Hey, I have an information security plan, and you’re checking a box.

04:18 Nathan Gibson: And there’s a difference between being compliant and being secure or actually protecting the data the way you should and the way you want to. And each organization, I think depending on the technology they offer, is gonna have a different set of standards and a different set of policies because their technologies are different. So if they look at it from, “Hey, we’re gonna bring in this capability and spend the time to document a particular policy for when that can be used and how it must be used, and technical guidance,” that collection of documents over time, that becomes your information security standard.

04:57 Nathan Gibson: Those are the types of things I think organizations should strive for. A lot of times, the technology they’re using is gonna be based off a vendor. So it’s also equally important for them to understand the vendor and understand those vendor’s privacy policies and practices and procedures, and maybe even that vendor can help them institute their own standards based off other customers that are using their product. So even though they may not have those skills in-house, they can ask for that question, ask for that service when they’re purchasing that particular product or capability from vendor, can you help me implement internal policies and standards to appropriately operationalize this product or this service?

05:43 Matthew D Edwards: Okay, Alright, Rebecca, what are your thoughts on this?

05:47 Rebecca Herold: Yeah, absolutely, and I agree with what Nathan said, and I would add to that too. A lot of folks who are listening, if they’re from senior living organizations or they have loved ones who are there, I think also add to just that need that Nathan talked about. Just think about all of the information that is within senior living organizations. And it’s not just technical, in fact, there is so much information within these organizations that is written down on paper, that is written on whiteboards, that is written on bulletin boards, that are on chalkboards, that are on the outside of people’s doors when you go to visit a resident.

06:39 Rebecca Herold: So it’s so, so important to make sure that all of that information is protected. And the best way to make sure that you’re protecting not just your residents and your visitors, but also just think about the actual organization itself, you have a reputation, each senior living organization wants to be trusted. If you don’t have a strong and consistently followed security program with some applicable rules that are specific to your organization and your risk environment, then you’re going to have bad things happen. It could be accidentally, maybe somebody wrote their password down and left it on the registration desk, and somebody saw that when they came in to see someone, or maybe a sales person saw that when they came in.

07:43 Rebecca Herold: All of a sudden now someone else knows what perhaps your ID and password is to get into the Senior Living Organization website. Or if they see files of your residents, do you know how lucrative it is to have the personal information of senior citizens and use that to perform identity fraud and other bad things. So, there’re so many reasons, as Nathan said, beyond compliance, certainly compliance is there to set up really the minimum necessary to make sure you have basic security controls in place, but you also must always go beyond those basic minimums to identify where are these additional problems that you might not have in a check list, but still are problems.

08:44 Rebecca Herold: Somebody brings in an Alexa because they know that the residents are going to enjoy that. Well, you know what, Alexas are really cool. I’ve been experimenting with one since last December, and they are fun, you can play some really cool music, I love Ella Fitzgerald so much. I play music by her, I know the Senior Living Organization folks would love to hear all their old favorites, right. But if you have that going and it’s not a 100% perfect, it’s also taking information based upon keywords and storing it in the cloud. And that information has been compromised before, has been misused before, it has been shared with third parties before. So you need to just make sure you know what your environment is like and where all the risks are. You might have these digital spies and other types of spies on feet coming in and out of your organization that you don’t know about, so… Yeah, you need to… Every organization needs to have an information security and privacy program in place. No organization cannot have one today and still be safe from bad things happening.

10:16 Matthew D Edwards: That’s a really good call out that I’d like to amplify, if you don’t mind, which is, Rebecca, you mentioned that information security plans don’t only cover technical things, but it covers all types of information and that behavioral… It’s behavioral information, it’s experiential information, and as well as the technological considerations. And so a lot of people that we’ve run into through time have assumed that common sense was common and that passwords shouldn’t be stored on post-it notes, or passwords shouldn’t be stored out in plain sight for everyone else to use or that entire staff shouldn’t be using the same login credentials for one application, those types of things. I think that those are the types of things that you’re referring to also, which is to have a plan, talks about the behavioral, experiential, the technological, all of the aspects of data, not just I bought a device, I plugged it in, and now I have a plan. Am I getting that correctly?

11:33 Rebecca Herold: Yes, and I would add to that, it must consider the full life cycle of information as well because there are some significant risks when you’re collecting information. When you have new residents come into your senior living organization, think about it, they fill out how many forms? And I know because as we talked about before the show, my mother was in a facility because of early onset Alzheimer’s, and then my father was in a facility because of cancer. And when filling out so many forms and so many times you’re filling out 20 forms and they’re asking you the same thing on 10 of those pages, where are those pages going physical, that’s physical information. And they say, “Well, don’t worry about it. We’re going to input this into the system, so then it’s… All that going to be safe in our computer.” Well, where are you putting the physical paper when you’ve got it input into the computer. Will you throw it away?

12:47 Rebecca Herold: There it comes to the end of the life cycle, right. You’ve input it, and now how are you throwing that away? Can I find my information that I just put down for my parents back behind your facility in the alleyway dumpster? A lot of people find information there, so even that physical information, you need to make sure that you deal with that, too.

13:14 Nathan Gibson: And I would add on to what Professor Herold was saying. In between there, likely what’s happening is they’re collecting that information on paper, and then what’s that data input process? What’s that look like? If they get so many forms, and this isn’t just the initial… This is if they have Medicaid claims or Medicare claims potentially. Is that sitting next to a scanner, just a pile of paper sitting there waiting for the night crew to come in and scan those and input into those systems, while they’re sitting there, who has access to that data?

13:48 Nathan Gibson: I think you mentioned spies with feet, right, who’s coming in and out of your facility. How you’re locking those up, and that’s where your information security program can be as simple as setting some operational processes, document, saying, Hey, when we collect this document from the patient or a patient’s relative, this is the place that it goes and have a discussion around, how are we securing that, how long does it sit there? Who’s authorized to get access to that and then what’s the next step. And just documenting that process right there, that simple thing is not a complex thing, but that’s part of your information security program and your plan and becomes an operational standard at that point.

14:37 Rebecca Herold: Well, and I wanna just quickly emphasize, I love that you brought that up, Nathan, because having it documented is so important because the people in your organization will not consistently follow these practices if it is not written down. If you have just one person who’s not doing something, that one person could cause a huge problem, a huge breach or a huge outage because they didn’t consistently follow what everyone else was doing, it needs to be written in policies and procedures.

15:18 Matthew D Edwards: One of the things I wonder then, and you guys could both expound on this, one of the things I wonder then is when you’re talking about the data, all of the different forms of the data, you’re also talking about the types… If you’re talking about the types, but you’re also talking about locations. And so as part of an information security plan, then do you recommend or what do you recommend as it relates to in order to have a policy or a procedure or to have an opinion, you need to know what you have, you need to know where it is, and you need to understand who’s accessing it, how it’s being used, all of those types of things, is understanding that if it’s an asset inventory or it’s an inventory of all data in the organization, do you consider that to be a critical component of the information security plan itself?

16:09 Nathan Gibson: Absolutely. First off, I would assume, and professor can probably speak more to this based off her experience, but there are some standard forms that are usually filled out when somebody is being admitted into a facility or transient through a facility and understanding what data you’re collecting on those forms and classifying that data, and then from that point, setting rules around that data classification, knowing that, Hey, this particular form does have sensitive data, so we’re only going to allow it to be stored in these locations, so once you collect it, we’re only allowing it to go in this location, and understanding that and putting that in policy and then enforcing that. I think it would also add is, it actually helps the organization take security out of it, helps them be more streamlined. If you have a new employee that comes in, what better way to quickly get them up to speed, than having exact operational standard that they can read on how they collect data where it must go to maintain a consistent, predictable, repeatable operation for the business and onboarding new employees quickly.

17:19 Nathan Gibson: So I think, yes, it does become more difficult when you’re dealing with paper documents, that has to probably change quite a bit. But yes, knowing where that data’s at, and what data you’re collecting is something that should be in your standard and your organization’s way of classifying it. We consider this extremely sensitive data, so therefore only these roles or titles within the organization can have access to it underneath these circumstances, that’s super critical to have in your plan.

17:55 Rebecca Herold: To add to that, just think about it, how can you protect data and make sure it’s used appropriately, unless you know exactly what information you have and in what form it is, and where it’s located. I mean my gosh, just imagine, what if every one of us had 20 credit cards, but yeah, we didn’t keep track of where those credit cards were. Now, maybe there might be a credit card in your home safe and you have it locked up, that one’s probably pretty secure. But what if you have five of those credit cards out in your… Maybe in your automobile and you go to a restaurant to do it and leave it in there… Somebody gets your credit card. Are you gonna even know that if you didn’t know your credit card was there to begin with? So keeping track of all of your information is kind of like keeping track of your own personal values, because if you don’t know where things are that you value, and if you don’t know how to protect them, then things are going to happen to those valuables and you’re going to really be sad and mad at yourself for not securing them and keeping track of them to begin with, that’s the same way with any business.

19:15 Rebecca Herold: A business has to consider information as being valuable and they need to know what information they have so that they can then determine how they need to protect it in all the locations where it’s located. Because kind of like Nathan was talking about with the classification and so on, if you have certain high value information and it’s located some place that might be a high-risk area, like out in a public area, that will need much more security around it than if you had it some place perhaps within many walls, within the center of a building that all have locks on them and very tight access controls.

19:58 Matthew D Edwards: Alright, alright, that’s good. So let me summarize these things, if you don’t mind. So far, basically what I believe you both have well-communicated is, hey, an information security plan is non-negotiable, it must exist if you’re a business and you have employees and clients, you’re likely collecting information, and that’s not just technical things. So while we’re talking about the senior living community, and we’re talking about the adoption of Internet of Things devices and technology and networks, where there’s a whole lot of data and privacy and planning that required there, it also includes everything leading up to and around it, and afterwards as well, which could be paper-based, it could be experiential, it could be relational, communicative, Post-It notes, the doors. So what data do you collect? Where is it located? Who has access to it? And then what’s your plan, what’s the plan to collect it, what’s your plan to store, what’s your plan to share and engage with it. So it has to be done on purpose, and while we all want to trust, we need to have a plan and then trust that we’re all using the plan as opposed to just trusting the merits of good character and great people and sometimes hairy days and, it’s a tough day.

21:20 Rebecca Herold: Exactly, and I might add, make sure you know if people are using their personally owned devices and include those devices in your program, because you absolutely have to protect data everywhere, even if it’s not on your organization’s own computer systems within your own facility walls. And I know in a lot of organizations, people are now, especially with work from home, people are using their own personally-owned laptops and… Oh my gosh, I’m looking right here at a USB drive that has 64 gigabytes of storage on it, and I know a lot of workers who use these handy-dandy tools to take home and do work at home. Or they probably already have them there, and it’s easy to collect because this one only costs $9 and so I could have probably a dozen of those, make sure all of your program covers those personally owned devices and storage devices and that you have training so that the people using them, know how to secure them.

22:37 Nathan Gibson: And what the professor just said on training, that’s the most key part. Having an information security plan and doing regular training on that and testing the effectiveness of your training is important. You can document everything, but if you’re not training your employees, you run into situations where, somebody may be just trying to do their job in just situational… I see it all the time. Somebody calls in to make a payment and your computer is down. Okay, I’m gonna pull out a sticky note here, what’s your credit card number, and write that down on the sticky note, what’s your CVV, the security code on the back. And the expiration date and everything, and they stick that on their desk, and then later that day when the computer comes back up, I’m gonna go process that payment now. What happened to that sticky note that has that payment card data on it, or what happened to that sticky note that had that person’s social security number on it?

23:42 Matthew D Edwards: And your training on your information security plan isn’t about this is our policy, you must read it, take a test and follow it. It’s more about, Hey, this is what we are charged with, this is why we’re trying to protect data, here are the threats to that here, the people who are trying to gather that, to bring that threat awareness or the vulnerability awareness to the employees, so they can do their part in those situations where the policy may not cover it exactly. It helps bring them that situational awareness so they can do their part to continually protect the data, so that training is a key part.

24:20 Matthew D Edwards: That makes sense. So training needs to be a part of this on purpose. So let me transition this conversation to privacy. Do you believe that privacy is a component of the larger information security plan, or is a privacy plan its own entity? What’s your perspective on that, and then what composes a good privacy plan in an organization that’s collecting not only paper-based data, but they’re also collecting data based… Device-based data all over the place, what are your thoughts on privacy and what does that look like for folks?

25:02 Rebecca Herold: Well, privacy definitely has a lot of overlaps with information security. I mean, you have to protect the information, certainly. I think a very common misconception is that privacy means that you only protect data by encrypting it or it’s just about confidentiality. It goes so much more beyond that. Privacy means that you are giving the individuals about how their private and personal information applies, you are giving them some control over that information, you’re letting them know, Hey, here’s the information we’re collecting from you, and by the way, here’s how we’re using it, and here’s who we’re sharing it with, and here’s how long.

25:56 Rebecca Herold: We’re going to keep it and retain it, and here’s how you can get access to it, because we wanna make sure that it’s accurate because if this information is not accurate, it can have impact on your personal life when that inaccurate data gets out there and is being used to make decisions about your life. So yes, I’ve been doing privacy and information security management since around 1993, when I wanted to address privacy. I was responsible for creating the security requirements for what that was going to be… And I think it ended up being the first online Internet Bank in 1994. And I was establishing the security requirements and I was doing research and I found the OECD privacy principles. I thought, these make a lot of sense because this is a bank, and a bank has a lot of personal data. I happened to know the CEO and I thought… I’ll mention to him that it’s important for the legal counsel to address privacy.

27:20 Rebecca Herold: Well, at that point in time, just think about it, ’93-’94, there were no laws or regulations, so the General Counsel said “Sounds like a good idea, but it’s not my problem because there’s no legal requirement”. So the CEO told me, “Hey, Rebecca why don’t you go ahead and take care of privacy while you’re doing security,” and that’s where I learned throughout the years that it’s so important for security and privacy areas to work together. I think we need… You asked before about, should that be part of the program? Should it be separate entities? I say that it should be… Maybe possibly two areas, but they have to be integrated. And in fact, I see the most successful security and privacy programs are the ones that really coordinate closely and often report to the same person in the organization.

28:18 Rebecca Herold: They don’t have the privacy officer reporting to the General Counsel and the security person reporting to the CIO, they actually have a Chief Information Assurance officer who is responsible for all information and that comes down and covers privacy and security equally. And they’re kind of outside of the CIO and the general counsel area. Because I’ve learned from just experience, if you start getting put into the IT area, or into the legal area, oftentimes needs and risks do not get addressed appropriately because you don’t have enough authority in that organization to say “We need to do this. It’s important.” Sometimes you get overruled in these organizations, when you’re talking about senior living organizations, those might have a little bit different setup with regard to executives and their org charts, but still they need to understand that you need to address security and privacy, the different issues between them. But at the same time, they can’t be done in isolation of each other, they have to work cooperatively in order to be successful.

29:43 Matthew D Edwards: Well stated.

29:46 Nathan Gibson: Yeah, I would echo what Professor Herold said. I work closely with my counterparts on the privacy side, the chief privacy officer, and very passionate group of privacy, I guess, I would call them engineers, architects, but more often advocates is the best way I can describe it. Now to answer your question about how I see privacy and information security, and it may take a little bit different view on this, the privacy folks also have kind of an ethical watchdog component to it. It’s not just about what data you’re collecting, everything Professor Herold said absolutely… But they’re also there to make sure that the organization is doing the ethical thing. We are collecting this data specifically and solely for this purpose, and when another group or department comes by and has great innovative ideas, that’s absolutely fantastic. That privacy plan and those privacy professionals are there to say, “Hold on a second, I’m gonna be the voice of the customer. Have we communicated with the customer that we’re gonna do this? We need to give them the option to choose whether or not they want to do this.” It’s going beyond typical, this is what exactly the law says I can and can’t do with this data from a privacy perspective.

31:17 Nathan Gibson: And it’s more about, “Hey, are we doing the right thing by our customers? Do our corporate policies, do our corporate standards and procedures reflect our ethics and our values as it pertains to protecting our customers data, only using the data in the way we stated we would use it, not trying to blur between the lines or trying to figure out how to make an extra buck or whatever.” They are that advocate, they’re speaking on behalf of the customer. And the security plan is a component of privacy in a sense, because part of security is okay when it’s on technical solutions, how do we make sure it’s encrypted or how we make sure that it’s secure in transit or it’s only being stored where we allow it. That’s one small component of a larger privacy plan, which is more around communicating and being ethical and truthful on what data we’re collecting, what we’re using it for, and giving people the opportunity, a choice, to update that data or ask us to get rid of that data, if needed. That’s really a privacy plan in the privacy program and the professionals that operate them.

32:33 Matthew D Edwards: So if I could summarize, based on what I’ve heard so far, before we move on to another interesting question, it sounds to me like the idea of information security plan must exist, the idea of privacy on purpose must exist, and whether they are one idea or two ideas, they’re basically so interwoven that they must both exist.

33:00 Rebecca Herold: Well, I was just gonna say, when you’re talking about that interweaving, definitely, I wanna give kind of a real world example, too. And I’ll use HIPAA because I know that senior living organizations as covered entities, most of them are anyway, under the Health Insurance Portability Accountability Act or HIPAA. We have the privacy rule and the security rule. And I know that a lot of organizations deal with each of those requirements separately in the organization. However, real world, the privacy rule requires that you give your patients, your residents access to their personal information. So oftentimes that information is given to them via online portals. Now the privacy office is going to say, “Okay, well, we’re going to make a policy that we must give all of our patients, all of our residents access to their health records,” that means that privacy rule requirement.

34:07 Rebecca Herold: Well, who’s going to have to implement the actual access to that information within the system? It’s going to have to be the IT area, and the information security area has to be involved because in order to meet the privacy rule requirements, which also include a very wide requirement to follow the security rule, have safeguards in place, they are going to have to be able to implement security over the way in which patients are given access to that patient information. They have to work together because the security officer, they need to understand if what they’re giving access to is everything that is necessary to meet the privacy rule requirements and then to log for the accounting of disclosures requirement, that access not only by the patient, by other people who need to get access to it as well.

35:09 Rebecca Herold: So those of your listeners who might have responsibilities for these might recognize that, yes, accounting of disclosures and access to information in all forms, not just digital, but also physical, you have to coordinate how that is done securely with the security officer as well. So I think that’s a very important real world scenario that every type of organization has to deal with.

35:38 Matthew D Edwards: Well, let me take that material then and transition to my next question for you both, which is, let’s say for organizations where the senior leadership said, Okay, I can understand why this is important, so I should have an information security plan, and that requires a list of things that I need to go do now that I have historically not done, including information security training. And I need to have a privacy policy, privacy plan that’s put in a place that is, to your point earlier, Nathan, giving the customer a choice and or acting on behalf of the customer while pursuing business goals and daily operations. So the senior leadership says, We need to have these well done, we are now persuaded, we’re going to get it done, and so they work diligently to put them in place.

36:32 Matthew D Edwards: For organizations, whether they have experience with it or not, after they have these in place, they have an information security plan, they have a privacy plan, all is right with the world, and they believe that things are great. How do senior leaders and these organizations stay aware of how well their organization is actually doing implementing these ideas. In other words, just because we have it doesn’t mean we do it, but if we are implementing and doing these things how do I know on a regular basis as a leader, if I’m not involved in it day-to-day, how do I know that we’re doing it well? Or doing it at all for that matter, how do they know? Nathan.

37:20 Nathan Gibson: Yeah, so, essentially, what we do in our role is called effectiveness testing. How effective are our administrative controls, our operational controls and our technical controls? And part of a healthy information security program is to have appropriate effectiveness testing. And effectiveness testing can be anything from audits like we are probably mostly familiar with. Somebody comes in and actually takes a look at your policies, your standards and your procedures that make up your information security plan, and then they observe day-to-day operations and historical artifacts and actions to see if people are actually adhering to those policies and standards that you have in place.

38:11 Nathan Gibson: So having an effective testing program, both internal and external, whether you contract occasionally with an external third party to come and evaluate or have somebody dedicated internal whose job is to go through and just randomly spot check these standards and the processes and procedures as they are in action. The other thing is to have a healthy reporting mechanism for employees that when they do see something that violate standards or procedures, that everyone’s comfortable with elevating that so that organizations can understand, employees won’t have fear of reprisal necessarily because they violated a particular standard, violating HIPAA privacy rule.

39:02 Nathan Gibson: It sounds like a pretty scary thing, but if a process or procedure is broken or training is ineffective… We talked about training earlier, the organization needs to know that. So it’s important not for leaders to necessarily have heavy-handed approach to policy violations, but more treat those as opportunities where you’re testing your program and you are making changes, whether that be enhanced training or whether that be a total change of procedure because you found out something you documented in the past may not be applicable today or may not be working today because new technology came in or new processes came in place. Employees are innovative all the time, they may find out ways to do things better and cheaper, but we may need to amend the policies and processes or tweak their innovative ideas to ensure that it’s still meeting the initial objectives of that information security program and plan.

40:04 Rebecca Herold: And I would add, too. All of this is so important to be part of a full risk management program, that’s a subset of your overall security program. What Nathan talked about, one of the things I love, and I think the different types of senior living organizations and other healthcare organizations can do as well. And I think Nathan mentioned this, but I wanna highlight it because I found it’s very, very useful. I used to call them doing a work area walk-throughs. I do them after hours, but basically what I would do is I’d get my team together, and I do this for other clients too, and we would go through the areas and just see in the areas where people have their work stations, are they still logged in. Are they logged in and actually in this screen where patient data is being shown, do they have files laying on top of their desk? All the different things that you can actually see, and here’s when, oh, this is still common today, 25 years later, 30 years later, it’s still common today, sticky notes under your keyboards with your passwords written on it. Do the work area walk-throughs. This not only helps you to find where people need more training and not just formal training, but also reminders.

41:36 Rebecca Herold: They’re fun things to do, different types of activities so people can see what they’re doing with regard to how they would handle security and privacy. Another thing I’ve done with some hospital systems is I have use case exercises. So I get different teams together within an organization, give them a scenario, it’s usually a breach or some other type of security incident and see if they can follow the published security and privacy policies within the organization, in order to appropriately address that situation. You have your policies and procedures written for your employees to follow. So do you know if they’re going to be able to follow them when they really need to in disasters or business recovery, and certainly…

42:30 Rebecca Herold: In Iowa with the derecho, we had a lot of disaster recovery and business continuity being tested here in the past week. So doing those use case exercises is another way. You can call that it falls right under your training requirements for many different regulations beyond HIPAA, but it’s not a formal training where they’re sitting there looking at their screen. They’re actually doing things and it’s something that sticks in their mind for quite a while. And also doing other types of fun things. Have guest speakers, and I don’t know if any of you remember Clifford Stoll? Clifford Stoll wrote The Cuckoo’s Egg. He actually, in 1987, busted the first huge ring of Russian hackers into a university on the west coast because he noticed a two or three cent discrepancy within the system and he just wouldn’t let it go. And why would he let it go because everybody told him that two cents was within their range of acceptability for errors, and he was like, no, this isn’t right, so anyway, read that book, The Cuckoo’s Egg, it’s still very good.

43:47 Rebecca Herold: I had him come in to be a guest speaker, and he was so good. He kind of reminded me of Einstein in the way his look and his hair especially was, but talk about engaging. And it got people interested and it made them think about security for many, many months after that. And how do I know? I know, because I saw the number of hits on our internet website was so high for many months after he was there, and people were calling and actually giving me… Calling when they saw a concern, is this a problem? Should we be worried about this? And I love that because it meant that they had really taken in that message of information security is important and it’s important to recognize when something might be wrong. So all of this falls under risk management, because it is helping everyone in your organization to identify where risks may be, and also then take actions when they think there’s a risk and they need your help as security or privacy officer to let them know whether or not that is something they need to be concerned with.

45:12 Matthew D Edwards: Let me summarize some of the things I think we’ve talked about today, and then I’m interested in some final thoughts that you may have yet unspoken. Basically, what we’ve discussed is Information Security and Privacy plans must exist. And in order to do those things, you need to know what you have, where it is, who’s engaged with it, how it’s being utilized, and its full life cycle from birth to end of life cycle and what you’re gonna do at each stage along the way. And that includes everything from paper to marker boards, to Post-It Notes, although there should be no Post-It notes all the way out to the digital stuff, which includes the adoption of Internet of Things devices for remote monitoring in order to enable autonomy for our elders and eventually, maybe even us. So the privacy and security plans need to exist, it needs to be done on purpose, but then after it exists, you need to put in place a framework or a behavior that says, Hey, I’m going to regularly check, regularly test, regularly train to make sure that everyone is informed, everyone is practicing, everyone is heading in the same direction in the way that we need to.

46:27 Matthew D Edwards: So the things that you’ve communicated should be no surprise to people, which is, Hey yes, you need to have them. Yes, you need to do it on purpose. And by the way, you’re actually never done. So after these things come to exist, you haven’t said it, so I’m asserting it, but you’re never done. These exist, they have to continue to exist, you have to continue to train, continue to practice, continue to audit and test and verify and validate, you’re never done. So thank you for articulating these things because it’s not only Internet of Things, it’s everything inside the organization, but I wonder, do you have any parting thoughts for us that you haven’t mentioned yet, Nathan, Rebecca, any additional thoughts you’d like people to consider along the way?

47:25 Nathan Gibson: Yes, I would just say it may seem overwhelming at first, information security program or plan, and if you don’t know what that is, you may have a tendency to go Google that. The good news, bad news is there’s gonna be a plethora of information out there and there’s a lot of guidance. One of the most common is the National Institute of Standards and Technology, specifically, the special publication 800 series. It’s a great resource to go out to learn about what you should be thinking about in your information security plan, but don’t get overwhelmed by it. You can start simple by creating simple procedures about, Hey, when we have this form that needs to fill out, here is our procedure on this form, customer fills it out and we do A, B and C with it all the way from when they finish it and hand it off to you to when you eventually hand it in the shredder. Detailed description, plans and all that is, is giving your employee and your staff directions on how to do your business, but you’re adding in the security components in there to make sure you understand every step of the way, so it can be that simple.

48:42 Nathan Gibson: And over time, as you create more and more simple documents like that, that becomes your information security plan. That is helping you ensure that you’re protecting your clients and your customers and consumer’s data at that point, and then you can use those references like NIST to help you understand, “What am I not thinking about? What else do I need help with?” And it can help guide you, so don’t let it overwhelm you.

49:14 Matthew D Edwards: Yeah, very good. So use NIST 800 series as an excellent starting point, but start small. Rebecca.

49:23 Rebecca Herold: Yes, and I would add. Everyone needs to remember and think about the fact that these concepts that you use to secure what’s within your organization, these apply to your own life. Everyone basically now has their own computers, everyone has their own smart devices or own smart phones, WiFi networks, I mean, not everyone, but it’s getting there one of these days, it will be ubiquitous. It will be pretty much anywhere you go, you’re actually going to be, if not leaving a digital vapor trail around you, you’re going to be passing through other people’s digital vapor trails because everyone is having computing devices. So when you think about developing these controls, think about the fact that you can use these same concepts, and same controls within your own home. You can use them within your own WiFi network at home and so on. So you need to keep that in mind and just view this as an opportunity to use what you’re doing at work to also improve your own home life with regard to your digital assets and your paper assets and secure them better as far as that goes.

50:50 Matthew D Edwards: Well, this has been an outstanding conversation today. And I am confident that in just the short amount of time that we’ve been together, we haven’t even come close to communicating or amplifying all of the things that are occurring in both of your minds this entire conversation. So thank you for distilling a lot of your experience and your thoughts and your perspectives down into smaller bite-sized chunks for everybody to think through.

51:18 Matthew D Edwards: Today, we’ve talked about information security plans, we’ve talked about the value of privacy plans and doing both of those things on purpose and a lot of the work that goes into getting there. But then we’ve also talked about after it’s in place, how do you know you’re doing the right thing correctly and completely on a regular basis, well into the future? These aspects, these conversations help people get started, but there’s a whole lot of work after that, and they’re probably going to have to have one or more people who exist in the company to do these things on purpose on a regular basis. And both of you have experienced leading and guiding and training those types of organizations and those teams and those implementations companies large and small, so thank you for taking the time to teach us. Thank you for a wonderful conversation. And I look forward to talking with you both again in the future.

52:15 Nathan Gibson: Likewise. Thank you, Matthew.

52:15 Rebecca Herold: Oh thank you very much. I enjoyed it.


Part I: IoT Devices, Data, and Exploitation


Our first episode in the series addresses critical factors when purchasing monitoring devices, securely storing, moving, and using the collected data that is exponentially accumulating, and how to mitigate the exploitation of these systems.

About Our Guests

Xavier D. Johnson is the Founder of Enterprise Offensive Security in Detroit, Mich. He also serves as a Secondary Cybersecurity Instructor at the University of Michigan, the Director of #MISEC, a Founding Organizer of DEFCON Group for Detroit, Show Host on How They Got Hacked, and Founder of Red Team Clothing.

Nicholas Starke is a highly skilled security researcher and penetration tester focusing on Internet of Things (IoT) security evaluations. Nick’s primary area of interest within IoT is networking equipment, ranging from Small office / Home office routing equipment all the way to carrier grade/ISP equipment – and everything in between. Right now he is focused on enterprise-grade networking devices as part of his role as a Threat Researcher at Aruba Networks, a Hewlett Packard Enterprise company.

Read the Transcript

01:00 Matthew D. Edwards: Hello and welcome to the inaugural episode of Long Way Around the Barn. Today, we are starting a series focused on remote monitoring, management, security and privacy in the senior living industry. In today’s session, we will discuss IoT devices, data, and exploitation. Very simply put, what do you need to know to purchase, implement and manage remote monitoring devices? How do you securely store, move and use the collected data? And how do you mitigate the exploitation of these systems by external actors? My guests include Nick Starke, a threat researcher at Aruba, a Hewlett Packard company, and Xavier Johnson, a full-time ethical hacker and part-time cyber security instructor at the University of Michigan. Welcome, gentlemen.

01:50 Xavier Johnson: Thank you for having me.

01:51 Nicholas Starke: Thank you.

01:54 Matthew D. Edwards: For a senior living community interested in adopting some of the newest connected remote monitoring technology that exists, what do you believe are some of the most important things leaders of senior living communities must consider when they’re purchasing, implementing and using connected devices in their communities and networks? For example, remote vital monitoring, daily activity monitoring, geographical movement mapping, predictive analytics and contact tracing. What do you think are some of the considerations that folks should review as it relates to hardware, network, Cloud platforms, data collection, use? Xavier, what are your thoughts on this?

02:29 Xavier Johnson: First thing that comes to my mind, privacy. The considerations of maybe where you sourcing data, excuse me, the actual hardware that this data is flowing on to, where else could it be going to? If we’re dealing with a piece of hardware that has a system on the chip, how easy is it to update the firmware on that specific device? What is the life cycle of that? And what’s the management of it? How much of a pivot… Much of a pigeon hole does it put you in? If you deploy it, do you get stuck with one particular vendor? Using one specific stack? I don’t wanna name and shame, but we all know those environments where when you go to go replace the one thing, you gotta replace the whole thing unless you’re gonna continue to go on the life cycle, and eventually they’ll upsell you on replacing the whole thing. When we’re talking about assisted living, and we’re talking about devices that are supposed to be there to help offset the load and to load balance and to create a higher quality, we still have to make sure that we’re doing right by way of privacy and assuring that there are ways to maintain and update these devices.

03:49 Matthew D. Edwards: Good call. So privacy number one, and then also making sure that we don’t put ourselves in the corner such that we’re not able to change, or that when we do want to change, we don’t end up having unplanned costs and complexity along the way. That’s a good call. Nick Starke. Mr. Starke, what are your thoughts on that?

04:11 Nicholas Starke: Vendor lock-in is definitely an issue you wanna consider. The adoption of open standards with whatever communication protocols are implemented in the devices that will allow you to build on top of whatever you’ve deployed quite easily, as long as they’re not using proprietary protocols and things of that nature. In addition to privacy, I would say security is a big issue too, because of privacy. Because there is sensitive data being collected and stored, you wanna make sure that no one who is unauthorized gets access to that data while still maintaining the people who do have authorization, that they can still have access to it. So it’s balancing those two things.

04:57 Matthew D. Edwards: That’s a good call. So making sure that we’re balancing privacy and security. From your perspective or from your experiences, Nick, in different organizations, have you found that people undervalue or overlook or just assume the relationship of permissions and access with devices? In other words, have you seen through time that people are most excited to plug things in and least excited to think about how to secure them?

05:32 Nicholas Starke: Yes, so I think there’s the issue of, you get a new IoT device and you plug it in. It’s the configuration of it, right? Not only just the device with the network that it sits on and everything, and I see a lot of times that the amount of configuration needed isn’t performed, and that results in security holes, exploitation vectors that open up, the device itself probably needs to be configured in some manner, and so does the network it sits on. So there’s two different levels of configuration that you need to do, and a lot of times I don’t see end users performing the amount of configuration that they need to perform in order to keep the devices safe and the data safe, and provide that level of privacy that is expected.

06:16 Matthew D. Edwards: Right. Okay, so there needs to be a plan. It’s just that simple. There needs to be a plan for the device, there needs to be a plan for the device ecosystem, in other words, one or more devices, and possibly spanning multiple vendors. And there for sure has to be a plan for the network, the network configuration, the device configuration, the security around it and the privacy. So this isn’t so simple as someone at an organization going and making a bulk purchase from Best Buy or some other store and plugging it in and everything rocks and rolls, but there needs to be a plan for what problem do you wanna solve? There needs to be a plan for the device, even the firmware, as you brought up, Xavier. So it sounds like there needs to be a lot of forethought, is the summary, there needs to be a plan.

07:11 Xavier Johnson: Certainly, and you know what else, Matthew, I’d like to toss in there, there needs to be room for innovation and room to play. And I think that as a security person within a company, as security engineer, we often are saying, “Hey, you cannot do this. Thou shall not.” And us as testers when we come in and we do our scans and we do our thing, and we reinforce why you shouldn’t, but I think there’s room for us to all play nice together, and figure out a place on the network where we can go out and vet these things. Where we get ahead of some of these problems. Maybe we start to think about our networks the same way that marketing thinks about campaigns, and start to have more of an A/B environment beyond just prod-dev, like, “Hey, we wanna try something out, let’s load balance some of our more stable users, our younger users in this case, that may take less attention over to something that may have a higher risk and reliability, but has all of these other features.” And I know we’re talking about lives here, so you have to be careful, but what I’ve noticed in healthcare, especially in the smaller clinics, as a tester, you find these doctors, they run the show at these clinics, and so they plug whatever they want into the switch, when you’re not around as a system admin.

08:38 Xavier Johnson: So this is just a toy, this is the latest thing that they got on the show room floor at a trade show, and sometimes they forget it’s plugged in. Sometimes they don’t change the default passwords. Most times they don’t, and it could be a week, it could be any given… It could be moments. You’re talking about the potential to compromise. So it’s something that, there’s multiple angles that you gotta plan for, you don’t wanna put people in a box and then make them go stir crazy so that they just do outlandish things without your permission. You wanna have a process in place so they can actually feel empowered when they hit the trade show floor to ask the right questions like, “Hey, I’m gonna take this to my team and they’re gonna put this in our special network, what do you want to let me know before I do that? What should I know?”

09:27 Matthew D. Edwards: That makes sense.

09:29 Nicholas Starke: I wanted to speak to something that Xavier just mentioned. An important part of this is how you build and validate the configuration that you’re building, the system that you’re building. I think external validation is gonna be really important, getting… Not only just checking all the check boxes on the compliance side, but performing security audits, penetration tests, things like that, of these deployed networks beyond what the manufacturer is doing on the manufacturer side, they need to be doing the same thing, and that should be a question that you ask as you’re potentially gearing up to purchase a system like this, is, do you have a software bill of materials? Do you perform regular penetration tests? Do you adhere to the compliance regulations around HIPAA for protecting health data? And what do you do to meet those compliance standards? These are all questions you should ask going into purchasing a system like this.

10:40 Matthew D. Edwards: That makes sense. So just again, it comes back to, I’m sure that we’re not touching the depth and breadth of the things that you guys have seen and regularly test, but the net of the conversation so far is, know a problem you wanna solve, have a plan, and then figure out how to make sure you can evolve. Test and evolve and not get boxed in, privacy and security have to be done on purpose, they don’t accidentally come with the device when you take it out of the box. Alright, those are fun conversations, and that then spans across to everything where the hardware, the network, the Cloud. And the data collection in particular is a big deal. So for example, with the idea of Geofencing, organizations that are interested in Geofencing are looking for ways to identify where are all of my staff? My healthcare worker staff. And putting in place ideas that says, “If this part of the building, then these conditions. Else this part of the building, then these conditions.” And so on. So behavior driven, Geofencing if you will. Similarly though, there are understandably some parts of the building where our elders, our family members should be in the senior living communities and some that are probably off-limits, dependent upon. I’m sure they wouldn’t wanna turn me loose in one of these buildings.

12:12 Matthew D. Edwards: They would have to tell me, “Matthew, you stay on this side of the building. Please and thank you.” But they are leveraging Geofencing to understand where people are and where they should be. Also leveraging, there are some interesting new technologies that are monitoring your location in the building. But in relation to your activities, in other words, how many times have you been to the sink to get water? And/or have you taken your medicines? And/or your times that you’ve taken for personal time, if you will, in the restroom. And so monitoring all of these things, not because there’s an interest in knowing your details, but rather enabling autonomy is the goal, enabling autonomy. But it means we’re collecting data on everything all day, every day for all of our elders or family members, as well as all of our health care workers. In this world where there are so many devices collecting so much of that data on so many people, we’re gonna just have a lot of data. What are your thoughts? How do you guys react to that? Nick, will you start us out on that? How do you react to that many devices for that many people with that much data? What do we do about that? How does a person in charge of a senior living community make sure they’re doing right by the healthcare workers and doing right by the elders or our family members? And they stay within the law, but still add value?

13:46 Nicholas Starke: My first thought is, protect that data, you have got to do everything within your disposal to protect that data. But at the same time, you need to allow people who are authorized, access to it. From a security perspective, you need to have good access controls surrounding that whole database, if you will, the collection of data that you’re siphoning up from the devices, there needs to be auditable, discernible access control lists that determine who has access to it and who doesn’t. Another problem you’re gonna run into is just the amount of data, with all these devices collecting all this data all the time, you’re gonna just have… Terabytes and terabytes, if not petabytes of data. So you need a place to store all that, that will scale, because if you don’t have that, all of a sudden your devices will not be able to send data to your central system and you have an availability problem. So the ability to scale is going to be very important, even just from a security perspective, not taking into consideration the business value of being able to scale.

15:04 Nicholas Starke: I think maintaining Cloud platforms for your stuff is a good way of meeting that scale, the Cloud engineering stuff is built so that you can scale it out to millions of users collecting all this data at once… And it’s much more difficult to do that on-premise, so I would definitely look into Cloud options.

15:32 Matthew D. Edwards: Okay, that’s a good call out. Xavier, what are your thoughts on the volume of data? And the method of collecting, managing, securing. What are your thoughts on the Cloud stuff that Nick was just offering up as well?

15:48 Xavier Johnson: So we talk about the data lake, as it’s called. There are a couple approaches you could take to it, and I’ve been involved with both of them, at least two of them. One of which is the on-premise method. This is gonna require you to have military grade security, encryption, up-time. If you’re housing secrets there that are military grade, it makes sense to do that. I’ve been lucky enough to work for some smart people that solve some hard problems that keep us safe, and I’ve been able to work in startups where things move faster and you grow on demand. Where the growth looks like a hockey stick, and sometimes you do things that are maybe short-sighted, but to get the job done, and so we wanna make sure is with both of these approaches, be it if we move fast or if we want to roll our own and move really slow. The things that we want to do is as very fundamental, keep people away from the data.

16:55 Xavier Johnson: Humans and data just don’t mix, so that means a lot of controls right there, we’re talking five to seven layers of controls from access on the physical layer, access in the digital world, encryption, the amounts of keys that it will take to actually decrypt any one piece of information and the separation of those keys over people, over a number of people. So you treat your data like you would a nuclear missile, it is that level of important to you when you’re talking about if someone’s brushed their teeth, or if someone’s taken their medicine. These are very, very intimate things that are otherwise not captured or even capturable without some of these endpoints.

17:44 Xavier Johnson: And so you have a huge responsibility no matter which way you take it. And I would say that with regard to Cloud and the adoption of Cloud. One fundamental on Cloud is encrypt everything. Just encrypt everything. I forget the actual saying, something like, “Dance like everyone’s watching, encrypt like no one is.” Or something like that. Or the inverse, dance like no one’s watching, encrypt like everyone is. Because they are. And so even on your local environment, that last mile, I find a lot of people will encrypt up to that point, then it’ll be on the private network and they’re like, “Oh okay, cool.” Because it costs so much to do encryption, “Cost.” We’ll just plain text it until it makes it to the database where everything is encrypted by default on the disk, and that’s where people like me actually go to go look with our Wireshark to get all of the free and clear packets. So take the time, be meticulous and create what…

18:45 Xavier Johnson: In the Cloud we call it defense in-depth, so putting multiple layers of defenses that are available, be it encryption, again, digital access control, physical access control, and there are ways to be able to create these layers in front of whatever it is that you’re guarding, the Cloud makes it really, really easy to do that, but at the expense of capital. So both of these solutions end up costing you money at the end. It comes down to how much data you have, what level of secrecy that data has, and how complex the systems are. How old your systems are that are already existing, because if we’re talking about somebody like ADT, which could very well get into this business because they’re already into monitoring and security, they may have a standard data lake, they may not have anything in the Cloud, or they could just scale on demand like this. So I feel for the CTOs and CISOs that have to solve exactly what to do with this level of data, because we thought social media was gonna generate a lot of data. This is gonna generate a lot of data, this and combined with mobility, ’cause this is kind of extension of mobility in my mind, this is the medical end of mobility, keeping our elders self-sufficient longer keeping an eye on them without being overly involved with them. I think that that’ll create data that we’ve never had to house, or seen.

20:17 Matthew D. Edwards: That’s a good call. So the Cloud conversation, so the capacity to store… That’s a big deal, because the volume of data is just ridiculous.

20:28 Xavier Johnson: I’m almost giddy about how much it is.


20:31 Matthew D. Edwards: But the capacity to store then to your point earlier as well, Nick, is availability. As the data surges or as it just increases, you need to be able to recognize it, and capture it and contain it.

20:46 Nicholas Starke: And act on it.

20:48 Matthew D. Edwards: And act on it, absolutely. So there has to be a plan when it goes back again to having a plan on purpose, there has to be a plan to know where it’s coming from, to be able to handle it, to be able to store it. And then to your point, it has to be secured, to both of your points, it has to be secured is just a non-negotiable. And in particular, healthcare, therefore HIPAA, and in some cases HITRUST, and there may be some additional considerations that if they don’t currently exist today, they will need to exist. For example, when you consider state-by-state privacy laws, and then an elder or a senior family member and/or someone else in the family says, “I wanna know all of the data that you have on my dad. Now I want you to remove it.” I wonder if that’s come up yet? And if that’s where that’s heading, you absolutely must have a plan for the data, or that is gonna be a miserable and a horrible experience to figure out, what data do we have? And where is it? Now, how do I extricate it from my large, large vault of data. Have you guys had those opportunities yet or to look at, “My gosh, how do I get that needle out of the haystack from the privacy laws?”

22:09 Xavier Johnson: Not State side, but GDPR hit everyone in the product market in the mouth, square in the mouth. I worked at a company called DynaTrace a few years ago, and we had a large number of people in Europe that use our product. The users of our private data actually gets collected as well, so we had to figure out a way to actually go in and literally find the needle in a haystack, and that goes back beyond any data that’s even just live, that’s all of copies of that data, there is literally no one blanketed way to solve that problem, it will really come down to data classification, and I know that’s an umbrella term, but whatever that means for your organization, some people are small and nimble and they could potentially have a separate database for all of those users with different web endpoints where they house things in different regions thanks to the Cloud, and completely separate out those types of users. But when you talk about state level, that becomes much, much more difficult.

23:22 Matthew D. Edwards: That makes sense, GDPR. So a lot of these communities that we’re talking about right now may actually be domestic US, and they may have extensions down into Canada or Mexico, for example, but it could very well be that some of these organizations have international footprints outside this particular continent. Those are good considerations, good call out.

23:46 Xavier Johnson: And even if you look at New York and California, the way that they’re moving with their data privacy laws. They’re gonna have state level versions of GDPR, very soon, if not this decade… I can’t imagine it not happening this decade actually, it will be a problem that we have to solve as a community on the domestic level of data classification. And it’s a good problem to solve, a lot of people who get into HIPAA compliance should already have a strong data classification program because of… It’s not a requirement, but that’s something, that’s a huge consideration that I’ll be honest with you, I didn’t even think about.

24:27 Matthew D. Edwards: That’s a good one though. So the net on this conversation on data, guys, I think what I’ve understood from you is, understand your points of origin, understand your traffic and demand capability, have the ability to receive it and store it and encrypt everything, encrypt everything. But then on the tail of that, you have to have the ability to honor and obey, be compliant with, if you will, privacy laws along the way, which is, “Hey, I know it’s encrypted, I know you have all the stuff on my dad. Now, I want you to show me what you have, now I want you to remove it please.” And so state by state privacy laws, big deal. So if you’re an organization that has different types of data, you need a data classification plan, and if you’re an organization that has different types of data in different states, it’s even more important to have a data classification plan. So this is no plug and play job, this is not order 50 IoT devices from company 12, plug them into the net and I’m a rock star, and now I have marketing materials. There needs to be a plan or you’re gonna be in the paper for all the wrong reasons.

25:39 Matthew D. Edwards: So in terms of being in the paper for all the wrong reasons, let’s talk about exploitation. Nick, from your perspective on the work that you do nowadays, your responsibility is to see attack vectors, and assess the quality of a solution that’s being proposed, assess the method of securing and attacking it and destroying it. And similarly, Xavier, your responsibility among other things is, you’re hired to just go into various situations, and ethically and responsibly and above board, take it down. So I have questions for both of you, and I’d love to hear from both of you guys on this, but Nick, would you start us off on exploitation of the systems, if you were responsible to go into any of these senior living communities who’ve recently adopted and implemented large Internet of Things device networks, or remote monitoring networks, if you will, managing geofencing and personal data, and all of that. And your responsibility was to prove to them, “Hey, this is secure, or is not secure, and here’s how it’s not secure.” Where would you be inclined to start?

27:00 Nicholas Starke: Sure. So, I think the logical place to start in this type of assessment is to define a threat model, right? Define all the attack vectors that could be used against whatever system you’re evaluating, and then just go through each one of those, and see if you can attack it in that manner. So, securing IoT devices is more difficult than securing regular systems. A lot of times, because less protections are built in place to the IoT device, whether it be because the manufacturer didn’t spend enough money to build security into it, or there was problems along the assembly.

27:39 Nicholas Starke: So, with the addition of more security problems, you’re gonna have more attack surface, and there’s gonna be more ways to attack these devices. I would start by individually looking at the devices that are on the network, or attached to the hub, if you will, and just try my normal tools, to see if I can get into them. One of the things I wanna call out here, part of the threat model is going to include the patients themselves, right? You know, whether they don’t wanna be tracked, and they break the device on their own, or they try to get into it to manipulate the data that goes over the wire. The patients themselves are going to be part of the threat model, part of the attack surface that is part of the system.

28:34 Matthew D. Edwards: That makes sense. I hadn’t considered that. So when you’re considering all of the different ways to penetrate or manipulate the system, it needs to be all devices or all points of origin, and some of those points of origin are actually our elders, or parents, or our family members themselves. Not because, perhaps, most of them desire to do bad things, but rather they might not favor the circumstance, and have some particular opinions, and that could compromise the data, or the equipment. I can certainly see myself doing things just to mess with data analytics people, and making repetitive trips to illogical places, just to create heat maps that don’t make any sense. I think that’d be hilarious.

29:17 Nicholas Starke: Or that could be accidental too. That could be a factor, as well.

30:21 Matthew D. Edwards: Sure. That’s a real good call out, is, the threat model has to exist, and that threat model has to include all points of contact. It doesn’t mean you’re labeling granddad as a bad guy, but you have to consider granddad as a point of origin for data. Therefore, how do we make sure it’s good data and secure data? I hadn’t thought of that one. Xavier, if you were to walk into the situation and your responsibility was to prove, or disprove, or enable more secure solutioning, what do you consider to be some interesting approach points?

30:03 Xavier Johnson: I love Internet of Things. Internet of Things is, in my mind, mobility, right? It allows us to be able to stay highly mobile, and collect different things from other things. And there is an entire network that we… It’s a new network, that we have never really seen before, so much so that we’ve had to make new IP addresses for them. And we’re on the very front edge of this. And so, for IoT, I would attack it like I would every other high-mobility system. Radio? So, there’s gonna have to be some kind of GPS, if not cellular, if not Bluetooth, if not Wi-Fi. Because you’re not gonna run miles and miles of copper, right? So, radio. So, I will probably start there. And then, if I was able to get a foothold, let’s say, from radio, I would see if there was a way for me to send endpoint to endpoint communications, because there’re probably a whole another layer of SD Care API communications that only could happen on that route, machine to machine. So then, you have the potential for a worm, over wireless. And then, if I wanted to attack it from, let’s say, the server side, well, I know hardware folks aren’t the best at software, and software folks aren’t the best at hardware. And so, being able to…

31:37 Matthew D. Edwards: They would all disagree with you, in all of the directions, right now.


31:37 Xavier Johnson: Love IoT.


31:38 Xavier Johnson: So, we’re talking about potentially having… Most likely, having RESTful endpoints that have some type of authentication, most likely OAuth or SAML. Things that we see and that we know, right? And that we know how it could be misconfigured, and we’re trying to, from the server side, trick… Send commands to endpoints, right? So, there’s this wireless side, there’s this management API angle, there’s this machine-to-machine angle. And then, my end goal is… If I’m proving the point, and this is a controlled environment, because I would never want to do this in real life, I would try and demonstrate how ransomware would work… Kind of a ransomware worm, I get one endpoint from a mile away, using my radio. I get one endpoint a mile away, and that thing is a worm, and it goes into a community that may have three or four different systems, and compromise all of those systems, using just one rogue trojan.

32:45 Xavier Johnson: These are things that we have to think about, because we’re putting a lot of compute, potentially, into a bracelet, necklace. We’re already carrying them around in our pocket… And we have to treat it the same way, because if I can send bad packets over cellular, just to mobile phones, we have the same risk. So, we’ve seen these problems, and we know how to address them. But these are the things that I would test for, to make sure that they have been addressed, because most of the time, the things that I test, it’s not like they’re zero days, they’re often 900 and some odd days.

33:21 Matthew D. Edwards: So you mentioned earlier endpoints, so the idea of endpoint security may or may not be something that all of the technology shops and CTOs, CISOs, and senior living communities are aware of, if they haven’t had to play with an API-driven platform or Cloud solution, can you expound a little bit on that as well, and as well as you, Nick, as it relates to if IoT and then platforms or Cloud ecosystems or endpoints, what does that mean to them? How are they gonna make use of it? And some of the implications it sounds like it’s an attack vector?

34:04 Xavier Johnson: I’d say agents, agents are our current way to approach endpoint security, having an agent on the endpoint, it’s gonna create overhead always, so that’ll need to go into the spec, maybe this agent is maintained by the actual provider of the hardware, as kind of a selling point, I’m not 100% sure. These are just ideals. But I would say that that’s the current day way to approach it, I think the next gen way to approach it would be more potentially agent and combined with something that looks at the network traffic, something that happens upstream to actually block known bad activities on the network level or activities that aren’t whitelisted. If you know that this thing is only supposed to do one of 100 interactions, the moment it gets action 101, smack it down and say, “Hey, do you know that this is happening? Is this something that you wanna add as an action?” Because those protections upstream are probably gonna be what allows for these endpoints to not just continuously get DoSed and knocked offline. ‘Cause at a point we’re dealing with small bit compute up against a world of hurt. Also segmentation and having these things away from the public where they could potentially be tampered with to begin with. And start there, too.

35:32 Matthew D. Edwards: I think that we’re probably talking about a platform-based conversation, one main platform, one platform, very many different vendors, vendor classes, device classes, all of that, is probably its own deep and wide conversation, and we’re just glossing over the top of it to say, “Hey, it’s a thing, you need to know about the thing.” But Nick what are your thoughts on that in terms of implementing Clouds and platforms and all of these endpoints, it looks like a giant bowl of spaghetti.

36:03 Nicholas Starke: Sure, so I don’t know too much about endpoint security, but I’ll talk about a few things I do know. One is, you’re gonna want to purchase a solution from a vendor, I don’t know which vendor is the best this week, but there’s a lot of vendors in this space and you’re gonna wanna go with one of them, you’re not gonna wanna try to roll your own. The other thing I know is that you’re going to need a person to manage that solution, basically as a full-time job, if not a whole team of people to manage it, depending on how large the network is. So there’s personnel involved in rolling out an endpoint protection solution. Really, that’s all I know about it. So I’ll…

36:48 Matthew D. Edwards: But part of what I think you’re suggesting is that the Cloud platform itself is its own conversation. And so if you’re gonna have, more or less you’re saying, you can roll your own, but why? It makes more sense to go find ecosystems that already exist and put those together, I think is where you’re heading, as opposed to let me custom wrap all of the things on my own.

37:18 Xavier Johnson: It’d be nice if it was open source, so that when I get bored, I can go play with it as an attacker, I can think about it as a DevOps guy, think about it as a system admin, I can think about it as a software engineer, so I can make it better more than likely, but if you black box it, then I have to go through HR, I don’t wanna go through HR. So if we can move some of this stuff that’s gonna matter to us in the future, because let’s be real, we will have this technology while we’re still young and able. Let’s make sure that we formed the right mentality, let’s not just make it a black box, let’s try and get this as open as possible so that we know that our grandkids and great grandkids are doing right by us, hopefully.


38:12 Matthew D. Edwards: Did you have anything you’d like to add on top of that Nick?

38:17 Nicholas Starke: In my experience, yeah, open source is such a great way to go, but I have this conflicting idea in my mind that when it comes to the actual devices that are being deployed to our elders, I almost wanna say, lock down that firmware that goes on those devices, don’t make that open source. Don’t even make that public. Make that very, very hard to come by. I think that from my perspective, if I can get access to the firmware of a device, I can get into the device. So I think firmware security is a very, very important topic when it comes to discussing the security of the actual device, and it’s not so much on the Cloud platform, but the devices themselves. And I know that flies in the face of the idea of open source, I don’t really have a way of reconciling that cognitive dissonance there, it’s just, in my experience, that’s been a big attack vector.

39:18 Matthew D. Edwards: That’s your job though, from your perspective, if you can get the firmware it’s over.

39:21 Xavier Johnson: And I’ll be honest Nicholas, I’m probably still gonna get the firmware.

39:28 Nicholas Starke: Yeah, that’s true. Even if you don’t have it on a website somewhere, you can always desolder it, the eMMC chip off the board and dub it there.

39:36 Xavier Johnson: I would probably do the logic analyzer route talking to ones and zeros, get really ugly looking code and assemble a really ugly looking C. But you know what’ll stay the same? That API key. So it makes sense to… That upstream, no matter what, that Cloud platform, that platform that we’re talking about has to be hardened, has to be prepared for that kind of attack, as to make it harder for me and not just, “Oh yes, a key.” Has to have something else too, something that’s only generated at boot that I have to literally tap into the boot sequence of the device to go and steal the key, and it’s new every time. Has to be something that’s outer world for to be truly secure on the endpoint level, so it will have to happen on a layered approach, it will have to happen at the network. It will have every layer of the OSI model basically. There will have to be some kind of account for this, otherwise, I’ll be honest, I’m uncomfortable if we don’t at least get seven of those controls in there.

40:43 Matthew D. Edwards: Fair enough. Well if you would, I quite enjoyed this conversation with you gentlemen, and I very much value you taking the time out of your schedules to talk with us about these things. We think that the senior living community in particular, as are very many other industries they’re at the front end of adopting Internet of Things technology devices, and the devices have matured very, very much through the years, predictive analytics predicting a fall is a very big deal, but in order to predict a fall, there must be gait analysis, to have gait analysis there must be data, to be data there has to be full-time collection so that only through time can you understand patterns, and then predict variances from those patterns. And that’s only one example of the inclusion of this technology in the senior living community. Now multiply that by every room in a senior living community, in every building, on every floor for every resident, and now add multiple layers of other devices over the top. If you’d allow me, and some of the summary ideas that I believe that we’ve talked about today, and I think brings us to good close in this conversation so far: Is you need to have a plan.

42:06 Matthew D. Edwards: If you are an administrator, a C-Suite leader in any way, shape or form of a senior living community, and you need to address nursing shortages, you need to address having to re-architect based on COVID, you need to address a surge in residents, or elders, or folks who are in your care. If you would like to adopt Internet of Things technology solutions, you need a plan, and that plan is not something that’ll be solved on Saturday with pizza and Mountain Dew, it’s not something that’ll be solved at Starbucks with too much espresso, it’s something that requires you to recognize it’s an entire ecosystem, an entire plan, it’s an entire team and it’s an entire set of training and learning. The devices themselves need to be secure and compliant, where you’re going to put the data. There needs to be a plan for how you get it, how you’re available, how you secure it, how are you compliant with Privacy?

43:06 Matthew D. Edwards: They’re going to attach to something else larger, called a platform up in the sky basically, Cloud-based platform, unless you’re gonna build all that stuff in your house, which I can tell you based on our own experience, building platforms for other companies. The unprofessional indirect or direct answer is “No, just don’t do it.” The recommendation would be, use systems that are already out there, public cloud solutions, private cloud solutions, but get platforms that exist that are secure and you can connect all of your things up to that, and then after you have the data, the compliance, the devices, you’re still talking about all of the ways people could attack you, and it could be through employees through the elders on the premises. It’s a big deal for companies that haven’t put together information security plans or privacy plans yet.

44:54 Matthew D. Edwards: Please do. For those that already have them, you’re going to have to put an entire next chapter, giant chapter, onto your plans, because Internet of Things changes the way your organization operates, and what we’ve learned from Nick Starke and Xavier Johnson this morning in our conversations is… In our very short time together, we’ve only scratched just such a small part of the large surface of what should you get? How do you get it? How do you implement it? How do you service and secure it? And above all else, take the time and to go talk to folks who are above board, professional, ethical people, who can tell you the top five ways that you’ve overlooked and you still need to secure your ecosystem because there are so many moving parts. Think about this, and this would be our closing thought for the day, if I put 10 or 50 different monitoring devices into one room, for one resident, and I have 500 rooms, and I have 10 buildings, and I own 10 campuses across the US. And then I tell you, “Are you collecting data on my dad, show me what data you have, and now get rid of it.” How are you going to prepare for all of those things? It’s not on Saturday, it’s going to be through months and years of work and it’s gonna be on purpose with on-purpose people and solutions.

45:34 Matthew D. Edwards: Xavier, Nick, thank you very, very much for taking the time to talk with us and teach us today, it is much valued, much appreciated. And I look forward to questions that we’re gonna get, and I look forward to talking with you guys again in the near future. Thank you.

45:49 Xavier Johnson: Thank you Matthew.

45:49 Nicholas Starke: Thank you.