Vy Technology :: Blog :: High quality technology innovation in the shortest amount of time

SolarWinds Hack Shows Danger Of One Size Fits All IT Security
In 2018 I spent an exceedingly large amount of time arguing with managed care attorneys. I was representing a healthcare company that didn't fit traditional classifications, and in turn, "lively discussions" around traditional security requirements were occurring constantly.

In one particular call, we discussed their requirement for an around the clock, eyes on glass SIEM solution before our $5-million contract could start. This requirement was overkill for the operation, and it was my job to convince them.

Eventually, they backed off the need for around the clock, eyes on glass, but they still insisted on a traditional SIEM solution. Their recommendation was for us to use a company called SolarWinds.

I had concerns for TWO main reasons:

  • We already built top tiered solutions for security monitoring
  • More importantly, I wasn't (and still am not) fully comfortable adding additional parties where someone else has control and there is no visibility into their security practices

Their response: "SolarWinds is used by DOD, FBI and almost all Fortune 500 companies, I promise you their security is better than yours."

Recognizing I had to bend on this particular requirement, I agreed. However, I wanted to be on the record noting that I didn't believe SolarWinds' solution was better, but more importantly point out that they ARE a bigger target, which made me uncomfortable giving them access to our network and data.

Fast forward to 2020 and SolarWinds is now the source of what in my opinion will be seen as the largest security breach to date. Having Microsoft source code stolen is hugely problematic in so many ways I'd need a whole other blog post (or ten) to detail. Then came the US Government agencies breached. And the more time and info we uncover, the worse it gets.

This is reminiscent of this summer's SonarQube hack of the FBI (also reminiscent for me because of other discussions I had with a different set of MCO attorneys over SAST testing requirements and their suggestion to use SonarQube).

This topic will probably be controversial for certain vested interests, so let's get a disclaimer out of the way. If you are a Fortune 500 company, a large government agency, or part of an "IT security company", this post isn't for you. This post will be beneficial for healthcare companies that are not hospitals/doctors offices/pharmacies, generating $50-$200 million in revenue.
Disclaimer out of the way, onto the real controversial statement.

The current unfashionable practice of "security through obscurity" (when combined with other key security measures) is prudent and needs to make a comeback.

If you're still reading you are probably: 1) vehemently opposed to that statement and looking for a pitch fork, 2) you agree with me (very unlikely), or 3) you have no idea what I'm talking about.

So for the third group, security through obscurity is the past belief that there was security in no one knowing your source code and your technology apparatus.

For the pitchfork folks, before we go too far, I am not saying that "security through obscurity" should be the only security measure. But rather we increasingly find that attack vectors come through adding services (yes, even security services) to one's network, and maybe as serious IT professionals we should consider limiting the number of entities on our network for the sake of security. This principle applies doubly to small and medium sized companies.

Blindly adding services on top of one another is like adding more entrances to the White House without ensuring additional security precautions. In short, you're asking for trouble.

You need a solution that thinks through the most cost-effective (emphasis on effective) method of security. You need a solution that will look at your company's entire landscape and make the best decisions to keep your data safe. You need a solution that doesn't just regurgitate industry jargon like "standards" and "best practices" especially since every business is different and has their own specific needs. With these ideals in mind, Vy can not only ensure an effective tailored security solution but we can usually implement at a lower total cost. Truly a win-win.

Maybe your operation needs an incredibly well hardened software that has limited attack vectors. If that is the case, Vy would love to have a conversation with you.

Thinking of selling your company in the near future? Great. It's an amazing time of your life. A lifetime of hard work culminating into a single event. Similar to a wedding, only this is the end of the journey not the beginning, you need to broach important subjects to ensure you are making the best possible decision. For marriage that might be discussing with your spouse the want for children, where you're going to live, and values of importance. In business there are many issues as well, but one that often gets overlooked, and can make or break the big day, is data asymmetry.

You've likely never heard of data asymmetry, and you're not alone. But if you don't familiarize yourself, you could be leaving 10s, or even 100s, of millions of dollars on the table.

The private equity or publicly traded companies behind large scale purchases are highly sophisticated. They have scores of Ivy League MBAs that spend their time analyzing data with the sole purpose of estimating your company's worth five years in the future, and how they can justify "discounting" your company's valuation in their offer.

When a seller cannot compete with this intense data analysis, that's when data asymmetry occurs. Put another way, data asymmetry is when you know your business is worth more than the offers suggest, but you have no way of demonstrating why they are wrong.

It's a frustrating place to be, and quite frankly, it occurs more often than not. Private equity is banking on the idea that you can't demonstrate the full value of your business, and in return, their offers reflect that assumption.

You may be asking yourself, "but won't my investment banker help me through this?" Not exactly. Even if you go the investment banking route, think of the investment banker as a real estate agent. By that, I mean two things:

  1. Expediency of the sale is more important than final price. This is due to the cost-loss analysis, i.e. how much money do they stand to make on pushing for the best price vs. how much they stand to lose if the deal falls through.
  2. They are handcuffed with the data you give them.

Of course, investment bankers will clean it up, format it, and present the best possible view. But they can only work with what you have given them. And in a lot of cases it is not enough.

When I first went through this process I was shocked at just how little value the investment banker brought to the data side of the transaction. Still, they were worth their fee, just for their relationships in the industry alone, and that they knew what questions to get answered. But if you think they are able to take your raw data and present the case for the highest valuation, think again.

It is critical that data analyses occur before you hire an investment banker, or start talks with private equity firms. Truly, the time to think about/implement is one to three years before the sale.

I saw this first hand. My journey into increasing a company's valuations, via technology and data advancements, began when I was brought on board to increase the value of a company that had recently received a mid 8-figure valuation. Some might say, great, I'll take it. But the owners of this company had their sights set on a low 9-figure. But without changes that wasn't going to happen.

Those changes were simple to outline (data asymmetry and an inability to grow into sophisticated markets), but took expertise to solve.

Private Equity knew this and appropriately discounted their offers.

The owners, however, were smart enough to recognize the problem, implement a solution, and then bring the business back to the sellers.

In three years we were able to fix their data/technology systems which enabled:

  1. a more efficient operation (EBITDA improvement)
  2. entering more sophisticated markets (top line growth); and
  3. output sophisticated data when buyers came knocking

In the end, they were able to get an offer 3x higher compared to their original offer. 3 TIMES!! They earned their low 9-figures and then some.

If the above problem sounds familiar to you, and you'd like to hear more, feel free to contact us. We love solving data/technology problems and helping businesses prove their value.

Also, we promise to keep your intentions confidential, and NEVER sell your information.

WhatsApp - HIPAA Compliance
We completed a really fun project this past week for a client of ours involving our CRM and WhatsApp integration.

To WhatsApp's credit, they do not want to become a spamming engine for the entire globe. Because of this, navigating their API process is quite complicated. The API itself is super simple. But how to get approved, how templates are approved, and how templates are used for initiation make for a complicated integration. We are glad we are on the other side of that now and have the understanding of how all that works.

But it got us thinking about another area we are highly versed in: HIPAA compliance.

WhatsApp is great because it is end-to-end encrypted by design (which text messaging is not). So does that make it HIPAA compliant? As Steve Adler's great write-up in HIPAAJournal.com points out, no, not as it is traditionally used.

He's right, except for one thing. He assumes the only way to use WhatsApp is from phone to phone.

As Mr. Adler points out there are three issues that prevent WhatsApp from being HIPAA compliant on the surface: Access Controls, Audit Controls, and Termination Controls. Let's look at why these are problems for phone to phone messaging, but not within an application like Vy Healthcare CRM™ to Phone.

Access Controls

If you use WhatsApp phone to phone, you lose the ability to control who can install that account onto a phone. Thus you have no access controls and that is a big HIPAA no-no. But if you never install the application on a phone, this isn't an issue. If your WhatsApp messaging is built into your Healthcare CRM, and it does the sending, you have the same level of access controls as the rest of your application.

Audit Controls

Likewise, if you just use WhatsApp phone to phone, you have no ability to keep an audit trail of conversations. However, the very nature of integrating the WhatsApp API into your Healthcare CRM will produce the same audit trail of communication as you get with any other method of compliant communication. We'd argue you actually get better audit controls because of the verified feedback you get from WhatsApp on the status of the message (i.e. you know whether it was delivered and not read or delivered and read).

Termination Controls

Lastly, termination controls are achieved just like the rest of your Healthcare CRM termination process. Unlike in a phone to phone situation, where if you remove the app from the phone it removes the data, all the historical data is saved, access is terminated, and everyone goes on with their life.
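The three controls above, sketched as an added example that is not from the original post or from Vy's product: a hypothetical `MessagingGateway` class through which every send passes, with a stub transport standing in for the real API call. The class and method names, the status set, and the sample user ids and phone number are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Delivery states assumed for this example; the post mentions delivered and read.
STATUSES = {"sent", "delivered", "read", "failed"}


class AccessDenied(Exception):
    """Raised when a CRM user is not allowed to send messages."""


class MessagingGateway:
    """Hypothetical CRM-side wrapper: all sends go through here, never a phone."""

    def __init__(self, transport):
        self._transport = transport  # callable(recipient, body) -> message id
        self._users = {}             # user_id -> {"active": bool, "can_message": bool}
        self._sent = set()           # message ids this gateway actually issued
        self._audit = []             # append-only, hash-chained audit records

    @staticmethod
    def _digest(record):
        payload = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def _log(self, event, actor, detail):
        prev = self._audit[-1]["hash"] if self._audit else "0" * 64
        record = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                  "actor": actor, "detail": detail, "prev": prev}
        record["hash"] = self._digest(record)
        self._audit.append(record)

    # Access controls: the CRM's own user records decide who may message.
    def add_user(self, user_id, can_message):
        self._users[user_id] = {"active": True, "can_message": can_message}
        self._log("user_added", user_id, {"can_message": can_message})

    # Termination controls: access ends, the history stays.
    def terminate_user(self, user_id):
        self._users[user_id]["active"] = False
        self._log("user_terminated", user_id, {})

    def send(self, user_id, recipient, body):
        user = self._users.get(user_id)
        if user is None or not user["active"] or not user["can_message"]:
            self._log("send_denied", user_id, {"recipient": recipient})
            raise AccessDenied(user_id)
        message_id = self._transport(recipient, body)
        self._sent.add(message_id)
        # Log a digest rather than the text, so the audit trail holds no message content.
        body_sha256 = hashlib.sha256(body.encode()).hexdigest()
        self._log("message_sent", user_id, {"message_id": message_id,
                                            "recipient": recipient,
                                            "body_sha256": body_sha256})
        return message_id

    # Audit controls: delivery feedback reported back by the provider.
    def record_status(self, message_id, status):
        if status not in STATUSES:
            raise ValueError(f"unknown status: {status}")
        if message_id not in self._sent:
            raise KeyError(f"status for a message we never sent: {message_id}")
        self._log("status", "provider", {"message_id": message_id, "status": status})

    def latest_status(self, message_id):
        for record in reversed(self._audit):
            if record["event"] == "status" and record["detail"]["message_id"] == message_id:
                return record["detail"]["status"]
        return None

    def events_for(self, user_id):
        return [r["event"] for r in self._audit if r["actor"] == user_id]

    def verify_chain(self):
        """True only if no audit record was altered, removed or reordered."""
        prev = "0" * 64
        for record in self._audit:
            if record["prev"] != prev or record["hash"] != self._digest(record):
                return False
            prev = record["hash"]
        return True


def make_stub_transport():
    """Constructed stand-in for the real API call; returns sequential ids."""
    counter = {"n": 0}

    def transport(recipient, body):
        counter["n"] += 1
        return f"msg-{counter['n']}"
    return transport


if __name__ == "__main__":
    gw = MessagingGateway(make_stub_transport())
    gw.add_user("nurse-1", can_message=True)          # constructed sample user
    mid = gw.send("nurse-1", "+15555550100", "Your delivery arrives Tuesday.")
    gw.record_status(mid, "delivered")
    gw.terminate_user("nurse-1")
    print(gw.latest_status(mid), gw.events_for("nurse-1"), gw.verify_chain())
```

Denied sends are logged as well, so an attempt by a terminated user shows up in the same trail as the messages that user sent before termination.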


I do agree with Mr. Adler's assertion that a BAA is not necessary because by the nature of how WhatsApp built their platform and the underlying technology, the data never gets stored on their servers and the data is always end to end encrypted with keys WhatsApp doesn't have. If someone tells you that you need a BAA for WhatsApp, then you better get one with the United States Postal Service because a lot more PII is available to every letter carrier in this country than WhatsApp has available to them. That being said, you may have to sign a BAA with a third-party if you use them as your API gateway, but that is usually a pretty straightforward process, and certainly not a reason to not use WhatsApp.

Tools like WhatsApp coming together in Healthcare is exciting. So even though it isn't HIPAA compliant out of the box (or phone), it can be a solution if implemented correctly. If you have questions or ideas on how you want to implement it, feel free to reach out to us.

Do Not Make The Same Mistake COBOL-based New Jersey & Kansas Unemployment Department Made

It may be because there is nothing on TV. It may just be general curiosity. Either way, I find myself consuming a bit more news than normal in these interesting times we currently find ourselves in. Much of that news is to be expected. Airlines in trouble. Oil plummeting. Stimulus packages created and then poorly managed. But then I came across something I wasn't expecting. The dire need for COBOL programmers.

The backstory is this. Due to the rise in unemployment, and a flood of unemployment claims, the antiquated system that utilizes a programming language few people know anymore is creating significant issues processing claims. So there is this urgent call for COBOL Programmers. But few under the age of 60 know how to program in COBOL. Why? Because COBOL came onto the scene in the 1960s and hasn't really been taught since the 1980s.

But before we jump on the obvious lack of foresight New Jersey and Kansas have had, it is important to understand that what most tech companies don't understand about non-tech companies is that you rarely get the benefit of being an early adopter in an established, profitable, well-run organization.

That being said however, what non-tech companies don't understand is that they have to have a game plan to deal with their aging systems and processes. Credit can be given for not always being up on the latest and greatest because the latest and greatest is not actually the greatest for established companies, but they don't get a pass on waiting 50 years to update their system either.

You have to find a balance.

While the old saying goes, never waste a good crisis, it is by far more preferable to modernize before a crisis hits.

One of our customers recently capitalized on that. They are one of the few businesses that have stable growth in the good times, but have very rapid growth when things are bad. In theory, their main competition could do the same. But their main competition can't because they aren't set up for that. So while our customer can pivot on a dime - even remotely - and integrate insurance companies' systems into their system, and then their system into UPS's system, their competition is left with a very small piece of the pie. We are talking tens of millions of dollars left on the table.

But it wasn't the crisis that enabled them to do that. It was 7 years before that when they realized their RPG-based (similar to COBOL) system was stuck in the 80s and it was time to modernize.

Times are tough now and they likely will be tough for a while. And whether it is helping your team work easier remotely, or cutting costs, or simply because the time to advance is when your competition is flat footed: now (yes even now) is the time to modernize. It's probably cheaper and easier than you might think.

Be better situated for the good times. Be better prepared for the bad times. And stay safe out there.
Need help with modernizing your antiquated system? Don't be a stranger then. Let's talk.

We Are Zealots for Efficiency: The Andy Borgmann Story

Core Values Series: This is the final of an eight part series
highlighting the backstories to our core values

When I was a boy my dad would ask, like most fathers, "how was school?" I'd mention something along the lines of "well I had a math test today."

Then my dad would ask, "well how do you think you did on it?"

And I would answer, as if it was the most obvious answer to his question, by informing him that I finished faster than everyone else in the class.

Looking a little perplexed by that answer, he would then follow up with, "ok, but how do you think you scored on that test?" And I would respond along the lines of, "yeah, that was a given. I got an A on it."

In my mind the fact I got an A, wasn't what set me apart. The part that set me apart was the fact that I finished before everybody.

To be very clear, I am not saying I was the smartest person in the class. But I was an "A" student in a gifted program. So let's say I was in the top 5%, but I was not in the top 1%.

This didn't really bother me then and it definitely doesn't bother me now. Answering my dad so naturally that I finished first, spoke more about what I eventually learned about myself: which is that I have a zeal for efficiency.

This is something very unique in technology. That is why I want to build our company on this value.

You can find companies that can do relatively the same thing as us. But you'd be hard-pressed to find one that can do it as fast as us. Likewise, you may be able to find companies who can move as fast as we can, but the quality and security of what they do is not up to par.

In college I had a professor, who is still a great mentor and friend, named Dick Pritchard. He would say in a completely different context from business, "you can have something good, fast, and cheap, but you have to pick two out of three. You can't have all three." For the first 10 years of my professional career I always liked to think that I was the anomaly. You can have all three with me. Eventually over time I became less and less cheap.

While we might not be cheap in the strictest definition, we are the greatest value. Because in business time is money. First in a billable sense meaning that if you can do something in 10 hours that others will do in 40 hours, it doesn't matter if you charge twice as much because you still saved them half. But there are also opportunity costs. If something takes two years to implement that could be implemented in 6 months, there is a significant amount of missed opportunity in the 18 months lost.

So at our core: we are high quality technology innovation in the shortest amount of time. We have a zeal for efficiency.

We Are Dying If We Aren

Core Values Series: This is the seventh of an eight part series
highlighting the backstories to our core values

If there is one thing I am most grateful for in this life, it is that I have had amazing mentors at all stages. There were three in high school. Two in college. Four after college. But there is one mentor that I have had throughout all the stages. Charlie Paparelli.

It is not an understatement to say I would not be the person I am today without Charlie. He is my Uncle. He is a very successful businessman. But when he realized that the life of success he was pursuing was pulling him away from family and instilling some bad habits, he had the strength to become someone completely different. A better person.

When everyone else in my life was just impressed I was a 4th grader with a job, he wasn't. That wasn't good enough. I still remember sitting in my dad's office and him teaching me (at 4th grade mind you) how to sell more newspaper subscriptions and the value of recurring revenue. I mean, who does that?

If you are going to be around Charlie you got to be ready to improve.

As a kid I don't remember him being an alcoholic. I just remember him being my Uncle Charlie. Right as I became of age and started knowing things is when he turned his life around. He's now as passionate about reaching this world for Jesus as he is a savvy businessman.

I remember a lot of his sayings throughout the years. One of which was when I was 13 or 14, I was up in my cousin David's bedroom, and he gave me this classic Charlie look. If you know Charlie you know that look. It's a look that means something - whether asked for or not - is coming. I love that look. He said, "Andy, if you are not learning you're dying." I am sure there were many supporting points to this statement that followed. I don't remember those. But I always remember that saying.

Unlike Allen Hunt's value, Charlie's value is one I naturally gravitate to. I like learning new things. I like experiencing new things. I get a little bored once I have become "good enough" at something. I think a lot of time when we get in trouble in life is when we basically come to the point where we say "yep I have learned that" and then try to coast it on in.

Charlie gets overcoming this temptation better than anyone I have ever known. It is rooted in the saying, "if we are not learning we are dying."

Be someone who is constantly trying to learn new things. Be someone who is trying to be better today than you were yesterday. Be someone who does not feel that it is up to anyone else to train, equip and develop you. Go out and find the answer and then do something with those answers.

We are dying if we are not learning.

Thank you, Charlie Paparelli. We will strive to be like you.

Do Not Confuse Efforts With Results: The Glenn Davenport Story

Core Values Series: This is the sixth of an eight part series
highlighting the backstories to our core values

There is no person in this life that I have worked with that has taught me more about business than Glenn Davenport. He is an amazing individual.

Glenn Davenport didn't go to college. He started at the ground level of Morrison Restaurants. They asked him to move (often) and he moved. His journey took him to Saudi Arabia. The personal sacrifices he made to advance his career were significant.

They spun off Morrison Restaurants into Morrison Restaurants, Ruby Tuesday, and Morrison Management Specialists which was essentially their healthcare arm before healthcare was healthcare. When they did, he became CEO of Morrison Management Specialists.

Even becoming CEO was not particularly easily handed to him by most standards. He had to take great personal risk when taking that position. But he did it well. He took them public, ran them as a public company, and then re-privatized them. Few get to do one of those things, let alone all three.

He also sat on the board of other publicly traded companies including Cracker Barrel and Team Health.

But more than all that Glenn Davenport is a great man. A great father. A great grandfather. A great boss. A great friend.

It is the greatest privilege of my professional career at this point to have gotten to spend 14 years with him (and continue to get to spend time with him).

I learned how to run a company from him. Learned how to read a P&L. Learned about the importance of EBITDA. That's just the start. While Glenn may not have taught me a lot about technology, everything else there is to running a business, he taught me.

Early on, before Glenn became who he was in my life, his CFO at that time was a guest on the talk radio show I was producing. We were doing a show on adoption. His CFO was adopted. He eventually tracked down his parents. This narrative fed into the nature of that episode.

I don't remember a lot about that show. But I remember walking into the radio station on October 22, 2006 like it was yesterday. Allen Hunt asked the CFO something along the lines of, "why do you like working with Glenn?" And his CFO said, "when I first started working with Glenn I remember him saying 'we don't confuse effort and results.' And I knew that was a man I could go work for as that is how I saw business as well."

A book could be filled with the amount of core values Glenn Davenport taught me over the years. I had to stop at eight, and I had to pick one for him, and I was just drawn back to that foundational moment before all this really got started.

We are not going to be people who judge performance based on effort, as tempting as that is. Likewise, if something gets results with less effort, that's a cause worth striving for.

Thank you, Glenn Davenport. We will strive to be like you.

We Are a Christian Company: The Dr. Jeff Justice Story

Core Values Series: This is the fifth of an eight part series
highlighting the backstories to our core values

Church was not part of my childhood. I started going in Middle School without my family and eventually became a Christian. In that time, I got to know a man named Dr. Jeff Justice.

Dr. Justice was amazing. He was a great father, a great husband, and very active in our church.

The first time I met Dr. Justice he was teaching a Sunday School class when I was still new to this whole thing. He gave a simple quiz - one of the questions was along the lines of what is Matthew, Mark, Luke and John - which anyone who has been going to church would answer easily those are the Gospels. But I didn't know that. I didn't really know anything about what was in the Bible.

Since I didn't know any of the answers to the quiz, it was a quick quiz for me. So I turned in the quiz with no answers. I wouldn't say he called me out, but I think he thought I was being a punk middle schooler not wanting to do the quiz. Not realizing that I had just started coming to church and knew nothing, he kind of teased me a bit for it.

I love that story.

Beyond that though, the one thing that struck me about Dr. Justice was how well he was respected outside of church. It's hard to describe unless you live in a community like Fort Wayne, IN, but everyone within the Medical/Legal/Business community kind of knows everybody. It's big enough to be something of substance. But also, small enough that most people know each other.

Often my church was a topic of conversation with people outside of my church and I would eventually talk about people inside there and when I would get to Dr. Justice people would stop and say how much they liked him and respected him. How much the nurses liked working with him. How much his patients liked him.

That wasn't always the case with other doctors.

Dr. Justice modeled what it was like to be a great father and husband, but also what it looked like to be a Christian out in the marketplace. Respected first for his marketplace impact, but also for a character that forces the question, "what else is there to this man?" Why is he different?

I am not naive to the idea that this core value is probably the most controversial for a business. Partially for reasons that might be warranted. But also for reasons that aren't.

We are glad that you are here regardless of who you are and what you believe. My life was impacted deeply by Dr. Justice and I want us to have that same impact in our marketplace. I would be remiss if I didn't establish the same foundation Dr. Justice modeled for me. One that loves, that respects, that gives, that rests, and that creates a positive family environment.

Thank you, Dr. Jeff Justice. I will strive to be like you.

We Value All People: The Gina Donnelly Theising Story

Core Values Series: This is the fourth of an eight part series
highlighting the backstories to our core values

It has been a joy living in four very distinct places in my life. The first 18 years in Indiana. 4 in Los Angeles. 8 in Atlanta. And going on 7 in St. Petersburg, FL. More than living in these places, it has been a privilege working with some amazing people.

Starting my own company was always on my radar. Because of that, I maintained a list of people that are first and foremost great people, but also excel at some area that my future company may need.

One of those was Gina Donnelly Theising.

She was the Associate Director of Chapel Programs at Azusa Pacific University. She was so good at what a lot of people aren't good at: office administration. She did that relatively unsexy job with such joy and love that just permeated through the entire office contagiously.

The timing to start my own company was very much a struggle for me. I'd say I really wrestled with it for about two years. The time came in June of 2019 when I finally accepted it was time to leave the best job I ever had and start Vy Technology.

Like every year, I was planning on spending the 4th of July with my family up at the lake in Coldwater, Michigan. So I said, "I think I know where I stand on this, but I am going to take that week just to clear my head before I do what I need to do."

In the middle of that week I got a message that Gina died at 47 years old in an ATV accident.

This world can be tough sometimes. Good things happen to bad people. Bad things happen to good people. That's a conversation for another day. If this were a just and fair world, probably everyone reading this blog should have gone before Gina. She just loved everyone. She saw the value in everyone.

When I went to her funeral a few weeks later, I was awestruck by how many people were there. I thought I knew the people who knew her. If I were to guess, the large Catholic Church in Simi Valley, CA had about 100 pews. They were all full. But the people I knew maybe took up 5 of those pews. It was then I realized just how big of an impact she had. That was all because of how much she loved.

She was always the first one there for anything. She would sign up for the marathon you wanted to run. She'd go hiking if you wanted to go hiking. She had a zeal for life and that zeal always involved others.

I am sure she had her selfish moments. Though from the outside that was not evident. She just loved and valued people the way God loved and valued people. We want to be a culture where we value all people the way Gina valued all people.

Thank you, Gina Donnelly Theising. We will strive to be like you.

We Pursue Margin: The Ray Neslund Core Value Story

Core Values Series: This is the third of an eight part series
highlighting the backstories to our core values

My grandfather Ray Neslund was an astonishing man. He spent most of his childhood in Stockholm, Sweden. Immigrated to a very poor side of Chicago. There are parts of his childhood that he wouldn't share. You can just tell that things were not good.

One of the things we do know is that he lied about his age to go fight in World War II. At 17 years old he traversed the Atlantic dodging German U-boats. Even back then, 17 year olds wouldn't volunteer for that type of operation if things were good at home.

He never went to college. He came back from World War II and after some time he started the Manpower franchise for Denver, Colorado.

It wasn't until I co-led a massive FEMA emergency meal operation in 2017 that I learned a nuance of Grandpa's business. Within that project, we had to employ 700 temporary employees. Even though we employed temps every day in our normal operation, there is something to be said about needing 700 temps as quickly as we needed them.

We had a very small break between Hurricane Irma production and Hurricane Maria production. In that small amount of time, another executive and I debriefed and we said that most went fairly well, but one thing that needed to change was how we checked in temps. In a matter of two days and a budget of $40, I developed a digital check-in system that could most easily be described as an airline boarding process. This took the temp check in process down from 2 hours to 15 minutes, and from requiring 10 people to 2.

Later I was sharing this story with a family member who said, "your Grandfather would have loved to have seen that." I was a bit surprised because I was always under the impression that his business employed more office temps than blue collar temps.

My uncle said "ohh no, he made his name in Denver with blue collar temps because he created a niche where he would pay them the same day they worked. This enabled him to get the best temp employees in the Denver market."

Grandpa of course did very well in business (with no formal education). He had built a lot of profit and margin for himself and his family. But he also built a lot of margin for his customers and his employees.

At that time credit cards weren't as accessible as they are today - especially to this population. Being able to pay the same day extended a lot of lifestyle margin to his employees. I also know full well that a lot of margin is extended to a company (his customers) that used temporary employees either by impacting profitability or flexibility or adaptability. You are enabling a lot of margin for that company too.

That is what we intend to do. We pursue margin for our employees, our customers, and our owners.

Thank you, Ray Neslund. We will strive to be like you.
Doing Right vs. Being Right: The Allen Hunt Core Value Story

Core Values Series: This is the second of an eight part series highlighting the backstories to our core values

In 2005, my first job out of college was being a Videographer for a church in Alpharetta, Georgia. That is where I met Allen Hunt. He was the Senior Pastor of that church.

Unbeknownst to me when I graduated on a Saturday and packed up and moved from Los Angeles to Atlanta by Tuesday, was that Allen Hunt would become (and continues to be) a huge influence in my life.

I also didn't know at the time that he and another individual - Glenn Davenport - were starting a talk radio show aimed at talking about faith in the mainstream (not on Christian radio).

I spent the next six years working side by side with Allen. The show started as a side project of our church and eventually we struck out on our own: just the two of us.

It is where I learned a lot about running technology for an operation because we had no budget and a lot of needs. I was responsible for everything - from the networking to the website design, database management, CRM, graphic design, satellite uplinks, audio editing. You name it, everything.

But while I taught myself a lot about tech during my time with Allen, I also learned a lot about life from him. Looking back, it would be amazing if everyone spent the first six years of their professional journey with someone like Allen.

Allen would have this saying that there is a "difference in being right and doing right."

I always loved that. Not because I was particularly good at it. I like being right. If you know me for more than five minutes you know I like being right. I grew up in what I would call a multi-generational, extended-legal family. In three generations I can count seven lawyers and one politician. And that doesn't even count the two intense businessmen. It breeds into you the ability to think creatively and stand your ground. Which has its benefits sometimes.

But this was added as one of our core values partially because I am not good at it and I need the reminder, but also because - no pun intended - he's right. It is better to do right than be right.

Sometimes that means swallowing your tongue. Sometimes that means doing the right thing regardless of whether or not someone is right to have asked of it. Sometimes it means just having empathy.

It also makes a lot of sense given our industry. There is something about being in Technology and being in Healthcare that makes this all the more important. There are a lot of egos. There is a lot of dysfunction. A lot of times it just takes someone stopping and asking the question, what is the right thing to do, and then doing it.

We probably will not be successful at this at all times. But we strive to be.

Thank you, Allen Hunt. We will do our best to be like you.
What University of Michigan Football Could Teach Business: The Bill Borgmann Core Value Story

Core Values Series: This is the first of an eight part series highlighting the backstories to our core values

My Grandfather - Bill Borgmann (#6) - played football for University of Michigan back in 1934. He was good buddies with fellow teammate Gerald Ford (#48). Grandpa went on to be a Lawyer. Gerald Ford went on to be President.

One of their teammates was Willis Ward (#61). Ward was a black football player 15 years before Jackie Robinson played Major League Baseball.

When the University of Michigan was to play Georgia Tech, Tech refused to take the field if Ward played. The story goes that when the players found out about this they contemplated refusing to play. Now I don't know if it was truly the "Rudy-esque" moment that President Ford's campaign made it out to be. There seems to be some dispute about that.

But what I do know is that they did take the field without Ward. Early in the game one of the Tech players made a snide comment to my Grandfather and President Ford that I can only assume used the N-word. As the story goes, my Grandfather and President Ford hit that guy so hard on the next play it took him out of the game via a stretcher.

Even 40 years later, you can still see the pride and joy in Ward's retelling.

Grandpa never told me that story. It would be 7 years after he died when I first heard it. I love that story for a lot of reasons. One of which is because I believe it speaks to a familial belief that this world should be a meritocracy.

This is one of the reasons I love sports so much (it certainly isn't because I am good at them). Ultimately at the end of the day, sports do not care about anything other than how well you play, how well you help your teammates, and how well your teammates help you.

Within that meritocracy there are phenomenal players and there are great players - you don't make it to the team if you aren't great - but compensation and tenure is solely based on how well you perform. Tom Brady is not compensated the same as Edelman, and Edelman is not compensated the same as the backup lineman. That doesn't devalue the backup lineman. Our value in this world should not be based on our position or earnings.

But business should be a meritocracy. Your value within a company should not be based on whether you are male or female, young or old, Republican or Democrat, educated or uneducated, straight or gay, Christian, Jewish, Muslim or non-religious, Black, White, Latino or Asian, or anything else. The only thing that matters in a business is how well you perform for your team.

Tech companies in particular are not notorious for being good at this. Sure, their Executives write books on the concept, but their cultures do not reflect this. Vy Technology will strive in all things to be a meritocracy.

Thank you, Bill Borgmann. We will do our best to be like you.
Database Replication - Business Above IT
We have a customer that is growing very fast in the Healthcare space. Two years ago their Member database was around 200,000 members. After 2020 Annual Enrollment Period settled, they are now over 5 million members. This growth is a very good problem to have.

One of the features of Vy Healthcare CRM™ is something called "IntelliSearch." This feature enables a quick and easy ability to find members when names are not always the same or when it is not obvious which MCO they are with (something that can be more difficult than you'd think - but this is a topic for another day).

The problem with IntelliSearch is that while it makes it very user friendly for Call Center agents, it is way more taxing on the server, especially as that database grows.

Another feature of Vy Healthcare CRM is that we process discharge/authorization files as soon as they come in from the MCO. This is of course great for the MCO, our customer, and ultimately the member getting served, but it is also pretty taxing to be processing through thousands of discharges and comparing it to millions of Members in the middle of the day.

So when average page load times went from 1.2 seconds to 7 seconds in January, something needed to be done and needed to be done fast.

It was initially proposed that we need to remove IntelliSearch and that file processing should be moved to an overnight job because that is where the problem lies.

The problem with this is that it would severely impact usability and also provide worse customer service.

And therein lies the problem. For those outside of technology (looking at you CEOs and CFOs), all "tech people" seem the same. But there are a lot of different types of technology people. In a perfect world you have:
  • Developers
  • Database Administrators
  • Server Admins
  • Network Admins
  • Security Specialists
  • Project Managers
  • And of course, an Executive over all of them that understands all of this

If you have an appetite for all that, Vy Technology may not be for you (that's at least $1 million in payroll right there). Even if you can afford it though, finding and retaining is a whole other issue. So what most small and medium sized businesses do is they hire a single Network/Server Admin type, put them in an IT Director position, and turn to them to make big picture decisions. If you found that diamond in the rough that can wear all those hats and you can keep them happy, great! But if you don't have that, you can't leave operational business decisions up to the wrong type of technology person.

In the end, we went with a replicated database solution that processed the searching in one database, the discharge files in another database, and left the master database free to do everything else (at no additional cost, no operational impact, little work for the internal IT department, and in a matter of two days).

This absolutely was more work. Did it "ruin a weekend," yes. Was it the easy way out, no. But there is no doubt this was the right move to make for the business. And putting the business over the IT department is what good businesses (and IT departments) do.
Need help with keeping functionality as you grow? We'd love to hear from you. Reach Out.
896 MemberID Variation Solution
One of our core values at Vy Technology is that We Know the Difference in Being Right and Doing Right. What we mean by that is, being right is important, but doing right is far more important. When those conflict, choose doing right.

Even though most of our core values reflect what I naturally gravitate to in business, this, in full disclosure, is not one I naturally gravitate to. Out of all our values, this is one that I personally struggle with the most. I think a lot of technology personalities struggle with this. It's why it's important it's there.

Living out this value of course can manifest itself in many ways. One recent way was looking at helping a customer of ours come up with a solution because their customer didn't have the ability to provide consistently formatted data.

This story may get a little complicated so I will go ahead and call our customer Good Food Company and I will name their customer Homestead Insurance Company (neither are their real names).

A standard need for Good Food is being able to process hospital discharge files. This usually entails processing through the discharge file, comparing MemberIDs to a previously loaded eligibility file, and then proceeding on if a match is found.

This match is important because after the member has been served, the reporting needs kick in and there is a lot of metadata associated to that member from the eligibility file that needs to be reported back to Homestead.

The problem lies however in the fact that you would think the MemberIDs in the discharge file would be in the same format as the MemberIDs in the eligibility file. For most MCOs, that is the case. But for Homestead, that wasn't the case.

Now we could have rightly held firm and said, you need to get your two files to match. We would be right saying that. But that isn't necessarily doing right given the situation.

Why? Because we know that Homestead will take months to get this resolved. We know that Good Food will be missing out on revenue while Homestead sorts through that. And most importantly, we know that Homestead's members will be missing out on a benefit they very desperately need when they are at their most vulnerable.

So how does a "doing right" versus "being right" mindset solve this issue? Simple. Vy Technology proposed and then wrote an algorithm that tries 896 different combinations of MemberIDs to find a match.

So if a MemberID is 123456789-01 in a discharge file, then we try 12345678901, and 123456789*01, and 00012345678901, and 123456789, and 892 more variations. The computational impact on the server is measured in milliseconds. The coding effort was measured in 2 to 3 hours. Good Food is happy, Homestead is happy, and Homestead's members are happy.
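A sketch of this kind of variant matching, as an added example rather than Vy Technology's code: the separator and padding rules, the function names and the sample eligibility index are assumptions, and the real list of 896 variations is not reproduced here. It also shows the check a PHI system needs on top of the matching itself: when variants of one ID reach two different members, the row is held for review instead of being guessed.

```python
import re

# Assumed rule set for illustration; the production list of 896 is not published.
SEPARATORS = ("-", "*", " ", "/")
PAD_WIDTHS = (11, 12, 14)

# Constructed eligibility index: MemberID as loaded -> internal record key.
ELIGIBILITY = {
    "12345678901": "rec-1",
    "000987654321": "rec-2",
    "555000111": "rec-3",
    "55500011102": "rec-4",
}


def variants(member_id):
    """Return candidate spellings of one MemberID, exact form first, no duplicates."""
    raw = member_id.strip()
    parts = [p for p in re.split(r"[^0-9A-Za-z]+", raw) if p]
    if not parts:
        return []
    compact = "".join(parts)
    out = [raw, compact]
    out += [sep.join(parts) for sep in SEPARATORS]
    if len(parts) > 1:
        out.append(parts[0])                      # suffix dropped
    for base in (compact, parts[0]):
        out += [base.zfill(width) for width in PAD_WIDTHS]
    return list(dict.fromkeys(out))


def match_member(discharge_id, eligibility):
    """Return (status, record_key, matched_variant) for one discharge row."""
    candidates = variants(discharge_id)
    if candidates and candidates[0] in eligibility:    # exact match is authoritative
        return ("matched", eligibility[candidates[0]], candidates[0])
    hits = {}
    for candidate in candidates:
        if candidate in eligibility:
            hits.setdefault(eligibility[candidate], candidate)
    if len(hits) == 1:
        record_key, variant = next(iter(hits.items()))
        return ("matched", record_key, variant)
    # Two different members reachable from one ID: never guess with PHI.
    return ("ambiguous" if hits else "unmatched", None, None)
```

Returning the matched variant alongside the record key lets the audit log show which rewrite produced each match.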

These are the types of issues you find when doing business in healthcare. And this is the type of creative problem solving you get with Vy Technology.
Need help with creative solutions to complex problems? We'd love to hear from you. Reach Out.

On a recent visit to my alma mater, I sat in on a Machine Learning class.

It was fascinating. Being in the room with 20 or so students talking about a technology trend I have little real world experience with was a thrill.

But as thrilling as it was, and as talented and intelligent as those students were, I left the class with the words of my father in my head. He'd always say, "No one ever asked for my law school GPA two years after I graduated." The strong point that made to me as a child was that school is important, but the real world will be different.

Put another way: the theoretical is great, but the rubber meets the road in the practical.

15 years removed from the classroom, away from the field I originally studied, and after hiring many people in the technology field (and interviewing even more), I find his professional philosophy to be truer than ever.

Technology is full of incredibly smart people. No doubt about it. However, what those in technology miss too often that impacts particularly small and medium-sized, non-technology companies is a business first, technology second mindset.

If that doesn't quite resonate, simpler put: if an organization is struggling to get out of spreadsheets, machine learning is likely not the solution.

Now in full disclosure, and to his credit, the Professor made this point to his class. I believe his exact words were, "if you can solve a problem without machine learning, you probably should." But what that Professor understood is very often missed by businesses vetting technology providers. And when missed, it becomes a big part of their frustration down the road.

Instead, those vetting technology providers should ask themselves, is this a Technology first or a Business first solution?

  • Technology first asks, what is the latest and greatest?
    Business first asks, without sacrificing the objective, how can we make this the least disruptive to our workforce?
  • Technology first asks, what is everyone in the industry doing?
    Business first asks, what does this particular business need?
  • Technology first asks, what will garner the most respect of my peers?
    Business first asks, what will make the largest impact to this company's goals?

Sometimes these answers are the same. Usually they are not.

There is something great about being cutting edge, no doubt about it. But if it is incredibly expensive, it is incredibly disruptive, it takes longer than expected, and ultimately doesn't produce the desired results, there is no value in it. And providing more service value than you take in payment is the foundation of all great businesses.
Need help with a business first solution? It would be fun to discuss. Contact us.
Pillars of HIPAA
When I first started developing HIPAA compliant software I had been developing custom software for 9 years. But I had never had to develop a HIPAA compliant solution. Like a lot of things in life I figured, no biggie, I'll do some research and figure this out.

Boy was I in for a surprise how nebulous the law is and how wide the varieties of interpretations were.

This blog will feature HIPAA extensively in other posts, but today I wanted to share what came to be called the Pillars of HIPAA.

Eight of these were developed pretty early on. Five more were added over the course of the next six years.

When we went for HITRUST Certification, we were positioned pretty well with just these pillars. Yes, the Certification required us to codify a more formal IT Policy. And in no way am I saying these pillars are the equivalent of HITRUST Certification. But I do believe the 105-page IT Policy that ensued doesn't do that much more than these 13 pillars below did to secure data in a HIPAA compliant system.

  1. Encryption in Transit - all data is encrypted and transferred using a 128-bit SSL secure connection.
  2. All access is controlled by an individual username and password for every employee.
  3. Every page view and action is logged - including date, time and IP address.
  4. PHI is always hidden unless an employee purposely chooses to see it, in which case a special entry is logged.
  5. All PHI is stored in the database in an encryption at rest state - i.e. a social security number of XXX-XX-XXXX would be encrypted and stored as WhvNDTdXAPJYzWajhkXegzfX...
  6. All PHI (which is already encrypted) is stored in a separate table from other identifying information. As an example, names and addresses are stored in a separate location than Social Security numbers and Medicaid IDs.
  7. Permissions for all employees are set on an individual level using the Principle of Least Privilege - access to information is reviewed and granted on an individual level.
  8. All member related data is not accessible outside of our internal network without the use of 2-Form Authentication via Google Authenticator and a proprietary key. This conforms to algorithms specified in RFC 6238 and RFC 4226.
  9. All reports are generated with minimal information needed.
  10. The server can only be accessed via SSH/SCP - since FTP connections are unencrypted, they are not allowed on the server - SSH/SCP is more secure than FTP and SFTP.
  11. SSH/SCP access is only granted via security keys (no passwords) - thus preventing brute force attack attempts - this method is much more secure than a traditional username and password method.
  12. Our firewall only opens the following ports: 80/HTTP, 443/HTTPS, 22/SSH to the outside
  13. All versions of Linux, PHP, Apache and MySQL are long term stable (Ubuntu 18.04.x LTS / PHP 7.2.x / Apache 2.4.x / MySQL 5.7.x).

After going through HITRUST Certification for one of our Customer's systems, I would add the following four as well.

  1. Force logoff system after 15 minutes of inactivity
  2. Include warning messages on all systems (Web or SSH sessions) that inform an individual they are entering a system with PHI and their actions are monitored
  3. Implement a DLP solution for Email that includes the ability to send secure
  4. Implement annual third party penetration testing and risk assessment
Need help with HIPAA compliance? It would be fun to discuss. Contact us.