HealthIMPACT Live Presents: IoT, Ransomware, Human Factors of Cybersecurity, Data Protection and Tokenization - Understanding the Perfect Storm of Vulnerabilities to Manage Cyberthreats
Originally Published: Apr 7, 2022
YouTube Video: https://youtu.be/d-put3vQp7w
No matter how robust your organization's security stack is, vulnerabilities to intrusion still exist. Unmanaged cyberthreats can compromise your organization's ability to perform its mission by putting critical assets, data, and services at risk. As more and more organizations move toward the cloud, keeping track of where sensitive data resides becomes increasingly difficult, putting increasing pressure on data security teams. Recent events in healthcare IT show that a zero-trust security strategy is the only way to prevent successful security breaches and to ensure that no threat or vulnerability disrupts the continuity of care model. In this session, health system security leaders discuss how to:
Manage critical privacy and security issues healthcare organizations face
Establish and optimize information security and privacy operations to be better prepared to address current — and future — IT risks
Transition to and secure new data methods and devices – IoMT, IoT
Data protection and tokenization
Getting clear, readable data out of the healthcare environment
Mauricio Angee, AVP, Chief Information Security Officer, University of Miami Health System
Melissa Lawlor, CISSP, Director, IT Security GRC, Hackensack Meridian Health
Michael Ebert, Partner, Guidehouse
Michael Ebert: I want to thank Melissa Lawlor and Mauricio Angee for joining us today for a session on cybersecurity. These are the leading issues that we are going to discuss around healthcare management and healthcare cybersecurity. Now we look at the changes in healthcare, you know, much, much greater consumer involvement in healthcare, consumer engagement, and our platforms, but we're wrestling with some fundamental issues dealing with, you know, IoT, the Internet of Things, and here the Internet of Medical Things; we're dealing with the cloud and the movement to cloud, and how we manage and secure those overall. Now let's keep this very free and very interactive. Let's talk about the first one of our points: this is how we manage privacy and security with all these connected devices that we have in medical IT, and other Internet of Things devices on our network. Melissa or Mauricio, who wants to go first?
Melissa Lawlor: I'm happy to start if Mauricio wants me to, okay. So really, from a Hackensack Meridian Health perspective, the way that we're managing medical devices and IoT is really how we're managing traditional devices too. You know, we look at it at a purchasing level. Before we ever approve a purchase, we have a capital expense request that goes through a number of different channels: through purchasing, through legal, through IT and IT security. And when it gets to the IT security review we look at the MDS2 forms, which are manufacturer device security forms, and they're standard. So it's very easy to ask a vendor, can you please produce the MDS2 form, so that we can start to understand
some of just the foundational security controls in these devices: whether it's encryption, can you do automatic log-off, how are you doing backups, as HMH are we allowed to scan for vulnerabilities, are we allowed to patch, or is that the responsibility of the manufacturer? So we look at it at that level, and then, if any of the MDS2 responses come back that don't meet our standards, or we do not have the ability to safeguard and control the device, we segment it to a separate VLAN on our network that has all of the sort of vendor VLAN devices.
Mauricio Angee: And we do it verbatim. I mean, I think this is a book that has been written for years on the supply chain, from the, you know, even when they're thinking about it. One thing that Melissa is doing that she didn't mention, and I know we do pretty much the same, is even when somebody is trying to purchase something, we get involved in reviewing it, you know, before they buy, to make sure that they meet our security requirements. That's always important to see. From the IoT side of the house, and we were discussing this a little bit, is this thing of the new generation of medical devices, the wearables, or in the hospitals; now there are many IoT devices that do not relate directly to patient care or patient safety, thermostats or even oxygen rods, that we're now looking at, and when we scan the network with whatever tools we get these days we're trying to identify them and identify where our weaknesses are, per se, which we didn't see before, because even fingerprinting them is specifically the same thing we're doing in that regard.
Melissa Lawlor: And I would say, to Mauricio's point, at the foundational core it's all around the ability to identify the asset, manage the asset, and then remediate any vulnerabilities associated with the asset. And I know, I'm sure Mauricio can say the same thing, with the Log4j zero-day vulnerability I'm sure everybody in healthcare wishes they knew where all of their assets and applications were, and what was subject to this vulnerability, because, at least on our side, there's a lot that we knew, but there's also a lot that we're finding as we continue to do vulnerability scans and identify additional systems and applications that are now vulnerable to this.
Michael Ebert: So initially, with fingerprinting your assets, is it through the vulnerability scan, or are you employing other capabilities? Tell us.
Melissa Lawlor: So, from an HMH perspective, what we're trying to do is, we're going to implement a network access control solution to assist with some of this, and then start from a monitoring perspective first and then move it into an enforcement policy. But right now we're really using some of our standard tools, like our vulnerability scanning tools and our asset identification tools, where we use those to push software out to the assets, and they can scan the network to identify any assets that have popped up in the last X amount of days. So that's really what we're doing right now, until that next solution is in place.
Michael Ebert: Mauricio, how are you handling the situation?
Mauricio Angee: It is very similar. We recently deployed a medical device management tool, and the telemetry we get into the SOC with this tool is amazing. We're finding out, not just, Melissa made reference to the MDS2, very important, but what we're finding out is what the telemetry is providing to us, which is really more on: is it vulnerable, is it on this release? So we get telemetry immediately and an alert to say these devices are vulnerable, and sometimes it says here is the report from the manufacturer on how to fix this. So, always fingerprinting. The other thing that we're doing is the NAC, the network access control; we're fully deploying these right now. Medical devices: now we're working with biomedical engineering, and every time they have a device they're going to plug in the network, they reach out to us before they reach the destination IP address: can you scan it, is it okay for us to move forward? It is putting a lot of burden on my team, and I've heard my team saying it is becoming an issue, but we've got to do these before and not after the fact, when it's already connected. So, the first comment really, in summary: we're treating this as a regular device on the network and we're doing the same security due diligence as we would with a workstation or server, in the sense of security controls.
Michael Ebert: And Mauricio, so this is the same reason. Is this true not only in acute care, but in your physician practices and your specialty areas?
Mauricio Angee: It is, so the answer is yes. I said this morning, we're opening a whole bunch of practices, right, like everybody else in the healthcare industry, and now we sit in this like never before, because I requested it. I said, you're opening practices, I need to go from, you know, the HIPAA security rule: administrative, physical and technical controls. So I sit in this business meeting and look at where this device is going to be connected, who's going to access them. So it is driving the whole view, and then I assign someone from my team and say here's the laundry list of things you need to be aware of before this practice opens. So it is to that level now. I normally say you run a bigger operation than ours, but it's something that we're doing day in, day out now.
Melissa Lawlor: Yeah, one thing I would say that Mauricio and I haven't mentioned, but I know we're both doing it, is that in the cases where we're sharing our data with third parties, whether that's from a cloud perspective, whether it's vendors helping us for payment, care, treatment, operations, any of that, we also have privacy and information security addendums where we outline our exact security and privacy requirements that we expect our third parties to have in place to safeguard our data when it's not within our traditional four walls. And that, at least here at HMH, is mandatory for any vendor or third party who creates, receives, maintains or transmits what we consider HMH confidential or restricted data.
Michael Ebert: And you're flowing that from acute care down to physician practices, specialty operations, and across the board as well?
Melissa Lawlor: In some cases, too, where we have a physician agreement in place where they're not wholly owned by HMH, it could be a joint venture, for example, it could be a practice, they also have to sign our privacy and information security addendum.
Michael Ebert: Well, you're both also dealing with the academic issue, as well as the research issue. That's a totally different story. So we're talking about the academic side, and again the best...
Mauricio Angee: Being a researcher myself, I understood when I got hired by Dr. Reese to come work for him, there's always this thing about having a research background and being seen by the researchers as a peer, right, so that's different. And what we've been able to do is a lot of awareness, so I sit on committees with the research communities, I sit on the IRB now, because I want to create the awareness that you just can't go get a grant, buy equipment and plug it in the system. We have some guidance. The other thing we're reviewing is that the grants come, now more than ever before, with a requirement for a security plan or security assessment, or we have to be aware of those, and we make everything possible, you know, we try to accommodate the researchers under the security, but they have to buy in to our security policies, and sometimes it's been hard, but they're understanding more and more why we do it. And the more attacks out there, the more we can show them, look, this is a ransomware attack, but did it happen because a researcher did something? We bring it up to them so they see it is not easy. And then that got me excited, you know, the freedom of information on this side of the school per se, the students and professors, and the HIPAA security rule is totally different, so we took a different approach in what we're working on at every level with administration, students, residents, everybody on the importance of following security protocols. And the last thing with it, and Melissa knows this also, we're working together with the compliance and privacy office, so every time we go into a... whenever we talk about security I bring the privacy officer with me or someone from their office to say that this is not just a security issue, it's a privacy issue, and the fines and penalties are huge. But we're looking now at something very interesting, which is the shifting of patient care and patient safety issues as a result of, we're all aware, a baby died as a result of a ransomware attack, and unfortunately that was the first. So we try to do this ongoing awareness training together, but it wouldn't work without top support, and what I'm saying by that is our CEO is aware, he wants us to be out there. The Board of Directors actually asked if we're doing this, and so it's a joint effort. It's like security 101, from my CISSP I remember: do you have policies and procedures, do you train on it? We're trying to do that more and more today to kind of bridge that gap.
Michael Ebert: Melissa?
Melissa Lawlor: Yeah, I would say very similar to what Mauricio is doing, we are trying to work very collaboratively with our researchers. I will say that I'm not always their favorite person. HMH has implemented geo-blocking where we have essentially blocked everything but 10 countries in the world, and that is very problematic for the researchers who have a legitimate business need to go to websites and other sharing platforms that are typically blocked by HMH. So we have had struggles at times where there has to be a balance between being able to be secure but also allowing the researchers to do what they do best, and we are still working on that. Every day things pop up where they get a block page and we have to quickly revert that for them, but we are working to also build an environment for them that is a little bit more open and architected with research in mind, rather than trying to keep everything secure, and finding that happy balance. That's not in place yet; we've had some discussions and we've also engaged third parties who have a lot of experience in this area to help us, so that we aren't impacting our researchers, but we're also not opening the floodgates of HMH and potentially putting us in a spot to have a ransomware attack.
Mauricio Angee: Melissa, if I may. Something I've been dealing with and writing about with my students every time I start a new semester is the definition of information security or cybersecurity. And I'm going to tell you what I've been using these days, and thanks to Dr. TJ, who was my professor in grad school. I say this: it's important that we understand security is a delicate balance between the risks and the controls in the workplace. If the controls are too stringent, the risk is mitigated, but the users may find ways to, you know, go around security, right? So, hey, it's just training, you've done it, let me do my work, so I'm gonna bring my computer from home, connect it to the network, or buy a wireless card to connect to somebody. But if the controls are too lax, then we all know the security risk, right? I find myself as a practitioner these days trying to find that delicate balance between security and risk, and we're not here to, you know, police that in context, but we are here to protect the organization against an attack. The other idea that I've been dealing with, walking around, talking and thinking about, and I know a lot of you out there are gonna say, oh my God, what are you saying: the HIPAA security rule hasn't been reviewed for a while. I think its last revision was four or five years ago, so I'm thinking about this: is the HIPAA security rule now hindering patient care and innovation? That's in my mind all the time with that delicate balance. The interpretation of the HIPAA security rule by Melissa may be different than mine, maybe different than other practitioners', so we've got to be very careful on your interpretation and the controls you want to apply, and that delicate balance that I mentioned in the beginning.
Michael Ebert: I am very easy to...
Melissa Lawlor: Do, and you know the HIPAA rule was written by a bunch of lawyers, and we have them to thank for why it's so ambiguous. But you look at some of these corrective action plans that are put out by OCR and HHS, and you read how they tie the violation back to what citation within the HIPAA rule, and you scratch your head sometimes and say, how on earth did you tie vulnerability management back to this area of the HIPAA rules? So, you know, it's always a guessing game, but I agree with you, it is a very fine balance that I think we strive every day to achieve, and some days we are off kilter and we need to sort of right the ship so that we're not impacting our end users.
Michael Ebert: Right, correct, I mean, you've got that experience, having, you know, been working with the OCR. And, as you guys on the call know, I was the lead partner on the OCR work to find the criteria by law, and it has taken contextual, as your Vice President says, it's contextual application based on the sophistication and nature of your organization, and their interpretation against that is sometimes over here, because they didn't have that practical experience, healthcare clinician experience in the field, how it operates. So they're trying to apply a law against how it really needs to operate in the area, and it doesn't always jive. So, on this point I agree, I think there needs to be, they try to do it, the guidance to the industry from what they're learning, but they need to probably, you know, reconstitute that in a more practical manner so that it's more operational in nature.
Michael Ebert: You know, and that brings the next complexity, as we do everything nowadays moving to the cloud. You know, how is cloud impacting your environments: research, academic and operational healthcare practices that are using more and more cloud apps? A lot of vendor IoT devices have a cloud back end as well, and how do you incorporate and address that in your environment when the tools today don't necessarily address cloud security?
Mauricio Angee: My God, I'll take that first. I think the cloud has been around for years, right, so we've been talking about cloud for years, and I don't think we fully understood the concept until now. The big guys, the big names, are coming out and telling us how to do compliance, by the way. I hear the big names saying our environment is HIPAA compliant, and I want to ask the question: what do you mean, HIPAA compliant? There's no such thing. I really scream, and they look at me like, okay, doctor, we understand that there's no HIPAA compliant. The second thing is the approach we took, because our strategy is multi-platform, multi-year, right, and so it is all, you know, a challenge to protect. What I'm telling my team is, whoever the winning vendor will be, we have tools in the arsenal of tools, if you want to talk about tools, because I like to go back to controls and safeguards. But one thing I look at is: do we have our audit logging and monitoring, robust logging and monitoring, access controls, and, first and foremost, do we know what we're using this platform for? And so that's the complexity: you understand, first and foremost, what is the business case, what platform are you using, the three, four or five big names, and then you build your program around what the business needs, because we are no longer dictating to the users; the users are learning and dictating to us. This centric focus on what the business needs, and no more on what IT tells us to do, so it is evolving.
Melissa Lawlor: Yeah, and I would say on our front, any cloud environment that HMH architects and is responsible for, so all of our cloud tenants, are built in alignment with NIST 800-53 moderate, so that, from our perspective, any of our regulatory obligations, contractual obligations, we feel that NIST 800-53 moderate meets or exceeds any of those expectations. And so that allows us, where, hey, what type of data are you putting in there, why are you putting data in there, at least we have a baseline to say if it's our cloud environment we know it's meeting NIST 800-53. We've partnered very closely with our cloud architects, as well as some of our major cloud partners like Google, like Microsoft, to develop these technical design documents, so that any time a cloud tenant is spun up we have the ability to implement all of these controls that we've architected. Now, on the flip side, when it's not a cloud environment that we're able to manage, that's where you have, similar to what Mauricio and I were mentioning before, we have those privacy and information security addendums that we put in place with our third parties to say: whether you're storing it locally in your data centers or in a cloud environment, this is our expectation for you, this is what you must do when you have our data, regardless of where you're storing it.
Mauricio Angee: But, Melissa, may I ask you a question? Mike, I'm sorry to interrupt. I've been a believer of NIST ever since its inception in 2002 with Dr. Rose; we worked on it those days, we looked at this, we knew what we were looking at. But interestingly enough, I've been posed with a question: they said NIST is not a prescriptive framework. So is it that we need to go with it, you know, is this required to address every control? I am the same; we are using the NIST Cybersecurity Framework, 800-53, and the new revision 5 with the two new additions, the supply chain and the risk management, right? But I've been asked, and kind of challenged on, it's not prescriptive, it doesn't say that you must do this. So how are you, you know, this is interesting because I'm calling your name, but how are you managing that when you were challenged about non-prescriptive contracts?
Melissa Lawlor: So, from our perspective, when we started looking at the HIPAA security rule and any other obligations that we may have, FERPA, for example, because we do have students and their data, we started to look at what is the minimum necessary and where do we want to be from a security program with our cloud environments. And I will say that once upon a time, when I was working at KPMG, we had to develop a very large cloud environment within Microsoft that held over 180 million patient records. They grabbed CMS data and a number of other large data feeds, and so when we started peeling back those data use agreements, what it all ended up pointing back to was NIST 800-53, when you started reading those agreements in detail and looking at the regulatory citations that they used. So when we came over to HMH and we started to architect these cloud environments, we said: we know we're comfortable with this; if we ever got CMS data and had a similar data use agreement, we know this is their expectation, so why don't we just sort of bite the bullet and go architect it now that way. And it took a lot of time up front; it was not easy to say, when we have a lot of people asking where's our cloud environment, why can't we spin it up, now that we're on the cloud it's supposed to be easy and quick, why can't we do it. It took a lot of time in the beginning, but it sort of paid off on the back end, knowing that we don't have to do any last-minute configurations to these cloud environments, or if we do, they're very minimal.
Michael Ebert: Yeah, and we at Guidehouse have been talking about it, and Mauricio, you brought this up, they say they're HIPAA compliant, and it's funny. So can we keep on going, you know, beyond the compliance mentality, right? There were 175 breaches last year, representing over 61 million health records, and everybody says, well, we are HIPAA compliant, but you've got to go beyond compliance. Why do we have all these breaches? We have to look beyond compliance. So, yeah, we have time for that game together, so we agree. You've got this: 800-53 is a little more prescriptive; at least it gives you the dialogue to say, well, here's the required, here's the things you can do, right? So it gives you a point in time, and by moving to that level, and you look at CMS data, look at research, when you get research grants from NIH it requires 800-53 moderate, 18 high controls. So as you move to that, and then the new rev 5 is actually increasing the number of high controls they want in that, and they said they're going to come out with guidance by the end of this year on all that. You know, we need to have a common framework and apply that across all of our capabilities, whether it be cloud, whether it be on-prem, whether it be IoT, and how we treat it is an important point, because you need to go beyond record compliance to get past 61 million records being breached. Nice job.
Mauricio Angee: Right, Michael, we... Go ahead.
Melissa Lawlor: I was just gonna say, let's be honest, the only people who can deem something HIPAA compliant are the regulators, and I don't think they're going around cloud environments and giving a stamp of approval, and so the job, guys, is your compliance.
167
00:25:44.850 --> 00:25:48.180
Mauricio Angee: Or they said, we as an industry would keep on allowing the big... It's not that, you know, they did what we asked them to do, that Microsoft, Google, AWS, they did what we, industry, said: if your environment does not meet the minimum security safeguards, unnecessary, I can do business, so they went out and put this, but you see these salespeople telling them we're HIPAA compliant. You challenge, if they stay quiet, because they don't understand what you turn the, but the reality is that the regulator is not coming down and saying, hey, this is a certified. I wanted to touch base real quick. We started talking about IoT and I'm gonna make a connection here with cloud. A lot of these IoT devices are cloud based, a lot of the data is, another not, but probably most of them or all of them, they're cloud based, because that's what cloud allows them to do, and so I'm curious to see if we're the only one doing it or everybody's going into it: when we are looking at these IoT devices or medical devices or diagnostic devices, when it's cloud based we even go a step further and review the cloud base, not just their security vendor, Melissa, which is really good because it protects us from liability, but we want to understand what that is, and you'll be surprised if you do that. It takes a little bit of time, it has many, sir, I know, but if you put the framework in front and then you just replicate every time. We found no security in some of them, we found the access controls, passwords never changed, admin passwords used in the background as a service. We found a lot of IoT devices, so now the vendors are asking us, do you know somebody who can help us with this? And I'm like, no, no, no, no, this is incredible, but all kidding aside, it is incredible what's happening. The latest of this is a research that some researchers were doing, and I got a chance to peek at some of the documentation and provide feedback, is the concept of the body area network, and now they call it web, and you can research it, it is fascinating. All these wearables, all these medical devices that we have, the big major brain, me now, are attached to an IP address. Some hospitals in the United States are trying to do a proactive approach to patient care, so these devices send a signal to a command center, very similar to a NOC or security incident: this device, or this patient, is having these conditions, the nurses are calling them already and say you need to take your medication, you need to do that. Either... I didn't want to say the name. So it is so crucial that we understand how body area networks work, because now it's introducing a new level of complexity into our environment, so I welcome everybody to kind of look at this. It was a new concept many years ago, but it's a concept that is making its, and I want to be, when he says brain, is how you manage those now with all this complexity.
Melissa Lawlor: It's going to be a very interesting and fun challenge, so one of our hospitals is actually going to be a pilot for what we're calling, hmm, a hospital at home, which, exactly what you said, Mauricio, allows the patient to receive some of these acute care services from the comfort of their own home, and that's solely made possible by IoT, IoMT, you know, these next-gen capabilities for patient monitoring outside of the traditional four walls of the hospital. And so they get these wearable technologies, where it can start flagging that there seems to be an issue, there's likely going to be an issue, and send it back to the hospital, so that they understand, you know, Melissa Lawlor may be coming in shortly for a heart attack, or somebody better get her on the phone, because we're watching her baselines change. And so it's going to be a very interesting pilot, and the hope is that he will roll this out across all 17 of our hospitals, but right now we've selected one to be that pilot program and it just launched, yo, I think the announcement went out this week, so it will be...
00:30:04.110 --> 00:30:05.640
Mauricio Angee: that's what i'm saying is the hunter.
196
00:30:05.850 --> 00:30:06.360
Melissa Lawlor: So yeah.
197
00:30:06.870 --> 00:30:13.830
Mauricio Angee: Melissa congratulations on the innovation but I wanna I want to welcome everybody in this, you know, and this.
198
00:30:15.630 --> 00:30:26.220
Mauricio Angee: broadcast in this this webinar to look into this is the things are coming they're Here we see it happening in the financial sector would fintech.
199
00:30:27.120 --> 00:30:36.450
Mauricio Angee: As micro loans and all this is coming now more and more to patient care and and the issue is always in the back of my mind it again and again.
200
00:30:36.780 --> 00:30:52.200
Mauricio Angee: We cannot be entering patient guarantee innovation, the HIPAA security rule needs to be revised, we need to make sure that the controls are there, but it's going to become more complex as as we move forward to this new type of care for patient care.
201
00:30:54.210 --> 00:31:07.260
Michael Ebert: yeah and the automation patient care of the key issues so example is gaius actually developed a radiology examination X Ray or MRI radiation analysis.
202
00:31:07.710 --> 00:31:17.640
Michael Ebert: process so that it takes away from the doctor identifying a leader in the brain and other immediate abnormalities within any MRI scan.
203
00:31:18.030 --> 00:31:22.740
Michael Ebert: and present that these are high risk areas, so the doctors can be more focused and therefore.
204
00:31:23.100 --> 00:31:32.700
Michael Ebert: You know, Minister more patients per per minute right because that's where we're at we're we're short on doctors were shorter clinicians we've got automate the process and we're doing this in.
205
00:31:33.000 --> 00:31:42.600
Michael Ebert: To an artificial intelligence way and now we're getting bots in our system and other on the routines and and we have to manage the security and access to those as well how you guys treating.
206
00:31:42.870 --> 00:31:54.840
Michael Ebert: This type of technology, you know I know I know we create your friend and he has now been rolled out several hospitals, but you know how how you train this pipe bomb a technology and it's it's command to use of your systems.
207
00:31:55.950 --> 00:32:01.710
Melissa Lawlor: So i'll start so from an agent perspective we actually and it's no secret, we have a.
208
00:32:02.130 --> 00:32:12.060
Melissa Lawlor: Partnership with Google and so we're going to deploy artificial intelligence and machine learning and key clinical areas, especially around screening and detection.
209
00:32:12.330 --> 00:32:19.110
Melissa Lawlor: To help sort of transform the way that healthcare is delivered to patients across New Jersey and really the tri state area.
210
00:32:19.470 --> 00:32:32.790
Melissa Lawlor: And some of the areas that we're using that Ai Ai and ml solution is to assist with the screening and disease detection, especially with Kobe 19, how can we do advanced screenings yo through this pandemic.
211
00:32:33.540 --> 00:32:40.500
Melissa Lawlor: You know they're also looking at sepsis detection prostate cancer screenings mammography screenings and newborn screenings.
212
00:32:40.710 --> 00:32:55.350
Melissa Lawlor: You know we're trying to take areas and be smarter we don't need to recreate the wheel we don't need to recreate how you treat a patient but let's do it smarter let's do it more advanced and in a quicker manner if it's possible.
213
00:32:57.300 --> 00:33:08.640
Mauricio Angee: And I know it should be meaningful, so I want to go back to that you know idea that this patient centric now takes cybersecurity.
214
00:33:09.780 --> 00:33:14.820
Mauricio Angee: Making more decisions with data data driven decisions and the third.
215
00:33:16.050 --> 00:33:27.030
Mauricio Angee: Part of that is you know understanding what the needs are so, so it is important, as part of the University of Miami health system transformation roadmap.
216
00:33:27.480 --> 00:33:39.990
Mauricio Angee: Is what Melissa just said is let's get out of the comfort zone in the traditional Vedic medicine taking it to look at what are the patients requiring and requesting.
217
00:33:40.860 --> 00:33:47.130
Mauricio Angee: You know I people hate to go sit at the doctor's office which 1520 minute and an hour waiting for the doctor to see them.
218
00:33:47.520 --> 00:33:55.980
Mauricio Angee: So we know that we got to get better at that diagnostics, we know test results is mandated you have to see the Beijing can see immediately.
219
00:33:56.310 --> 00:34:09.780
Mauricio Angee: But it's not, that is, how are we really advancing and innovating this this new technologies that are being asked of us in I am not a digital native i'm a.
220
00:34:10.680 --> 00:34:18.540
Mauricio Angee: lot since no kidding aside, I am I came to this technology as an immigrant and immigrated to technology.
221
00:34:19.020 --> 00:34:30.420
Mauricio Angee: And if we don't switch that mindset that I learned technology lemon stay here, this is what I learned into what is changing in the world, and how I need to evolve interest form we're going to be.
222
00:34:30.870 --> 00:34:42.750
Mauricio Angee: Something that I mentor to me to not be left out, because you become irrelevant and so when you become irrelevant you don't you don't support innovation you don't support new tools.
223
00:34:43.110 --> 00:34:52.140
Mauricio Angee: And you don't have a saying on how we're no longer the security and says no we're enablers of the business so when Melissa said.
224
00:34:52.530 --> 00:35:11.760
Mauricio Angee: All this is possible by as being more agile by seeing this what's coming in, by preparing ourselves to put security safeguards in place that are repeatable and not hindering innovation so that's what I am thinking about it we're thinking about it, the transformation.
225
00:35:13.530 --> 00:35:15.090
Melissa Lawlor: You can't be the Department of know.
226
00:35:15.210 --> 00:35:16.590
Melissa Lawlor: insecurity, it just.
227
00:35:16.620 --> 00:35:17.520
Melissa Lawlor: It will never work.
228
00:35:18.120 --> 00:35:19.230
Mauricio Angee: My boss says.
229
00:35:19.380 --> 00:35:21.000
Mauricio Angee: How do we get to yes, Maurice he'll.
230
00:35:22.200 --> 00:35:22.590
Mauricio Angee: play.
231
00:35:22.980 --> 00:35:24.330
Mauricio Angee: i'm sorry.
232
00:35:25.230 --> 00:35:46.710
Mauricio Angee: The beautiful thing is the communication with my boss, he you know time out how do we get to yes and any I learned so many things, otherwise working to get to yes, then more complex thing of trying to say no, or why is it another good idea so that's yeah, how do we get to.
233
00:35:47.550 --> 00:35:51.930
Melissa Lawlor: yeah, how do we get to yes and velocity I think is the other term you probably hear a lot.
234
00:35:54.240 --> 00:36:10.650
Michael Ebert: So what, what do you think are the next steps for for cyber security and optimizing it as we look at the next 10 years and in all this new technology, all this new sensor based management and and biometric management, where we think next steps are.
235
00:36:11.850 --> 00:36:12.330
Michael Ebert: Listen.
236
00:36:13.290 --> 00:36:14.880
Melissa Lawlor: You know what I would say, Michael.
237
00:36:14.880 --> 00:36:15.990
Michael Ebert: Is you know we've.
238
00:36:16.020 --> 00:36:24.480
Melissa Lawlor: we've sort of skirted around it, this entire conversation but it's still the fundamentals just because the technology is changing and adapting and evolving.
239
00:36:24.810 --> 00:36:29.910
Melissa Lawlor: doesn't mean that the security foundations change you still need to be able to.
240
00:36:30.240 --> 00:36:45.750
Melissa Lawlor: Do your access management and privileged access management, you need to identify vulnerabilities you need to know where your assets are I know a big issue for for h&h right now is that we never had a strong m&a playbook as it related to it and.
241
00:36:45.750 --> 00:36:51.810
Melissa Lawlor: It security so we're cleaning up a lot of sins of the past in terms of those.
242
00:36:52.290 --> 00:36:59.610
Melissa Lawlor: Practices hospital locations that nobody took the time to say let's get them standardized and what does that standard look like.
243
00:36:59.850 --> 00:37:06.780
Melissa Lawlor: So before you can even worry about any of the next gen technology and all the fancy fun things that people like to talk about.
244
00:37:07.020 --> 00:37:19.860
Melissa Lawlor: it's really the foundation of how do you set standards for your organization from a technology perspective, a process perspective, so that when it comes time that there are these new.
245
00:37:20.670 --> 00:37:31.290
Melissa Lawlor: You know sexy toys in the in the industry it's just how do we bring them in to the environment it's not creating chaos and net new processes.
246
00:37:32.790 --> 00:37:33.390
Mauricio Angee: And this i'm gonna.
247
00:37:33.420 --> 00:37:44.670
Mauricio Angee: piggyback on that there's a an article if anybody cares like I wrote a few years ago and linkedin you can my linkedin account go back to basics and Melissa said it is like this go back to basic.
248
00:37:45.150 --> 00:37:54.390
Mauricio Angee: I think we're missing that so one thing I would do differently, I think i've heard from people is every time there is a new.
249
00:37:55.080 --> 00:38:05.340
Mauricio Angee: compromise the new bridge I bring my people my team together to review what happened, how it happened, what were the controls enablers that were the not work.
250
00:38:05.880 --> 00:38:15.870
Mauricio Angee: And so, by by doing that we learn more about how we are we either good we need improvement or we really going in the right direction.
251
00:38:16.170 --> 00:38:20.820
Mauricio Angee: So to answer the question why do I start there is what is relevant what you just said, but he's really.
252
00:38:21.360 --> 00:38:31.020
Mauricio Angee: So now, how do we enable new technologies and moving forward or new ideas and innovation with all these researchers happening at the University of Miami.
253
00:38:31.410 --> 00:38:42.060
Mauricio Angee: We got to be there is by not making the same mistakes I tell my team I don't care about the past or say don't come to me, as in the past, this person don't care, I just want to move forward.
254
00:38:42.330 --> 00:38:54.990
Mauricio Angee: Now, if your procedures if you procedures if you're you know document work papers are solid all you need to do is continue to do what you do best assessment.
255
00:38:55.710 --> 00:39:04.620
Mauricio Angee: Recommendations mitigation of risk and risk and never be zero, so we need to understand what is our risk appetite where risks like.
256
00:39:05.010 --> 00:39:14.490
Mauricio Angee: and focus on those areas now we're bringing more technology than ever the University of Miami so what you know, it is important for me and my team and the technology team.
257
00:39:14.850 --> 00:39:24.420
Mauricio Angee: To be a child to understand what the need is and to have that favorites is security controls medium nist 853, how do we apply that quickly.
258
00:39:24.780 --> 00:39:33.210
Mauricio Angee: And I have conversations with the sisters from the companies are bringing the technology and they understand what we said they fill out our security.
259
00:39:33.900 --> 00:39:44.070
Mauricio Angee: We don't call it a vendor risk management, we call it a vendor assessment or you know we're just trying to collect information about your practices, because we have the security than them.
260
00:39:44.610 --> 00:39:52.500
Mauricio Angee: But we've been able to identify do they have a good practices do they have solid practice where are we going to get hit if there's something goes wrong with vision.
261
00:39:53.010 --> 00:40:03.630
Mauricio Angee: So that's are the things that i'm trying to get my team to do and more agile and not live in the past, where people are not listening to me they make this mistake is how do we make people to.
262
00:40:04.140 --> 00:40:13.230
Mauricio Angee: What I say drink our own Kool aid and be able to understand that we have a job to do is protect the organization and and ultimately.
263
00:40:13.680 --> 00:40:28.530
Mauricio Angee: The reason I work in the healthcare I work with a passion for patient care and patient safety and that's always in my mind is nothing happened to that patient in that they get to get the care that they need from our health care worker.
264
00:40:33.240 --> 00:40:42.540
Michael Ebert: that's an excellent point he is about patient safety, radio, you know as as most knows, one of the one of the famous quotes is you know we care.
265
00:40:42.960 --> 00:40:56.580
Michael Ebert: When you look at CIA confidentiality integrity availability a physician and clinician will sacrifice confidentiality integrity for availability every day twice on Sunday, because it's about patient care it's about patient safety and the patient.
Michael Ebert: Management piece, and so, as we move to these biomedical areas and biomedical censoring at home acute care treatment content continuous monitoring we're adding great care of the patient we're adding safety for the patient, we can bear treat the patient bring so much complexity in the data were collecting how I have to secure where it goes and how we have to treat it and it just exponentially continues to grow, the complexity of what we're dealing with in healthcare today it's a leading issue so.
Mauricio Angee: My, yeah, I want to leave everybody with a thought, is cybersecurity, whatever you call it these days, information assurance, security or cybersecurity. And I want everybody to really, you know, understand what I'm going to say, because are we creating a denial of service against our patients? And we got to be very careful, and Melissa and I, when we met, we hit it off really well because we think the same way, but are we, because we're the Department of No, because we don't know, because we are afraid to say I don't know and we go get help, are we creating a denial of service on our patients? And that's one thing I want everybody here to remember, if anything else, is that we, they, because of that analysis.
Michael Ebert: Right, we have to be part of innovation every part of the way, right, we can't be the No department, we have to be the yes, but how can we make it work safely, confidentially and confidently in our environment, to protect the patient as well.
Melissa Lawlor: And tomorrow, tomorrow, CEOs point, don't be embarrassed to ask your peers, what are you doing, you know, how are you tackling this problem. You don't have to have all of the answers, you don't have to be solving every aspect of security and healthcare. Look at your peers and make those relationships and start to share information around here's what we're doing, here's sort of the trouble that we've run into today, or here's the success that we've seen so far. You know, we can share the documents with you, the project plans, whatever will help you also be successful, because at the end of the day, whether they're a patient for Hackensack Meridian Health or University of Miami, the whole point is that the patients are getting the care they need. That's what it comes down to.
Michael Ebert: I agree, and I don't think you two could have wrapped it up any better, that's it, you're absolutely a hundred percent right, this is about how we're treating our patients, how we're protecting our patients and how we're invading all at the same time.
Mauricio Angee: And I always support innovation, and how we support innovation, great. Thank you so much, it's a great discussion and I look forward to more of these in the future. Thank you.