Today’s healthcare security threats demand new solutions. As more and more organizations move toward the cloud and clinical transformation accelerates at a breakneck pace, keeping track of where sensitive data resides becomes increasingly difficult, putting increasing pressure on data security teams. No matter how robust your organization's security stack is, vulnerabilities to intrusions still exist. According to a recent Identity Defined Security Alliance (IDSA) report, approximately 95% of security breaches are identity-related. Strong identity security is no longer a “nice to have” solution. It is essential.
Matthew Radcliffe, AVP, Healthcare, SailPoint
Shahid Shah, Publisher and Chief Editor, Medigy.com
Shahid N. Shah: Welcome back, health impact audience. We had a great session this morning, in which we started to discuss the idea of how best to apply maybe a methodical, disciplined approach to innovation, so we don't over-invest in areas that are not useful and then under-invest in areas that are more useful. Related to that topic, I'm really excited to have Matthew here from SailPoint to really talk about one area of innovation that we sometimes do under-invest in to our own detriment, and that is cyber security in general but, more specifically, identity and access management.
Identity and access management is of course the part of cyber security which is arguably the most important, as well as the thing that an end user can regularly see and interact with. And we say arguably the most important because you have things like encryption, you know, encryption in transit, encryption in storage and those kinds of areas, but those aren't things that end users can see. When an end user has too many logins, they get upset. When an end user has too difficult an ability to get authorized for the things that they want to use on the Internet or in an application or at a hospital, they get upset.
And so things like single sign-on, shared sign-on, identity and access management, these are all topics that are mattering more and more as things go into the cloud and more and more integrations are done.
So that's why it's a very, very important topic. The speed of your innovation and your ability to deliver it is directly related to how well you can solve your cyber security problems, to go through an audit and make sure that you have a secure system. So with that, let me let Matthew introduce himself, tell us what you do at SailPoint, and we'll take it from there.
Matthew Radcliffe: Yeah, thank you. So, Matt Radcliffe, I'm the area Vice President for the healthcare business here at SailPoint. Actually just celebrated my 10 year anniversary with the company, so it feels like, you know, a third of my life at one company, but I've been in the identity security space and health care for almost 30 years, so definitely have seen an awful lot in this world and in this vertical, and definitely an interesting two to three years more recently, right? So really great to be here and excited for our conversation.
Shahid N. Shah: Now I know most welcome here. We love getting experts who have been in the business doing this stuff for hundreds of years, so that's good to know. But now let's start off with just the last couple of years: we've noticed that technologies and implementations that took a while to get implemented very quickly got implemented, which meant arguably that perhaps we skipped some important steps, or perhaps we used to be very slow and we just got somehow faster.
Which one do you think it is? Were we skipping any important cyber security or other identity and access management steps in order authorized like telehealth and these other tools that we got to use quickly, and, if so, how have you seen customers adapting to that?
Matthew Radcliffe: Yeah, so, yes and yes, and let me touch on something you actually said at the beginning about single sign-on, right? Historically, if you talked about cyber security and access in health care, we kind of jumped to this conclusion of: hey, I got to make the doctors and nurses happy, I've got to reduce their sign-on, and we enable them with some really great cool technology, something that reduced passwords, made it easy to jump onto a shared clinical workstation and not have to enter username and password.
But I always try to get CIOs and CTOs to kind of pause for a second, step back and think about what we're doing when we do that. If we don't already know what they have access to, we're really enabling them with a tool of convenience to perhaps do something that was inappropriate, just in a more efficient way. I think the last three years, identity in health care greatly accelerated because, frankly, COVID put a spotlight on some major gaps in healthcare. We first, if you think about all the critical care needs that route, their healthcare organizations had to rapidly transfer thousands of nurses,
34
00:05:08.790 --> 00:05:16.680
Matthew Radcliffe: onboard hundreds and, in some cases, thousands of additional clinical staff and even volunteer physicians.
35
00:05:17.130 --> 00:05:25.710
Matthew Radcliffe: and rapidly give them access, all while they were doing this in a very manual way because that's what they were used to, a small IT team.
36
00:05:26.280 --> 00:05:32.640
Matthew Radcliffe: Giving the access they need on day one to go off and treat patients, and they were manually creating accounts.
37
00:05:33.090 --> 00:05:43.050
Matthew Radcliffe: All of a sudden this rapid influx, this rapid need to provide critical patient care showed that, hey, we have some really kind of weak or
38
00:05:43.440 --> 00:05:51.420
Matthew Radcliffe: In it, you know outdated processes, we need to find a way to automate a technology that would allow us to quickly and rapidly.
39
00:05:51.900 --> 00:05:59.760
Matthew Radcliffe: onboard new clinical staff or transfer staff one unit to another and give them the appropriate access they needed.
40
00:06:00.210 --> 00:06:09.180
Matthew Radcliffe: And now, as we hopefully come out on the other side of COVID, now they've got a whole nother problem: how do we terminate this access that we rapidly onboarded.
41
00:06:09.510 --> 00:06:18.390
Matthew Radcliffe: And how do we unleash this not of making sure that we're still compliant with HIPAA and other healthcare.
42
00:06:19.050 --> 00:06:27.450
Matthew Radcliffe: Regulatory demands, right? So, you know, the last few years have definitely been exciting in our world because they've now prioritized.
43
00:06:27.930 --> 00:06:36.870
Matthew Radcliffe: Identity security. They're looking for ways of automation and, oh, by the way, the industry is stagnant, it's moving forward in a very rapid way.
44
00:06:37.350 --> 00:06:50.220
Matthew Radcliffe: A lot of M&A activity, a lot of cloud transformation too. Now they're trying to do even more with these small IT teams, so the need for automation is really that much more important.
45
00:06:50.640 --> 00:07:07.440
Matthew Radcliffe: So, although they had processes in place before, the fact is they weren't all automated, and now they realize they've gotta create some better security programs that allow them to build automation around managing access to patient, you know, applications and the patient data.
46
00:07:08.430 --> 00:07:19.320
Shahid N. Shah: So what do you think, Matt, about walking into a health system, looking at what they do and saying, oh my goodness, these guys are ready for automation, they're right for.
47
00:07:20.280 --> 00:07:31.050
Shahid N. Shah: Implementation of solutions like a SailPoint or a variety of other of your compatriots in that sector. So what could you tell healthcare executives to say, look.
48
00:07:31.440 --> 00:07:44.100
Shahid N. Shah: If your IT teams take N number of days to do identity or Y number of hours to do XYZ, what are some of the symptoms of not having things automated that can easily be automated today with modern tooling?
49
00:07:44.730 --> 00:07:50.340
Matthew Radcliffe: Look at this is, I had never seen this kind of quality use case.
50
00:07:51.570 --> 00:07:57.000
Matthew Radcliffe: The more important to a healthcare organization than today and it actually has to do with employee satisfaction.
51
00:07:57.510 --> 00:08:06.510
Matthew Radcliffe: We had several customers in the last couple months acquire SailPoint because nurses quit on day one, because they didn't have the access they needed to go off and treat a patient.
52
00:08:07.440 --> 00:08:17.550
Matthew Radcliffe: So, more than ever, identity security is actually being leveraged as a tool to provide what they call their customers, right, their customers are their nurses and their doctors.
53
00:08:18.240 --> 00:08:26.760
Matthew Radcliffe: satisfaction that they have a confidence that the day they join the organization, they have the right, access to go and treat a patient, which is really what they care most about right.
54
00:08:27.330 --> 00:08:38.070
Matthew Radcliffe: So if, first and foremost, you're struggling, it's taking days and weeks, which is very common in healthcare, to onboard clinical staff, to give them the access they need to treat patients.
55
00:08:38.460 --> 00:08:48.900
Matthew Radcliffe: If you're waiting on that learning management program to kind of, you know, when you need access to an Epic, Cerner, Meditech, there's required learning that you have to complete before you get that full.
56
00:08:48.900 --> 00:08:49.680
Shahid N. Shah: access.
57
00:08:49.980 --> 00:08:54.600
Matthew Radcliffe: If that's lagging behind, and that process to connect the completion of learning.
58
00:08:55.020 --> 00:09:03.480
Matthew Radcliffe: To, hey, I'm a nurse in an emergency department, I need this specific access, that process is lagging.
59
00:09:03.870 --> 00:09:12.420
Matthew Radcliffe: Then yeah, that is where identity security can definitely help and alleviate a major gap, and on the other end of that, the termination process.
60
00:09:12.870 --> 00:09:21.660
Matthew Radcliffe: This is just as important as the onboarding process, that when someone leaves the organization, that access is immediately terminated.
61
00:09:22.110 --> 00:09:28.380
Matthew Radcliffe: and identity left behind, is that identity that creates a risk and a security posture of the organization.
62
00:09:28.800 --> 00:09:46.800
Matthew Radcliffe: And remediating that access the day they leave the organization is just as important as that day one onboarding, so that remediation process is also lagging, either it's not happening at all or it's taking weeks to remediate that access, that's another, you know, great.
63
00:09:47.850 --> 00:09:52.110
Matthew Radcliffe: that's another symptom that you've got a great need for an identity security program.
64
00:09:52.320 --> 00:09:58.890
Shahid N. Shah: And so, when you think about automation, Matt, you're saying that if I were to join as a nurse at a hospital.
65
00:09:59.190 --> 00:10:07.980
Shahid N. Shah: And I have to be onboarded onto 22 different systems, which might not be too high, by the way, and it's fairly reasonable to believe dozens of systems have to be activated.
66
00:10:08.790 --> 00:10:24.990
Shahid N. Shah: you're saying that the tool sets do already exist to allow that to happen in minutes, not hours, days and certainly weeks, and if so, what's holding people back from implementing? Is it a lack of knowledge that these kinds of systems are automated, or is it something else?
67
00:10:25.290 --> 00:10:31.920
Matthew Radcliffe: Yeah, that's a great question. I just gave this exact talk at a recent healthcare conference.
68
00:10:32.370 --> 00:10:43.770
Matthew Radcliffe: I think, you know, if you look at data in the past around identity security programs or healthcare-based IT programs in general.
69
00:10:44.610 --> 00:10:52.770
Matthew Radcliffe: There was a study, many years ago, by the University that essentially showed that almost 70% of healthcare IT projects fail.
70
00:10:53.220 --> 00:11:03.060
Matthew Radcliffe: And when they dug into the whys behind it, a lot of it had to do with the technology really not solving a problem through the lens of a clinical caregiver.
71
00:11:03.450 --> 00:11:10.050
Matthew Radcliffe: they're solving a security problem but they're creating friction between clinicians and the IT or security department.
72
00:11:10.650 --> 00:11:20.250
Matthew Radcliffe: And, in fact, if you look at similar statistics in today's environment, the statistic is almost the same, it's about a little over 60% now of healthcare IT programs fail.
73
00:11:20.610 --> 00:11:28.530
Matthew Radcliffe: And I think because still a lot of technologies do not solve these problems through the lens of hey what's the impact on clinical care.
74
00:11:29.070 --> 00:11:38.880
Matthew Radcliffe: So as an example of one organization, we've invested over the last five years in what we would call true data science, high level, how can you leverage an AI-like technology.
75
00:11:39.210 --> 00:11:49.530
Matthew Radcliffe: To reduce the friction between clinicians and IT and security. One great example is what we're always asking a clinical manager to approve access request.
76
00:11:50.160 --> 00:12:00.990
Matthew Radcliffe: Why? I hear CIOs say, time and time again, hey, my nurses and doctors are really great at treating patients, they're not very good at making IT decisions, right, security decisions. So why am I asking them to do that?
77
00:12:01.590 --> 00:12:10.710
Matthew Radcliffe: But we're looking at ways of leveraging data science to either make that decision on their behalf, because of the data and the patterns that we understand in terms of.
78
00:12:11.010 --> 00:12:22.680
Matthew Radcliffe: Think about peer groups, RNs getting similar access, all NICU nurses getting similar access, all ED physicians getting similar access, we can recognize these patterns.
79
00:12:22.950 --> 00:12:31.050
Matthew Radcliffe: So when someone goes and requests access, if I know that someone falls in a peer group and that access request is consistent with the security policy.
80
00:12:31.350 --> 00:12:35.160
Matthew Radcliffe: I don't even, I don't need to interrupt someone's day from treating the patient to.
81
00:12:35.490 --> 00:12:46.590
Matthew Radcliffe: To approve that access request, and the opposite of that, if the nurse is asking for something that only 1% of other nurses that look like them in terms of role.
82
00:12:47.010 --> 00:12:52.650
Matthew Radcliffe: Have that access, and I should automatically, you know, deny that access request or terminate that access.
83
00:12:53.040 --> 00:13:07.740
Matthew Radcliffe: So we want to leverage new capabilities, data science, to reduce that friction between clinicians and IT security, right, and we believe, if we can do that, we can have greater success in an identity security program, specifically in a healthcare setting.
84
00:13:08.340 --> 00:13:24.870
Shahid N. Shah: No, I love that. So using machine learning and, you know, we'll call it AI just because it has a word, using machine learning and AI to learn how approvals are made is a great way to automate, so I love that. Any other examples of.
85
00:13:24.960 --> 00:13:27.240
Shahid N. Shah: Of what you guys could do to help automate.
86
00:13:27.570 --> 00:13:35.760
Matthew Radcliffe: Yeah, so look, another great analogy. I met with a CIO the Lord Jesus Christ health system right before the COVID lockdown, right.
87
00:13:36.240 --> 00:13:42.990
Matthew Radcliffe: And, and when he walked in my when I walked into his office I get how he is all you already looked a little frustrated I have you talked to him, yes I knew it wasn't me.
88
00:13:44.280 --> 00:13:52.710
Matthew Radcliffe: But he said, look, I'm just, I'm frustrated in paying outside consultants have a year to come into my organization, look at my roles, develop a role model.
89
00:13:52.980 --> 00:13:59.040
Matthew Radcliffe: And because of how fast we're changing as an organization, that role model's broken 30, 60 days later.
90
00:13:59.340 --> 00:14:07.740
Matthew Radcliffe: Use the analogy of, hey, it's like painting a bridge: by the time you're done painting a bridge, you got to go start all over again, start at the beginning, so you're really never done, right.
91
00:14:08.310 --> 00:14:19.080
Matthew Radcliffe: So we want to also leverage machine learning, data science and, you know, that AI buzzword, but it's true data science, to continuously analyze an organization.
92
00:14:19.410 --> 00:14:30.690
Matthew Radcliffe: Watch for new applications being onboarded and who's being granted access to that new application, and maybe we automatically adjust the role of where that application fits into.
93
00:14:31.110 --> 00:14:37.560
Matthew Radcliffe: If we find that there's a new population of users, maybe because of the joint venture or business partnership.
94
00:14:37.920 --> 00:14:47.760
Matthew Radcliffe: And those people are getting certain kinds of access, maybe we automatically create a new rule, a new role to accommodate that new peer group, that new group of users, right.
95
00:14:48.210 --> 00:15:00.180
Matthew Radcliffe: So we want to watch in real time different patterns and how things change over time, so we can automatically either recommend changes to the role model or actually update the role model in real time.
96
00:15:00.570 --> 00:15:12.060
Matthew Radcliffe: Instead of having this static, you know that that point in time kind of strategy around roles which historically identity technologies were based on a very static process for role modeling.
97
00:15:12.450 --> 00:15:28.440
Matthew Radcliffe: So that's another great way that we can use machine learning and data science to reduce that friction in that role modeling process. Given all the M&A going on in health care, we can't keep doing that process manually, we just can't keep up with a rapid change in pace.
98
00:15:28.710 --> 00:15:39.360
Shahid N. Shah: Now, I completely agree, and you know we've discussed the idea of zero trust networks and zero trust security over the last few years, one of its shining.
99
00:15:40.080 --> 00:15:50.640
Shahid N. Shah: goals, North Stars, tenets, is that, instead of approving someone because of what location they sit in, for example, you know, behind a firewall or.
100
00:15:51.240 --> 00:15:54.720
Shahid N. Shah: Generic rules that could apply to multiple people zero trust says.
101
00:15:55.320 --> 00:16:06.120
Shahid N. Shah: Everybody's security must be individualized. What a nice thing to say, but very, very difficult to pull off if you don't have proper IT management in general, and more specifically.
102
00:16:06.750 --> 00:16:24.120
Shahid N. Shah: The kinds of systems that you guys are talking about at SailPoint. So as you talk to CIOs and CEOs, do they bring up zero trust as a way of using IAM and ID management and potentially SailPoint, etc., to implement zero trust? Where does zero trust fit in the mix at the moment?
103
00:16:24.420 --> 00:16:33.120
Matthew Radcliffe: It is now, and you talked about buzzwords with AI; zero trust is definitely the word of the week, right, I mean this is coming up in every conversation and.
104
00:16:33.540 --> 00:16:43.170
Matthew Radcliffe: there's a couple drivers behind it. One, it's just good security practice, right, giving broad access to applications and, oh, by the way, data.
105
00:16:44.190 --> 00:16:51.150
Matthew Radcliffe: Is not a great practice, we should really be providing access at the point of an interaction, or at the point of care.
106
00:16:51.390 --> 00:17:04.800
Matthew Radcliffe: and removing it even if it's a matter of hours or minutes new that access when they no longer need it, right? So that's just good security practice, but in healthcare, and I think COVID really launched this, COVID created this.
107
00:17:04.980 --> 00:17:06.060
Matthew Radcliffe: You know, remote.
108
00:17:06.120 --> 00:17:16.350
Matthew Radcliffe: Remote workforce strategy that actually accelerated cyber security threats, right, so more than ever, healthcare organizations were being targeted.
109
00:17:16.560 --> 00:17:28.860
Matthew Radcliffe: Because data was on the move, like never before, data was being accessed from VoIP devices from home from you know, think about earlier, we talked about these volunteer populations are new populations.
110
00:17:29.130 --> 00:17:35.520
Matthew Radcliffe: Just being brought on board and we broke this security glass just to give them access, so they could go treat patients.
111
00:17:35.820 --> 00:17:41.040
Matthew Radcliffe: So that the intent behind it was Okay, but the outcome was not great from the security perspective.
112
00:17:41.460 --> 00:17:51.390
Matthew Radcliffe: So, all of a sudden, threats increased, cybersecurity insurance premiums increased. Well now, cyber insurance companies are actually programmed to ask the question.
113
00:17:51.810 --> 00:18:00.540
Matthew Radcliffe: You know, are you pursuing zero trust, do you align with a security framework like NIST or HITRUST, can you show us the controls you have in place.
114
00:18:00.990 --> 00:18:05.460
Matthew Radcliffe: They're explicitly asking, cybersecurity insurance companies are explicitly asking.
115
00:18:05.730 --> 00:18:19.560
Matthew Radcliffe: The MFA technology, do you use single sign-on, do you have identity security, right, they're asking these questions so they understand the risk profile of any one customer when they provide them cyber insurance.
116
00:18:19.980 --> 00:18:24.690
Matthew Radcliffe: So we are one of those essential controls, right, and we are really at the forefront.
117
00:18:25.020 --> 00:18:36.570
Matthew Radcliffe: of ensuring that a user in healthcare, a clinician, a nurse, an IT user, that they have the right access at the right time to the right applications and data to only do their job.
118
00:18:36.900 --> 00:18:46.020
Matthew Radcliffe: And oh, by the way, when that access is no longer needed, whether it's minutes, hours or days, we're terminating that access immediately, right.
119
00:18:46.470 --> 00:18:58.290
Matthew Radcliffe: So this is really one of the core pillars of zero trust, establishing these controls and putting these controls in place, so we believe we actually sit at the front door of that process.
120
00:18:58.830 --> 00:19:06.180
Shahid N. Shah: Now that sounds very impressive and, in fact, thinking about what you just said with cybersecurity insurance some places are getting.
121
00:19:07.170 --> 00:19:15.060
Shahid N. Shah: Very, it's getting difficult to get cybersecurity insurance because your security posture's so bad, right, so could one make the argument that.
122
00:19:15.780 --> 00:19:27.060
Shahid N. Shah: If you put in appropriate tools, technologies, automation, etc., and it costs you N dollars to put that into place, could you save Y dollars that may be equal to N somewhere?
123
00:19:27.270 --> 00:19:34.110
Matthew Radcliffe: I actually, if you, you know, I think one of the reasons that identity security lagged years ago in healthcare.
124
00:19:34.410 --> 00:19:42.870
Matthew Radcliffe: Was they were trying to just build a justification around, hey, I can automate instead of save a few hours of time, and that was a business case.
125
00:19:43.200 --> 00:19:46.710
Matthew Radcliffe: that's not really a board level kind of conversation right.
126
00:19:47.130 --> 00:20:04.350
Matthew Radcliffe: But all of a sudden, when you start having the conversation that pages board our premiums are going up from $400,000 to $800,000 a year, or we're being denied cyber insurance, that's a completely different conversation, that's a board level conversation, right.
127
00:20:05.490 --> 00:20:16.590
Matthew Radcliffe: All of a sudden that's, what do we need to do to get these premiums right, to reduce the premiums, to have the right cyber insurance policy, what do we need to do, Mr./Mrs. CIO.
128
00:20:16.830 --> 00:20:22.800
Matthew Radcliffe: Well hey, the first thing I need to do is pursue zero trust, and there's these pillars I gotta pursue.
129
00:20:23.190 --> 00:20:37.080
Matthew Radcliffe: Right, MFA, identity security, these are core pillars, so all of a sudden the conversation has elevated in healthcare, and now it's not a matter of, you know, will I ever get the budget, it's when can I get the budget and when can I get started, right.
130
00:20:37.110 --> 00:20:45.150
Shahid N. Shah: yeah and really what's interesting about this math is that in the past we've said, you have to do it, but there was no data debt or else.
131
00:20:45.180 --> 00:20:52.290
Shahid N. Shah: And now they're the or else isn't some hacker might get and it might be you can't operate without insurance right.
132
00:20:52.530 --> 00:21:01.170
Shahid N. Shah: Like going into a hospital and saying Oh, by the way you don't get any medical malpractice insurance or any of your doctors next year the hospital would shut down literally and.
133
00:21:01.200 --> 00:21:03.000
Shahid N. Shah: that is what unfortunately many.
134
00:21:03.360 --> 00:21:15.810
Shahid N. Shah: Health systems are looking at over the next couple of years, only because the cyber insurers are starting to recognize that there is a way of measuring security, and it starts with, you know, obviously things like.
135
00:21:16.500 --> 00:21:20.760
Shahid N. Shah: Identity access management, it could be intrusion detection there's you know, a.
136
00:21:20.760 --> 00:21:22.920
Shahid N. Shah: boatload of things and controls that are there.
137
00:21:23.160 --> 00:21:36.930
Shahid N. Shah: But some of these could be prioritized higher just because it matters so much to retention and employees, etc, so if you matter to employees and you could prioritize it higher and Oh, by the way you could make back the money.
138
00:21:37.350 --> 00:21:41.460
Shahid N. Shah: By reducing your insurance premiums etc seems like a win, win here.
139
00:21:41.640 --> 00:21:45.600
Shahid N. Shah: Have you noticed any customers using that as an ROI argument?
140
00:21:46.020 --> 00:21:53.910
Matthew Radcliffe: Absolutely, in fact, you know, I think we're a little unique in that we actually built a financial analyst team and sit down with customers to really.
141
00:21:54.210 --> 00:22:04.410
Matthew Radcliffe: know, what I'll call interrogate their business processes today, so we can help them. You know, vendors all have these ROI tools, but, of course, those tools always justify buying that.
142
00:22:04.770 --> 00:22:05.820
Shahid N. Shah: Surprise, surprise.
143
00:22:06.090 --> 00:22:07.500
Matthew Radcliffe: Surprise, you should go buy it.
144
00:22:07.800 --> 00:22:19.440
Matthew Radcliffe: Well, we took a different approach, right, we onboarded a group of financial analysts that sit down with a customer and really interrogate their business processes. They want to understand how do you onboard staff.
145
00:22:19.680 --> 00:22:31.140
Matthew Radcliffe: Today, how do you transfer staff, how do you terminate staff, what parties are involved in provisioning to an Epic, Cerner, Meditech, right, so they really dive deep in all these different processes.
146
00:22:31.530 --> 00:22:36.420
Matthew Radcliffe: And they also look through the lens of cyber insurance and other cost savings areas.
147
00:22:36.750 --> 00:22:45.390
Matthew Radcliffe: And they build up the business value proposition based on that customer's world, how they do business, how their processes are managed.
148
00:22:45.750 --> 00:22:49.320
Matthew Radcliffe: And then they create this board level presentation that really allows them.
149
00:22:50.130 --> 00:22:57.030
Matthew Radcliffe: To put forth some true, you know, investments and cost savings over a three, five year period.
150
00:22:57.360 --> 00:23:06.630
Matthew Radcliffe: that are more tangible in real life, they're not these vendor, you know, derived numbers. So we've really taken a different approach in helping customers.
151
00:23:07.200 --> 00:23:14.880
Matthew Radcliffe: solve that problem and tell that board level conversation of why identity security is super important and, by the way, you know, we.
152
00:23:15.210 --> 00:23:21.630
Matthew Radcliffe: We always talk about applications, and maybe that was the way 10, 15 years ago when everything was on-prem in health care.
153
00:23:22.050 --> 00:23:28.770
Matthew Radcliffe: But I gotta tell you that the amount of IoT devices out there now, the amount of data that's flying around.
154
00:23:29.280 --> 00:23:36.030
Matthew Radcliffe: you've got to address identity security, you know, a single pane of glass through three pillars, the applications.
155
00:23:36.480 --> 00:23:48.270
Matthew Radcliffe: The data and, more often than not, we're finding our healthcare customers have one or more cloud infrastructures in Azure and AWS, GCP like Google Cloud.
156
00:23:48.750 --> 00:24:01.140
Matthew Radcliffe: So we've also got to treat the access to the applications and data, the same, but also to the sensitive permissions the privileged accounts that sit within that cloud infrastructure.
157
00:24:01.560 --> 00:24:09.870
Matthew Radcliffe: So when we talk about these problems with a prospective customer or current customer, we talk about it through the lens of applications, data and cloud infrastructure.
158
00:24:10.260 --> 00:24:19.050
Matthew Radcliffe: If you're only looking and focused on one of those three pillars you're only solving a third of your identity problem so you've got to really look across all three of those areas.
159
00:24:19.350 --> 00:24:24.210
Shahid N. Shah: yeah I couldn't agree with you more and, in fact, in the last couple of minutes that we have we've already chewed up most of our time.
160
00:24:24.840 --> 00:24:33.240
Shahid N. Shah: I had a blast here, so in the last couple of minutes, the last question I'd like to ask you is, do a little bit of future scoping, letting the next couple of years.
161
00:24:33.870 --> 00:24:44.310
Shahid N. Shah: As the complexity grows for the number of devices, number of users, etc., and our legal documents, you know, the existing business associate agreements and things like that.
162
00:24:44.760 --> 00:24:53.820
Shahid N. Shah: are not at all machine readable machine executable or anything like that, what do you see over the next couple of years that we could do to put.
163
00:24:54.390 --> 00:25:07.080
Shahid N. Shah: connect lawyers with the output of the systems themselves, so they can see an auditable infrastructure, where they know that the rules are being followed, not hoping or guessing that the rules are being followed.
164
00:25:07.350 --> 00:25:16.290
Matthew Radcliffe: Yeah, so what we talked about, one of the elements, which is, we have to remember that when we talk about any cyber security controls or technologies.
165
00:25:16.590 --> 00:25:21.360
Matthew Radcliffe: it's not just about application access, it's applications, data, cloud infrastructure.
166
00:25:21.900 --> 00:25:30.390
Matthew Radcliffe: But we also have to remember that an identity is not just the human footprint, an identity can be a bot, device, fine, it can be multiple months, in fact.
167
00:25:30.810 --> 00:25:40.320
Matthew Radcliffe: You know, customers have hundreds and thousands of robotic devices out there that are automating human process, right.
168
00:25:40.650 --> 00:25:46.950
Matthew Radcliffe: So we also got to think about the word identity as not just the human, but these different types of devices.
169
00:25:47.430 --> 00:25:54.030
Matthew Radcliffe: The other challenge that we're seeing pop up now is we're all called around APIs, right.
170
00:25:54.450 --> 00:26:02.430
Matthew Radcliffe: So you have all these web services, all these cloud applications and even on premise applications have all these different hooks into them.
171
00:26:02.880 --> 00:26:18.120
Matthew Radcliffe: And as a very astute CISO said out of award Florida health system, every one of those APIs for me is an area of risk, right, I need to govern those just like I govern an identity to an application, data and infrastructure.
172
00:26:18.600 --> 00:26:27.930
Matthew Radcliffe: So, as we kind of think about, you know, some of these legal frameworks, in the past it was all about a human and not necessarily dictating that technology process.
173
00:26:28.560 --> 00:26:36.420
Matthew Radcliffe: But it's always like a documented process, it was good enough. Well now, we need to think about these, you know, relationships through.
174
00:26:36.990 --> 00:26:44.760
Matthew Radcliffe: The what I'm touching, applications, data and infrastructure, that is not just a human, it can be a bot, and it may not just be.
175
00:26:45.330 --> 00:26:55.350
Matthew Radcliffe: Some static infrastructure, it could be an API or some other access point that I've got to govern just like I govern access to applications or data, right.
176
00:26:55.770 --> 00:27:04.200
Matthew Radcliffe: So this is rapidly evolving and as an organization, we try to make sure that when we think about an identity we're always very open minded.
177
00:27:05.070 --> 00:27:16.050
Matthew Radcliffe: Anything that requires governing of access to any sensitive entry point within the organization, whether it's an application, whether it's data, whether it's an API, an IoT device.
178
00:27:16.380 --> 00:27:30.870
Matthew Radcliffe: we're going to keep thinking about it through these lenses, but you're right, we need these kind of legal frameworks and policies to kind of catch up with the reality of where an identity is today, and the risk of those identities.
179
00:27:31.140 --> 00:27:38.670
Shahid N. Shah: Yeah, I mean this is a fantastic conversation. Thank you so much for taking the time out to talk to us, and the two key lessons here are.
180
00:27:38.940 --> 00:27:45.330
Shahid N. Shah: that things are more automated will than you ever think they are so that's one key lesson that naturally just taught us, and the second thing is.
181
00:27:45.750 --> 00:27:57.510
Shahid N. Shah: Think deeply about how if you implement certain things you could save money relatively quickly, like within that year, perhaps the following year on your cyber insurance premiums and that might help you out.
182
00:27:58.050 --> 00:28:04.140
Shahid N. Shah: And prioritizing some of these things. With that, you know, thank you so much, Matthew. Any last minute words that you want to say?
183
00:28:04.500 --> 00:28:07.800
Matthew Radcliffe: Yeah, we're super excited, really happy to be here and.
184
00:28:08.460 --> 00:28:15.840
Matthew Radcliffe: anything we can do, whether it's with SailPoint or looking for lessons learned or advice, we're always happy to collaborate with customers, is really important to us and.
185
00:28:16.200 --> 00:28:25.140
Matthew Radcliffe: You know, whether it's us or another vendor, we just want to see customers approach this in the right way and think about it the right way, so any way we can help, I'm happy to, and I appreciate your time today.
186
00:28:25.680 --> 00:28:28.590
Shahid N. Shah: We appreciate you being here thanks a lot, thank you.