A conversation with Adam Zeineddine on The HIPAA Insider Podcast
February 26, 2026
Compliance-first development is no longer a choice; it is a requirement for any health tech founder looking to scale and exit. In this episode of the HIPAA Insider Show, host Adam Zeineddine sits down with Ghazenfer Mansoor, the founder of Technology Rivers, to explore why a compliance-first development mindset is the only way to build a “10x valuation” in the healthcare software space.
The conversation dives deep into the technical requirements of building for a “10x valuation.” Ghazenfer explains that in the age of AI, the true differentiator for a health-tech company isn’t just a better service, but a proprietary technology stack that automates workflows and drives massive operational efficiency. From mobile app growth to the necessity of building HIPAA compliance into the “foundation of the house” rather than bolting it on later, this episode serves as a roadmap for scaling secure, investor-ready platforms.
A major highlight of the discussion is the demystification of AI in healthcare. Ghazenfer breaks down how to leverage Large Language Models (LLMs) without compromising sensitive Protected Health Information (PHI). By utilizing RAG (Retrieval-Augmented Generation) architecture and ensuring ironclad Business Associate Agreements (BAAs) are in place, founders can innovate at the speed of AI while maintaining the trust of providers and patients alike.
Adam Zeineddine is the host of the HIPAA Insider Show and a seasoned tech growth architect with over 15 years of experience scaling disruptive technologies. As a leader in Business Development at HIPAA Vault, Adam specializes in high-level sales strategies and global market expansion for cloud services and healthcare IT. His career is marked by a proven track record of fueling growth for major brands like RIB Software and Glodon, turning complex market challenges into explosive business success.
Beyond his executive role, Adam is a passionate advocate for making HIPAA compliance accessible and understandable for companies of all sizes, from high-potential startups to large healthcare enterprises. On the HIPAA Insider Show, he leverages his deep expertise in cybersecurity, PHI, and cloud hosting to extract technical roadmaps from industry leaders. Known for his ability to bridge the gap between transformative technology and real-world application, Adam ensures every episode provides actionable growth strategies for navigating the complexities of the health tech sector.
[0:00:00] Adam Zeineddine They say 70% of software projects fail before ever reaching the end user. But in the world of health tech, a failure isn’t just a lost investment. It’s a potential compliance nightmare. Today, we learn how to build for the exit while keeping security at the core. Stay tuned.
[0:00:30] Adam Zeineddine Welcome back to the HIPAA Insider Show where we’re here to demystify technology related to HIPAA compliance and make it accessible for every company, not just the largest enterprises, but the smallest startups as well. Before we jump in, please remember to like and subscribe to our channel. If you’ve already subscribed, thank you very much. We’re on the road to uh 1,000 subscribers. So, if you haven’t yet subscribed, and that’s 90% of our audience, be sure to hit the uh the subscribe button. Uh, joining me today is Ghazenfer Mansoor. Ghaz is the founder of Technology Rivers and a specialist in HIPAA compliant health tech and AI powered SaaS solutions. Ghaz, it’s great to have you here. Here we go. Hey, Ghaz. Nice to have you here.
[0:01:18] Ghazenfer Mansoor Thanks, Adam. Thanks for having me.
[0:01:22] Adam Zeineddine It’s a pleasure to have you. Yeah, I’ve been uh checking out a lot of your stuff on LinkedIn and on your uh website and yeah, very interested to talk to someone like-minded in a similar space to what HIPAA Vault do.
[0:01:38] Ghazenfer Mansoor Yeah, thank you.
[0:01:39] Adam Zeineddine Yeah. So, um Ghaz, you’ve led the build of like over 50-60 applications at this point, right? And you become a trusted partner for health tech entrepreneurs. Um, but every innovator has a starting point. So, I’d love for you to share a little bit about your background. How did you first get into software engineering and the other services that you offer and what led you to found Technology Rivers?
[0:02:10] Ghazenfer Mansoor Yeah, absolutely. So, um my background is computer science. I grew up in Pakistan. Uh, moved to the United States in 99 and since then worked with different companies, two companies as an early engineer. Um and then I started some consulting work in 2004. Um then built a recruitment software startup and then 2015 I started this business. While I was doing consulting, I also worked at Veterans Health and so I was somewhat in a health care space as well development during my um startup. I learned a lot about product development. That’s when we saw an opportunity to help us build products for startups to build the right the first time. Our second customers were health tech and that’s how we got into more and more health tech. So okay uh along the way we did some work for the startups for NID by Johns Hopkins that’s where we learned HIPAA and then we gradually did more and more HIPAA compliance. So as of today in 11 years we have built over close to 120 to 130 total applications and out of that uh over 50 are over 50 are healthcare applications. Um but in terms in general like we did a lot more before moving into more and more healthcare. So over 50 health care and out of those 50% of those are HIPAA compliant that includes web and mobile.
[0:03:44] Adam Zeineddine Wow. That’s an amazing achievement. Well, you’ve let’s talk a little bit about why software projects fail because you’ve you’ve had a lot of pro you’ve had a lot of uh software projects under your belt and statistics seem to show that um a large majority of them over 70% of software projects never make it to uh production. Um and you’ve been called in a lot of the time to rescue projects that are deemed sinking ships. Um, so from your perspective, why does this happen so frequently in health tech? And what is the—I’d say what’s the first step you take to get a falling a failing project back on track?
[0:04:27] Ghazenfer Mansoor Close to 50% of the work is fixing those broken projects. So customers come to us, they either have an internal team or they work with somebody um building these different products for a variety of reasons. Some are working for over a year, two years, never being able to launch. You’re right, a large number of those projects do not go to production. Um it’s the fear or whatever. In some cases it’s the quality. I mean many times obviously the—the founder is not comfortable that’s why those projects are not going to production. They’re not working one way or another. So I think the biggest reason I would say I mean among many others is really the clarity of what needs to be built, the requirement of ownership—like all these things do make a difference. In a healthcare world the compliance part—yeah that seems like it—but that needs to be embedded in the application you can’t add that later on or you—if you add it—it adds a different complexity but just not knowing just just getting into the weeds directly without really planning. So uh the strategy is important what needs to be built and that plan is very important. So the very first step we do is do the assessment. So we have a process where we really dig deeper in the whole application to figure out what are the issues where are the gaps on the user experience side on the quality on the UI side any Trojan core—like whatever. So we have a deep [audit] that generates a big 50-60 page report that looks at every aspect of those apps that gives us good insight and then a plan to build to correct that. In many cases it’s fixable in some cases you may have to redo it. In some cases it’s just maybe a different component that you need to build. It really depends on the specific what the customers are trying to achieve.
[0:06:39] Adam Zeineddine Yeah. Yeah. Most definitely. I think in healthcare, what we find is that a lot of healthcare founders, healthcare tech founders are visionaries. They do have a vision for what is going to bring a better patient outcome for the technology from the technology. But they often lack the cyber security skills, the technical know-how in coding and—and they don’t need to know all of that stuff, the cyber security and the and the coding, but they do need to have the right people in place to to help out with. So, it’s it you’re very well versed in that. From our side, HIPAA Vault, uh we handle secure infrastructure, cloud storage, so like the walls of the house, so to speak. Uh but you’re like an architect of the software inside those walls. Um in your mind, what actually goes into HIPAA compliant coding? Um, if you could speak a little bit about what it’s like beyond just having a secure server, what do developers and software architects need to do at the code level to ensure security and compliance with HIPAA?
[0:07:48] Ghazenfer Mansoor Yeah, absolutely. And obviously the infrastructure is important but it’s uh it’s just the foundation. It’s a one piece of the HIPAA. Uh the bigger part in building the HIPAA compliant application is really how you code it. It starts with obviously looking at the core foundational aspect of the HIPAA: authentication, authorization who access what data at what time. So that means as your application is being built there are flows that need that you’re coding those need to be tracked as well. So um for example um like you’re adding let’s say authentication is automatically timing out uh after a certain time you’re logging out how the data is stored when it comes to mobile like on like on the devices because you could lose those devices as well. Uh the encryption you have to make sure the data is being stored on the browser in the app on the server on during transit all encrypted. And the bigger piece is the audit logging: who accessed what data at what time. And as you’re building these applications you see like you have a list of patients that has a PHI data let’s say somebody looked at that list is one view but if you click on it and then you look at more specific detail about that patient maybe uh the medicine the prescriptions the labs, anything. So that’s more specific. But what information was viewed? Tracking all of that is important. In HIPAA, no data is deleted. Every time it’s deleted or viewed, it needs to be tracked. There’s a history. So you need to track all of that. But more importantly, be able to even access that later on. So I think those are the things that are very important in building these HIPAA compliant applications.
[0:09:35] Adam Zeineddine Yeah, most definitely. Key point there with the audit trails, you know, that you—you don’t get—you don’t get fined typically for a breach of data. It’s—it’s the—it’s—it’s what you had in place to prevent the breach and what you did after the breach that really counts. So, audit trails are key to figuring out, you know, you know, monitoring to figure out if the breach has happened and then audit trails to see how it happened and how to correct it. So, yeah, I definitely agree with you 100%.
[0:10:03] Ghazenfer Mansoor I mean there—there are different ways I’ve seen even like people handle at the infrastructure level as well. Let’s say you add those interceptors at the API level. Uh you can technically fulfilling the requirement that yes you are tracking every call who did what but in reality when you start getting to report extract that then it’s—you have to get a meaningful data and that’s where it comes in who look at let’s say a view data only versus who look at the detail and because on a UI you you may not have give let’s say it never scrolled to the bottom of the page you only saw the top portion so technically you’re only storing these five patient data were was visible things like that. So you can go more granular on that because the more accurate trick tracking you are doing the better results you will have and especially when it comes to views or or um or deleting any of those. So that’s important. So on that note we do have a HIPAA checklist that we put together for creating HIPAA compliant mobile apps and HIPAA compliant web applications. Those are the steps that you have to follow when you’re creating a new web or mobile app. And that’s on the website. We can share the link afterwards.
[0:11:14] Adam Zeineddine Oh, fantastic. Yeah, we’ll definitely um leave a link in the description below. And it’s technology. It’s an easy one. TechnologyRivers.com.
[0:11:22] Ghazenfer Mansoor That is correct.
[0:11:24] Adam Zeineddine Perfect. Perfect. Yeah. And link in the description below. Um so yeah, you—you touched on a core aspect of your service which is mobile. Um and obviously that is—has been an ever-increasing uh segment of usage especially with younger um users. Um I’d like to talk a little bit about prepping—prepping for you know 10x uh profitable exits when it comes to building an application and then it—it being—it being purchased. And it strikes me that mobile is—is—is a core part of that. Could you—could you talk about um you know what are some technical and also compliance must-haves that are needed to—for owners to implement today to be attractive to buyers in the future?
[0:12:13] Ghazenfer Mansoor Yeah. So in today’s world where with AI um obviously the tech is comp it’s pretty easy or faster to develop. I think the real differentiation comes in how your workflows and processes are implemented. Well, we come in, we say, okay, you need to also build a proprietary tech that can 10x. So, no matter what business you are in, whether it’s lawnmowing, it’s mechanic shop, whatever business you are in or like in healthcare, um obviously whether you’re a provider or a hospital or any business that you’re in there. What is the difference between you and your competitor? You are um is it a better service, better sale, more people—like all—all of those—those factors are not going to be as important because your competitor can catch up. What makes a difference is technology. The efficiency that you bring in in your process is how quickly you allow your customers, your patients to request and receive a service from you. So I think that’s where the automation of those workflows makes a huge difference. So as you create those flows that will bring more efficiency into your business and that will obviously mean increasing more revenue more profit and that will increase your value. So uh focusing on automating these processes is the key in getting the 10x value.
[0:13:50] Adam Zeineddine Most definitely. And you touched on um AI there at the start. Um and we’re heading into a period where AI is becoming almost in some cases invisible in the software stack. Uh but it’s mission-critical. Um beyond just the hype of you know AI and LLMs and things like that. What does real AI integration look like uh for a HIPAA covered entity? And how do you balance you know massive data processing requirements uh with the strict privacy requirements of HIPAA?
[0:14:27] Ghazenfer Mansoor Yeah, that’s a very interesting uh and important topic because uh in in healthcare obviously with the PHI data everybody’s reluctant to use AI and there’s a lot of hype in the AI as well like in terms of how to use the AI. So there are certain uh processes, certain ways of using AI in the healthcare environment to make it more compliant. So I’ll share a few. So for example, if you’re building any healthcare application where you have that sensitive PHI data, you want to make sure that they that data is not shared with any of those cloud LLMs to be used for training. So the number one step you do is have those vendors sign BAAs. So which is a Business Associate Agreement. So as in our company we work with multiple LLMs and we had them signed. So once OpenAI or Google or any of those LLM companies they are signing BAAs they’re committing to a zero data retention policy. They’re committing to not using the data for training the LLMs in compliance. So any vendor that—that touches your PHI data should sign BAA. That’s number one. Number two, the—there are different architectural considerations that you have to do in order to make those uh compliant. So for example, there’s a concept called RAG—Retrieval Augmented Generation. This is where you take your data and convert it into chunks and give it to the vector database. So you store that data into—so obviously you use LLM to create those chunks in a vector database and as you’re querying that big data you basically do the search based off of those vector databases and then give it to LLMs for optimizing and for giving you the results. So rather than just throwing the whole data into um the LLM, you are now using the vector database to store and retrieve data. Once that data is filtered and limited data, then you use AI uh to optimize the results. 
So those are the strategies that you have to follow in terms of building any um any application that has sensitive internal data and that’s very common in the regular regulated industries including in healthcare. So for all the HIPAA applications that we are building we are following the RAG architecture.
[0:17:04] Adam Zeineddine Fantastic. Yeah and I assume that the RAG also helps a lot with the security side, sorry the efficiency side of things as well as the security side of things. Um so at HIPAA Vault we see companies that view the compliance portion of the project as a hurdle. Um however you argue that it’s a pillar of innovation and a key to scaling. So how does having a robust compliance infrastructure actually help a healthcare startup to scale uh faster rather than to slow them down and just be ahead?
[0:17:40] Ghazenfer Mansoor Yeah, I think uh it’s similar to as we talk about in general processes that oh processes make things slow but in reality compliance only slows you down when it’s bolted on late. Uh but when compliance is designed into your workflows early it actually accelerates the scale. So I mean your teams move faster because the guardrails are clear. They are not really building, experimenting and then redoing it. So the challenge is when you add HIPAA or compliance later on that means how you designed your system is going to change. So technically you’re redoing a lot of work. So it would make it slower if you’re adding the compliance later. But when you are adding the compliance earlier you’re making fewer mistakes. You have a few rework and then you have a few fire drills. So I mean that’s where we believe that um building—um having compliance from day one does make a difference and it goes back to the same thing we talked about earlier in terms of why the project fails because if you talk about those things later on that’s where the challenges come in. It’s like you build the house and now you realize oh you need to add a new door or um a basement. It’s going to be a lot of rework. So knowing the strategy up front, you have to have a right plan of what things will go where. We talked about the audit log when it comes to building applications. Imagine your database design is changed. What actions do you do when you have uh when somebody views the data, somebody deletes the data or adds the data, right? So there are actions that need to happen suddenly. You can’t just change the database to or change your code to automatically have those things start happening. So those need to be part of your development plan, your system design, your architecture, everything. 
So yeah, so in healthcare um definitely compliance from day one is is important and—and obviously in healthcare the trust is also the key and when the compliance uh is added into the system from day one it’s add trust and with your clients with your partners with your buyers um and that shortens your sales cycles and that reduces your your risk. So in reality it’s not the blocker it’s your growth lever because I mean how many time like as we are building these application many time what we notice like even your application does not have any PHI if you try to sell it to any hospital system any providers this is always the first question: is it HIPAA compliant? And the moment you say it’s not the reluctance even though you’re clearly saying there’s no PHI data but somehow the user automatically um steps back when they see it’s not HIPAA compliant. So we recommend you need to have application HIPAA compliant irrespective of whether you have a borderline um PHI or not—like when it when I say borderline it could be user ID right something like that yeah it’s not really a PHI but it technically could be argued so yeah gray area.
[0:20:56] Adam Zeineddine Yeah no definitely and I think um we we had a guest on last episode um you’ve had him on as well Larry Trotter the the second and we talking about these those security questionnaires and um definitely if if you’re not if you’re not ready to answer those security questionnaires and and you know have a have a process for that uh then it that’s going to be like you said a big stumbling block when it comes to proposing these to uh covered entities and yeah so that just definitely uh goes along with having a HIPAA compliant infrastructure as not being a hurdle. Ghaz, for this has been a um a deep dive, but I I think that you could—our—our viewers uh can probably do a deeper dive and I know that you—you’ve got an upcoming book. So, tell us a little bit about that and then also tell us how—how viewers can you know follow you and and learn more about your uh approach.
[0:21:55] Ghazenfer Mansoor My book is about the mobile app growth strategies: Beyond the Download: How to Build Mobile Apps That People Love, Use and Share Every Day. It does have a chapter on AI healthcare um as well. There are 30 plus chapters where we talk about mobile app growth strategies. Um after this book I have another one in the works which is more on healthcare and AI. Uh don’t have a timeline for that second book but Beyond the Download is going to be released anytime.
[0:22:28] Adam Zeineddine Fantastic. Yeah. Beyond the Download check it out. And that’s if I understand correctly, is that available through your um through your website?
[0:22:36] Ghazenfer Mansoor It will be. It’s so it’s with the publisher. We all—we already have a Kindle version, but yeah, it will be through Amazon uh as well as through the website as well.
[0:22:45] Adam Zeineddine Fantastic. Yeah. And we’ll we’ll uh leave a link in the description there. So, well, thank you very much for joining us today. And uh to our audience, if you’re looking for a partner to help host your next big health tech innovation, visit us um at hipaavault.com. Uh you can also check out more episodes on the HIPAA Insider Show YouTube channel. Um we make the cloud compliant so you can focus on your business. See you next week.