In this episode of Telemedicine Talks, hosts Phoebe Gutierrez and Dr. Leo Damasco chat with Cordell Robinson about the critical role of cybersecurity in telemedicine. From his Navy intel background to leading Brownstone Consulting, Cordell shares insights on VPNs, AI scams, public WiFi risks, and compliance strategies to safeguard patient data, avoid breaches, and build trust without breaking the bank.
This episode is sponsored by Lightstone DIRECT. Lightstone DIRECT invites you to partner with a $12B AUM real estate institution as you grow your portfolio. Access the same single-asset multifamily and industrial deals Lightstone pursues with its own capital – Lightstone co-invests a minimum of 20% in each deal alongside individual investors like you. You’re an institution. Time to invest like one.
__________________________
What if securing your telemedicine practice against AI-driven scams and data breaches was as straightforward as using a VPN and asking the right questions?
In this essential episode of Telemedicine Talks, hosts Phoebe Gutierrez and Dr. Leo Damasco sit down with Cordell Robinson as he unpacks the cybersecurity threats facing telemedicine providers, from public WiFi vulnerabilities at hotels and airports to AI-powered phishing and deepfakes. He discusses his journey from Navy intelligence to cybersecurity expert, enforcement trends like HIPAA penalties, and how Brownstone's new Compliance Aid app simplifies audits for pros and beginners alike. If you're in telemedicine and concerned about 2026 AI risks or compliance costs, this is your guide to proactive protection, shielding patients, dodging lawsuits, and leveraging security as a business advantage.
Three Actionable Takeaways:
About the Show:
Telemedicine Talks explores the evolving world of digital health, helping physicians navigate new opportunities, regulatory challenges, and career transitions in telemedicine.
About the Guest:
Cordell Robinson is CEO of Brownstone Consulting Firm, a cybersecurity expert with over 15 years leading the firm. A philanthropist and decorated US Navy veteran in military intelligence, he blends software engineering, law school insights, and compliance expertise to protect sensitive data in healthcare and beyond. His new Compliance Aid app demystifies frameworks like FISMA, FedRAMP, and SCADA for easy implementation.
LinkedIn: linkedin.com/in/cordell-robinson-a2213a4
Email: crobinson@bcf-us.com
Website: https://www.bcf-us.com
Instagram: @brownstone_consulting_firm
About the Hosts:
[00:00:00]
Hey, welcome back everybody to Telemedicine Talks. Do you know we have our gracious host, Phoebe Gutierrez? I'm Leo Damasco, and we have a great guest today.
This is Cordell Robinson. Cordell Robinson is the CEO of Brownstone Consulting Firm. And he focuses on cybersecurity. He has more than 15 years at the helm of Brownstone. He's a cybersecurity expert, philanthropist, decorated US Navy veteran and with a whole slew of experience in the field. So welcome and thank you for gracing us with your presence today.
Awesome. Well, thank you for having me. I'm very excited about this. Yeah. The question that we ask our guests, just kind as an icebreaker and just to get to know you better. So doing what you do now is, when you were a little one, is this what you wanted to be doing? Like when you were growing up, I want to be a cybersecurity expert.
No, not at all. I wasn't sure exactly what I wanted to do. Actually, I leaned a lot into like law 'cause I wanted to be a lawyer even though I did the, you know, technology and [00:01:00] sciences, for undergrad. I was really good at math and sciences. But, and then I ended up going to law school, but I still didn't become a lawyer because.
I don't know, I just found cyber more fun. But yeah, when I was a kid I just liked all kinds of things 'cause I'm like artsy and kind of nerdy at the same time. So it's kinda like both sides. Yeah. And you were in the Navy as well, right? Did you do cybersecurity and whatnot in the Navy? Intel, so I was military intelligence.
Got it. I spent a lot of time with those guys. My first duty station was with the, Navy folks at a little place in Cuba. And there was a lot of intel there. Mm-hmm. So a lot of good friends, great people. And then how did you fall into, cybersecurity and doing what you do now?
So when I left the Navy, I got a job as a software engineer. So I was doing it for a while and I entered law school at the same time. And so I was doing like research to see what I wanted to do next with the law degree. Like what am I gonna do? Because I didn't want to continue being a software engineer.
And then there was, InfoSec was what it was called back. This was back in two, [00:02:00] I remember. So I was like, I read the book by Shon Harris, CISSP. Mm-hmm. So I read that book like several times, which was great. And so then I went to my manager. And I was like, I think I wanna take the CISSP and get into this field and see how it is. And then from there, like my next job, I ended up doing compliance and cybersecurity for National Weather Service. And then from there, it like really took off. 'Cause from that job I ended up being the certification agent at the Department of Commerce under the Office of the Secretary of Commerce.
So that's where I really, had to like, grow up quite a bit. So it was a great journey doing that. And then from there on just my career just like really took off and I, really focused. Nice. And, let's take it back to telemedicine, right? So, you know, some listeners right now are like, why are we talking about cybersecurity in this telemedicine podcast?
And for me, I think, hey, it's just a natural thing, right? It's telemedicine. We are on the internet, we are on technology, and a lot of us take it for granted, right? Right. [00:03:00] We log on and. I'm gonna talk to patients. I'm dealing with HIPAA information. Mm-hmm. I'm dealing with very sensitive information that you're out there.
Now this is not even to mention just the stuff that's in my computer, you know, save password, just stuff. You breaking my computer, you basically run my life. in your own words, why should telemedicine and telehealth.
Pay attention to cybersecurity and what you're doing. They should pay attention to cybersecurity 'cause there's so many sensitive aspects to your information, especially when it comes to your health, private information. 'Cause I noticed a lot where, you know, there's wifi, for example.
There's wifi everywhere. And so you can connect to any wifi like at Starbucks and at your hotel. just like, okay, here's the wifi password. You have free wifi. So let's say you are traveling and you have, a telemedicine appointment with your doctor. If you're on a public wifi, that means that anybody can pick up that conversation and now they know your private information.
And most people don't even think about that. And I think [00:04:00] one of the most dangerous places is a hotel because I never connected a hotel wifi ever. I bring my own hotspot. Yes. Yes, because there's actually people that purposely go to hotels, rent rooms out, and they scan the hotel wifi and pick up conversations from people's internet connections and pick up their data.
Alright. I'm gonna be asking very elementary questions. Okay, so let's talk about that. When we were coaching doctors to be tele doctors, this was one of the most
often asked questions, especially in the beginning: how do I make sure my stuff is secure? When I log on, do I get a hotspot? What kind of hotspot? What do I need to look for in a hotspot? Is it better just to get like a Starlink?
Is that also secure? Do you recommend that or is there a certain kind of hotspot that you look for? Also, VPNs, if you can kind of talk about [00:05:00] that too. This is probably super elementary, but this is an often asked question. The first thing I say is, learn about VPNs.
If you don't know, and I know a lot of doctors, they don't really get into technology, so they should have whoever their IT person is or talk to an IT person and get a VPN onto their network. If they get a VPN onto their network, then there's a secure connection between them and the patient.
So that helps out with the patient. If you travel a lot, especially there's traveling doctors, they travel. Sometimes all over the world. you can put VPN on your cell phone. install it on your cell phone, have the VPN on there, and then connect through the VPN to have your phone calls.
I always say do that because it's available on your smartphones, it's available on your tablets, whether it's Google or Apple. So you can use it on both. And I say use that when you're gonna, talk about sensitive information. Because if not anybody can just kind of, eavesdrop and pick it up.
And then also the other thing is like with a non VPN, you're still kind of secure. Like if you're using your own wifi. So if you have your own, like you can set up a hotspot on your phone, or you can buy a [00:06:00] hotspot from your provider, use the hotspot instead of the public wifi. Like, I don't get on any public wifi like.
Whatsoever. And I know it could be expensive when you're using your own wifi 'cause you have to pay for it. But if you're a doctor, I'm assuming you have the money to do it. but in reality, you have to really think about the sensitivity of the information that I know that everything technology is so readily available to us.
We don't even think about it. And it's no one's fault. it's there. It's like, okay, I'm gonna go to Starbucks. Oh, I'm at a hotel. Oh, I'm at an airport. I'm in the airport lounge. And they always have to give you a card. Oh, here's the wifi password. Okay, well, how secure is that? Like it's not secure at all.
We've done some testing and we call it penetration testing on those different hotspots and we're able to just pick up, because for example, have you ever like been in a hotel room and you turn on like your wifi and you can see other people? Yeah. so if you could see it, that means you can actually connect to it.
I mean, I've done it where I turn on my wifi [00:07:00] and I can see all these connections and I'm like, okay, I can probably get in there. I don't do that because it's illegal, but most likely because my skillset, I can get in there and it could be a problem. But there are bad actors that that's what they do.
That's their job. That's what they do for a living. So I say, you know, take those extra precautions. VPN is always good. Use a private hotspot. If you can. If you want to use a public network, it's okay if you're gonna be doing like nothing. You know something that's frivolous, you know something that's like if you're watching a video, you're watching a movie, that's fine.
But if you're doing that, do it on a computer or machine that doesn't have sensitive data because if you have sensitive data, it's gonna be a problem. Also, airplane wifi as well, because remember, it's just one network on the airplane, so that means everybody on the airplane is connected.
Can you set up a VPN and airplane wifi? Yes.
Leo's based right now. These poor doctors. Oh my gosh. I'm like, I pick the airline. I was like, [00:08:00] which has the best wifi so I could make money on the plane. I'm about to go to California soon. From Hawaii and I'm like, alright, I'm gonna work on the plane. So yeah, he would still do it. So I'm not trying to scare, you could still do it because it's like, so what I would do is I would ask the airline like what are their security measures for securing people's data on the plane?
'cause you know, they have, strong cyber teams and IT teams Sure. But. How secure is that? And I haven't done a test yet, like on an airplane to see like who I can connect to. I kind of want to do it, but I do wanna kind of get their permission first to see, like, I kind of want you to do it too.
I give you permission to do it to some random person . I just need to know And I'm gonna put you on the spot here. 'cause again, this is a common question and mm-hmm. I usually answer with whatever I used when I was down range, when I was active, you know? Mm-hmm. what VPN service do you recommend?
What are your top three? Um,
there is [00:09:00] KISKI has a VPN, it is pretty good. Norton has a VPN as well. Yeah, because they have a VPN side as well, so Norton is really good. And then Apple has VPNs as well, or if you have Android,
Google has VPNs. So any of those are actually really good. They're fine. Yeah. Because what happens is you're putting in. The security basically like, like mm-hmm. You're putting in your passcodes and all that. So I say always just make your passcode strong, which means, and people don't know what strong means because they're like, oh, okay, I'm just gonna make it like very difficult.
If it's under 17 characters, it doesn't matter. A password cracker can crack anything under 17 characters within seconds. Even if you change the last number like every two weeks. I'm joking. I'm criticize. I do. Oh my gosh. Okay. All right. It's like all of these things, and I know it gets in a way because it's a lot.
But also like, if you set it up and then let's say you use your biometrics, you can use your biometrics. Just don't allow anyone to steal your biometrics. We could talk, which we [00:10:00] can kind of discuss it just a little bit, because I just had a scammer that tried to steal my facial recognition. Yeah.
Talk about that. How is that done? So they called me on FaceTime. I saw the number and it was like, you know, Wells Fargo at, Gmail, well, it's not Wells Fargo Gmail, so I knew it was a scammer, so I was like, yes, I'm gonna like, really have fun with this. So I answered the phone and I held my phone to the ceiling instead of my face.
And so they're like talking to me like they know me and they're like, oh, well I'm logging into your bank account, which means I would have to look at my phone. And I was like, no, I'm not gonna do that. And they were like, oh, you know, we wanna see your face. And I was like, oh no, it's not necessary.
And I just talked to them and what they were trying to do is they were trying to steal my facial recognition so that whatever like I use facial recognition for, they can log into, which actually, I don't, but yeah, they could pull that off a FaceTime screen. Yes. Like really think there's AI tools [00:11:00] that can do that.
I don't know which ones, but there are AI tools that can do that. So Really? and they were just trying to phish, right? they were, yeah. They were phishing. They called you outta the blue and it was, how'd you know that, you know the number it said Wells fargo@gmail.com? Yes. Okay.
So it's really just a suspicious like email, right. Yes. Very suspicious email. 'cause I know that Wells Fargo email is not at Gmail. That's impossible. Like really? But think people, I mean, people fall for stuff like that all the time. it looks the same. It feels the same. And I have to assume.
That in today's world, right? Like maybe five years ago. I think it was a little bit harder to scale some of these things up now with like AI. Oh my gosh. I mean, it's like you hear, and this isn't really cybersecurity, but it's like you hear these like horror stories of like, you know, the, just the voice of like, oh, like my daughter called and said that she got kidnapped and you know, there's a ransom or whatever.
Like those things are happening more and more. Yes. So [00:12:00] From your perspective, like how is even like AI kind of challenging, like what you do? It's very challenging because I have to go out and do my own research and own tests. 'cause I get hit up by like, scammers like quite a bit. 'cause they probably Google me and look up stuff.
So they really wanna like, okay, we're gonna mess with him. And I tell people look for pattern recognition when it comes to AI. Like I got one scammer that called me on video, but it was an AI video. It looked like a real person. It sounded like a real person, but it was an AI video.
And because I knew that the movement of the mouth was a certain way, and I recognized pattern recognition because like I've been doing this for a while, I'm like, okay, like this isn't real. And so I was like, Hey. I'm like, why are you speaking like that? Why don't you know? Speak normal.
And they're like, oh no. And then like the response was very robotic. Like it wasn't, I knew it wasn't a human, so I said, well, this is an AI video, this is not for real, the person [00:13:00] behind it. And so what I did was I kept them on the phone to geolocate them. And so then I sent a message to them and I said, you are located in this city in, this longitude latitude.
So I think I'm gonna get on a plane and come. Find you. I wasn't serious, but I was telling 'em not to scare them and then he hung up. Where now are these local, is it in the States or they International? They're around the country. Really? And So, you know the tells, right? Like, this is what you do, so talk about Dr.
Old me who is trusting and you know, will just be like, oh, whatever. what are good tells to be like, Hey, this could be a scam. heads up. So if someone calls you and they start asking you personal questions or they start asking you about bank account information or start asking you about like your address, they start asking you about like what you do, like work-wise.
They start asking about patient information. If they start asking about those things [00:14:00] without the conversation sounding like your normal conversations. Yeah, most likely it's a scam. So just always look for something that just. Like, it's almost like innately, like you have that intuition like, oh, this is kind of weird.
And so you can verify that by just like, that doesn't sound right. 'cause they're asking too many pointed questions. And we just started the conversation. And then they try to act like they're your friend and try to be like really nice. It's like, why are you being so friendly? We just met, and so you just really pay attention to that and then you'll be fine and you'll be able to pick up on it.
Like easier than you think. Yeah. Yeah. and what's the background like when they call? What's kind of the purpose or, why are they saying that? They call it just, could it be random? Just like, Hey, you know, we need your bank info, we're part of this group, or. is there certain patterns or is it just kind of random?
So they'll call and say, oh, there's been these suspicious charges on your account. And then they'll go and say, there was this charge, and they'll give you a dollar amount, and what they want you to do is they want you to quickly.
Log into your bank account to check to see if those [00:15:00] charges are on there. And because of that, that means they've already connected to your device. And so as soon as you log in, they have stolen your login information. So never do that. Be like, okay, thank you. I'm gonna go ahead and call the bank myself to verify this in which.
Most likely it's not true. But also what I would not do is on that same device they called you on, do not log into your bank account for 24 hours on that device. Go to another device to log in or call your bank directly where you call and say, Hey, I just got a suspicious call and I want to verify this.
That way you're covered. That's interesting. Now thinking about this thing, have you ever heard of stories where, a lot of us do telemedicine, right? A lot of us do synchronous telemedicine, we're talking to videos. Have you heard of any stories where, you could just
hop on a platform and people pretending to be clients or patients, And, targeting the doctors that are doing this Yeah. So that happens. [00:16:00] So look out for them asking very pointed questions about the patient. 'cause like if they're the patient they should know everything.
So I would say you ask the questions and if you have their record there, and if there's something that's not matching, that's not them they're impersonating. So I would say like, you ask the questions as much as possible, so then that you know, unless you know the patient and you know what they look like and everything, then it's fine.
But if it's like a patient you've never actually like really met, you're doing telemedicine for the first time, then yeah, definitely ask those pointed questions. Yeah, no, definitely. there's a lot of platforms, right? Especially, urgent care, acute care where it's just like, just one and done, right?
It's interesting, Yeah. And, let's see. So what other kind of AI issues that you're seeing nowadays? That we have to look out for. A lot of these platforms are AI, heavy, even advertising themselves as AI forward. Yes. Right. So what else do we need to look out for, before we get caught in kind of the traps?
[00:17:00] So I think like really looking out, so there's so many companies that claim to be like, there are like AI experts and all this. That is just because they were funded by all of these VC firms to like get their startups going. And so they're trying to really get their feet, which is fine.
You're trying to grow a business. But my thing is like, okay hold 'em to the fire. because I even. Fell into it. 'cause I'm trying to, you know, get, all these AI things and learn and do all these things. But what I do is I ask questions and I ask very pointed questions. I ask detailed questions when they say, oh, well I can offer you this, and we use our AI for this.
And so I begin to ask pointed questions because one thing that I do not like, if it's 100% AI. I'm like, well, where's the human factor to this? Because what I don't want is just like AI sending out all of these emails and there's no humans involved and it's talking to another human, so they think it's talking to me and it's not really me.
And I'm like, no, you can't do that, because I don't want people to think there's some inauthenticity with me running my operations. So make sure that human factor is there. Yes, you can have AI for [00:18:00] like if someone's like call centers and things like that because people are gonna be constantly calling.
And it's gonna make it more efficient, but of course it ends up into a human's hands, which is totally fine. But people use it where it just like does everything and then they expect everything to be so automated. Well. Technology is not there yet. The AI technology just is not there yet, at least here in the United States.
Like I am gonna travel outside the United States to check out the AI and a few other countries that have some very advanced AI technologies. And kind of, check that out and have some meetings to see. But I know here in the United States it really isn't there yet. And so, I think that if someone comes to you and says, Hey, we have this AI, it's gonna help you with more efficiency,
the first question I would ask is, have you wrapped AI governance around your AI tool? And they'll say, they come up with all of these different things as well, and these, oh, well, let's have a call and let's talk about it. No, tell me what you've put in place. Tell me like, is it government grade [00:19:00] type of governance around it? Is it, and then what kind is it? So if they can name certain things. So if it's HIPAA, make sure that there's HIPAA compliance that's inside AI, especially for doctors like yourself. If they don't say that, then you don't need to utilize it because they need to make sure that they put those measures into the AI tools so that health private information does not leak out or get learned by those LLMs and then the whole world can have it. The other thing is open AI. Don't use all these open AI tools without it being in an enclosed network. So if they encapsulate it and enclose it, then you can use it. But when it's just open to the world, then I would say, you know, don't subscribe to it.
Don't use it. But ask those pointed questions. Say, you know, How do you secure it? What measures are you securing? And then one of the really good questions is, okay how long have you been doing this and out of all of your clients, tell me about a client that you had that [00:20:00] at first things did not go well.
You were able to fix it and turn it around to give me that story on how that happened. Because no one is perfect. Nothing is perfect. So you have to tell me about your mistake and you have to have ownership of that. And then you have to have, tell me your solution. How did you solve the problem?
Because if you can't solve that type of problem with that client, then you can't solve my problems. No, that's interesting that you were saying that. 'cause I was just thinking, you know, a lot of, our listeners too. Want to develop platforms, want to develop their own telemedicine practice. And, with this AI boom, they're gonna want to rightfully so, incorporate AI tools.
Right. And either doing their own or, trying to find a third party to build it for them. you kind of mentioned it, but what else do you need to look for? What are the common pitfalls when you're creating these tools, you know, what do we need to know and what do you think Most of us [00:21:00] don't know, but definitely need to.
Well, especially for telemedicine, so it'll be like people calling in. Right? So they're gonna use AI agents for that, right? Yeah, correct. So find a company that knows how to build out those agents or find out there's platforms that have the agents and do you have to configure the agents? So find a developer that knows how to configure the agents that retrofits to exactly what you want, and then go through a period where it is tested.
and you have other people test it out, to make sure that it actually works. Like we have some developers there. They build different agents. There was one developer, he built an agent I called. There was an error. I said, okay, this is where the errors were. He went back to fix it, I call again, there was another error.
Okay, here's the other error. And so we kept going back and forth until it was fixed, before we went back to the client to say, okay, this is ready for you to use for your call center. So things like that is really important to make sure that you hold 'em to the fire and make sure they do their due diligence and then you're just fine because they're gonna be building agents or they're going to be [00:22:00] configuring agents for you.
Good advice there. Phoebe, do you have any questions? Yeah, yeah, I do. So, from my perspective, I take more of like the compliance angle. Mm-hmm. And I think often you know, my thing is more, to your point, I'm seeing more and more health companies, like, you know, of course they will tap into AI
and often like wanna use kinda like open source. Like ChatGPT or something of that. What are some of the like risks and the penalties that you've seen kind of on your side? I think where I always try to come from is like, nobody cares until like their pocket is impacted.
And I think when we talk about privacy, security, HIPAA, anything in the healthcare world. One breach or one small thing can ultimately completely derail your whole company. You know, from your perspective, like what are some of those penalties and how does, what does that look like?
So those penalties, one is grave financial loss and another penalty could be [00:23:00] legal ramifications, whether a major lawsuit or even criminal. According to what happens, because it's very serious dealing with people's health information. And so doing the due diligence as the doctor you know, the patient is putting the trust within you because there's doctor, patient, confidentiality.
So if you have that confidentiality, whether it's either person to person or technology. They expect that confidentiality and all the laws say so as well. That's why there's HIPAA and it says that in the law. And so, and I know people think about the money and they don't. They wait till something happens and then they end up paying or they say, oh, well I have insurance.
Insurance does not cover your reputation, right? So you can insure to pay out that person and they get their money. But if it hits the media. What are you gonna do? Your practice is now in jeopardy 'cause people aren't gonna trust you. And trust is a big factor, especially in the medical field. So I tell.
People, and I've said this many, many times on, other platforms, podcasts, [00:24:00] like be proactive instead of reactive. So look at it as an investment. Look at it as insurance without actual insurance, because this type of insurance is that you're more involved because one, you're investing. Also you're involved in the data and you are in more control actually.
'cause insurance policy, just an insurance policy. And they tell you what the guidelines are with this. It's your data and the patient's data. So you have a lot more control. So do it that way and control it and invest in compliance people. So many people, like, they don't like compliance 'cause it's very inconvenient.
And I know that because I always hear it. But compliance isn't inconvenient. It's a protection. It's education, it's protection, and it helps you where you can sleep at night. You're not worried. You're not like, you know, I'm not so worried about this breach because I. Checked all the boxes and I put in the due diligence and all the technical, everything that's under compliance.
I've done that and so I'm good to go instead of it hasn't [00:25:00] happened yet, so I'm gonna take the chance and see what happens. Well, when you do that, it's when you least expect it because it could be years, and then when it does happen, it is huge. It just hits you like a brick and who wants to spend their time in court in lawsuits when you want to be spending your time taking care of your patients.
Yeah, actually it's funny, like Phoebe's face is just blown right now, right? Because this is right down our alley. And this is good timing too. 'cause I think last week's a guest same advice, right? We had, somebody with compliance, same thing, right? You know, an ounce of prevention, definitely prevents a whole pound of just badness, right?
That's not the saying, I just somewhere there, but you know, you get the deal. But No, but to your point too, I mean, again, like I harp on compliance so much because I think people don't really focus on the reputational damage. I mean, I could tell you right now, it's the same way that like from a consumer looks at a breach is the same way as like, you're not gonna go get surgery from a doctor [00:26:00] who's killed a few patients.
Right on accident. Or has a bunch of medical malpractice claims. Like same thing as a company. If you're working in healthcare, I'm not gonna go to the company that is like willy-nilly. Not securing my data or is a little careless or cutting some, you know, corners. So, to your point I'm, yeah, I can talk forever about why compliance matters and why people don't like it.
It's rules. Nobody likes rules, people wanna be able to do, you know, but at the end of the day, if we don't have those rules, it's the wild, wild west, which also is what I secretly call the health tech industry. Yeah, and I always say this I say this to people and especially to doctors because they, you know, deal with patients.
I'm like, if you go and get your annual physical every single year and the doctor finds something, they're gonna find it early and you're gonna pay that copay or whatever, right? You're gonna do that. They're gonna find something, they're gonna catch it early. The cost of the fix of [00:27:00] that is gonna be a lot cheaper.
Now, if you decide, well, I'm not going to the doctor, and now I have this little pain, I'm gonna ignore, ignore. Until it gets so bad that you, now you're in the emergency room and then your doctor steps in and all that, and now it's cancer. Now it's like major diabetes. It's like something so major.
Now, your health costs are so astronomical that some people, it bankrupts them just because they were being careless. It's the same concept. Yeah totally. I always joke, 'cause again, nobody wants to hire compliance folks. I'm sure. Like you have to deal with the same sales cycle that I do, right?
Where they're like, oh, no, we'll hire you in a month or a couple months. I was like, you know that $5,000 is gonna turn to about a hundred grand. Like I'm just saying it, I don't mean it from a mean way. I mean it from a realistic. Like you are going to be making some extremely big decisions that are gonna have very large downstream financial implications.
Yes. I've never even thought about that, example, that's a perfect correlation. [00:28:00] Yeah, definitely. Well, yeah, people need to really. Think in those ways so that they're not, and We're all humans, right? So it's like complacent. And we always wait to react to stuff like, you know, there's, all kinds of stories and fables of like, you know, like the boy who cried wolf and then boom, like.
It happened, or, the flood story, oh, there's a flood and nobody's like, oh, whatever. And then there was a flood. Like, there's so many different stories that say that, people warn, warn, warn, and then like, they're like, oh, well nothing happens. But then you kind of see the signs, which you kind of ignore it.
It's like, no, don't ignore it. Like, do something. It's called due diligence. It's just that simple. Yeah. And you know, you're dealing with startups a lot of times here in this space. Right. And the startups have very limited capital. Mm-hmm. And it's sometimes very difficult to convince that this is a priority.
So hopefully, you know, saying it over and over again and setting examples like this and sometimes yeah, it has to be like, Hey, here's a scary story. This is why you're gonna do it. [00:29:00] And so it convinces them to make it a priority. As a startup, my advice to any startup in any field, I would say if your approach to do compliance like you have very little capital.
One, try to get yourself to a point where you put some capital aside to invest in it, but then also ask that compliance company to say, Hey, I don't have the capital now. I'll have it in about this amount of time, but what is the cheapest way I could do something when I get to that time to at least begin to build my compliance house and get that in order?
Can I do it in phases? And I'm sure every compliance company will be happy to help you build it in phases, because we don't do this for the money. We do this because we wanna protect your information, we wanna protect your reputation. And so there are steps that can be taken as well.
Instead of thinking like, oh, I'm gonna spend like $20,000, $50,000. Like no. Like there's little things you can do. Training, there's, you know. Getting certain things in place. There's certain things that, you know, you can begin to research to begin to put things in place that will make it [00:30:00] cheaper.
So there's many ways to skin a cat. There's all kinds of ways. It's just like critically think about it and say, okay, you know what, can I do what's best now? And then build upon it just like building a house. No, that's smart advice there. We are getting into time, but I want to talk about Brownstone.
And your company and what you do, and I hear that you have a new app out that could help people out. So tell us more about that. Sure. So Brownstone, we've been around for 15 years. I've been doing this for about 25. We do compliance across the board. So you name the type of compliance, we do it: HIPAA, GDPR, CCPA, NIST, FISMA, FedRAMP, all of it, PCI DSS.
So we do it across the board and we do, of course, penetration tests, vulnerability scans, AI governance, the whole thing. And I just developed an app called Compliance Aid. And what it does is it's mainly for cybersecurity professionals, but even professionals outside of cybersecurity can utilize it.
Because what it is, well, basically it's FISMA, FedRAMP, and SCADA controls that you would use to [00:31:00] implement in your environment. So there's things called access control. There's things called the physical environmental controls. They're all in this app, and so the app has the plain language in there so you, like anyone can understand it instead of it's like, okay, well I don't understand.
It's this language where plain language, where every single control so you can understand it. And then when you click through it tells you like. What questions an auditor would ask you. It tells you what questions you ask your engineers. It tells you how you would implement things like what we call a security plan.
It tells you how you would implement those. And I tell people, if you aside for that, in the real world, if you're setting things up or you looking at your environment, you could take like, for example, access control and say, okay, am I following AC-2 in my doctor's office? Am I following AC-2 at my law office?
Am I following that to a certain extent? And then just read through those requirements to see if you're actually following that or if you actually need to implement those things. It's just as simple as that. Just using an app so anyone could use it, but it's where cybersecurity professionals stay.
Um. Use it to do their [00:32:00] job so they can just have it on their phone or have it on the tablet, and they just can go and ask the questions instead of like, if someone asks them a control question, they can quickly look it up on their phone and it's right there instead of like, okay, well I have to Google it, or I have to, you know, find the document that's stored somewhere.
It's right there in the palm of their hands and they don't have to worry about that. Comprehensive. And there's other apps like it out there, but this one is superior because of the level of detail and like everything it asks from the beginning to the end of your assessment or audit process. So that's what I really like about how we developed it.
No, you know, as you're talking about it, I've been at so many companies you say that you do compliance and they automatically assume you do. All compliance. And the one pay place, I am like, Nope. Go get somebody else is cybersecurity. Like, basically everything you do.
And I think it's really interesting because half of the struggle is like people don't know what they don't know. So it's the idea of like, yeah, we wanna do [00:33:00] FedRAMP, we have a government contract. What does that even mean? What is the first step to even take, so I love that you kind of like break it down onto, its like digestible steps.
Actually that brings up a follow-up question that I had is, you know, let's say you're starting a company, but you want to tap into Medicare, you want to tap into federal monies, you want to tap into grants, so forth and so on, is there a specific minimum that you need to meet?
You know, you've mentioned a lot of acronyms and, mm-hmm, kind of certifications. Do you know if there's a specific minimum that you need to meet in order to qualify for these? If you're setting up something in the cybersecurity space. Definitely. So, and everything is in the app, so you need to meet FISMA requirements.
Usually for government, unless it's cloud, then it's FedRAMP. And then if it's a facility, like a power plant, then it's SCADA. And there's other ones that we're adding. We're gonna add HIPAA, we're gonna add GDPR to it. But right now we have those three. You have to have a minimum. There's a low, a moderate, and a high, and according to the [00:34:00] sensitivity of environment, usually medical is gonna be a high because of the privacy data.
In that, it's called a white gloving process. The white gloving process basically takes you through all of those controls that are required to implement, which means you have to create all the documentation for it policies and procedures. All your people have to be properly trained, so it's like.
Everything that you have to do is within those entire control sets, that you would need to do, and it could be overwhelming. Hence why you would hire a compliance firm to actually implement it for you, help you put it together. So what they do is they'll help you write the documentation or write the documentation for you,
if you have people to write it, then they'll come in and they'll assess it and tell you where all of your gaps are, so then you can go and fix those things, and then now you've gone through the process and it's called an ATO, authority to operate. You get an authority to operate. Then once you bid the government, you can say, here's my ATO letter.
Here's my package. It's a package of all of your information, and that package does not mean you check the box. It means that you've actually [00:35:00] put all of those controls in place in your environment so that your environment is safe to go on a government network or you're able to do business with the government because you're gonna have government information onto your network.
Oh, that's interesting. Oh, thank you for that. Yes. Yeah, we are wrapping up a bit. Phoebe, do you have any last questions before we ask your last question? I learned a lot. Yeah, definitely. Me too. I appreciate all the learnings. My airplane rides are gonna be less fun, but no, this was so helpful.
This was so helpful, Yeah. Very informative. I think again, most people forget. At the end of the day, healthcare really is run on data. Mm-hmm. Everybody wants data and you have people that just move really like fast and loose. And I think it's really important to understand the implications and kind of like what you're getting yourself into.
And you know, I always try to take the side of like, I'm a consumer. I would hate to like have my data, accidentally, be [00:36:00] shared because of some carelessness. So. No, this was really eyeopening and kind of scary, but thank you.
Now, just a common follow-up question that we have, going back to post, let's say post graduation right before you decided to go, I don't know, post law school or whatnot, what's the one piece of advice that you'd give yourself right now? Back in your younger self. That's a good question.
I probably would tell my younger self back then that make sure that you don't lose, focus on what's important as you're going on your journey. And enjoy the actual. Journey and not focus on like what the goal is because the journey is what matters. Well, you're telling a bunch of doctors that Oh, painful.
Yeah. We've lost that view a long time ago. No, that's wonderful. Thank you so [00:37:00] much for spending time with us. How can our listeners get in touch with you? How can they reach you? If they had more questions, wanted to, you know, use Brownstone, use you, while they're building out their business.
So what's the best way to contact you? So they can reach me on my LinkedIn, which is Cordell Robinson. And Brownstone is on LinkedIn under the same profile so they can reach me there. Easiest, they can reach me. c Robinson, C-R-O-B-I-N-S-O-N at B as in bravo, C as in Charlie, F as in foxtrot, us.com.
My email, I'm always on my email answering like all the time. And then my website is under construction right now 'cause I'm rebuilding. But they can still go to www.bcf-us.com. You can still get to it, but it's going to change. So those are the best ways. And then, I'm on IG just a little bit, like on Brownstone Consulting underscore firm on IG, and I just started like putting like, you know, little videos here and there and I'm gonna get more into like the social media, but I'm kind of figuring out.
You know, what's the best way [00:38:00] to like do it where it makes sense for me? But those are the ways. So I'm looking forward to like hearing any questions from anyone. If they want to hire Brownstone, we definitely will make sure that you get your compliance house in order and make sure your people are properly trained and able to protect their data and your patient's data.
Awesome. Thank you so much. And, for the listeners out there, if you have any questions for Phoebe, it's phoebe@telemedicinetalks.com or leo@telemedicinetalks.com. We also have info@telemedicinetalks.com. Thank you so much for spending time with us. And, yeah, thank you. I'll see you guys next episode.