In this episode of the MatrixCare Podcast, Navin Gupta, SVP of the Home and Hospice Division at MatrixCare, sits down with Todd Friedman, Chief Information Security Officer at ResMed, Brian Tolkkinen, Director of Information Security at MatrixCare, and Stephen Squires, Director of Information Security at Brightree, to discuss the non-negotiables every provider should have when engaging with digital healthcare. Discover basic best practices to keep your data and information secure and tips on how to react to incidents or breaches.

To properly protect your organization’s information and ensure compliance with regulatory and industry requirements, it’s imperative to have a strong security program. Listen in as they dive deeper into what ResMed’s security program entails and what providers should look for when creating their own security strategy.

Transcript

Speaker 1: Welcome to the MatrixCare podcast from the software leader for out-of-hospital and long-term care. MatrixCare is dedicated to sharing knowledge and empowering providers across the care continuum, including home-based and facility-based care organizations. Today we hear from Navin Gupta, senior vice president of Home and Hospice Division for MatrixCare and his special guest. Let’s dive in.

Navin Gupta: Just this year alone, in the middle of the pandemic, we have heard news of some of the largest data breaches. A month or so ago, Twitter witnessed one of the most public attacks where prominent account owners, essentially, Obama, Elon Musk, Bill Gates, and there were several others as well, hackers were able to reset their password and impersonate them. Earlier this year, in March, Marriott had almost 5.2 million accounts compromised, MGM Resorts has had 10 million guests whose accounts were compromised. And the pandemic also has given rise to Zoom. I think everyone now uses the word Zoom as a way to… Essentially, it’s synonymous with online meetings and, not surprisingly, Zoom attacks have been on the rise and passwords being compromised and passwords being made available.

Navin Gupta: The topic for today is obviously information security, the non-negotiable, in digital healthcare acceleration. I am pleased to have on this podcast three, incredibly special people who I really consider giants in their respective discipline.

Navin Gupta: First joining us is Todd Friedman. Todd is the chief information security officer at ResMed. He’s been with ResMed for over five years. And prior to that, he was at Mattel and Universal Music Group. Next joining me is Brian Tolkkinen. Brian is the director of information security, SaaS operations. Brian has been with MatrixCare for 20 years and he plays a lead role in all aspects of security for MatrixCare. And finally, my third guest is Steve Squires. Steve is the director of information security at Brightree, which is a sister company of MatrixCare. We both share the same parent company ResMed and Steve’s played many roles. He’s been a systems integrator and an IT manager. But now, he manages all of the security infrastructure at Brightree. So, welcome to the three of you.

Brian: Thank you. Thank you Navin.

Steve: Thank you.

Brian: Yeah. It’s really good to be taking part in this discussion with you guys and to be sharing with our customers. This type of transparency and sharing is so important to MatrixCare because when it comes to information security, within the healthcare industry especially, we’re all in this together. So, the threat environment is evolving so rapidly with new pressures related to COVID-19, as Navin noted, continuing rapid advancement in technology with the increasing sophistication of threats and threat actors, the risk is just rapidly increasing all the time, and healthcare’s been hit extremely hard, as we all know. So, we want an openness with our base and our partners so that we can share and learn from each other. We do talk directly with many of our customers regularly and openly, but this podcast is just one more way we can do that, we can share. So, thank you Navin for making that happen.

Navin Gupta: That’s great. And security is a very [inaudible 00:03:27] and training: security policies, risk management. We go much deeper technically into IP restrictions. The goal of these podcast episodes that we’ve done has primarily been to educate our clients, partners, and really focused on industry topics and make them accessible and relevant. So we will lift the curtains in one sense at a higher level and discuss the topic more strategically.

Navin Gupta: So let’s begin by getting a point of view on what makes a great security program. How can companies essentially best be protecting their sensitive data? So Brian, I’m going to begin with you. I know security governance is a big topic. Help us understand what role does that play in being able to craft a great security program?

Brian: Yeah. When I think about security program development, I start with development, or I should say governance, in my mind. A security program just can’t be effective without top-down sponsorship and oversight. This begins with the board of directors and with senior management. Governance involves top-down oversight of a framework or a system, and that system ultimately ensures that business assets are protected and that, therefore, the mission is protected. Right? So with that in mind, I’ll list just a handful of things to help with this context and we’ll speak more to some of these later as we go. Thinking about security governance and what it is, what it does, governance sets the tone for how we operate internally and externally; it establishes our approach toward risk, including our risk appetite.

Brian: Second, governance makes sure that the information security strategy aligns with and supports our business objectives – very important. Third, governance has regular risk assessment conducted to identify risks that could prevent the business from achieving its business objectives, could include or would include pandemic and natural disasters, for example. And then, governance puts into operation a compliance program, and this is to be sure that we’re operating in compliance with regulatory and industry requirements, and really whatever else has been mandated by the company in our policy. So that’s the compliance program.

Brian: And then, lastly, governance has independent audits conducted to verify operating effectiveness of the controls or safeguards that we put in place. We do this in a risk-based way and we do this to verify that we do what we say we do for our policy and procedure; and then, also to verify that risks are being adequately addressed. So just briefly from the top-down, the organization, governance is very involved; it ties into the overall program through risk assessment, compliance, independent audit. As subsidiaries of ResMed, with ResMed being a global medical devices manufacturer, the bar is held very high for us. Board-level sponsorship and oversight is strong with focus committees off of the board, and with direct line of sight, and board level communication with the chief information security officer. That would be Todd. And this is the good thing; it’s a great thing for MatrixCare and Brightree, and ultimately, for our customers and their patients.

Navin Gupta: It’s great. Brian, I think just understanding the framework with which we operate, as you said, it’s the executive sponsorship from the board level all the way, as we’re thinking about risk assessment, thinking about risk mitigation, and thinking about audits, et cetera. So it’s really a good framework to be thinking about as we think about the security program. Steve, let me toss this one to you. Another area, as we think about security programs, is how do we handle vulnerability management? And so what can you tell us about that?

Steve: Sure. As you talked about those huge breaches and the ones that have been happening for what seems like forever now.

Navin Gupta: Yes.

Steve: There was a gap, there was a vulnerability there that allowed those threat actors to get in there and expose or do some malicious actions there. So, when it comes to vulnerability management, it’s a key component. Now, there’s also the accidental; there’s misconfiguration when it comes to vulnerability management. So somebody could open a port that shouldn’t be opened.

Steve: The key thing here is to know your environment and this can be done from performing vulnerability scans. So starting with those externally facing systems, which have the highest potential risks. Those are the ones that are on the internet and can be touched and seen by anybody in the world. Those systems that store PHI, PII, and then moving to internal systems, so those vulnerability scans can give you a good lay of the land from external systems to externally-facing systems.

Steve: And so, you can get an idea of what ports and services are exposed and then decide where necessary, if they’re necessary, and that they need to be protected or hardened against abuse or attack. Another part of the vulnerability management piece is patching. So we hear a lot about this and a lot of nasty exploits are out there and it’s because people don’t patch. So, those externally-facing systems need to be looked at and determine if there’s any vulnerabilities there that exist. Most attacks and most vulnerabilities that get exposed are three to four years old. They’re not currently new ones. They’re old ones – tried, tested, true vulnerabilities that have been there forever. And then, cyber criminals are banking on the fact that our patching regimens are lax or non-existent. So that just makes it easier for them to get a foothold.

Navin Gupta: Yeah. It’s surprising. I know just today, Microsoft… my Windows laptop was insisting… well, the last several days… “Hey, you need to reboot because we need to do an upgrade.” Right?

Steve: Right.

Navin Gupta: And so, it really depends on making sure we’re proactively managing all of the patches and upgrades and being able just to scan, as you essentially said. Todd, I want to ask you this question. A, I just wonder how do you sleep well at night? Security, you got such a big responsibility, a tremendous job that you do. And the why and the what is always really important from the big picture perspective. So, in your viewpoint, what is the importance of good, robust security programming?

Todd Friedman: Thank you for asking. Actually, thank you so much for having us on this podcast. I think one of the most important success factors in having a good security program is having support from the company and from stakeholders. And just the fact that we’re here talking is a big indicator that security is important to MatrixCare and to ResMed, our parent. So, I think part of the answer to the question is, the industry that you’re in. And it’s company-specific, so different industries have different risk tolerances. Healthcare being so heavily regulated, traditionally has a lot of controls in place. But more importantly, when patient safety’s involved, it’s a whole other level. It’s a whole other level of importance. And so, having a good security program, I think, has a much greater need and much more support within healthcare.

Todd Friedman: I can tell you that working for ResMed for over five years, I’ve never had better support and more focus. I report directly to the CEO of the company and we’ve met every month since I got here and he takes a very genuine interest. When you hear him in interviews, people ask him, “What keeps him up at night?” And being breached is the number one thing he says all the time. It’s that important. And so, I’m very lucky to have that kind of support because not all companies put as much of a priority on security. But there’s things that are really important in having a good program and I think part of that is what Brian and Steve talked about is critical, but very tactical stuff that you have to do, and there’s checks and balances and ways to measure that it’s being done.

Todd Friedman: But I think there’s a really big people factor as well. So Navin, you are a great supporter of security and in your role that’s so critical. And my job is to understand what the business requirements are for security and making sure that we’re focused on the right things, the right priorities, the right risks for the company. And having personal relationships and having personal support, I think that’s a really important success factor. I don’t think it’s ever been more important and especially in healthcare because, as you mentioned, there’s breaches all the time.

Todd Friedman: But one thing that’s happening at the same time is that our patients and our customers are becoming more [inaudible 00:12:07]. The laws are changing. I work internationally, so GDPR is a privacy law and the things that it establishes and requires are just so different from what we had in the past. The timing for having a good security program has never been better. But to answer your question about how do I sleep at night, ResMed is a sleep company at its core, right?

Navin Gupta: Yeah.

Todd Friedman: Sleep-disordered breathing, sleep apnea treatment is so important to us. One of the reasons that I love coming to work every day, what gets me up in the morning more than what keeps me up at night, is that I’ve been a ResMed customer for almost 10 years. But I sleep well at night too because I’ve got people like Brian and Steve on my team who are so dedicated, so skilled and continually improving themselves. Our adversaries are improving all the time; they have unlimited funding and we have to stay in front of them, so we need the right kind of people to do that job.

Navin Gupta: Todd, what a great response. I think I’ve heard Mick talk about breaches and what’s on his mind in interviews he’s done at CNBC and many other places as well. And I loved your response also from the fact that what you’re really touching on is culture, so you see this being important and champion it. At the end of all of the data that we have, we have patients and we have got residents and it’s incredibly important to them and to our providers that we are taking this very, very seriously. I see this DNA of the importance of security just permeating every, every part of our organization. It’s not something that’s just a bolt-on, but it really is something that’s fundamental to how we see and how we deliver care. So, thank you again for that.

Navin Gupta: I want to keep pulling on this thread. I think it’s just great, great responses. Brian, let me toss this one to you as we think about risk. Now, risk is incredibly important for organizations’ ability to manage that. So, in the context of security, help us understand risk management.

Brian: Sure. So, the compliance requirements for MatrixCare and Sarbanes–Oxley, and all of these require formal risk management. I mentioned earlier that security governance establishes our risk appetite in our approach toward risk and that governance has regular risk assessment conducted to identify risks that could prevent the business from achieving its objectives. But if we move down a bit to a lower level, security management also includes maintaining an inventory, for example, with system and data classification, and also, continually working to identify and track and to treat those risks. So at MatrixCare, we contract with a third-party security firm for annual security risk assessment. Those results, by the way, are made available to our customers in an attestation letter provided by the firm. But you’ll hear a theme here today that we do heavily leverage third parties around risk treatment. Do we accept the risk? Do we invest in eliminating the risk or reducing the risk in part?

Brian: And then, all of this also informs our business continuity plan. And business continuity planning is the process of creating a prevention or recovery system from potential threats, such as natural disasters or cyber attacks. And again, this is all to protect our people and our assets. So, we lump business impact assessment and business continuity planning into the annual risk management program as well.

Brian: Now, as subsidiaries of ResMed, MatrixCare and Brightree do benefit significantly from ResMed’s enterprise risk management team. This team conducts risk assessment for the organization. They do provide us valuable ongoing input for the continual development and maturing of our programs, but they’re also very disciplined about keeping their level of engagement between our teams, such that it doesn’t undermine their objectivity in their annual risk assessment of our programs, so we benefit there.

Brian: ResMed also has an independent audit function, which is also global. They do have an auditor, by the way, formally with EY, who is nearly dedicated to our SaaS line of business – fantastic resource for us. The independent audit team also conducts… Well, they conduct annual internal audit, so that includes audit for financial risk and IT general controls for Sarbanes–Oxley, for example. And again, the focus is to be sure that we do what we say we do in our policy and procedure; and then to verify that risks are being adequately addressed by the organization.

Brian: For those working to establish a formal program, who might not be as far along with it, I would say here, again, that working with a third party security firm to do annual security risk assessment will likely make a lot of sense. It certainly has for us. It will carry a credibility with your customers, your partners, and worst case, with government investigators. It can provide helpful trending to track and communicate progress with management. We make a targeted investment. Is it making an impact? That kind of thing.

Navin Gupta: So Brian, I think I learned more about InfoSec. I know, certainly, from you and our customers and prospects, in many ways, they ask us questions about risk management. And just learning the internal audits, external audits, our ability to use third party organizations, at least gives me comfort that we are… how seriously we take this, and just some of the advantages that you listed of having ResMed as a parent organization, the expertise that they bring to us, obviously Todd as well. So I think that’s helpful. I think I also love that you put it in the context of if somebody is looking to birth a security program. Good ideas around governance; good ideas about, how do you view risks and how do you manage the risk that’s associated with that?

Navin Gupta: You talked about vulnerability management a short while ago and I know monitoring goes hand in hand with it. Talk to us a little bit about what do we do with regards to monitoring? What does monitoring look like in a good security program?

Steve: Right. So again, following that theme of knowing your environment, you want to centrally collect all those logs you’re getting from all those different systems. I mean, you can’t sit there and look at 80 servers and look at the logs there for odd anomalies. So the key is to do central logging to be able to collect all those logs in one place to allow you to do… look at those for indications of compromise, right?

Navin Gupta: Mm-hmm (affirmative). Mm-hmm (affirmative).

Steve: So looking for odd things happening and also to secure the logs themselves. So one of the first things that so many… the malicious hackers are going to do if they get into your environment is try to delete those breadcrumbs showing that they got into your [inaudible 00:19:28]. So having those logs centrally stored somewhere else off the server helps you protect that information to be able to see that at all. So, when it comes to being able to collect those logs, know your environment; then you can start looking at creating alerts from things that are odd or not the norm.

Steve: For example, having someone logging in, in one geographical location to your domain, and then logging in from another location to your domain in Australia. So, that’s going to throw off or that should throw some alarms there to say, “Why are they logging in, in the United States and also in Australia?” So that helps you see that there’s something up. Or if a user gets added to a deleted [inaudible 00:20:20] that they shouldn’t be. So, this all helps prevent potential compromise later on. So, we’ve seen that AI and machine learning have come a long way. They’re still not perfect by any means, but they’re going to continue to evolve and that’s going to definitely add a powerful defense tool as they get better.

Steve: I think we, Brightree and ResMed and MatrixCare, have done a good job of identifying that those logs contain important information, like we saw with the Target breach years ago. They saw that initial attack, but it wasn’t being properly looked at and addressed. So being able to have those logs there and also have somebody to look at them, of course. Which is another big strength that we have with our security operations group that allows us to collect these logs and then have people look at them and say, “Huh? That’s weird.” Right?

Navin Gupta: Yes.

Steve: So then, they can go back and investigate that further and, hopefully, prevent an attack from even starting.

Navin Gupta: Yeah. Wow! On the monitoring side, you touched upon a lot of different topics and I think technology, especially with AI and ML allowing us to be able to really react in a timely fashion and learning from past incidents. I know when we’re traveling internationally, very often, you use your credit card and if you’ve not informed the bank that you’re going overseas, they realize, “Hey, most of your shopping, you do it…” I live in South Florida… “you do it in South Florida. What’s this transaction happening in London?” for example. And that’s just one simple example of just acknowledging the same thing as you just talked about log-ins happening from various different places.

Navin Gupta: Todd, I want to ask you this question about no matter if you have the perfect security program, inevitably, there will be a time where you’re going to have an incident of sorts. And an organization, its ability to respond to the incident, help us, just talk us through what does good incident response look like?

Todd Friedman: Now, I’m so glad you asked me this question. As you know, MatrixCare and ResMed are both innovative health tech companies and data is so critical to us. And so, protecting that data is a core goal for us, even personally, as a purpose and a mission. If I think about my role as a CISO, it’s really three things. And number one is making sure that we do everything that we can to avoid being breached in the first place and protecting that data; but like you said, it’s not an if, it’s a when you’ll be breached. And so the second priority that I have is making sure that we’re able to respond well.

Todd Friedman: Steve mentioned some incidents before where bad things happen to companies and they handle the incident response poorly; it ends up being so much worse for them and for their customers. And I’ve got a third goal that’s not relevant to this question, but it is understanding where our business is going and that our security program can enable secure innovation and progress without much friction.

Todd Friedman: But that incident response piece is so important. We invest a lot in this, to be honest, both financially and time-wise. And the way that we do that, is we make sure that we’ve got a plan. And so the way we’ve done our plan is that we’ve got an umbrella plan. It’s very high level. And then we create runbooks that are specific for different groups. So, Brian would have a runbook specific to MatrixCare. I might have one for Oracle. I might have one for ransomware. And so, those runbooks are very tactical. Our plan within those runbooks, we’ve defined roles and responsibilities, which is so important.

Todd Friedman: When something bad happens, people just want to know what their job is and what they need to do and what success looks like and we want to make that as simple as possible, so having that documented plan is critical. Having good contact information. You do not want to find out, you don’t know how to reach key people in the time of a crisis. We do a lot to define process documentation, again, so you’re not winging it. You want to be able to respond as quickly as possible. If you’ve got a data leak, you need to make sure that you stop it as quick as you can and that process documentation is key.

Todd Friedman: One of the big success factors that we see is testing and having tabletop exercises where you pull people together and you say, “Okay, we just got hit by ransomware; here’s how it’s spreading.” And having a scenario that actually evolves like a real scenario would; that is a great exercise and it’s fun. I’ve never been in one that I didn’t learn something and where the people that are participating didn’t learn something. It’s through that, through that testing, that we’re able to go back and continually improve our plans. We learn things every time there’s an incident and we update those plans to make sure next time that we’ve got it covered. So I think these are all really important things.

Todd Friedman: But I touched on third-parties and I think for incident response, it’s important to have good third parties that are defined ahead of time because you can’t do everything. No company can have every resource that it needs. And so, you need to be able to call in experts if they’re needed. An example of that would be like a forensics expert. So, if you have a breach, you might want to bring in a third party and you would do that through legal. There’s reasons for that, but you would engage them. You want to make sure that if you have cyber insurance that they’re covered in the cyber insurance and there’s no surprises, but you want to make that relationship upfront. You don’t want to be trying to find a vendor at that point. You want to have those relationships. So, this is complicated stuff, but if you can start small and test, and then improve, it can evolve very quickly into something that’s robust and actionable.

Navin Gupta: Wow, Todd, honestly, I’m blown away. Just the layers of defense that’s built in from the things I’ve said, having these playbooks that could be tactical, but very, very important when an incident happens that the organization knows how to respond. Having clarity into the roles and responsibilities, who does what, and the timing of how that engagement happens, to scenario modeling and being able to run these different threats essentially, and being able to essentially exercise whether your plans are going to work or not. And then, I think the point that you touched upon, the ability to bring in experts and having those relationships in place, so that you’re not scrambling because time is of the essence when an incident does happen.

Navin Gupta: So, again, this was absolutely informative and educational for me. Thank you really, Todd, Steve, Brian, for your expertise, your commitment. As I said, what you bring and what you do. A lot of times it happens in the background. Most people are not thinking necessarily about all that goes into ensuring that we are able to preserve and protect our data, our infrastructure. But more importantly, what this translates into is being able to give our providers, our clients, confidence that we’re watching things that are critically important to them.

Navin Gupta: Because at the end of what they do is being able to provide care to patients and residents and for them to know that ResMed and MatrixCare and Brightree are deeply committed to this area of information security. As I said, we’ll probably come back and do a part two. We barely scratched the surface, but this has been incredibly helpful. Thank you to the three of you.

Todd Friedman: Thank you for the opportunity.

Brian: We’d love to do it again. Thank you Navin.

Steve: Absolutely. Thank you.

Speaker 1: That concludes today’s episode brought to you by MatrixCare. We hope you enjoyed it. Be sure to visit us at matrixcare.com for more information on our solutions and services. Please subscribe to our podcast, so you don’t miss an episode, and leave a review if you enjoyed this episode or have other topics you’d like to hear discussed. You can follow us on LinkedIn, Twitter, and Facebook, to hear more from MatrixCare. Thanks for listening and we’ll see you next time.