Q: Let’s big picture this for a moment. When you look at the visual security metaphors that surround computing, the industry has coined sturdy language like “firewall” and “castle-and-moat strategy”—while a “cloud” is soft and amorphous. Why not “sky citadel” or “floating fortress”? In a subtle way, is the very metaphor of a cloud a psychological barrier to its adoption?

Ferrari: (Laughing) For many years I’ve had to explain why cloud is a useful term. It is storing your data outside of your four walls in such a way you can access it from anywhere, using any type of security option. The “cloud” nomenclature may not speak well to all the advancements in security, compliance, and privacy that have occurred inside the public cloud over the last decade.

Q: Healthcare is one of the top three industries when it comes to security breaches by volume. Some studies show it at number one. What is the most popular way protected health information is being monetized by hackers?

Ferrari: The first one is building out false medical claim information that can provide hackers or attackers another revenue stream. In one instance hackers actually took that data, built a false medical claim company, then sent out invoices to unknowing victims who actually had their insurance companies pay the claims! It’s super sophisticated.

Also, foreign hackers have used medical records and social security information to get medical procedures. But if you look at where the financial gain is, essentially it’s insurance fraud—whether it is directly to the patient or directly to the payer.

Q: And how badly can these incidents slow speed to market?

Ferrari: The ways hackers gain access to clinical data or patient data are often really sophisticated attacks—either in the ransomware space, the email phishing space, or running chatbots on your desktop. That has created a sense of “proceed with extreme caution,” specifically in many provider organizations. So when it comes to enabling new innovation, deploying a new third-party service, or even using a new clinical application—the number of approvals has gone through the roof. Approvals from the governance team, the security team, the compliance team, the IT organization. There’s probably an individual security risk assessment that needs to be reviewed of the third-party vendor, and there’s probably a third-party audit. Since the noise of healthcare breaches has increased, many risk-averse things are happening.

Q: For some segments of healthcare like life sciences organizations, speed to market is a top business objective due to aggressive competition. Focusing on life sciences organizations specifically, what is the most common mistake their IT departments make that can slow speed to market?

Ferrari: Failure points or service outages. Some life sciences organizations that I know of don’t just suffer from “it takes weeks or months to deploy new stuff.” When they actually need to run a trial, the equipment fails. An example: I talk a lot about heritage systems or legacy systems. A large life sciences company that I’ve known has such dated systems that the developers have actually retired. The remaining staff don’t know how to access or log into the system! So, every time the system goes down, they simply reboot the device and pray that it comes back up. At some point this system won’t come back and product development will grind to a halt.

For healthcare companies in general, by far, a top security incident is when the infrastructure that lives inside of healthcare facilities—whether it’s in their data centers or at the end-provider—is not patched and maintained. We’ve seen amazingly simple things like healthcare organizations that haven’t patched their servers for years. That’s the ignored weakness that hackers live for, and when they get in, any momentum you’re having with your product pipeline is going to feel the impact.

Q: Is it a mistake for life sciences companies to have a do-it-yourself attitude in the cloud—particularly in regard to new privacy laws as they reach across international geographic boundaries, such as GDPR? Is this slowing down speed to market?

Ferrari: Yes, in most cases they slow themselves down massively. One big challenge is that GDPR doesn’t just apply to European data sets, as you consider the patient population as it relates to receiving healthcare. They have to think about all of their data sets as they move forward. Change inside of regulation is difficult to keep up with.

Q: Each segment has unique risks. What may be a risk for life sciences may be different for payers. Let’s look at payers: If payers can decrease the cost of care and increase speed to market, they can offer more competitive rates in the marketplace. What do payer IT departments—that manage their information in an internal data center—lack that is keeping them from reaching that goal? And are they even aware they lack it?

Ferrari: Some organizations are aware. They typically have innovation centers or innovation teams, with a separate CTO or separate “Office of Digital” title, where they are refactoring their applications to be cloud-enabled. For some payer organizations, the opportunities of cloud-services are brand new. They are aware, but they don’t have a cloud roadmap. What they lack is “How do I get there?” That can be very complex for a payer organization with decades of claims data and ETL data that isn’t living in the cloud.

Additionally, the challenge for payers at scale on the talent side is that they really struggle with hiring—finding DevOps or security and compliance professionals who know public cloud and want to work at a payer can be tough. Most professionals who really know public cloud are probably working for a public cloud company or, if they’re in healthcare, at a healthcare IT company. So scaling on the talent side is definitely a challenge. A lot of payers are using third parties to help augment and continue to drive innovation.

Q: Continuing down the path with payers for a moment, payers receive information from so many different sources. Does this constant flow of data between organizations make payers more of a target?

Ferrari: It can make them more of a target. They are oftentimes more risk-averse—certainly more than a pharmaceutical or life sciences or healthcare IT customer—because those customers probably have more access to the talent or the ability to de-identify data when it hits their systems. The payers—because they are bringing in so many different sources of data—try to focus on setting up secure VPN or secure connectivity. It’s a requirement for HIPAA to have secure connectivity between the payer and the payload, that data that is being ingested from the other parties. That is the attack sector.

The challenge comes in when the hacker tries to find a ‘hole’ inside the payer environment, one that lacks a secure VPN or SSL-like connection that is transmitting HL7 (Health Level Seven) or other sensitive data. The outcome is risk aversion. When some payers, especially DIYers, get started in cloud, their data load just grows because most tend to avoid deleting PHI on backend systems due to the constant changes in regulation and the difficulty in matching what PHI belongs to whom, how old is that patient, what state is that patient in versus the regulations around how long I have to store it. So their storage footprint continues to grow. This could be handled more optimally if they worked side-by-side with a third-party expert who can discuss compliance, CapEx and OpEx considerations.

Q: Is there a specific compliance/security mistake payers make that hampers their speed-to-market?

Ferrari: Mistakes are often made at the ingestion points. It is not the payer, in many cases, that has trouble with the state of compliance. It is oftentimes the third parties. So, the payer has to go sign Business Associate Agreements (BAA) with every single one of the vendors they are ingesting data from—and that’s not only a financial beast, but also a beast to actually manage. Where we have seen failures in third-party vendors is when they are storing, processing, or transmitting PHI and are not in a state of compliance inside their organization. So what is slowing down the innovation of payers? The healthcare IT organizations that are part of the application solution, but not maintaining compliance or security.

Q: Is a healthcare organization’s IT department’s inability to scale resources to business needs a big factor that impacts a speed to market?

Ferrari: Yes, certainly. There are definitely scaling challenges both people-wise, as well as technology-wise. On the technology side, scale is a little different. It’s not enough to build cloud-enabled applications, but to leverage the cloud’s advantages to try to drive down costs as they scale. Some organizations are using containers to be able to pay only for running their application at peak periods. They’re also using serverless technology, which allows them to pay only when the actual code itself is being executed. This way, they’re not paying for infrastructure at all and can scale on demand. Some of the more innovative organizations are doing those kinds of things, but candidly that’s not as many as the market would like to see today.

Q: For IT departments using internal data centers: Is the constant vigilance required for security and compliance concerns overwhelming the department, taking them away from core responsibilities? Or is it the opposite—security and compliance become secondary because the team is stretched thin already?

Ferrari: It really is both. But I’ll pick the first one. There are so many changes on the security front, so many new vectors and new vulnerabilities that open up all the time. To put it in perspective, there are over twenty operating system patches per operating system per month, in many cases, and healthcare organizations don’t just run one operating system. On average, the organization is going to have hundreds—if not thousands—of laptops and desktops out in the field that could be potentially stolen, swiped, left somewhere—at all times. It can be completely overwhelming.

To give you a real example, I’ll talk about one of the smaller payer organizations that I’ve met with. Their overwhelming concern on the security front was around scale. Their IT team is 200, maybe 250 people. Only four people out of 250 focus full-time on maintaining security—looking at vulnerabilities, potential intrusion detections, or penetration detection coming inside the healthcare organization. Their challenge: they were getting a terabyte of log data in a week. Imagine trying to sift through a terabyte of data to detect the most urgent security issue inside the environment with only four people! That’s not even enough to cover a 24/7 shift.
During his career, Matt Ferrari has addressed the unique security concerns in healthcare IT firsthand. His descriptions of the speed-choking security mistakes should put every healthcare organization on alert—particularly the IT mistakes that involve ignoring common software updates. Tragically, there’s nothing uncommon about the damage that can be inflicted on a healthcare organization’s staff, product pipeline, and reputation.