Episode 91: HubSpot for Healthcare & Sensitive Data, with Hank Lander | A Brave New

Written by Josh Dougherty | Apr 02, 2025

Product Management and innovation enthusiast, Hank Lander, currently serves as a Group Product Manager at HubSpot, focusing on Customer Data Protections. Hank's expertise lies in launching new products and building product pipelines. Prior to his current role, he was the Director of Product at ZoomInfo and worked at multiple early-stage startups. Hank holds an MBA in Entrepreneurship from MIT Sloan School of Management and a BS in Computer Science from Georgia Institute of Technology.

In this episode, Josh and Hank have a conversation about HubSpot’s Sensitive Data Management functionality and how it enables healthcare organizations to store and leverage protected health information (PHI) in marketing while staying compliant with HIPAA (the Health Insurance Portability and Accountability Act). You’ll want to listen whether you want a high-level understanding of the functionality or are interested in the nuts and bolts of how it works. Josh and Hank cover both.

What you’ll learn about in this episode:

  • How HubSpot’s Sensitive Data Functionality works
  • How it enables healthcare companies to leverage new marketing functionality while protecting PHI
  • How it enables healthcare organizations to securely store and handle PHI
  • How this data can then be leveraged to personalize marketing to whole new levels
  • How sensitive data like PHI is segregated from the rest of the database
  • How access control is managed
  • What audit trail capabilities exist within the functionality
  • What encryption methods are leveraged
  • What resources HubSpot and its partners offer to help healthcare companies implement the functionality
  • What new product rollouts are upcoming for the Sensitive Data Management product

Legal Disclaimer: None of the information shared in this episode should be construed as legal advice or counsel. Josh and Hank are not legal experts and any claims made regarding PHI or HIPAA are purely opinion and should be verified by legal counsel.


Transcript

Josh Dougherty:
Welcome to A Brave New podcast. This is a show about branding and marketing but, more than that, it's an exploration of what it takes to create brands that will be remembered and how marketing can be a catalyst for those brands’ success. I'm Josh Dougherty, your host. Let's dive in. 

Hello, I'm so happy to have you along with me today. In this episode, we're going to talk about something a little bit different. We're going to talk about marketing platform. I know, typically, we're talking about branding, branding strategy. How do healthcare organizations build a bold and memorable brand? But it turns out that having the right platform is what often enables you to bring that brand to people. And, specifically, we want to talk about how to bring that brand to patients in a differentiated, personalized way. And if you're in the healthcare space, you know that communication with patients comes with regulatory requirements through HIPAA.

And so, I have the pleasure today of bringing in HubSpot's Hank Lander. He works on the customer data protection team, and we're going to do a deep dive into HubSpot's sensitive data functionality. I think this functionality does an amazing job of marrying together HubSpot's best-in-class user experience with the security that you need to make sure that you're complying with HIPAA, you're protecting your PHI. And so, I’m excited to have them walk through both at a high level how it works but also some of the nitty-gritty details.

But before I bring him on, I also want to offer a disclaimer that neither Hank nor I are lawyers or risk experts. And so, anything we say here is meant purely to inform you, but you're going to want to clear any claims that we've made, any of the conversation with your legal team, with your risk team, you're going to want to do your own evaluation to make sure that this set of functionality through HubSpot complies with the needs that you have as an organization. So, with that disclaimer out of the way, I'd like to welcome Hank in. Hi, Hank. It's so great to have you on the show today. Thanks for joining me.

Hank Lander:
Oh, thank you for having me on. I'm really excited.

Josh Dougherty:
Awesome. Well, before we dive in, I'd love to have you share a little bit about your story. Can you tell me a little bit about your career path, where it's taking you over the years?

Hank Lander:
Yeah, so I don't think I'm super unique in this, but after I graduated college, I had no idea what I wanted to do. And I tried a few things, joined a couple of companies, and just nothing felt right. And then, I started learning about entrepreneurship and kind of the art and craft of starting and running a business. And I just fell in love with that and went to grad school, I specialized in that. Then, I joined a few startups. Some of them I think the less said the better, and then others were a little bit more successful, but I was hooked and it was kind of love at first sight kind of thing. And then that's what led me to HubSpot. I really fell in love with their mission of helping millions of organizations grow better.

Josh Dougherty:
Awesome. Tell me about, I think you said you've been at HubSpot for around eight years. So, tell me a little bit about what you've done there and where your main focus areas are today.

Hank Lander:
Yeah, so I've been really fortunate in that HubSpot has given me a lot of opportunities to bounce around within the organization. So, all of my roles have been within the product management org, but I started, actually, in our FinTech group helping with some of our financial tools. And then, I worked in to our flywheel team. And, really, what that does is almost like an internal consulting where we as a company sell SMB product, but HubSpot, the company, is a much larger enterprise. And so, we kind of filled the gap between what we sell to products, or excuse me, to external customers and what we needed for our own internal marketing or sales operations.
And so, that was a really interesting role. I did that for a fairly long time. And then now, most recently, I'm sitting within customer data protection. I know that sounds like a bit of a mouthful, so let me give you a little bit more context there. So, at HubSpot, we really believe that we want our products to be as simple and easy to use as possible. And as part of that, we don't want you to really have to hire a full-time administrator to operate your HubSpot portal. And so, what that means in the data protection security space is that we really have to make it as seamless, as easy as possible to get those go-to market people back to doing their day job and what they really love doing and not so much the administration of a portal.

Josh Dougherty:
Awesome. Yeah, I think that's super important and I think that's something that we've heard over the years. Having worked with HubSpot for a long time, people love working with the portal or with, I mean, now the suite of products, right? Because a little bit of training you can be pretty dangerous about getting stuff done in-

Hank Lander:
Hopefully dangerous in a good way.

Josh Dougherty:
Yeah, in a great way. I mean, that's what I mean positively, but many things like it's an easy system to learn with deep complexity about how to be able to configure things. So, I think it's the real strength of the platform. And I'm excited to talk with you today because I mean, specifically, because you're in that customer data protection area. Because we want to talk about something that's really relevant to the healthcare clients that we serve as an agency, which is HubSpot sensitive data functionality. And so for a long time I've had customers kind of clamoring for, "Hey, we'd love HubSpot to be able to handle HIPAA-compliant data so that we can actually, and PHI, so that we can use it, but we can't do that." So now, obviously, you have a solution to allow people who have HIPAA issues, who have private data to be able to use the platform, but I'd love to hear you explain a little bit before we get into the details, we're going to get into the nitty-gritty. Why did HubSpot decide to go into the space now and build a solution around this?

Hank Lander:
Yeah, I think that's a great point. We didn't just jump into this market. We took our time and to let you in on some of the discussions behind the scenes. Going into regulated industries was actually out of scope for a long time within HubSpot. It was a strategic decision not to go into these types of markets. And what we really learned is that we kept getting a lot of people similar to the prospects you mentioned saying, "Hey, we're interested in HubSpot, we really love a product like this." And we decided, okay, I think the timing's right now, I think we can make this a really valuable product and not make the core offering of HubSpot weaker by trying to go into this space. We actually felt like we could bring what makes HubSpot awesome to these industries.
And I know that seems a little nuanced, but for us, what is really important is providing that awesome experience and making sure we're doing it at our level of quality for the healthcare industry. And we started slow. We didn't go in saying, oh, we're going to be HIPAA or we're going to go for HIPAA enablement on day one. We went with a very small rollout. We said, okay, we're just going to make properties. Let's see if we can just encrypt properties and see if there's value there. And then slowly kind of built out the functionality where I think now you can run most of your, let's say marketing operations — if you're in a regulated healthcare industry — through HubSpot and have a top-notch experience.

Josh Dougherty:
Amazing and all without compromising, I think the user-friendliness of HubSpot that has been a class or a keystone of the product since day one.

Hank Lander:
Yeah, absolutely. We didn't want to lose out on what makes HubSpot HubSpot trying to ... I think you get yourself into trouble sometimes if you just chase revenue and then you end up with a cobbled spaghetti software because you've made this decision, oh, I need to add this complexity for this customer or that complexity for this one. And then you have buttons and toggles and all kinds of things everywhere because you're trying to help serve every type of possible persona out there. And for us, we wanted to take a much more intentional approach and really keep that at the forefront of what we're trying to do.

Josh Dougherty:
Excellent. I love that. It's one of the reasons that we love HubSpot as an agency. I'd love to dive into now talking about the platform, and I'm going to repeat what I said in the intro as well here. Keep in mind, listeners, that myself and Hank are not legal experts. We will share with you about how this, I mean, Hank's really going to do this, share about how the functionality works and how things are set up within the platform. But really encourage you, as you're vetting this out, you need to do your own due diligence and your legal due diligence to make sure that stuff will work for you and that it matches the needs of your organization. And so, legal disclaimer done, but let's dive in. Can you share with me a little bit about the basics from a high level? How does the sensitive data functionality work inside of HubSpot?

Hank Lander:
Yeah, so from a super high level perspective, you open up your normal HubSpot portal, you go to your privacy settings, and then from there you can just toggle on turning on sensitive data. What's happening behind the scenes when you do that is that we now enable you to create encrypted properties and you can now store, let's say additional things that weren't originally agreed upon in our terms of service, but now you can start storing them there within our product. And then also for added benefit, you can also start including sensitive things in engagements, like notes, meetings, etc. to really add to the oomph and power of what we're doing there. But all that is happening under the hood. From a user's perspective, other than creating those special properties where you're intentionally saying, hey, I'm going to store sensitive data here, it's the same user experience as you would use everywhere else. So, to me, that's really the awesome thing is that a lot of things are happening behind the scenes, but from a user's perspective, it's just a toggle.

Hank Lander:
Which is pretty straightforward.

Josh Dougherty:
Yeah, that's pretty cool. And makes it simple, right? So, let's talk about the healthcare vertical then. How are you seeing healthcare companies leverage this sensitive data to fuel their marketing and communication efforts? So, they're toggling stuff on, they're setting up their properties, but then what's the output that you're seeing so far with organizations?

Hank Lander:
Yeah, what has been really cool to me is that before going into the space and really learning a lot more about the healthcare industry, I always felt like healthcare marketing campaigns were just different than let's say a startup’s marketing campaign. And I feel part of that was maybe constraints in terms of data and things like that, but they weren't super targeted, they weren't super personalized. And I think what I've started to see, and what's been super exciting to me, is now I'm getting marketing managers at some of these healthcare companies. We're running campaigns just like let's say your top-notch Silicon Valley startup would run a marketing campaign. And that is super cool to see from an outsider's perspective where they're starting to talk about it, not necessarily in the go-to-market terms a startup would, but they're starting to think about how does our conversion funnel look like?
What are the data or the metrics we'd really want to put around this? And really being able to apply those best in breed marketing principles to the healthcare industry. I think this is super relevant now because from what I hear from talking to these folks is that the healthcare industry has really changed since the pandemic, and no one thinks it's going to go back to how it was before. And so most of these operations are having to run much leaner due to the impacts of the pandemic. And so, because of let's say more constrained budgets, they're having to do more with less. And I think one of the areas of investment has been marketing operations to improve that function to make sure they're bringing in more predictable cash flow to the business and are able to operate at a different level than they were prior to the pandemic. I'd be curious, I know this is your industry, is that something you've seen as well?

Josh Dougherty:
I think that's something I've seen. There is really a lightening of, I mean for good or for bad, there's a reducing of how many people are tackling problems inside of organizations today in marketing teams. I think the other thing that's interesting, I was reflecting on your comment about before you maybe get this overly general marketing campaign, and it wasn't born out of not having a desire to be personalized or a desire to do something that was maybe more responsive to the specific, if we're a patient, you or I were a patient. I think most organizations would love to do something that's responsive to our specific situation, but without the unification of data between the EHR and the marketing platform, it's really difficult to do and then you're left doing maybe more generic, hey, do your sign-up for your annual exam or do this sort of thing, but it's not specific to the individual and the individual's needs. So, I mean, you've kind of touched on two key points. Yeah.

Hank Lander:
No one wants another one of those emails that say, click on this to view your MyChart.

Josh Dougherty:
Exactly.

Hank Lander:
That's not a compelling, let's say, campaign, to get you to do whatever that marketer's trying to do.

Josh Dougherty:
Exactly. Yeah. So, I'd love to hear, speaking of that personalization, the ability to send out a more responsive campaign to the specific needs of a user. How does HubSpot's platform enable healthcare organizations to unify that patient data from various sources while staying in compliance with HIPAA regulations?

Hank Lander:
For us, what is one of our selling advantages, let's say of HubSpot, is that unified customer platform, as you kind of mentioned. And for us, it's critical to get all the data in together so we can create that unified perspective. And so, what we do today is really enable companies to pull in the external sources that may have the information they want to be able to write those personalized emails, whether that is coming from an API or from an integration to connect to the EHR. So, from that, once it's into the HubSpot system, then we allow you to pull it all together and then create that personalized experience.

Josh Dougherty:
Cool. Yeah, that makes a lot of sense. Can you now maybe dig a little bit into that secure storage and handling of that PHI, maybe the safeguards in place or some of the safeguards in place to allow you to securely store and handle that info?

Hank Lander:
Yeah, so we take security really seriously. The last thing I want is to be on the front page of any newspaper saying in breach of HIPAA. That would be my nightmare scenario. So, with that in mind, really we try to do encryption in the safest way possible that would protect that sensitive information. So, the techniques we use is we use a unique rotating encryption key to ensure everything is stored safely within the account, and then in the unlikely event that there's a breach, that means the bad actor wouldn't be able to take everything.
They'd only be able to take bits and parcels of the information, and they wouldn't really be able to do anything too malicious with it because they wouldn't have the full data set. We also have created a really robust audit trail system to make sure we monitor that the people who are accessing the data are the people who should be accessing that data, both from a customer's perspective, but also from a HubSpotter perspective and making sure that we don't have any, let's say malicious or unintended people within our organization that are able to access sensitive information. And so we're kind of taking a two-pronged approach there in terms of really ensuring that we're providing a best-in-class safety mechanism for all this data.

Josh Dougherty:
Nice. So, I think we've talked a little bit about high level and how this works, what security looks like. I'd love to get into maybe transitioning into talking more nuts and bolts about specific elements of the platform. Obviously we don't want to get too technical, but I know people in this space are ... I mean, it's a technical issue no matter what. And so, I wanted to spend some time talking about some specific issues. And the first one I'd love to chat about is maybe the specific measures that HubSpot's implemented to ensure the platform’s compliance with HIPAA standards. We've talked a little bit about this already, but are there any other specifics that you would bring up?

Hank Lander:
Yeah, I would say, as you've kind of mentioned a couple of times, consult your attorney friend or your risk officer here, but HubSpot really just provides the tools to enable you to be HIPAA-compliant. So, just clicking the flag that says, hey, I'm a HIPAA entity, doesn't magically make everything HIPAA-compliant.

Josh Dougherty:
No doubt, no doubt.

Hank Lander:
But in terms of what we are doing, it's all about the minimizing access, the enabling encryption, and then providing strict allow lists. And then we also complement that with a BAA. Let me give a plug to my security enablement friends. You can read all about the details at trust.hubspot.com. That's our trust center, and there's a lot of information that you can go over there if you're concerned about how you can use HubSpot to be HIPAA-compliant.

Josh Dougherty:
Great. We will include that link in the show notes as well. So, if you didn't catch trust.hubspot.com when either of us said it, you'll be able to find that afterwards in the notes as well with a link there. Let's dive into then about data segregation. How are you segregating the sensitive data from the rest of the user data?

Hank Lander:
So, from the user experience, it all hooks together and that is super important to us. It shouldn't feel like you have two classes of data when you're using the tool. It should feel like one class of data. On the backend, we're doing a lot more things to protect the data, and that's where all that encryption comes into hand. And not to go into too much technical detail, but we are making sure that all the things around HIPAA, around aggregation, and all that stuff are happening on a compliant level to make sure we're giving you all that best-in-class security and that, but layering that with a best-in-class experience as well.

Josh Dougherty:
Yeah, absolutely. So, I know another thing about managing PHI, managing sensitive data, is about who has access to it. So, let's maybe chat about how HubSpot ensures that only authorized personnel or the right people have access to that sensitive data. What's the approach there and how can clients control access?

Hank Lander:
So, we take a combined approach here where we both look at the user permissions, whether that is a person logging into their HubSpot portal or a HubSpotter themself, and then layer that on top of a tool access management system. So, this means that only the people that have access and a tool that has access should be able to view sensitive information. If somehow one of those doesn't marry up, then you won't be able to view it. And so, that's really that two-pronged approach is how we're ensuring that the right people are being able to view the information and not that you could accidentally see sensitive data by just clicking through on a contact record or something.

Josh Dougherty:
Nice. And I think, I believe, you also have click to decrypt on certain highly sensitive data pieces. How does that work?

Hank Lander:
Yeah, so this is less about HIPAA, but for, let's say, if you had financial information or wanted to store social security numbers. For us, we suggest a higher level of protection. And so we've created a thing called highly sensitive data, and essentially what that means is if you create one of those properties, you can't actually view the value of that until you click it, and that creates an extra audit log to ensure that extra layer of protection that the right people are able to view this, but no one else is able to view those data points.

Josh Dougherty:
Absolutely. Cool. That's very smart. Let's talk about audit trail because I know that is another piece that happens. How does HubSpot manage an audit trail? How in depth is that audit trail?

Hank Lander:
We take auditing pretty seriously. We've gone to the layer of granular entity that every time a user and or a tool decrypts data in any way, we record that. And so, we have a very lengthy trail. And our whole goal here is to really provide that granular level of sensitivity and ensure that, in the worst case scenario, if something went wrong, we'd have a very good list of things that were done and could remediate that situation as quickly as possible to ensure that it didn't proliferate throughout the account.

Josh Dougherty:
Great. I'm going to keep going through my list. This is kind of rapid fire questions to Hank to get through stuff, but I think super helpful stuff. I thank you for going into depth on each of these. Can you discuss the encryption methods that you employ to protect the sensitive data, both at rest and in transit? How are we making sure encryption is happening accurately throughout?

Hank Lander:
A hundred percent. So, by default, all data stored in HubSpot is encrypted in transit using TLS 1.2 or 1.3, and then at rest using AES-256. When you turn on that sensitive data toggle, we add in an additional app layer encryption using AES-256. This is what provides that unique encryption key for each account and that’s a lot stricter access control than you would have with just non-sensitive data. I don't want to reveal too much more because I don't want to give the keys to the kingdom here, but yeah, there's a multi-pronged approach there as well with the encryption.

Josh Dougherty:
Absolutely, and totally. We can't enable bad actors too much with this conversation. We just want to make sure people know where stuff is.

Hank Lander:
My goal is never to be on the front page of a paper.

Josh Dougherty:
Exactly. It's a very enviable goal. It's something maybe people can live by to a certain extent. Let's talk about resources and support then. Moving on from kind of technical, what type of resources and support do you offer healthcare companies to ensure that they can properly implement? Because it's one thing to have the features and functionality, it's another thing to know how to implement correctly.

Hank Lander:
I think there are two approaches that I've seen really common when it comes to implementing sensitive data at healthcare companies. In particular is one going the partner route, which I highly suggest. They're going to have expertise in this, they're going to know how to use this and they can walk people through this process. The other one is if you want to go the do-it-yourself route, let's say we have tons of knowledge-based articles, academy classes, we have implementation guides, and then as I mentioned earlier, we have the trust center that are all super useful tools to get people started.

Josh Dougherty:
Excellent. So, a little bit of DIY, for lack of a better word, or you can work with someone who's going to have that expertise. Smart. Let's talk about upcoming enhancements. I think we've gotten through the technical side of things and we can maybe share a little bit. I'm sure you have lots of things in the pipeline, but I guess my first question is are there features enhancements in the roadmap? And then, can you share a little bit about some of the ones you're excited about?

Hank Lander:
Yeah, so one of the ones I'm excited about hopefully is going to go into private beta next week. We'll see.

Josh Dougherty:
Nice.

Hank Lander:
We're running out of hours on a Friday afternoon. It is called scanning. And so what we do is or what we heard from customers is they want to make sure they're protecting all the potentially HIPAA information within their portal or just sensitive data that they don't want to see in their portal. And right now, that's really hard to do. We know that as much as we love some of our agents and reps, they may have taken a note and put something that probably shouldn't have been in that note, et cetera, et cetera. And so, with this detection tool, we're able to scan the portal and you can see, oh, these are all the things that you may want to take a closer look at because it could come into the HIPAA territory or could have, let's say, banking information present with your portal. And then, we're going to hopefully do a fast follow up and then allow those administrators to then redact that information so that if you don't want it there, you can clean it out and you don't have any concerns or risks that that data leaked out there into the wild.

Josh Dougherty:
Awesome. What does the products rollout plan look like for new features going forward? So, that's one piece. I think there might be other elements, but what does product rollout typically look like as you're rolling out new features?

Hank Lander:
Yeah, that's a great question. So, as I mentioned with scanning, it sounds like, oh, that's obvious. You just talk to customers in the building. Unfortunately, it's not that simple, which I guess in some ways it's great, it gives me a job. But, a lot of research goes into what we should build. Is there data to indicate this? Is this qualitative research that kind of indicates that this is going to be a good feature? And we are in the, excuse me, enviable position where we have a lot more ideas than the things we can actually build. And so we have to be super selective because what I don't want to do is build a ton of features half-baked, because then it makes for a worse experience overall. And then you feel those paper cuts over time and then it just doesn't add value.
And so for us, it's about going really deep in super focused areas and testing that. So, we use a methodology called RAT, which sounds kind of scary, but it really means Riskiest Assumption Tests where we want before we release a feature to everyone, we want to make sure that we're validating the assumption that we had before we release that feature. And from there, then we can say like, okay, cool. We're seeing the qualitative inputs, we're seeing the data, and then we are able to prove out that yes, hypothesis was correct. All right, it's met that quality threshold, let's release this to GA, or sorry to general availability, GA as we say in our terms. But yeah, it goes through a pretty rigorous process. It's not just the wild west where we're just shipping features right and left.

Josh Dougherty:
Yeah. Awesome. Well, thank you so much for giving us a little bit of a view into the back end from a technical perspective about how you approach product development and, ultimately, I think how this really valuable feature set for HubSpot clients works. I know this is something we get questions about a lot as an agency, so I think it'll be a really valuable piece to share. And to close out our conversation, I would really love to ask you a question I ask everyone, can you tell me about what your superpower is? What's that thing that you put on your cape and say, yeah, this is where I shine?

Hank Lander:
I really wish I had a cool superpower like flying or indestructible strength or something like that. But sadly, mine is much more of let's say, human or mortal. And that for me it's curiosity. I just love learning about things. And I was a tinkerer as a kid. I would pull things apart, try to rebuild them, sometimes less successfully than others, but it was that curiosity. And that has really, really served me well. I am in most things a shy person, but when it comes to asking questions for whatever reason, I don't have that block.
And so for me, it's about being able to ask people questions, asking them, how does this work? What is that workflow? Why do you do it this way versus that way? And to me, that's what allows me to really empathize with that person and then build a better product or a better feature to meet their needs and meet them where they're at. And it just gets me excited to dig below the surface and see what is that root problem versus maybe that symptom that you heard when it was first being described to you. And that’s just what brings me joy and gets me excited about waking up and going to work every day.

Josh Dougherty:
Yeah. I mean, I was smiling as you were talking because I think that's similar. Our day-to-day work here is to work on developing brands. And that's why I love doing that work too, that there's always another big question to ask to unpeel and understand more, which leads I think, to a better brand and from your perspective, leads to a better product. Because without curiosity, how do you improve something that's already maybe working well? You’ve got to be able to ask those questions underneath the surface.

Hank Lander:
100%.

Josh Dougherty:
Great. Well, Hank, thanks so much for the time today. I really appreciate you coming on sharing some of your expertise and your knowledge here. What's the best way for people to stay connected with you if they're interested in following along or catching up?

Hank Lander:
Yeah, the best way to get in contact with me is through LinkedIn. I try to respond to all the messages that come in. So, please send any questions or thoughts my way. Love to hear from you.

Josh Dougherty:
Great. And we'll include a link to Hank's LinkedIn inside the show notes as well if you're interested in having a further conversation with him around stuff. And from there, we'll just close out. Thanks so much for being on the show today. Really appreciate it.

Hank Lander:
Thank you so much for having me.

Josh Dougherty:
Thanks for listening to this episode of a Brave New podcast. Go to abravenew.com for more resources and advice on all things brand and marketing. If you enjoyed this episode, show us some love by subscribing, rating, and reviewing A Brave New podcast wherever you listen to your podcasts. A Brave New podcast is created by A Brave New, a brand and marketing agency in Seattle, Washington. Our producer is Rob Gregerson of Legato Productions.