Transcript
[HOWARD] Hey, guys.
[KOPCZYNSKI] Hello. Hello.
[HOWARD] Sumit and Tyson, thanks for being here today. Welcome, everybody. My name is Matt Howard. I'm the chief marketing officer at Virtru. And today, I get the great privilege of doing what I, love to do most, which is spend about forty five minutes to an hour chatting with some really, really smart guys who, are living on the front lines of, you know, what it means to be a modern cybersecurity, kind of data security leader, in the world today, which is certainly not an easy job. So, Sumit and Tyson, thank you both for being here.
[KOPCZYNSKI] Yeah. Thank you.
[HOWARD] Sumit if you don't mind, I welcome you to introduce yourself. Just kinda just give us a quick perspective on your background and kind of, your journey through the industry.
[SEHGAL] Sure. Absolutely happy to. So thank you everybody for joining. I've been, and I lead, the technology and the security programs here at American Addiction Centers, and I've been in health care for about twenty five, twenty six years off and on depending upon the type of organization. Right? So I've had sixteen years of experience directly in provider settings in different areas, and I've also led eight years worth of security technology go to market and product alignment to health care. So it's been a fun journey to see security change from the late nineties, early two thousands, into now. And, also how I would say attitudes towards data identity about I think overall the value of what a security program can bring to the organization, how that it has changed over the last twenty years. So I've had a lot of good fortune of working with good mentor mentors and varied experiences from, like, small rural hospitals to academic health centers to private equity multisite specialty locations. So happy to be happy and excited to be in the conversation today.
[HOWARD] That's awesome. Thank you very much for that intro. Tyson, how about you?
[KOPCZYNSKI] Yeah. So I'm, I'm Tyson. I'm coming to you live from Japan. I'm the prior CISO at Aledade. Long story short, I've actually been in security well over twenty years across several industries, large and small companies. I've been in and out of consulting, across those various dimensions. I work with various startups on their go to market strategies. I also sit on Team eight cyber advisory board. I'm now operating as a fractional CISO, helping, advise, various companies or their CISOs and their boards on, you know, good good cyber practices. I'm also part of a consortium of CISOs now working to to stand up a CISO professional association. So think kind of like the ABA, but, for CISOs themselves. And I'm also happy to be here, live from Japan.
[HOWARD] Yes. Thank you for being up late. We really are very grateful for that. So the title of the conversation today, as you both know, is interesting. We kinda picked this walking the tightrope, navigating data security challenges in Modern Health Care. I I thought it would be interesting based on some conversations that the two of us had recently the three of us had recently. Before we get into modern healthcare, I thought it would be useful to have the two of you comment on what it was like maybe, you know, ten, fifteen years ago just to set some historical context. Because data security and health care has been a thing, as everyone on this call today knows, for a long, long time, and there have been, you know, sort of large scale attempts within the industry, within sort of massive technology vendors, Microsoft comes to mind, you know, to try and put sort of good controls and governance into place to help health care specifically get a grasp on data security. You know, from a historical perspective, if you look back just a few years, you know, Sumit, I'll start with you. How do you think about that kind of, like, past that rear looking view? What worked? What didn't? And curious to get your thoughts on that.
[SEHGAL] It's interesting how this landscape has changed. Right? It started out I mean, back in the day, it was mostly a compliance exercise. Right? We the data at that time was still very much kind of on the brink of what I would call being used for something that clinicians the word they use is clinical decision support. Right? Fancy way of saying, we need systems to make data about clinical care. So there was this very, like, fine line in the sand between what we need to protect versus how we use data to treat patients. That line has started to get blurred over the last ten to fifteen years ever since, at least in the US, the meaningful use regulations kinda came into play, as well as the importance of data started to switch from just protecting and encrypting the sensitive parts, like, in in identify all the information and stuff like that to more now worrying about availability, about continuity of operations, about, clinical quality, clinical safety. So I think that has probably been the biggest shift that I've seen that security people have had to deal with because in the past, we were all technologists that were looking more from deploying a solution that helps provide a certain output. Now you have to take that and kinda marry that with what does it mean for the security to provide a mitigation for a risk, and what does the risk mean for the organization. So it's much more of a black or white conversation. It's more of a shades of gray, on how health care, I think, as an industry in general, views data. The other piece, I think, I will also wanna add is the level of interconnectivity that has happened, like, ten fifteen years ago, twenty years ago, health systems and the health care ecosystem was largely silos with very few interactions between them. And that has changed. That has changed probably a massive amount from the last fifteen years. And we talk about security patches, so we talk about the perimeter being porous. Right? That's the same thing that has happened along the four walls when you talk about hospital systems working with payers, whether that's sent whether that's public health care or it's, insurance companies in the US or how we kinda collaborate with the university ecosystem. So it's become a very interesting landscape to manage from a data perspective.
[HOWARD] Interesting. So so, Tyson, when you look back, ten, fifteen years. You know, on health care and and data security, data privacy, and and and all of that, You know, curious to get your macro thoughts. And would you agree with Sameet that kind of things have shifted maybe more from you know, in the past, it was kind of IT centric. Today, it's a little bit more business centric or clinical centric. I mean, how do you see it?
[KOPCZYNSKI] Yeah. So, obviously, my perspective is gonna be coming in more from an outsider because I transitioned into health care recently, given my last stint, over at Aledade. When I go back, fifteen years ago, I was in the consultancy arena and worked across many different industries. And in general, when you look at data protection, it was to submit point. It was within four walls. Right? And the solutions that you deploy are I'm gonna protect the data within said four walls, whereas you fast forward to now, and data is more transitory. Right? It needs to go from point a to point b. It needs to go from, you know, organization a to organization z. And as a result, when you look at data security, it's not only gonna need to be secure, it's gotta be usable. Now when you look at what I've experienced or observed in health care, it's not only gotta be usable, but it's gotta be usable for folks where time obviously matters. Right? And time obviously has an outcome with regards to a patient's kind of outcome with regards to their health. And so I think in particular health care, it's more challenging because you can't take that four walls perimeter approach by no means at this point. But you've gotta keep the data secure at the same time.
[HOWARD] So one thing I'd be curious to kinda pull the thread on a little bit for the benefit of the folks, you know, listening today. I mean, you you guys, you know, on the frontline in in recent years, both of you have had that, you know, responsibility of of balancing that that tightrope, so to speak, between I've gotta keep data secure, but I also need to make sure that it's usable. And usable in the context of health care probably means different things than it does in a lot of other industries. Right? Because, like, when the rubber hits the road, we're talking about lives and clinical outcomes. How do you do that? Like, how do you think about the need for security in the IT sense versus the need for information access in the clinical sense? How do you balance that to me?
[SEHGAL] I think that there's three parts to that question, Matt. The first thing is, like, as an industry as a security industry in the practice, right, we've evolved. We've evolved in a good way that the conversation about what risk means has changed over time. Risk used to be just, like I said before, like, it used to be a compliance effort. Now it's more understanding of data flows. So to your question, how do I, even now, like, do this at my current organization, the very first part is mapping data flows. That's understanding from a patient's journey when they come into an organization from the point of admission as they get their care till they leave, and they get their follow-up care, and how they get billed, and stuff like that. Understanding those data flows actually helps you not only determine the importance of a specific data and data type, but it also helps understand the importance of availability. Right? Tyson mentioned timing. Right? That's that's critical if you're a let if you're a trauma hospital and you have an emergency room running, running critical radiology scans and stuff like that as part of triage and treatment of people coming in. Your criticality for systems and information might be different than a senior living facility where it's more just taking care of a normal environment, right, like of of of, folks that are there. So understanding those data flows actually can help you not only identify what you have and what it is used for, but it also helps you ascertain how important it is because timing is very important from a recoverability perspective. And you asked me how we can like it, how do we measure success? We measure success based on separating response and recovery when it comes to a date to an incident because those two things are very different muscle memories. And, a lot of times, that can mean the difference between what systems we pick, what policies we deploy, how we classify our data. And let's not forget identity. I mean, identity is a huge part of this endeavor. We talked about information just percolating everywhere. Right? So there is a valid reason why a lot of the security practitioners now are looking at not only the kind of policing the infrastructure, but they're also more and more and more looking at the data and the identity side.
[HOWARD] So, Tyson, I am curious to get your thoughts. I mean, is IT security and and and data security in the context of health care, you know, to hear Sumit describe it, it's kinda contextual to the type of health care provider you are. It's kinda contextual to the type of, you know, patient workflow, if you will, or critical care versus noncritical care. Is that context, something you see? And as a leader, do you have to then dial in or dial out the kind of controls that you would prioritize as a security leader in health care?
[KOPCZYNSKI] Yeah. I mean, absolutely. I mean, again, going back to the the thread that timing is everything with regards to folks being able to access and leverage and use data within the healthcare arena, there's actually data, no pun intended, out there that shows that there is a direct correlation to the amount of controls that you put in the healthcare space and patient outcomes. Right. So they've actually done studies where they've, you know, looked at hospitals that have experienced incidents, and the natural reaction of a hospital that experienced incidents is they improve their cybersecurity controls. And there's actually adverse reactions with regards to heart attack patients and their outcomes. Right? And that's because the controls introduce friction into that particular environment, which then slows down the practitioners from providing care, which then obviously causes those adverse impacts on patients. And so as a practitioner, you can't take, you know, back to Sameet's point, the true and false kind of approach with regards to security. You have to look at the entire life cycle of the data, understand how it's being used, and try to apply, security controls in a balanced equation that allows you to both protect the data, but ensure it's as usable as possible by the various actors, good actors not bad actors, that need to get access to the data and leverage it as well. So absolutely, it is a consideration.
[HOWARD] And so staying with that for just a moment, Tyson, it's almost as if and you've said this a couple of times, you know, like like, it has to be contextual to the workflow within the healthcare environment, it being sort of security policy and control. There is such a thing as too much security perhaps because it can sometimes get in the way of clinical outcomes as you've just described. And, therefore, that would probably lead me to conclude that there's probably this idea of the right amount of security at the right time for the right workflow. And does that then mean the security policy and the control that you're describing kinda has to get, I don't know, smaller and move closer to the data and sort of, you know, in the architectural sense?
[SEHGAL] Yeah. It it it does, it does. Not necessarily smaller, but more nimble. There's a term we like to use, continuous improvement. Right? So it's understanding that your security program, just like a data security program, is not a one project effort. Right? It will continue to have iterations on it. Tyson made a very interesting comment earlier that, you know, from the outcome of a clinical procedure or when you do studies with regard to what type of organizations get what type of data, it is important to also factor in other powers to have a say in it. So I give the example of a cyber insurance policy. And most health care organizations, at least in the US, are self insured. So the question becomes, Matt, to your point, when you ask the question how much security, how much investments that we need to make in it, you have to ask the organization the question, is this worth the investment that we're making given how we are covering yourself or self insuring for that? So me putting in a million dollar data security program doesn't help if I'm self insured for anything over two hundred grand that'll get covered from that side. Right? So that also makes a business conversation. Mhmm. That needs to happen, but from an evolutionary side, I think it's important for security programs to not be so rigid that it only is like, hey. Update only once every two or three years. You have to adjust based on the threat landscape. Tyson mentioned that, right, because our threats evolve. Threats are evolving every single month, every single week. So having a cadence that allows you to move stuff technologically that kind of addresses the needs is very, very important.
[HOWARD] So so, Tyson. Actually, not that expensive. Yeah. Yeah. So following up on that, Tyson, I mean, you know, data needs to move, flexibility and context is paramount. How do you actually do that in terms of, like, you know, governance and control from an IT perspective? What does that look like from a workflow perspective, from a practical perspective?
[KOPCZYNSKI] Well, I think you need to push the data security plane down to the data itself. Right? If you look at too many programs, you know, the decisions around how the data is protected and openly used is made too far away from the data itself. And the prime tax practitioners, the data owners, they're typically not involved. And they're typically not given a mechanism, that is, well, dead simple to use. Right? And so when you put all that together, what you're basically talking about is you need something that is, well, data centric, around the security itself. And I think that's what we're all alluding to. That's what we're talking about. And that's in reality where folks are increasingly going, which is obviously what you all are are working on at Virtru as well.
[HOWARD] So Yeah. I mean, I think, you know, from our perspective at Virtru, obviously, we're hosting this conversation today and and grateful for the two of you sort of lending your expertise to the conversation. But, you know, as a practical matter, just sort of keeping it very real with respect to the practitioners who have to do your jobs in the healthcare industry. I mean, I've had the pleasure of talking to many, and I just know how challenging it can be. And one thing I think we're alluding to is this idea of ease of use. You know, like, how do you have your cake and eat it too, you know, where your cake is, like, I'm the IT and security person, and I'm managing risk because I'm self insured, and I have a business context. Like, I need to manage risk. And, also, I have people who have to do their jobs because that's the nature of health care. Like and and doing their jobs means I can't be in the way. Doing their jobs means it has to be easy for the person who's possessing the sensitive information that needs to share it. And, also, by the way, ease of use probably has to do with, you know, the person on the other end of that workflow who has to then interact with that piece of information in a way where they aren't forced to do, you know, unnatural acts just to kind of authentication and access the thing that's, you know, being sort of protected. How do you think about ease of use, Sameet, from your perspective as as this conversation sort of evolves?
[SEHGAL] So I've had a long passion for human factors. And health care is interesting because, invariably, if you have any kind of scale, you will have multigenerational folks working together. Right? So when it comes to ease of use, ease of use for somebody that was born in the seventies, nineteen seventy is gonna be very different than ease of use for somebody that was born in two thousand eight. Right? That's what's working.
[HOWARD] I can speak for the seventies generation.
[SEHGAL] So but that's from a practical perspective, that's important for me because how the groups from a generation perspective view data, how we train them on that, how we ascertain what is easy. Right? Like, it's a folk somebody who came out of high school or college, like, five, six years ago is gonna be much more used to using an app on a phone as opposed to somebody who trained IT in the early late nineties or mid nineties type of thing. Right? So I think ease of use from a workflow perspective is important. Ease of use from application interoperability is also important because when you have things that tie in together just Tyson mentioned you guys were too annoying. That's one of the things why I have invested with you is we run Google Workspace on our site. So the ability for people to just toggle and just it's all in one spot, that's important. That's important because it takes the friction away as Tyson was saying earlier Right? So those kinds of workflows are important. How security ties into the EHR. Right? The electronic health record when they're sending information out of it and it ties into an email system, the email system being able to recognize that connection is coming from the EHR and automatically encrypting it and sending that out or knowing that there's a volume. Right? You like, I may have ten thousand emails that go to a company that does my revenue cycle management. Instead of having data security done at an email by email level, I create a tunnel. So that way, it's natively encrypted at the source. Those are some examples of ease of use from a person perspective, but also from a technology architecture that you have to think about because people will find different ways to move around it, and it makes it hard when you have multiple Tyson mentioned the word data owners. Right? Data owners, people get the concept of that, but it's very hard to implement because multiple people own multiple parts of the same file depending upon where it's going. So it's harder to actually talk about that governance. So you have to kinda deal with it closer to the practitioner of what Tyson was.
[KOPCZYNSKI] And going back to what you just highlighted multiple times, they are gonna have different ways of interacting with that data. Right?
[HOWARD] They they they who?
[KOPCZYNSKI] Those various data owners.
[HOWARD] Right. And they could be both clinicians, caregivers, as well as patients? Correct.
[KOPCZYNSKI] Yeah. They could be patients. They could be business folks. They you know, then if you know, when you look at that constellation of folks that are interacting with the data, to your point, they might be varying degrees of this is how I interact with it. This is how I use it. And as a result, when you talk about ease of use, the solution that you're putting in place has to meet them where they are.
[HOWARD] Well, listen. I mean, I think I'd love to just sort of poke on that a little bit more. I mean, I think as a as a employee at Virtru and and somebody who who has been in the software business a long time and cyber in particular, you guys talked about this this, concept of sort of interconnectedness in health care, how the game has changed, and it's no longer just one perimeter. In fact, it's all interconnected. Maybe it's less perimeter. And then to hear you just talk a moment ago, Tyson, you know, it's like it's a clinician here, it's a patient there, it's a partner there. It's like it's like, the data has to move, and you could argue the perimeter is more and more porous or maybe nonexistent. And, therefore, if the data has to move and there is no perimeter, then what's left is to protect the data. And that sounds easy, but what we're really talking about is protecting the data that has to move with really simple, dead simple, policy and access controls where anyone can do it, even a person born in nineteen seventy like myself. And, I mean, is that what I'm hearing from the two of you?
[SEHGAL] I would say yes. The issue has been everybody says we need to protect the data. Right? What that really translates into is you mentioned the word context, Matt. Right? So in the context of data security, every single data protection solution in the market will do the table stakes now that most organizations need. That's not the problem. The problem is time needs to be invested to actually tune these solutions on how they weigh the algorithms, whether it's machine learning, whether it's AI, everything like that, how they view the automation that determines what set of attributes needs to be protected and what are the protection actions that need to happen on one side of it. On the other side is how do you deal operationally from now that the trigger has happened and a protection action has been taken, if there's a deviation from that action, how do you respond to that? Right? So it kinda comes down to I'll give you an example. Everybody and their brother talks about protecting PHI. That's fine. That's not hard to do. Protecting PHI, protected health information for a hospital or any kind of healthcare organization, the system has to know not only the medical record numbers, it needs to know the visit IDs, the encounter IDs. It needs to know how the departments are set up, the specialties are set up, and it needs to understand when for certain classification of level, what does that mean? Right? Is investment information critical for me? Is mental health information critical for me to have a data classification set? So those are examples of things that you need to think about when you're setting the system up correctly. This is a double edged sword because data protection solutions are very noisy. So when it comes to the reality of running them, putting them in is one thing, but actually running it, dealing with the alerts day after day after day after day, That is also where a lot of focus needs to be given because ease of use comes in that side as well. But it's what is really, really good that's happened is there's been so much focus on actually leveraging automation technology that can kinda cocoon itself and attach itself to the piece of file or information that's moving.That's not used to be the case before.
[HOWARD] And and, Tyson, what is your take on that same question or that same sort of, you know, concept?
[KOPCZYNSKI] Well, it's basically what Sumit was saying is, Does data have to be classified?I would actually argue in some cases, it doesn't. I know that sounds weird. But, yes, in a traditional sense, you're gonna go through, classify your data, figure out what's what, apply protections to it, stick it in the box, and hooray, everyone's happy.
[HOWARD] Right.
[KOPCZYNSKI] In reality, it's messy.
[HOWARD] Right?
[KOPCZYNSKI] What you put in is never gonna be perfect. And in reality, it's gonna be rigid. And increasingly, the more you can make the decision, in the hands of folks that are more capable to make the decision, meaning the clinicians, the data owners, etcetera, the more fidelity or higher fidelity, protection you're actually gonna have in place. Right? Because they understand the data. They understand where it needs to go. They also understand how it needs to be used. And so as we kind of navigate from the traditional, let's build a castle, to know it's just a kind of messy mess, and we have tools that'll allow us to actually protect that mess, it becomes a win win on both sides in my opinion.
[HOWARD] Yeah. And and and together, I'd I'd like to maybe sort of poke at that a little bit because as the broader industry around us continues to evolve and and, you know, you know so Tyson mentioned tools that are available to kinda help as as, you know, the world becomes more perimeter porous or perimeter less. You know, there's a category of software vendors out there, the data security posture management vendors, if you will, that I think have become increasingly kind of prominent in the last sort of twelve, twenty four months on the cyber radar, so to speak, or the CSO radar. And by and large, these are really compelling, you know, vendors who have a capability to kinda, you know, like, do rich discovery of data across a very complex enterprise. They do the discovery. They can kinda do some automation and classification of that data. And with the discovery and classification, they can kind of somehow do some control. And the control that is largely kind of envisioned in that product category is to prevent that data which you possess as a healthcare organization from being accidentally lost or stolen, which I completely get. Like, that idea of, like, I have sensitive information. It's in my possession. I don't want it to be lost or stolen accidentally, which is a bit of a different view than maybe what I think people think about what we're talking about here today, which is like, no. No. I have sensitive information in my possession at this moment. Mhmm. And the very nature of the business, which is me delivering health care, requires me to share it with you and you and you, which are increasingly third parties in different domains, across different boundaries. And so it's this concept of sharing the sensitive data and also wanting to do governance and control over that which I share as opposed to just, you know, keeping control over that which I possess. Does that make sense? Do you buy that? How do you think about that, Sumit?
[SEHGAL] It does make sense. I do buy it. There are things that need to improve on that. Right? So one of the things is the idea of identity context is hard with those systems to deal with. So in a practical example, Tyson talked about data owners. Right? A lot of people focus on specific personas in an organization that talks about certain sets of users, clinicians, nurses, technicians, IT, stuff like that. What I've my opinion is that if they follow the actual data flow from a patient's journey perspective on what the flow is, very similar to when audits are done, clinical audits, like, from a triageant agencies like Joint Commission, you tend to pick up on personas that are pivotal. So, for example, in a nursing unit, normally, you have clinician nurses, but the charge nurse or the unit secretary, she's like the police person. She or he is the person that kinda controls what gets shared when by whom and who gets access to do what. That person's input is critical for you to set the appropriate controls on how you would set the sensitivity. Mhmm. So DSPM solutions like you're talking about, do great things from an infrastructure perspective and data analysis. They are not very good right now to deal with the ecosystem of electronic health record applications. Because there's no way in for them right now. So that context is a complete black box, and all of them kinda, like, are, like, not non useful when it comes to giving the CISO or giving the security team a context of something bad happening from a system it had alarmed. Was that normal? Was that not normal? Is there a deviation from behavior? Like, that is hard for them to do right now. So I think that needs to improve, but that's some of that's the general that's more, like, software engineering industry partnership problem, not necessarily DSP and capability problem.
[HOWARD] Interesting. Any thoughts on that sort of front, Tyson?
[KOPCZYNSKI] Yeah. I think when you look at that ecosystem, the way I would box it is what you described on the DSPM stuff is more reactive. Right? To your point, I'm kinda putting, like, a fire alarm in place. Right? You know, if there's smoke, the fire alarm's gonna go off, and things are gonna be done. Right? Whereas the other side of the equation is you're, in a sense, trying to, put fire retardant in place or something of that nature. Right? That you're trying to prevent the fire. Right. It's like defense and offense. Is that a good point? Right. Right. Right. Yeah. It's proactive in nature. Right? You've kinda put something in place that is going to healthily prevent something from actually occurring because you're, again, you know, putting the decisioning, closer to the problem. You're putting the actual security closer to the problem. And as a result, you should have better outcomes.
[HOWARD] Yeah. I think that's something I've thought a lot about in my own journey is this idea of being sort of in a risk management posture where I'm trying to play defense to prevent bad things from happening versus the other side of the equation is I wanna have agency over information. I want to be proactive about something, and I want to apply policy and access control to something that I have to share with somebody else. And so much of sharing, to your point, both of you have made, which is data has to move in order for health care to happen. So much of sharing data for a long time has been done in less than desirable or, like, basically, ungoverned workflows. And and this idea of bringing governance to those workflows where data is moving, data is being shared, and people can, in fact, do have agency over that sensitive data that they're sharing is obviously, you know, something that that we believe kinda near and dear to our hearts is something that, benefits health care providers, you know, certainly partners like both of you and and, you know, maybe the larger ecosystem at large. With that said, what I wanna make sure we do we have about, you know, fifteen, twenty minutes left. I wanna make sure we get the opportunity to take some questions from the audience. But before I do, I want both of you to offer some thoughts. And we talked earlier prior to today about the importance of making sure we both cover, not just kind of the challenges that we face, but give you guys an opportunity to share with your colleagues and peers here today. When it comes to data centric security, what does practical success look like? I mean, you know, what does success look like? I mean, we can't just, like, swallow a magic pill and pretend that we're successful. Mhmm. Is it a small step? What does it look like to be moving the ball forward? I'll start with you, Tyson.
[KOPCZYNSKI] So it's, again, the simplest approach. Success is ultimately something that a security team is not using, And it's something that your end users ultimately embrace, and and kinda take the ball from you. Right? You know, time and time again, I've been in many different implementations all the way back to the RMS days if folks are familiar with that particular tooling from Microsoft. And you end up with something that is rejected, by the end constituent. Right? They end up not wanting to use it. It becomes something that actually limits or prevents the business from moving forward. And as a result, you don't achieve, well, your security goals, but you also don't achieve kind of your end, user satisfaction goals as well. Right? And so, success, in my opinion, when you're doing something or embarking something like this, ultimately, is going to boil down to you've deployed something that your users embrace and they take it from you and kinda run it.
[HOWARD] It's interesting. You know, I've I've often, you know, reflected on and I can't remember who said this, but it was years ago I heard someone use the phrase, you know, successful security is security that's immune to user indifference and user ignorance. Like, it just works, like, behind the scenes. And to your point, the security team isn't using it, but the users are, and they don't even know it. You know? It's like Mhmm. Kids eating broccoli. Maybe you have to put a little cheese on it, but get them to eat the broccoli. Mhmm. How about you, Sumit? What does practice of success look like?
[SEHGAL] It's interesting. I have a little different angle to that. First, keep the scope small. You mentioned smaller is better. Scope creep happens a lot in these projects, and you don't have to boil the ocean. Right? So just because some regulation says you have to do thirty things, doesn't necessarily mean those thirty things are correct for your organization. So consult and make sure you consult with your compliance group, your legal group, as well as your operational leadership to figure out where would be the value for the effort that you're putting in for a data program. So managing the scope is very, very important. That will help you produce something that's usable to Tyson's point. Right? It's usable. It's deployable. It's scalable, and then you iterate on top of that knowing that this is a program. None of this should be dealt with like a project. The second part is on the flip side of the operations. Specifically in our industry, in health care, right, people don't have fully staffed security operation centers. Right? They would be lucky to have three, four, five FTEs that are doing multiple jobs. It's like a security analyst that's serving as a security engineer that also doubles teams as a system engineer for IT. So managing the operational side of what it looks like from an incident response and recovery effort to be like, if we do have a problem, if we have to respond, if we have to get the information back, do the analysis, what that process is and practice that. Because that will mean the difference between you being able to respond in five minutes, ten minutes to something happening as opposed to responding to, to the same incident in, like, two days. Right? That's a major, major difference in capability. The other piece is also a factor in your partnerships, because a lot of healthcare organizations outsource the monitoring and the initial triage of these incidents. Making sure you and the partner you work with have a good idea on what that is that they're responding to. Last thing you want is somebody to identify some data flow that happened or some data incident that happened, they turned stuff off, and all of a sudden now it breaks the ability for the organization to send a critical piece of information for a grant or a position to be able to collaborate with somebody else. Right? So those kinds of workflows are very, very important. Operational maturity on the one side and then keeping the scope simple on the other side are critical to the success after you do the data flow analysis.
[HOWARD] Interesting. Okay. We have just about ten minutes left before we wrap up, and I wanna encourage anybody and everybody in the audience. If you have any questions, please, you know, please put them into the chat. A couple here that I have, that I wanna lead off with to kind of maybe start with you, Tyson. When you think about the job that has to be done as a leader in health care from data security perspective, do you have specific thoughts or or or strategies or best practices for how you would, you know, handle things like technical debt and just sort of, you know I mean, there's just so many systems that have been there for so long. How do you think about legacy debt in terms of, like, moving the ball forward?
[KOPCZYNSKI] Wow. That's a that's a broad question.
[HOWARD] It's a softball. Hit it out of the park.
[KOPCZYNSKI] Yeah. Tech tech debt is an incredibly hard challenge to deal with for any organization. And I think health care organizations in particular, especially, let's say, hospital systems or private practices and etcetera, are even more challenged, with that particular equation because as Sumit just highlighted, their teams to deal with that are gonna be fairly limited. Right? And so if you are challenged with that particular equation, I think taking a more data centric approach, and and realizing that you're not gonna be able to get to all these other things, and just really going after the data that matters and applying kind of these more advanced tactics that we've been talking about should hopefully start carving some sort of enclave where you can feel good about the security that's in place regardless of, the systems that may surround it. Because you now have data wherever it goes in transit, wherever it lands, that is hopefully protected, at that point. Tackling tech debt in general, that's a that could be, well, a webinar by itself. Yeah.
[HOWARD] And I mean, as a practical matter, I think it's a joke, it's a softball question, and you did very well with it. And I think the truth of the matter is it's almost like you can't tackle tech debt. So then what you have to do is find solutions that work with the sort of reality of your systems and infrastructure, which in many respects are bound to be old, in particular where resources are finite. That's just the reality. So I love how you described Mhmm. You know, sort of find tools and capabilities that can integrate with systems that might be old and sort of reduce the scope and give someone just the ability, you know, in the scope of their job to do the right thing with that information and make it as simple as possible and, you know, click a button, apply policy, apply encryption, and protect the data to the best of your ability because you're just doing your job and you wanna do what's right by people's data, which is protect it, and and make it, you know, and make and to the extent that you can do all of that in a way where your partners in the healthcare ecosystem can interact with it easily and it's and it's friction free as much as possible, that that makes a ton of sense. It's not to say that debt will ever go away, but it is certainly to say. I mean and, you know, fortunately, for us at Virtru, we've had the opportunity to do business with the two of you over the course of our journey and many, many, many, many others in the health care world. And that theme that you just described is certainly familiar to us and one that we try to align against in our everyday motion as we go to market. But, Sumit any thoughts? Actually, I'm gonna give you a different one, Sumit. What do you think about maximizing user adoption across your organization for something like Virtru? If you would as you adopted Virtru in your business, how do you know what the user adoption is like? How did that go, and and, you know, what are your thoughts there?
[SEHGAL] So we we didn't really we didn't really have a separate goal. So we don't necessarily do massive separate training sessions for security because users tend to have a mental roadblock when it comes to that. We tend to do training for security programs tied to that particular department or that particular specialty's workflow. So for example, if we're talking to folks that are in clinical research, we'll be talking to them about safely securing data, safely encrypting stuff on-site, safe secure transmissions, or collaborations on how you share information through Google Drive using Wordpress, stuff like that, in that context. Same thing when it comes to when it comes to a clinical, like an op like a normal running department. I would be training them more on not only how to secure data, but more on how to look for signals that could be potential problems. Right? Is somebody calling and asking for information? Or, hey. What are the symptoms of a potential problem that we would want you to call us for? If you see something, say something. So it's very much contextual driven with regard to the type of workflow, the type of mix of folks in the department as well. That's how we do the change management efforts. But it's a mix of sessions from concrete examples for them. Micro videos serve very, very good for this purpose. To do that, it's very easy. The barrier to do that stuff is very low now. So the ability for you to push those out and send, hey. If you don't wanna read this pamphlet, one page pamphlet, here's a thirty second video you can see. For better or not, I mean, most of our training videos that we did and recordings were viewed on cell phones. Right? So for what that's worth, that's about two thousand employees for the ones that we just did in my normal company. So it kinda depends, but that's that's that's the general.
[HOWARD] But anyone anyone can watch a video on a cell phone. That doesn't necessarily mean that that whatever they watched is then subsequently incorporated into their day to day work routine, does it?
[SEHGAL] We set it so the videos they're watching will be tied to the work routine. Yes. Interesting. Interesting. Yeah. Because it because it's shown with their examples in mind.
[HOWARD] Right. Well, it is getting late here. Not really, but I know it's late in Japan, and I wanna thank the two of you and especially Tyson for being up and joining us here today, and having this conversation. We are very grateful for the two of you to kindly share your expertise and your thoughts with your peers who are out there kinda just, on the journey, so to speak, and trying to improve their organizational and security posture with respect to data and health care. It's certainly not an easy thing, but positive steps forward are good for everyone involved. And, before we wrap up, I'm just curious, Tyson, any last words of wisdom you might offer, you know, folks that are watching today?
[KOPCZYNSKI] Again, keep it dead simple. Keep it very user centric. At the end of the day, a more secure enterprise and ecosystem ultimately isn't about the security team itself and what they're doing. It's what the organization and its users and kind of partners are doing. And so the more you can make it user centric, the more you can make it dead simple. At the end of the day, you're gonna have better security.
[HOWARD] Interesting. Thank you for that. How about you, Sumit?
[SEHGAL] I just wanna end with a question actually that came up about metrics or KPIs. Yeah. I wanna end with that. That's actually a good dovetail. What I was gonna say was to Tyson's point, keep it simple. When you're talking about metrics and how you're communicating success, instead of focusing on raw numbers or even security type data, minimize that and limit it more from a what is the outcome of the security effort to the organization. So in our case, for example, I report on every quarter, have we improved our response timings? How effectively can we recover systems? What was another metric, for example, would be what are the types of reasons for incidents to happen, and then what has been the training mechanism after that to see if those type of incidents have gone down. So those are examples of ways you can communicate that would showcase value for these initiatives for your organization. Outside of everything that Tais and I talked about, that will help you achieve adoption, not only at the c levels and the board, but it's more adoption. Tyson said to the practitioners, you're talking about the boots on the ground. Right? The nurses, the technicians, the unit secretaries, and stuff like that. So that's where you can make that effort happen if you communicate like that as opposed to just the raw numbers. But that was the only thing. Otherwise, keep the scope small and have fun. Technology has come a long time. This used to be much harder to do fifteen years ago. This is much more simpler, and the barrier is much more simpler. Leverage the automation. It can help you, and some of it is actually very cool stuff. So play with it. Enjoy yourself because security is kinda depressing to begin with anyway. So, but, that was my response.
[HOWARD] Well, in the spirit of ending on a positive note, let's all be happy and and and and be grateful for the opportunity that we have a hard problem to solve that isn't gonna go away anytime soon. And, again, thank you both for being here and sharing your expertise and perspective, and thanks for all of our registrants and attendees here today. We will catch up with you next time. Take care.
[SEHGAL] Thank you.
.jpg)
