John DiMaggio, CEO, BlueOrange Compliance

CAST | February 14, 2018

LeadingAge CAST had an opportunity to interview John DiMaggio, CEO at BlueOrange Compliance. John DiMaggio is the co-founder and CEO of BlueOrange Compliance, a firm dedicated to helping healthcare providers and business associates navigate the required HIPAA and HITECH Privacy and Security regulations.

John, thanks for taking time to talk to us today. How about we start by you sharing with us a little bit about yourself and your career so far, all the way to being the CEO?

John DiMaggio: I started out with a technical background in computer science and spent the early part of my career doing software development. And then, working for an engineering firm, I saw having a business as a better offer for me, so I got my MBA in finance and then spent most of my career as a chief information officer for large healthcare organizations. So, my goal was to align and execute, you know, IT strategies with those lines of the business, and that was a very interesting experiment.

I spent a lot of time in the long-term care industry, understanding that business. And then when HITECH happened back in 2010–2011, I had the opportunity to think about how I would want this problem solved for me, if I were a CIO and was on the other side of the table. So, we built the company around those promises, of what the best way is, from an organization's standpoint, of working with a vendor or partner to help them solve this problem for them.

John, tell us a little bit about BlueOrange Compliance. What is it that you folks do that makes you special?

John DiMaggio: We help anyone who has to deal with health care information to protect their information and meet all the regulations surrounding protecting that information. So, if you're dealing with health information, there are HIPAA regulations on security, and also privacy and breach regulations; all of those come into play.

We help organizations that may not have kind of kept up with this information and with these processes. And now, with all the breaches in cybersecurity and cyber threat attacks, this becomes an issue.

We're starting to see the board of directors asking their executive team, "hey, is this going to be us next?" So there's a lot of focus on this, and sometimes organizations don't quite know where to start, right. So to get a handle on this, we come in with a very straightforward process, where we come in and we assess where they are. And the first step in this process is assessing, because that's something that's required by the regulations. If you don't assess, you can't move on from there.

We help them do a very thorough assessment, and then based on that assessment we give them a plan of, "hey, here's what you need to do first and next." Because sometimes when you do an assessment, you have a plan with a lot of things to do, and you just don't know where to start and what is important.

That's the next kind of critical thing that we do: we give them a plan, and then say, "here are items you should work on now, and here are items you should work on when you get those things done." And then we track where they are through the process, with our regular guidance calls for them. A lot of organizations are kind of light on policies and procedures, so we provide those and guide them on, "here's what they mean, here's what they are, here's how you need to get them through your organization, and get them accepted, adopted, and implemented."

Also, there are technical issues. We don't really help them fix those technical issues, but we facilitate. We tell them, "hey, you know you need to fix this issue, you know, go find some money to either get off of Windows XP or one of those other things."

We facilitate and guide, and it really helps the clients keep on track. We have regular calls, and they have agendas to work through, and we have a security plan for them. If ever there is an incident, they can prove that they're taking this seriously and making progress. So that's in general what we do; we also help with the privacy and all the privacy regulations.

Some of the guys haven't kept up with those; there was a big change with the Omnibus Rule in 2013, so we check those and all the breach regulations too. Because if there is a security incident, you need policies and procedures around that. That's all kind of at play, if there ever is an incident, to be kind of exposed whether they're doing these things in the right way.

We also help them secure their information by doing vulnerability scanning and penetration testing and all the things that come with that, and help them in those areas. We do mock audits to see how they would do if they were audited by one of the agencies, etc. So, that's in general how we do it.

What do you see as the top challenges in securing IT systems, specific to the acute care and LTPAC communities?

John DiMaggio: In general, it's the lack of resources. Most organizations, unless you're a large organization and have a chief information security officer or security team, don't really have the resources, and it's so fast moving in IT; they're busy running their business and putting out fires, and this is something that necessarily has to be done but sometimes comes secondary to running the business. So, one of the issues is resources.

The other issue is just how fast technology is moving, how fast cyber threats are moving, and all the measures and countermeasures. With that, healthcare has been kind of behind other industries in security, so that, and all of the value of information, healthcare information on the black market, kind of creates a perfect storm. So this is fast moving, and having organizations focus on that is an issue. So, we try to come in and help them move in the right direction.

So that's resources and fast-moving technology. I mean, technology is great, everything is connected, but that creates an additional problem.

You've been associated with LeadingAge CAST for quite some time now. How has your association with CAST helped you and the industry?

John DiMaggio: We have been with CAST for about 3 years, and being on the CAST mission has been fantastic. We are able to see where the industry is heading; my personal background was in long-term care for most of my career. Long-term care is a kind of different business; there are different nuances to it. It has helped us keep up with kind of where the industry is going, and meeting on a regular basis and exchanging information has been fantastic.

We have been able to meet some great people, and that knowledge of where the industry is going has helped us align ourselves to be able to help our clients in a better fashion.

How about we close with something you can share with younger executives who want to get into healthcare, or who are already in healthcare, when they look at you and say, "we want to be like John, the next CEO." What is your advice to them?

John DiMaggio: Well, personally, we found it to be a good industry that really needs a lot of help right now. So, there is a need for that on the security side; there's a big shortage of security professionals. Getting up to speed on that.

Understanding your business and its strategic direction, because a lot of folks think that this is an IT problem; it's really a risk management problem, right. So, integrating security, understanding where companies are going, integrating this into your executive team, from governance all the way down, and treating it more as a risk management problem, is something an IT guy should be doing.

So, I think if you understand those two things, and obviously you can tell where your business is going, then you can build a strategy and excel at that, and that's a powerful thing.

That's great advice, John. Thank you so much for taking time to share your wonderful insights with us. Really appreciate it; have a wonderful rest of the day.