This Week in Health Tech

Security - Malware, Viruses and More!

December 18, 2019 Vik Patel and Jimmy Kim with Cyber Security Expert, Dennis Leber Season 1 Episode 2

Vik and Jimmy welcome guest Dennis Leber, a cybersecurity expert, to discuss security challenges in general and for healthcare organizations.

Who is coming up with viruses and malware, and why are they trying to hack organizations?
What can we do to keep our data safe? 
What to watch out for when using the web and mobile apps.

Support the show (http://www.thisweekinhealthtech.com/)

Transcript

spk_1:   0:01
Welcome to another episode of This Week in Health Tech, where we cover the latest news and trends in the health tech industry. My name is Jimmy Kim, and I'm accompanied by my co-host, Vik Patel. Hey, what's going on, man? We are back. We're back. They had us back. Well, I hope so. I hope someone's listening. I'm sure. I'm sure. More than someone. At least my mom's listening, you know?

spk_2:   0:25
Okay, my mom too. So you've got

spk_1:   0:27
two. Perfect. That's all we need, man. How's it going? How's it hanging for you? It's

spk_2:   0:33
been hanging great. You know, um, I think there's a lot of different things on the go. I mean, business-wise, we're working on quite a few interesting projects, and one of the things that keeps coming up is that more and more of our clients are actually thinking about moving to the cloud. And, you know, as soon as you say moving data to the cloud, especially in health care, the biggest thing that comes up is always security. It's a big concern, right? I mean, the data is leaving your premises. It's going out to the cloud. It's usually going to one of the big three: Google, Microsoft or Amazon. But there are quite a few players out there, and security is always a big concern. So, you know, I'm really excited about this episode.

spk_1:   1:28
Yeah, you know, and this episode will actually feature a third party. We're actually gonna have a guest for this episode. He goes by the name Dennis Leber, and he's a leading expert in the cybersecurity world. And I'm interested to know about it, and, like, I guess, like any kind of business, whether it's health tech or whether you decide to open up a retail store, security's going to be a big resource that you're going to invest in, right? And, oh,

spk_2:   1:55
huge. I mean, it's a cat-and-mouse game. It's nonstop. So you definitely want to invest in it. And yeah, I mean, I'm excited about having Dennis on the show, and one thing that you don't know is that Dennis actually worked at one of the hospitals that we work with.

spk_1:   2:16
You know him well. How much did you have to pay Dennis to get him on the show?

spk_2:   2:21
I won't disclose that. He's a good friend. So it's probably, ah, you know, two pounds of wings and beer. Perfect. Not too much.

spk_1:   2:33
He's getting more than I am. I gotta renegotiate. You

spk_2:   2:40
do, man. Ah, what are you getting? I don't remember.

spk_1:   2:44
I feel like I'm in the minuses. It's all good. Monetarily, perhaps, I'm in the minuses, but in terms of knowledge, honestly, the articles you send me, the people that we've spoken to already, I've learned a lot already. But listen, with cybersecurity, while we're waiting for Dennis to come on, do you think cybersecurity is a hard space? Like, you talk about cat and mouse. Is this something that we're doing a good job of right now? Are we behind, in the sense that the bad guys are winning right now? I

spk_2:   3:21
would say I don't think the bad guys are winning, but I know it's definitely something. Like malware and viruses, they pretty much affect every organization out there. I mean, I'm sure even you, personally, at some point were affected. I mean, one of your computers was affected in some way, right? So imagine dealing with hundreds and thousands of computers in a business and making sure that these are all safe all the time, so we don't lose any of our sensitive data. And yeah, I mean, especially in health care, I know, um, that there was a survey done by the Ponemon Institute, and 50% of the organizations that were surveyed actually said that, yes, we were affected in some way by malware. I mean, that's huge. Half of the organizations said yes. So

spk_0:   4:23
it is a

spk_2:   4:23
big deal, right? I mean, I don't know. Really, I mean, I don't think that you can stay ahead of the hackers at the end of the day. Those guys are there because they come up with a new way to break in, or they find a loophole that exists that no one has seen before. And that's what you usually fix, right? But you need tools to actually identify when something is broken. I mean, that's where it starts. I'm interested in seeing what Dennis has to say about those things. And maybe you can ask him who's winning.

spk_1:   4:58
Uh, well, look, I don't know if this is gonna sound silly or not, but who is coming up with malware and viruses? You mentioned hackers, but what's their motive for wanting to do something like this?

spk_2:   5:13
Oh, I think it's all monetary.

spk_1:   5:16
It's monetary. Let's say my data is in a cloud, for example. Right now my data is in a cloud, my hospital records, this and that. Why would a hacker want that information to begin with? And then how would they, like, how would someone make money doing something like that? I couldn't even imagine it.

spk_2:   5:37
No, I mean personal finance data, like, for example, your credit cards. You can imagine how they would use those. They would actually try and buy things, obviously, using those credit card numbers and the passwords that they have stolen. There are also other ways. Obviously, if you have collected enough data, there are companies out there, like, you can actually sell that data. I mean, at the end of the day, it's very important personal data that other people are willing to pay for. And, um, the other way I think they also make money is, for example, ransomware, where what they do is, once they deploy ransomware on your network, all your files are encrypted, so you can no longer use any of your information or data on any of your computers until they give you the key to unlock and decrypt your data. And a lot of times, that's after you pay those people, the hackers or wherever they're located, in Bitcoin or however you end up paying them. Usually they ask for Bitcoin because you can't trace it once you make a Bitcoin payment. That's the beauty of having a decentralized currency. And you know, we don't want to get into that hole. Maybe that should be another episode,

spk_1:   7:03
because I would love to get educated on that. I have asked a few people who are in it, and I still don't know how that works. So This Week in Health Tech would like to introduce you to our guest on today's show. He is an award winner for the most innovative security programs in 2017 and 2018, and I'm sure he'll repeat for 2019 as well. He can be found in articles in Forbes magazine. He's an author, a veteran, but most of all, a proud Kentuckian. May I introduce Dennis Leber. Dennis Leber, welcome to the show.

spk_0:   7:35
Uh, glad to be here. Thank you.

spk_2:   7:37
Welcome, Dennis.

spk_1:   7:39
So, Dennis, we have you on today's show because today's topic is about cybersecurity. And, ah, from the sounds of it, you are a leading man in this industry. So why don't you give listeners a little bit of an introduction of yourself?

spk_0:   7:54
Sure, be glad to. I'm currently serving as the chief information security officer for the Cabinet for Health and Family Services at the Commonwealth of Kentucky. Ah, and that involves a lot. We, uh, in the cabinet serve all the residents of the Commonwealth, and it's all the services that a citizen would need in the Commonwealth, so we strive to protect the data the best I can. And it's a very broad range of data. It's from birth certificates to food assistance to health care, adoption assistance and any service that you could think of that a citizen or resident of the Commonwealth would need.

spk_1:   8:34
Mmm, um, and just going to give you a little tidbit here. I'm actually quite the layman in this health tech world, and I'm hoping to learn today. So I speak for some of the listeners; Vik and yourself are obviously the experts. And I understand that security is a very big thing in any industry. We were just talking, just before you came on the show, about whether you own a retail store, whether you own something online, like, security's important. Um, but for me, it's hard to imagine. Let's say I owned a store. I can put up gates and I can set up alarms and things like that. In the online world, in the cyber world, how would, like, the health tech industry, how would they secure their information?

spk_0:   9:16
Sure, and, you know, I like to try to simplify cybersecurity to its core for anyone and everyone that we can. That's how we align with business, right: it's simplified, people understand it. So when you get to any industry, be it auto manufacturing, be it health care, you have to simplify it to the fact of, we're serving, as a business we're serving someone or providing a service. And in today's time and age, and even for decades now, right, service is done over the Internet, through a computer, through a mobile device. There's not an industry out there that doesn't provide the customer a means to do their business over a computer. So to simplify that down further: servers are servers. If you are using a Linux or a Microsoft server in the automotive industry or health care industry or banking industry, it's the same damn thing, right? Data traverses over networks; they're bits and bytes, as a lot of tech folks like to say. So when you can simplify it down to that point, now you're protecting those physical assets of your infrastructure, your servers and your machines. You're protecting the data and how that data is transported and stored and used, who has access to it. And then, yes, you have to protect the users, the humans that are using it. And that's how I like to try to simplify it when we start talking about it, or talking to organizations that are struggling with cybersecurity or just getting started in cybersecurity. So you talk about a small mom-and-pop store like you kind of mentioned, right. They still have a point-of-sale system, which is a computer which is transporting data, which is storing data. Now you start talking to them about what is the important data there, so you can take news stories related to credit card data being stolen and being sold, and you start saying, you go, your system has that data.
Now let's talk about the risk to that data and then the ways we protect that data beyond just the technical: how we protect the human, the machine, and the processes and procedures. And when you start laying it out like that, you've built a foundation; you talk about it. It really contributes to the conversation and helps folks understand who may not understand or be used to it. Uh, you know, we don't ever want to assume that someone doesn't know anything, but you also want to assume that maybe they don't. A lot of folks that are in business, and going back to health care, there are a lot of very technically savvy people in health care. But when you're talking to a provider, or someone in the billing department who uses a computer every day, they may not really understand technology, so you have to lay the foundation and try to simplify it and relate it back to the business.

spk_1:   12:08
And I feel like you're talking to me. So, gentlemen, you know, we were talking about health tech and the health tech space. I would love to get both your opinions about something that I came across in an article. I don't know if you guys have come across this or not, but, you know, recently, ah, there was a cloud deal between Google and a hospital chain by the name of Ascension, and this was reported recently in The Wall Street Journal, and this has now raised fears of how this information is going to be used. Now, me, like I said, as a layman here, I think, OK, Google, they're a very large company, and Ascension, this chain of hospitals. Why should I be worried? Or why should the public be worried that they have come to this deal?

spk_0:   12:56
So I actually just saw and read the article today, and what I had taken from that article, uh, there were two things. One, there is the statement that both organizations are doing everything that is required by CMS to be what's deemed HIPAA compliant. The second thing I took from that was you have internal employees raising concerns. Any time your internal employees are raising concerns, I think it warrants listening. You know, there's some validation, uh, trust but verify, right. But when you have internal employees saying, hey, what's happening with an organization doesn't appear to be completely... I wouldn't say it's not legitimate, but they're raising concerns. You should listen to the concerns. Um, the concern that I read in the article was the data harvesting and the use of data analytics that Google does with data. Um, and that's what we know Google does, and does it well, right? They use it for targeted marketing and research and many other things. And that's what the concern was in that article: yes, the de-identification of data is there. The business associate agreements are there. They're taking efforts to provide the HIPAA protections required under the law. But what are they going to do? What are the ways they're getting around that? Um, I've read an article in the past, and it's with research, and I'd have to find it; maybe I'll send it to you later, Jimmy. But there was a company that was able to take de-identified data and, within three to six data points that were all not related to each other, identify Jimmy or identify Dennis. It wasn't anything that wasn't public knowledge, so they weren't doing anything illegal or sneaky, but they definitely proved through the research that de-identified data doesn't really keep you from being identified.
Google, with the processing power and speed they have, and access to data, probably exceeds the amount required to go back and re-identify data and target health care, right? And that was the big thing: are patients going to be targeted now for marketing for their health care solutions? Those are the numerous things from that article.

spk_2:   15:49
Yeah, and the other thing that stood out to me, I mean, this whole partnership between Google and Ascension, it looks like it started out from a project, because it's such a big hospital chain. They have data in multiple locations at multiple facilities, maybe in different EMRs. So I think Google was actually helping them put it all together, so that way the data is accessible from the cloud for all the patients, no matter what facility you are going to. And that kind of makes sense, right? I mean, you do want to use a big, trusted partner. In this case, "trusted" might be stretching it a little bit, just because we know the Google search engine and the marketing and the advertisements that we see. I mean, there's so much targeted advertising already. But as Dennis said, once you have access to the health care data of patients, now you can take it to the next level using that data. And I think maybe that's where, Dennis, you know, some of those employees' concerns may have stemmed from. Um, but it wasn't totally clear, you know, exactly how the partnership was going to use the data. I know there were a few things about, OK, we wanted to use the cloud for data sharing, and then we wanted to use the Google suite for employees, so they can use the Google suite for document storage, for emails and everything else that comes with the Google suite. But to me, Jimmy, I wasn't 100% clear on exactly what the partnership was about, but it is definitely, legitimately, you know, concerning, right? I mean, once Google has access to your health data, how much more can they target you? You know, like the targeted advertising. Um, if you're sitting at your home computer with somebody, and you know you have guests over, and next thing you know, you have this ad pop up for liver disease or, you know, whatever, Jimmy, you know, whatever other, ah,

spk_1:   18:10
whatever humans that I'm

spk_2:   18:11
one of. And I mean, that's, you know. So anyways, I think that's a good one to bring up, especially related to security and health care.

spk_1:   18:22
Is that such a terrible thing? I mean, I'm going to play devil's advocate here. Like, I would like to think I'm pretty careful with the information that I put up. Well, what?

spk_0:   18:33
I'll jump in on that with you, Jimmy. So, playing devil's advocate, one of the roles of the security team is the what-if, right? Uh, you start tying into privacy as well, right? So this is where your chief privacy officer and the privacy rules come in. So here's some what-ifs. Google, through Ascension data, and I just sent you the link to the researchers that are able to identify de-identified data with very few data points, um, they legally, right, they legally use this data, and they use their data sets to identify Jimmy through all the data sets and all the data, now including your medical data, or your medical profile. Um, you have a probability of dying before you're 65. Yeah. So you start applying for home loans when you're 50, they're selling this data to Equifax and Experian and TransUnion, and your risk factor goes up and you don't get a home loan because, well, you're going to pass away before you pay the loan back, right? And you could take an example like that and just run wild with it. Think of all the data sets that people who make decisions now can include in making the decisions: life insurance, car insurance. Um, I mean, just a little

spk_2:   20:07
money. On the other hand, I mean, that's a great point, you know? Now big companies have access to very sensitive data, and it's actually helping them make decisions in terms of, this is the kind of insurance that we are going to give you based on this data that we have, and I'm gonna tell you how we got that data. But on the other hand, what about research? I mean, research needs a lot of data, and Google and Microsoft and Amazon have the processing power to actually use some of this anonymized data and maybe help us solve some of the things that we have actually been trying to crack, right? I mean, with cancer and a lot of the other diseases that are out there that we still don't have any answer for, maybe using this health data, if it's de-identified. And again, you know, I see your article here that you just sent us about how you could still, if you really wanted to, um, identify people. But I mean, that takes a lot of work; you do need to actually use the processing power to get to that point. And, you know, it's not cheap, so I don't know. I mean, in this case, we don't know if Google actually has that goal of actually using that data in terms of sharing that data with researchers across universities or, um, you know, medical treatment centers. But that would be good to know.

spk_0:   21:48
Well, you know, I like to assume that everyone, especially big companies like Google, and Google has a reputation of doing the right thing often, right? All businesses are in business to make money, but, you know, you should, right, do no evil, right? We like to assume, and I think it's safe to assume, that most people and most companies have the best of intentions. And you mentioned the research that could help cure cancer or HIV, right, or the opioid epidemic. And those are happening now, right? We have systems even here in the Commonwealth of Kentucky where we're doing data analytics and using that data analytics to improve the health of the residents and the health care provided. I mean, that is occurring now. So, yes, I agree with that. I think that's, ah, the intention. I think that would be an outcome, especially with the backing, like you said, of the computing power that Google has and the data analytics that Google has displayed. You also have to keep in mind that it will be monetized, right, and it's a service that could be provided. Well, will it make one central research? Could it put out all the others doing this research? I mean, IBM Watson, uh, there are people that are building these systems themselves, and, you know, there are health care providers, like our state is building one. You know, does that all become competition now? Does it all go away? So you have a whole lot of what-ifs. Again, best of intentions, but, you know, do we have a monopoly? Does Google become the sole source of that research? Right.

spk_1:   23:34
So now we've identified, like, these are some of the issues. But okay, so maybe not at the level of Google or Ascension, but there's gotta be other companies and other hospitals, you know, making similar kinds of deals with clouds. If I'm one of those hospitals and you guys are one of these Googles and we come together now and we've brokered this deal, what are some of the things that I should be doing or I should be aware of so that I can protect the information of my clients?

spk_0:   24:09
So the first thing, and I'm just going to speak generally about an organization, you know, we're talking about health care, but any organization that is migrating to the cloud and depending on the cloud for their computing, right, um, the first thing I tell folks is cloud does not equate to security. Is there a certain amount of inherent security that comes with moving to the cloud, and reduced costs of some security controls that come with the cloud? Yes, absolutely. There's a certain amount of responsibility that that cloud provider has and provides, which leads to: you need to have a discussion, or have someone like a CISO or security leader that can have that discussion, with that cloud provider to understand exactly what is the amount of security and type of security you provide, and then what is the responsibility that falls back on us as the client or the customer using the cloud. Um, AWS, Amazon, and Azure, they publish their shared security, uh, I'm looking for the word, their standards, yeah, their model. Yeah, you can Google it, and I am talking about Google, and, you know, Amazon or Azure, and they publish it. You also have to have someone who understands what that means and then where the gaps are. Uh, one of the biggest, um, reasons for breaches of customers that are utilizing the cloud here over last year was misconfigurations, and the misconfigurations were on the customers and not the cloud provider. So you have to understand what that means. You gotta have a security team that understands what the configurations are and how do we make sure they're not misconfigured or left unconfigured; some of that's coding, some of it's settings. And you gotta have those conversations and you have to monitor that. And there's still access management. There's still your users' access in those cloud providers and your solutions that are residing on those clouds.
So, yeah, that "click here, put your username and password in because we've got to fix something," you've created the same problem, and you still have to control that. You know, Amazon is there, but no one can control your users regardless of where they're at. So going into the cloud definitely has financial benefits. It alleviates some of the costs of security; it aids in compliance. You know, these systems that are health tech, they're HIPAA compliant. It's easier to look at your cloud provider and go, prove to us, give us a certificate, you know, documentation that you are meeting these HIPAA requirements that, well, you're required to meet, so we can show the feds that we're doing that, right. You've eliminated some work there; now it's an email or a phone call. But you also have to be able to go, okay, now on our side, this is what we're doing. These are where our requirements are still in place. We're still accountable and responsible for these things.

spk_2:   27:30
Yeah, that's a great point, Dennis. And we are actually seeing that more and more, as a lot of our clients are moving from on-prem to cloud, whether it's Google, AWS or Azure. And, you know, like you said, I mean, of course, you get all these resources with the cloud providers. It makes it easy to do your backups, to make sure you have the policies in place, and how are we going to do the disaster recovery? But at the end of the day, the architecture, how you have used the cloud, that's still your responsibility. So that's still the responsibility of the client. And yeah, I mean, we pay a lot of attention to the architecture to make sure the security concerns are all covered, because at the end of the day, the cloud provider is gonna tell you, hey, we had the tools for you; you just have to use them correctly. So that, yeah, that's a great point. I mean, the cloud's there, all the resources are there, but you actually still need the right, especially the right resources on your team to actually take advantage of the cloud provider.

spk_0:   28:43
Sure. And you can get complex with that, right? So, you know, Salesforce, a well-known company, a big company, does things well. You know, they have a lot of custom configurations, depending on what you're building on Salesforce. You know, a lot of the time the code of the application living in Salesforce is maybe 100% yours still. So if you write bad code and it's vulnerable to hacking, Salesforce is gonna go, well, our stuff was always very secure; they got in because, well, your stuff was weak,

spk_2:   29:15
right? Yeah. So you're saying if I'm a CIO, you know, at a hospital or a health system, these are some of the things that you still need to pay attention to. It's not just, okay, we have our BAA, or the business agreement, with Google, AWS or Microsoft, whoever you go with. But as the leader, as the CIO, you still need to make sure your team knows how exactly they're executing, how they're implementing, whether you're moving your EHR or whether you're moving your integration to the cloud, whatever it may be, you still need to have it. So if you architect it internally, maybe hire an outside consultant to verify that and get third-party feedback on your design.

spk_0:   30:10
Exactly. And it's not just that; you have to make sure you're thinking beyond compliance. So a lot of those things you listed, right, are compliance and not necessarily security. Compliance does not equate to security, nor does security completely equate back to compliance, right?

spk_2:   30:29
Jimmy? Did you get all that?

spk_1:   30:32
Um, I'm still trying to process it. Process

spk_2:   30:36
it. Why don't you use Google for your processing?

spk_1:   30:40
Use Google? It sounds like I shouldn't. That's what I thought was my takeaway from this conversation.

spk_2:   30:46
I think security is such a huge, such a big topic, right? I mean, and it never ends. It's not that, OK, we turn on the firewall, and we're making sure that we are upgrading the firewall whenever it's required, and, you know, we have the Windows updates on our computers. It never stops; you always have to keep up otherwise, you know? Anyway, so it's one of those cat-and-mouse things, as Jimmy talked about at the very beginning. So yeah, I mean, we really appreciate all the knowledge that you shared today. Thank you.

spk_0:   31:21
Sure. You know, any time I have a platform to advocate, I like to advocate. So, you know, with what you just said, Vik, you know, security is not an add-on, right. Security is still maturing, and I think we're getting better at it. I think we're getting closer to the way it needs to be, but, um, you know, the CFO, the CEO are not someone you talk to after business is done, right? They are involved in the conversations while business is being done. Security in some organizations, in some industries, is not there yet. Security is an afterthought, or security is a subsection of the IT department, and that has to change. Security has to be in the business flow, in the business decisions, in the business risk from the get-go. I mean, you think about the impact of a security and a cybersecurity event to the business; they say it's one of the top, right, two or three in impact to business. So one of your items in your business risk that could have one of the largest effects on your business is thought of afterwards, or tucked away in a corner, or at a level lower than, you know, the board or sitting at the table. Ah, and to your point, Vik, security is always changing. That's one of the reasons, and we could talk for another hour about all the reasons why I'm in cybersecurity, but one of the reasons is it is always changing. Uh, I don't like to be bored in cybersecurity. What I did today, I can wake up tomorrow to go to work, and there are new things I learn, there are new things to do. So it's an ever-changing, you know, industry. And it's more than just, like you said, firewalls and secure coding. A lot of folks that get into cybersecurity, they go, you know, I want to be in cybersecurity, and I've created jobs with entry-level analysts where they can get an idea of what they want to do in cybersecurity. But when we interview those people, everybody wants the sexy job of being the hacker, right? Right.
What do you want to do in cybersecurity is one of my questions. "I wanna hack." And then they get in there and they go, man, hacking is kind of boring, because you spend a lot of time researching and writing code and digging around, and you've got to write a report when you're done hacking, if you do it for a company. And they go, wow, well, you know, it's not as fun as I thought it was gonna be, or it's harder than I thought it'd be. You know, it's a special kind of person, like a firefighter, a policeman. If you really, really like to hack, uh, it's a different breed. But they get into my security office and they start realizing, oh, wow, there's policy writing, there's governance and oversight and risk management, and, oh, you've got incident response, and, you know, all these other facets that a lot of people don't realize are a part of cybersecurity. And I think a lot of industries are still learning that, too. They go, oh, we've got a CISO, so we've got security. And you don't, right. You've got to have all those parts, you know, and the list goes on: your staff, access management. I mean, there are so many parts of security that I think a lot of organizational leaders don't realize are actually security. There is that misperception of, I've got a firewall, I met the checklist of PCI or HIPAA, and it's a false security blanket. They have a sense of security, and it's a false sense of security. And it goes back to that: compliance doesn't mean security, nor does security mean you're compliant.

spk_2:   35:04
Wow. No, that was, I think every security officer in every health system, every CIO should hear that. I mean, that's exactly it. You know,

spk_1:   35:16
I'm curious. I'm really curious to see how this Google and Ascension thing is happening. I mean, this has just started, and by the sounds of it, there could be a lot of implications for the bad and for the good.

spk_2:   35:27
We didn't even talk about, I didn't even touch Apple Health Records. You know, if you go on the Apple website and you look at how many organizations have signed up to share that data with Apple so that you can, you know, because in every iPhone you have the Apple Health Records app, where you can actually see all your medical record, you know, in a really nice way, which I think should be the case. And so many organizations have signed up. I mean, it's only one way right now, from the hospital information system into your iPhone through these APIs that have been enabled by all these hospital EHRs. But it's coming, I mean, and that's the way it should go. But what that also means is that you need to know how you are, you know, what your architecture is, where exactly you're sharing the data from. And if you have, as Dennis said, you know, if you have considered all the different areas that you needed to be aware of when it comes to security,

spk_0:   36:32
Well, you know, Vic, and that, us as individuals need to understand that, right? So we all have the smartphone. You know, if it's Android or Apple, they all have, like, Samsung Health is on the Samsung phones, or the Apple Health. If you've got the watches, it's collecting health data on you constantly. Your heart rate. You know what you ate, if you're filling in all that, your exercise.

spk_1:   36:55
I

spk_0:   36:55
mean, that's right. So it's like any time you share data, uh, you have to really be aware of what you're sharing and what's being done with that data. You know, you think of GDPR and the California privacy rules that are coming out now. That's one of the big things in those laws: the organization that collected the data has to be more clear about what they're collecting and how they're using it, because you, as the individual, you're agreeing to it. So if you don't read those agreements and they're saying they were going to use this data and we're gonna market you for political, healthcare and financial markers. Does anyone read that?

spk_2:   37:36
I mean, I have never read it.

spk_0:   37:38
Don't you touch? It's like a Bible. I mean, that's the problem, right? No, but

spk_1:   37:43
Honestly, I've read some of them.

spk_2:   37:46
No, you have.

spk_1:   37:46
I haven't read, I know I haven't read the whole thing, but I read it because I was signing up to something and it said just briefly, just gave me kind of like, well, we're gonna need this data, we're gonna use this data. I'm like, well, what kind of data? And, you know, pretty much things like when I log onto this program and so on, so forth. But there was no option to not let them use it, right? Like I either had to accept that that's the information that I was gonna give them, or I wouldn't have access to this program.

spk_0:   38:18
Don't you? Yeah. And there was no option for you to opt out, and that's really bad. So I think a good example, Jimmy, and it could be a whole other podcast, is the Fitbit, and the sale of Fitbit, right? A lot of people were complaining about that going, no, thank you, burning it today. And I don't know, but they've already got all your data, and people who went back and read the Fitbit agreement, there's a little sentence in there that says they own your data. So you agreed to it. Once they collect that data, it's not your data anymore. It's their data.

spk_1:   38:47
Wow. So it's kind of like, it's a double-edged sword, right? At least I feel like now I've been seeing a lot of, um, a lot of, like, you go to the doctor's office now and they're using some sort of app, right, to put the doctor's notes

spk_2:   39:05
down. Most of them now have an electronic medical records system.

spk_1:   39:10
Yes. So, things like, I want to use that, but at the same time, I guess these app companies, they own this data, right? I haven't looked at the terms of agreement for those things, but I

spk_2:   39:21
mean, are you comparing your doctor? I mean, that's a great question right there. You know, your doctor, he's actually working directly with you on your health care. So I hope you want them to have your data. I mean, I wouldn't mind.

spk_1:   39:38
I want my doctor to have my data, but at the same time, do I want this? My doctor's not the one that came up with the app or the programs, right?

spk_0:   39:46
Well, you know, that's a little bit different situation, because doctors or providers are regulated by HIPAA rules, right? So they have rules around what they can and cannot do with your data and how they have to store it to protect it, and who they can and cannot share it with, and how you can and cannot share it. Um, so there's a little complexity there, but you're right. What if, you know, these EHRs that they are using to do your records, what's the agreement between the doctor and the EHR? And like I said, we like to believe everyone's doing the right thing, but are they? How do you prove it? They're going, yeah, we're not, you know, we're not gonna use your data, but they're using it, right? Or they're going, well, the loophole is you can use de-identified data. Well, okay, we're using de-identified, and we're not hurting nobody. But they've got processes in the backside, like the link I sent you, where you can re-identify data, and they're going, that's not illegal either. So, yeah, we followed all the rules, but like, that's why lawyers exist. And politicians, that's right. They find loopholes, and they get around it legally.

spk_2:   40:55
And Dennis, I think that was a good one. I mean, in terms of, you know, what's the agreement between the provider and the EHR. And especially if you're using a lot of these new EHRs, they're hosted, they don't give you the option anymore. For example, I think Athena, you don't really have an option to have an on-prem installation for that EHR. It's all in the cloud. So that's a great question. I mean, if I am the CIO, or even the privacy officer, you know, you should look into those agreements in terms of, OK, if this data is in your cloud, you're not storing it on-prem anymore, what exactly does that mean? Can you share that de-identified data with anyone for research purposes, or any of that? Um, yeah. I mean, I'm not sure how many organizations actually think about that.

spk_0:   41:59
Well, we spend a lot of time in agreements, uh, at the Commonwealth, and a lot of it's driven by security of, here's some questions we need to ask. How are you protecting the data? How are you segmenting the data? Where does this data reside? How do we make sure that the data doesn't leak out or be used? I mean, but you're right. If you don't think to ask those questions, then you may be falling victim, I would say, you know, loosely, to the loopholes. And if you are an organization who has a more mature security and privacy program, hopefully you're asking those questions and getting it into your procurement contracts, or if you're doing requests for proposals, you make that up front in the proposal: this is what we are requiring, and we require that once you collect this data, it's not shared at all, back with us, right, or with who we tell you can. I mean, sometimes it's just a simple conversation. You know, you could tie that back to the cloud misconfigurations. It could be a contract misconfiguration. All right, you didn't add or ask the right question, or add the right statement into your contract with your cloud provider that prevents them from doing, and I won't say something illegal, a legal loophole.

spk_2:   43:19
And I wonder how, I mean, okay, sure, if you modify your agreement and you customize it, but at the end of the day, I mean, are they actually going to modify the way they are storing and making sure that your data is staying separate from everything else, just because your agreement was slightly different than all these other organizations that they're also hosting in the cloud, in

spk_0:   43:49
the same cloud? Sure, sure, because these cloud providers are very configurable, right? I mean, they have the public cloud and private cloud. They have the FedRAMP certified gov clouds. So yes, right, they will. But you have to ask, right? It's like Burger King. You know, you gotta order a Whopper and you want it your way. You have to tell them what your way is. And if they can't make it your way, then maybe you need to look at someone else, right? If they're not willing to change your contract, or they can't provide what you're asking, to me that sounds like shopping, right? It's not the vehicle I need. So

spk_1:   44:24
So look, Dennis, both Vic and I, we appreciate you taking the time and coming onto our show. Where can people get to know you more? Where can people find you? I have your website, which is dennisleber.com, D-E-N-N-I-S-L-E-B-E-R dot com. If somebody wants to get in contact with you, wants some of your advice, where can they find you?

spk_0:   44:46
Sure. I'm also on LinkedIn. I'm on Twitter. Pretty easy to find. It's all Dennis Leber.

spk_1:   44:53
Yeah, just Google Dennis Leber, right. You'll find him.

spk_0:   44:56
And there's some truth to that.

spk_1:   44:58
Yeah. Thank you so much. Enjoy. Enjoy the rest of your evening.

spk_0:   45:01
Thanks. guys.

spk_2:   45:01
Thank you. Thank

spk_1:   45:03
you. Hey, Vic. So we just finished talking to Dennis, and I learned a lot. And I think what I learned the most is, like, I gotta be careful when I get on that cloud.

spk_2:   45:13
All you need to, and I learned so much, because one of the things that we are focusing on, as I was telling Dennis, was, uh, you know, how we are working with our clients and moving them to the cloud and the architecture. But what stood out to me was when he was talking about these agreements that you need to pay so much attention to when you are moving to the cloud, and making sure you're going through the very minute details. And I'm amazed that you actually read those agreements. Good for you. Yeah. I

spk_1:   45:50
said I read a little bit of it, and then I was just, like, all right. Just like sometimes, you guys were talking, I was just kind of nodding my head over here, and you're like, are you still there? I'm like, yeah, I'm still here, trying to process everything.

spk_2:   46:02
Well, so yeah, I mean, I think those things really stood out to me, and just awareness. I mean, in terms of just making sure that just because you're moving to the cloud doesn't mean it's good to go. I mean, you still need the expertise on your team, or you need to hire the expertise outside of the organization, just to make sure that you have all your bases covered. But again, I think that was a very, very good episode. I think I learned a lot about security.

spk_1:   46:34
Amazing, amazing. And that's a wrap for another episode of This Week in Health Tech. I hope you'll join us next week. Hit that subscribe button so that you don't miss a beat. My name is Jimmy Kim, and I am Vic Patel. We'll see you next week. This Week in Health Tech is brought to you by Tito Wink. I trust the tech partner for health care organizations.