Larry Trotter II is the Founder and Principal CISO at Inherent Security, a cybersecurity firm that helps health tech companies navigate HIPAA compliance. He has over a decade of experience designing security strategies and managing security operations for healthcare organizations, government agencies, and Fortune 500 clients. Larry frequently speaks about cybersecurity trends and challenges facing the healthcare sector.
With the rise of digital health tools and the increasing prevalence of cyber threats, it’s crucial for organizations to integrate security early on. How can you build a solid security foundation from the beginning without slowing down innovation?
Larry Trotter II, a cybersecurity expert with over a decade of experience, emphasizes the importance of starting with strong security policies tailored to each company’s unique needs. He advises health tech companies to prioritize risk assessments, collaborate with development teams, and integrate security features at the first iteration of their product. By embedding security early, organizations avoid costly rework later. Continuous monitoring and adaptation are the keys to staying compliant as the industry evolves.
In this episode of Lessons From The Leap, Ghazenfer Mansoor sits down with Larry Trotter II, Founder and Principal CISO at Inherent Security, to discuss strategies for securing health technology. Larry talks about integrating security from day one, the rise of vendor breaches in health tech, and how AI is both aiding and complicating cybersecurity efforts.
This episode is brought to you by Technology Rivers, where we revolutionize healthcare and AI with software that solves industry problems.
We are a software development agency that specializes in crafting affordable, high-quality software solutions for startups and growing enterprises in the healthcare space.
Technology Rivers harnesses AI to enhance performance, enrich decision-making, create customized experiences, gain a competitive advantage, and achieve market differentiation.
Interested in working with us? Go to https://technologyrivers.com/ to tell us about your project.
[00:00:15] Ghazenfer Mansoor:
Hello and welcome to Lessons from the Leap. I am your host, Ghazenfer Mansoor. On this show, I get to sit down with entrepreneurs, founders, business leaders, talk about bold decisions, pivotal moments, and innovative ideas that shaped their journeys.
This episode is brought to you by Technology Rivers. At Technology Rivers, we bring innovative ideas through technology and AI to solve real world problems. We do this in two different ways. First, by helping businesses streamline and automate their operation and second, by partnering with startup founders, entrepreneurs, product owners to create innovative software products from Saas platform to web and mobile apps, a big part of our focus is healthcare, where we work with the health tech companies to build secure and HIPAA compliant products. Today on Lessons from Leap, we are joined by Larry Trotter II. Larry, welcome to the show. I’ll let you introduce yourself, tell our audience whatever you want them to know about you.
[00:01:14] Larry Trotter II:
Ghazenfer, thanks for having me. It's a pleasure to be here. So, hey everybody, thanks for watching. My name is Larry Trotter. I'm the founder of Inherent Security, and our company focuses on helping health tech companies become HIPAA compliant and helping them also address their cybersecurity needs.
Where did I, how did this all begin? That's a great question. A pretty interesting story. So, I went to college, and you know, back in my day there were very few colleges that actually had cybersecurity courses. I went to Old Dominion University. Actually, I think the nearest college, and probably one of only a few, was George Mason in Northern Virginia, where they actually had cybersecurity courses.
So that’s where I started, worked in the corporate world for some time. Worked my way up from help desk. Yes, help desk everyone. So it is possible and actually I think that’s the best route. So I started from a help desk to work myself up to essentially the deputy CISO working at a nonprofit here in Washington DC for about, that was about six, seven years ago.
Left that at the height of the pandemic and started my own company, and it was amazing. And the funniest part about this is that I ended up in healthcare towards the tail end of my career. It was an accident, but it was also funny because this is the time when cybersecurity companies were really diving into the industry because of HIPAA and all the breaches, that sort of thing. So I kind of fell into it. Some of the first companies I worked with were COVID solutions, right. I told you I started my own company during the height of the pandemic. So that was interesting, and I've just been working, you know, building everything out from then on.
[00:03:19] Ghazenfer Mansoor:
Cool. Thanks for sharing. So you say some people follow the rules but you prefer rewriting them securely. When did you first realize you didn’t fit the traditional cybersecurity mold?
[00:03:34] Larry Trotter II:
About the cybersecurity mold. Okay. Right. Well, really, you know, that stems from me personally. I was going to say five years old, but I don't want, that wasn't of course specifically cybersecurity then, but I've just always been that type of person who liked to create his own rules, right? And not essentially follow social norms. So that's what that is really about. So in terms of cybersecurity, you know, it's about building my company, and one of the reasons I built the company was to actually be able to make a difference. I think, to me, it's more noticeable when you start your own company than when you're working in the corporate arena and dealing with politics, that sort of thing. So really that's where that stems from.
[00:04:28] Ghazenfer Mansoor:
Cool. So you are currently running a company called Inherent Security.
[00:04:33] Larry Trotter II:
That’s right.
[00:04:36] Ghazenfer Mansoor:
Can you dig a little bit deeper? Tell our audience what exactly do you do there? Who are your ideal customers?
[00:04:45] Larry Trotter II:
So we work with health tech companies primarily. We have worked with health systems, and we do currently work with some other types of health centers as well, and we also have clients in other industries like FinTech and EdTech. You know, we're a little bit all over the place, but we really primarily focus on health tech, which is a highly regulated industry, as I'm sure you're aware. And what is HIPAA compliance? Essentially it's the federal regulations where there's a security rule, a privacy rule and a breach notification rule.
What's really relevant to health tech companies? Well, I guess all three, but I guess the core pillar of those rules is HIPAA security, right? So we come in and help health tech companies build cybersecurity programs, which means writing their policies that are accustomed to their organization, conducting risk assessments, which is always everyone's number one finding by OCR when it comes to dual audit, and also working with the development teams to actually implement the technical controls throughout their ecosystems to ensure security.
[00:06:00] Ghazenfer Mansoor:
So your business is more defining those policies. You don't implement them; you work with the partners to do the implementation. Is that the right understanding?
[00:06:10] Larry Trotter II:
So you can kind of think of it like that? Yes, we provide the CSO services, essentially. What you are referring to, we work with development teams where we're an extension, right? And we help govern the cybersecurity program, working with the development team and also working with other senior leadership, because cybersecurity is a collaborative effort, right? It's not just one part of an organization that calls all the shots or can get it all done themselves, right? It's a shift in culture, as I'm sure you understand. So essentially, right? Yeah, we're an extension of their team, and we do have partners that we work with where we will actually come in and do the technical work, the implementation, as well too. So we do both, but primarily it's just governance and working with technical teams and senior leadership.
[00:07:04] Ghazenfer Mansoor:
So when it comes to the implementation of the HIPAA rules, obviously there are different components of it, right? So in a traditional world, there are physical documents, and then there's the software being built, and then there are things at the infrastructure level.
[00:07:25] Larry Trotter II:
Right
[00:07:25] Ghazenfer Mansoor:
So you do the work at the infrastructure level as well, where it could be setting up, let's say, AWS for HIPAA, or Google Cloud, or any of the cloud providers, or any external one, right? So is that the right understanding?
[00:07:43] Larry Trotter II:
So, almost right. Let's break it down to each specific area that you talked about. We'll do it one by one. So you mentioned infrastructure, you mentioned policies and procedures, and you also mentioned, what was the third one you mentioned? The application itself, the development work. So to start, we essentially do all of it, right. So when you think about cybersecurity and governance, we're thinking about the whole ecosystem of a business.
So that incorporates everything and also how I mentioned, it’s a collaborative effort, so we have to work with other teams and I’ll get to that in a moment. So when we speak about infrastructure we’re talking about if you’re on-prem or if you’re using cloud hosting providers such as AWS or Azure, as you mentioned.
We wanna make sure that is secured and we're monitoring that on an ongoing basis. Now, moving on to what else did you mention? Policies and procedures. So that's what we call the administrative work, where we're developing policies and procedures. There's also onboarding and offboarding processes that we need to make sure are efficient and aligned with the cybersecurity controls that management prescribes to the organization. Those are some of the administrative controls, and then there's also the development or the application side. There are a lot of security components that come into play on that side of things as well. Right.
We talk about the secure development life cycle, making sure security controls are natively built within the application, and making sure that the application itself has security features or software that it might need to actually protect itself. And when I say software, we might be talking about an intermediary such as an application, what do you call it? Apps gate application protection software, where it monitors incoming traffic to make sure, you know, no one is submitting malicious code into the application, and it's ensuring it functions as intended.
[00:09:48] Ghazenfer Mansoor:
Perfect. What about the monitoring of those? So let's say you build the application. Now it's live, you have a healthcare application, it's web, mobile, whatever the different pieces are, and there are certain things people have to keep looking at when it comes to ensuring that your applications continue to be HIPAA compliant, because things continue to change as well. So how does your work come into play in that arena? Do you provide the monitoring as well, or do you provide the guidance for the company to follow, in terms of monitoring for HIPAA?
[00:10:30] Larry Trotter II:
We actually do both, and it really depends on what the business wants to do. So if we're doing it, we have a team. Well, let me break this down first, right, because there are different types of monitoring. So in terms of compliance, we're talking about making sure that the activities that need to be completed on an ongoing basis are done and aren't being overlooked. So what are these compliance activities that I'm talking about? User access controls: making sure that whatever users are in your directory system should be there and aren't stale accounts, that sort of thing. We could talk about log monitoring: if logs are actually turned on and if they're being monitored. So that's more the compliance side of things, which is security, but there's also threat monitoring, and this is what organizations really miss out on. Threat monitoring is actively looking for threats within your network or within your application that you wouldn't see otherwise if you didn't have software to be able to protect your assets before something really bad happens. So it's being proactive.
Right now what you’re seeing is this is manual work that’s being done or really not even being done at all. I’m gonna say more along the lines of the latter not being done at all. So you don’t know who’s on your network. You don’t know if any attacks are coming through because you don’t have any software to help monitor this and it really isn’t a manual process if you have one application. You might be able to do it for some time but it’s really not sustainable. Really, this is a 24/7 job because attackers don’t take time off right when you’re not working. It is more or less the time when they will be actually trying to break into your network because they know you’re not working.
So those are really the two different types of monitoring and we actually help out with both.The majority of the time because of the nature of the industry is some of the compliance side of things where we’re just monitoring compliance and making sure we’re keeping up with regulations. But, you know, my company one of the things we pride ourselves on is helping companies mature and actually putting that in front of them. Not saying, okay, we’re complying year one. Okay, we’re complying year two, kind of staying in that same cycle, if you will. We want to make sure that the company is.
As the company is scaling, that security is scaling along with that and whatever controls we had in year one, we want to add on additional controls in year two or we might wanna add on in some additional processes in year two. So just to make sure that we’re maturing and within, you know, that five year timeframe we want to actually implement some software where we can actually monitor the network for threats.
[00:13:24] Ghazenfer Mansoor:
Cool. So when you run your security gap assessments, what are the most dangerous or overlooked issues that you have seen in health tech companies?
[00:13:37] Larry Trotter II:
Oh, you put me on the spot on that one. What do I see most often? Well, policies are in place, but they're usually canned or template policies, or something that, you know, you might get assistance with from ChatGPT, something like that. That's one of the things. Another big thing is no risk assessment at all. I really think people in the industry don't have a full grasp of what a risk assessment is, and it's often used interchangeably with gap assessment.
So like you said, I'll come and do the gap assessment, and the health tech company thinks that's their risk assessment, but it really isn't. So those I'd say are really the top two things I usually see within an organization, and really I would advise to make sure that your policies are tailored to your company and don't use or rely on canned policies, especially the ones in GRC solutions that help you manage compliance. They're there. They might be good to work from, but please don't rely on those. You know, and this is another conversation, I'm not gonna delve into it now, but last year vendors accounted for 42% of breaches within healthcare. That says a lot. I think health systems are going to start to get a lot smarter, and they're going to perform a lot more due diligence in terms of these vendors. So they're really going to scrutinize these canned policies and other documents that they see going forward.
[00:15:26] Ghazenfer Mansoor:
So you’re saying don’t use AI
[00:15:29] Larry Trotter II:
Use AI with humans in the loop.
[00:15:34] Ghazenfer Mansoor:
Absolutely.
[00:15:35] Larry Trotter II:
That’s what I am saying
[00:15:37] Ghazenfer Mansoor:
All the time. That’s what we say as well. Like obviously it’s our work is also working with health tech building HIPAA compliant app and even when it’s not healthcare or hipaa, if you’re just relying on AI you will have hallucination, ChatGPT or any of those.
They’ll always respond to you, even if they don’t have answer, they’ll make up something and you don’t want that. So you want right. Then to give you the specific that is for your business and that’s where obviously the process of building a tool or building in such a way so that your personal or your internal data, your sensitive data even stays within but at the same time you’re doing that query.
So there are different strategies that we do that, but it’s important to follow those. For this kind of work rather than just and this is a common question, people do ask, oh, where do we get those policies? And sometimes they’re just maybe cutting corners being cheaper and then using AI and then keep doing that we are like people are still making those mistakes and that’s very dangerous
[00:16:51] Larry Trotter II:
For sure. You bring up a lot of good points, and AI definitely has made it even more challenging now. Prior, right, I would find that companies would Google online for a template or something like that. Right now you have gen AI that can spit out this policy for you at, you know, the push of a button, which makes it even worse.
But again, I think security teams are getting a lot smarter, and, you know, I was actually reading a post today about that, and they were saying when they do their due diligence on any vendor, the first flag is when everything's perfect. Everything is perfect, you know, and that does say a lot, because when I'm working on behalf of my clients and the tables are turned and I am doing that risk assessment on vendors, or doing due diligence, and I'm looking at the policies, that's what I'm gonna say.
I'm like, this is ChatGPT. This is, you know, this is not them, and what companies don't realize is that makes guys like me not trust you, and I'm going to dig even further. And you don't want to blow a $40,000 deal because you don't have your policies in order, or you didn't, you know, want to hire the right expertise to help you get things in order.
[00:18:18] Ghazenfer Mansoor:
Yeah. So, while we are on it, I will change the topic. Let's talk about AI, and how AI is changing your world. Obviously people are relying on that. You already shared some ideas. Is AI helping what you are doing? How is it impacting you, and what are the things people should be aware of?
[00:18:48] Larry Trotter II:
Yeah, so it helps me in my business on a day-to-day basis. But if we're talking in terms of, I'm a health tech company and how can AI keep me secure, it does help with automation, and I'm sure it's gotten a lot better. When I used to work in security operations, we were using AI machine learning at the time, right? It was good as well.
Essentially, one of the use cases was where we could put an agent on the end user's computer and it would baseline the system for a few days to see what normal activity was, and then if anything went outside of that baseline, it would send us an alert saying this is the abnormality based on the user's normal interaction with the system. Right. So we had AI machine learning at that point in time. So fast forward to now, we're using generative AI, so I'm sure it's helping a lot of companies out, but it's the same as, you know, back when I was in security operations: it's not going to save you alone. It's not at that point yet where you don't still need analysts in the loop to actually verify a lot of the findings that it might flag. It's not perfect, right? So it still does take resources. It can reduce your resources, I'm sure, but it does still take resources on the defense side.
Now, if we want to talk on the offensive side, how hackers are using it to actually attack companies. I always say, you know, people always hear the comment that phishing is going to be even more sophisticated now with generative AI. Yeah, it will, but it really doesn't matter when you think about it, because before AI was developed people were still getting phished too, you know, as if it was something new. So is it really that big of a difference? People are still falling victim without AI. You know, that's my argument. It's really not making anything. You're still not doing the right things without AI from a defensive perspective to stop phishing.
But hackers are using it now. It does make developing malware a lot easier. I think people need to worry about that a lot more, because unless you're an expert at development like yourself, you know, a few years ago, that's really the only way you could develop malware, or, you know, you could buy a red kit or something like that, essentially SaaS software for malware.
But now it's so easy, you can be a really basic user and create your own malware, maybe ransom 5.0. So I really encourage people to, you know, stay on the lookout for that.
[00:21:49] Ghazenfer Mansoor:
Cool. Yeah. Thanks for sharing that. So for people with PHI data, with personal data, obviously a lot of applications are being developed. Any advice you would give to companies building these applications, so that the personal data or internal data, specifically the PHI data, is not used for training by the LLM, or doesn't even touch the AI, or is used in a different way? Any thoughts, any experience to share on that?
[00:22:31] Larry Trotter II:
So I would say number one: identify the data and use as little as possible that you need to get the job done. You know, that's rule number one. Don't put all of the information, the different categories of data, in the LLM if you don't need it all. Use as little as possible. Then number two would be to work with a company like you who's really familiar with building LLM models and knows how to keep the sensitive data out of the LLM.
Go that route because it's very niche, and it could really, you know, before AI, if something could kill your business. Now, if you're leaking sensitive data, health data, in your LLM, that's gonna be real troublesome, and healthcare is very niche in how it works and highly regulated.
So you don't want to skimp money on development with companies who aren't very familiar with this. So I would really recommend health tech founders, CTOs, CIOs to work with companies like you who have vast experience in building LLMs and building health applications in general to help them do it right.
[00:23:49] Ghazenfer Mansoor:
Yeah, absolutely. No, this is good information, and as we work with different companies, I think there are certain lessons that we learned along the way. One of them is you wanna make sure that you treat your LLM also as one of the vendors and make sure they sign a BA. Which is very good, because if your LLM vendor is signing a BA, that means they are committing to HIPAA regulations: not using it for training and not sharing it with others.
In addition, understanding how the AI really works in different fields. Like, for example, MCP is a new protocol, Model Context Protocol, by Anthropic, which allows different applications to expose their data through what I would say is kind of an API, because MCP is like the API for the LLM. So MCP is the API to AI. So you connect with any application and then you can query from Claude or ChatGPT desktop. So a lot of those MCP servers are being created and hosted. Not everything is HIPAA compliant, right? Not everything is secure.
So that's where those malware risks that you mentioned could come in as well. So you wanna make sure you are only looking at the ones that are approved by whatever specific authority you are working with. So it's not like just picking anything. It's like open source: if you download anything and use it, you don't know what you're getting into.
[00:25:41] Larry Trotter II:
Right. You bring up some good points. So, you know, I had a client recently, within like the last four months, where they were actually building AI features into their solution, and one of the things I helped them out with was doing a risk assessment on the vendors.
Now they were the top three, right? But I was really curious to dig into what their API, MCP protocol integration security features were, and definitely privacy was a big part of that, right? Because of the data that they were dealing with. And some interesting things. They were the big three, right? So, you know, they had crossed all the t's and dotted all the i's, of course. But I would say, you know, health tech companies need to be wary of, if you don't pay for it, then that means whatever data is communicated through that API they can use for their purposes.
So you need to get on a paid plan. And also, one of the things I noticed with some of the vendors was that you only got extra security features if you bought the enterprise version as well. So that's something you have to be on the lookout for. So it was very interesting, and I don't know if you got the email last week, but OpenAI sent me an email because they got breached last week, and here we go again. We're talking about vendors being breached and affecting, you know, health systems or whoever the primary buyer is. So they are just as risky as, you know, your startup AI provider. So you have to be very thorough.
[00:27:20] Ghazenfer Mansoor:
Yeah, I think that’s even way more scarier because people are blindly uploading their data in an open AI. So if they’re breached depending on what data is gone, you could be in big trouble as well.
[00:27:33] Larry Trotter II:
Right. Yeah.
[00:27:36] Ghazenfer Mansoor:
Yeah, you work with health tech companies. What is the best time for these companies to contact you? Is it before the project, once it's built, or in between? What is the right moment?
[00:27:57] Larry Trotter II:
The best-case scenario is, you know, the first iteration of the product, right? You want to embed it when you're in a really foundational stage, because you don't want to build too far in and then find out that you didn't do X, Y, or Z, right? And let's say they built this using an in-house or offshore team, right? And they didn't hire your company. They didn't put in some native security features or whatever, and I have to go back to the drawing board.
So really the short answer is that the first iteration of their product is the best time to really start incorporating security, because you want to build that mindset from the ground up. It's really hard, or challenging, to shift culture from a security perspective if you are, you know, three versions in, you're at 30 employees and you're growing really fast. Now it's really hard to shift that culture, so it's always best to do it from the ground up, from the foundation.
[00:28:58] Ghazenfer Mansoor:
Okay. Cyber threats evolve fast. What trends or risks in health tech worry you most right now or excite you the most? Any trends or risks in health tech when it comes to cyber threats?
[00:29:20] Larry Trotter II:
Cyber threats, you know, really, the trends. The main trend that I'm seeing is, oh, well, I just started up another one, but the main trend that I'm seeing is, you know, vendor breaches. I really think within the next two years there's gonna be a shift in how health systems verify the security of their vendors, because, you know, the breaches are just on the rise and it's happening because of third parties.
We saw Change Healthcare and how that took down, you know, forget just their ecosystem, it really affected the entire industry. And, you know, we can also talk about CrowdStrike. Not only did they take down a lot of healthcare entities, they took down industries all over the place, and by the way, being in the industry this long, I never knew CrowdStrike had such a grasp on all these different organizations, because this has never been brought to the table in my career. So that was really fascinating to me.
But again, you know, getting back on track, it's vendor security. I think we're really going to see health systems buckle down on that.
[00:30:35] Ghazenfer Mansoor:
So on the same note, if you would rewrite one rule in cybersecurity or HIPAA today, what would it be?
[00:30:44] Larry Trotter II:
Oh, I would rewrite the entire HIPAA regulation in terms of security. It's very outdated. It needs to be updated, and I would also change the accountability for when a breach happens, meaning the penalties would hurt, because I think that's one of the problems with the regulations and why we see so many breaches: number one, it's not enforced enough, but also the repercussions aren't as devastating as they should be to really thwart people. And then, let's be honest, you know, we're human beings.
The regulation came into place because people weren't doing the right thing; that's why they're number one, right? So now you have a regulation that's in place, but the penalties aren't, you know, severe enough to still force someone to do it, and OCR doesn't enforce it enough to make people want to do it.
So, you know, again, people, human beings. So the penalties just need to be more severe, and I think that that's really gonna force people to actually do it, and we will see, you know, fewer breaches than we're seeing, because, you know, recently, I'm okay, but I've been to the hospital recently, within, you know, the past few months, more than often.
But I really started to think about this stuff as a patient. Like your health information being leaked on the internet, and I think when people hear that, they're so used to hearing about credit card information that they kind of write it off. But when you think about your healthcare information, you know, people probably have some really personal stuff that they don't want to get out there, right?
That's what we're really talking about when we're talking about healthcare information. So we need to be a little bit more serious in terms of protecting that, and also patient lives are at risk now. Earlier this year the first case of a patient dying because of a cybersecurity attack was actually documented, right? Previous to that case it was in the UK, but previous to that case there were some other instances where they couldn't really tie it to the cybersecurity attack, but I believe it's because they didn't want to. But it has been confirmed now: a patient died because of a ransomware attack. They couldn't get care on time, that sort of thing. So we really need to take it more seriously.
[00:33:21] Ghazenfer Mansoor:
Do you have any recommendations for dev teams who are building HIPAA-compliant applications, to bake in security from day one but to make it so that there's an easy transition from MVP to scaling?
[00:33:43] Larry Trotter II:
You know, the truth is I would tell dev teams to really focus on the controls when building the application, right? Access controls, logging, encryption, and having a good secure development lifecycle program in place with processes, that sort of thing, scanning the application for vulnerabilities. But I think that's really where the buck stops with them, right? They're busy shipping; they can't be focused on security and development, you know, eight hours a day. It's just too much, and it's a learning curve.
In terms of security, just like you wouldn't depend on the security person to do development, right? So why, you know, that's what kind of blows my mind sometimes. But I would just say, at the least, make sure you're building those native security features within the application from the ground up, and you should be good going forward from that side of things.
[00:34:50] Ghazenfer Mansoor:
Okay, cool. So you build systems so others can sleep better at night. What keeps you up at night?
[00:34:59] Larry Trotter II:
You know, I think really, that’s breaches. I’m doing the best I can to make sure that my clients are secure because nobody wants to be the responsible person for a breach. Nobody. That’s the last thing you want, right? Because we’re talking about reputation and we’re talking about financial costs. You don’t want to be that person. So, you know, that’s what I would say would keep me up at night, and I think that’s just a matter of laying things out too, for the health leader that I’m dealing with, you know, the pros of doing X, Y, and Z, or the cons, the repercussions if we don’t do it, just so they have an understanding.
Because at the end of the day, I’m there to advise, right? I can’t make them do anything, but I want to give them their options and really, you know, based on my experience, the best way they should move forward. That’s the most you can really do. So, yeah. No one wants to be responsible for a breach, especially the CIO. Absolutely.
[00:36:13] Ghazenfer Mansoor:
Absolutely. So for the health tech founders listening, what are the three things they can do today to improve compliance without killing the momentum?
[00:36:24] Larry Trotter II:
Having security conversations in all of your development meetings? Yeah. Carving out some time, at least once a week within your DevOps meeting. Carve out some time for security. Just talk about it, even if you don’t have the expert there. I think if you get the conversation started, you’ll begin to see how important it is and where you’re really lacking and where you really need to augment or hire somebody to help you out from the security perspective. That’s one.
Two is, again, you know, make sure you understand your security posture, because when you’re selling to health systems, what’s really big now is receiving vendor security questionnaires, and essentially these questionnaires are asking what your program looks like from a cybersecurity perspective, right?
So you don’t wanna give vague answers. You want to be specific and you want to sound confident in your answers, but be truthful at the same time. You know, because it’s all about trust at the end of the day, whether we’re talking about health tech selling to hospitals or in your personal life. You wanna buy from someone, and someone wants to buy from you, from a person that they can trust. So be truthful. And number three is, if you don’t have it in place already, make sure that you budget for it, you can’t get around it, and use it as a part of your go-to-market strategy instead of waiting for the buyer to ask you about security. As part of your presentation, include that within it. That way you signal that you’re serious, you take security seriously as well, and it’s just going to make the conversation and the whole process a lot easier.
[00:38:39] Ghazenfer Mansoor:
Those are really good points, and I’ll add a few things from our side, just to answer the same from our development perspective. For example, in our business I make sure, okay, do we have a checklist or the steps for our QA? If the application goes to our QA, they need to know exactly what the things are that they need to validate to make sure the web or mobile app is HIPAA compliant. As our developers are developing, what things should they know in terms of domain? Our PM and the requirements people, what things should they know? So as a leader, I wanna make sure our team is up to date.
So adding another part, which you were talking about, like sharing with the team: we have this policy where we’re meeting once a week. So it’s a combination of things, AI, HIPAA and all of those, where we talk about different things so that we stay up to date. The whole team is aligned on that, but most importantly, as part of our business, every employee in the company is trained on HIPAA even if they’re not working on a healthcare project or even if it’s not relevant. So that’s part of the policy at onboarding: they have to go through their checklist, and within two weeks they get a quiz that they have to go through before they start working on any project.
So the whole idea is that everybody’s aware of it, because they’ll be working on it in some way. So the requirement may have a missing thing. The client requirement will not tell all the 10 things that need to be available, or that need to be validated, verified, or be part of it, because the requirement may just say, oh, the application should be HIPAA compliant. But now what does it mean? What does it mean if it’s a mobile app? What does it mean if it’s web only? What does it mean if it’s using AI, right? All different meanings. So the people validating, the people writing the requirements, the people managing the project, the people coding, they all should know the meaning, the indirect meaning of those, but it gets caught at the requirement stage, because now they will be recording those steps that need to be added so that the developers make sure those are coded and the testers make sure those are tested. So these are the policies we are putting in place in our business to make sure the applications that we are building are HIPAA compliant.
[00:41:24] Larry Trotter II:
Quality. Yeah, sounds like quality, man, quality management. That sounds good.
[00:41:30] Ghazenfer Mansoor:
Yeah. So one last thing. What leap are you standing on the edge of right now?
[00:41:40] Larry Trotter II:
I would say AI security. I think it’s really, I don’t hear a lot about it. I hear a lot about AI governance, and security is sprinkled within governance, but AI security is something of its own. So I’m really leaning into that a lot lately, and also building AI the right way, right? Using a methodical process and helping health tech founders understand that. What does that look like? Identifying whatever problem you’re gonna solve for health systems and making sure it is something that’s actually worth it to them, and actually, you know, figuring out:
How do we make this feature or this new AI product? What are the questions we should be asking ourselves when we build it for our health systems? And one of the main questions is, is this easily integratable into their workflow, or is it going to cause a lot of friction? Because clinicians don’t want friction in their workflows. So really helping them understand their AI readiness, to purchasing and actually building that feature within their products. I’m really on the edge of that right now. So I guess the short answer would be AI. I’m just like everybody else, right?
[00:43:09] Ghazenfer Mansoor:
Everybody is on that. So what’s next? What’s next for Inherent Security? What are your goals for that? Where do you see yourself in the coming months or years?
[00:43:20] Larry Trotter II:
As a go-to. As the company as a whole, as a brand in terms of AI security and healthcare, right? When you think about AI implementation, AI readiness, AI security, we want our brand to be recognized as the go-to source, who understands it, who can get it done right and securely.
[00:43:47] Ghazenfer Mansoor:
Cool. Thanks, Larry. This was all very insightful information. It’s been a pleasure having you on the Lessons From The Leap podcast. Before we depart, where can our listeners find your information? Can you share the website, LinkedIn, give them a way to connect with you?
[00:44:15] Larry Trotter II:
Sure. So on LinkedIn, you can find me at Larry Trotter II. Very active, fresh content every day. I might even already engage with you, but you can find us online at www.inherentsecurity.com.
We have a lot of great resources, free resources there for health tech builders: how to determine their AI readiness, if they’re AI ready, how to assess their vendors and themselves, and we also have some HIPAA compliance guides to help them with that as well. It also has our contact information and also shows some of the services that we offer.
[00:45:03] Ghazenfer Mansoor:
Thank you, Larry. It was a pleasure having you on the podcast.
[00:45:06] Larry Trotter II:
Thanks for having me.