Information security with Todd Friedman, chief information security officer, ResMed

In this episode of the Post-Acute POV, our host Navin Gupta, SVP of the home and hospice division at MatrixCare, is joined by Todd Friedman, chief information security officer at ResMed, and Brian Tolkkinen, director of information security at MatrixCare. The three discuss the importance of information security, and the key roles played by concepts like monitoring, compliance, vulnerability, response, and training.

Join Navin, Todd, and Brian as they chat about healthcare being a top target for hackers, with the immense value placed on medical records, making EHR security more important than ever. For leaders, operators, and providers seeking a better, more secure enterprise solution, this episode offers an easy-to-follow primer of the most important information. Listen to their discussion below.

Topics discussed during today’s episode:

1. [01:22 – 04:37]: Todd and Brian introduce the unique threats and requirements that healthcare organizations should not ignore to keep their patients’ information secure.
2. [05:15 – 08:15]: Todd explains how an organization can create a successful enterprise-grade security program with senior management support and overall alignment.
3. [08:53 – 11:03]: Brian details the elements needed for a successful enterprise security program from a governance and risk management perspective.
4. [11:53 – 16:50]: Todd and Brian explain how healthcare providers can assess the investment necessary when building a successful enterprise-grade security program.
5. [18:24 – 21:18]: Todd and Brian discuss what questions a provider can ask to select the right technology vendor for their needs. Is there a point person responsible for security? Have they had breaches in the past? If so, how were they patched? Does the vendor have customers you can speak with prior to deciding whether to move forward?

Resources

• Learn more about MatrixCare at: https://www.matrixcare.com/
• Find out more about our information security program: https://www.matrixcare.com/security-program/
• Listen to more episodes of the Post-Acute POV

Transcript:

Speaker 1

Hi, and welcome to The Post-Acute POV, our discussion hub for healthcare technology in the out of hospital space. Here we talk about the latest news and views on trends and innovation that can impact the way post-acute care providers work, and we take a look at how technology can make a difference in today’s changing healthcare landscape in both home -based and facility-based care organizations and the lives of the people they serve. Today we hear from Navin Gupta, senior vice president of Home and Hospice Division for MatrixCare, and his special guest. Let’s dive in.

Navin Gupta

Greetings. My name is Navin Gupta. I am the division head for the Home and Hospice Division at MatrixCare, and welcome to our mini series focus this time on the topic of enterprise solutions, and we will discuss the critical topic of security. Joining me today is Todd Friedman, he is the chief information security officer at ResMed, and Brian Tolkkinen, he is the director of information security at MatrixCare. Welcome.

Brian Tolkkinen

Thank you.

Todd Friedman

Thank you very much.

Navin Gupta

So, let’s talk broadly first from a security perspective. Does healthcare have unique threats and requirements that providers should be paying attention to? Todd?

Todd Friedman

Yes. To elaborate, healthcare is a really interesting space and it’s the number one target of hackers. And part of the reason for that is just the amount of money that you can get from healthcare records. A credit card record was always a target. Banks were always targets. Those are worth around $5 and 40 cents a record. But a healthcare record is up to $250 per record. And the reason for that is that you can’t change the information. You can change your credit card information, but you can’t change health information. And a lot of it can be leveraged, and so there’s a lot of people that would like to have that info beyond just the monetary value. So, it’s a really big target.

Navin Gupta

It’s interesting. That’s new data for me, just to understand how much more valuable these records are. Brian, anything you want to add from the perspective of what is unique from a security perspective when it comes to healthcare?

Brian Tolkkinen

I think we can add that, with the healthcare industry’s move to electronic health records and with the increased use of telemedicine, for example, healthcare providers have to be concerned about protecting systems’ information and operations in the interest of protecting patient safety and employee safety. And this is in addition to the typical concerns like negative impact to brand and reputation. And healthcare providers in the United States are subject to HIPAA, of course, and other regulations that add to the potential impact of a data breach. And so this can involve significant civil monetary penalties and corporate integrity agreements that require additional provider investment to address areas of identified deficiency.

Brian Tolkkinen

So, there are unique and difficult threats and challenges for healthcare, and unfortunately added risks associated with the pandemic only amplify these healthcare-specific risks. And we’ll talk more about the pandemic in a minute. But all of this really underscores the importance of partnering with technology providers that invest appropriately and continually in information security and that ultimately that providers can trust to protect their information and health records to protect patient privacy, to help protect patient safety, and ultimately to do their part to protect the provider’s business.

Todd Friedman

Healthcare is targeted for another reason, too, in that traditionally healthcare hasn’t had the best security in certain sectors. And if you think about the complexity of a hospital, for instance, and all the different medical devices and the age of some of those devices, it can be really difficult to manage. And some of those become targets. So, think of a medical device that’s been in place for 14 years that’s running XP. It’s not patchable. It’s not supportable anymore, but the cost of changing that out could be very high. And I think hackers have seen that as a soft target that’s desirable. And like so many, we talk about healthcare in particular, you can also talk about small and medium business challenges which so many companies fall into. The majority of American companies are 50 people and under, and they typically don’t have the budget or they don’t feel the need to have dedicated security controls. And so if you’re impacted by any disaster, whether it’s a fire or a flood, it’s very difficult to recover. But if you’re hacked, then you’ve got trust issues as well so it’s even more devastating.

Navin Gupta

Yeah. So, I’m hearing it’s higher vulnerability, right? Maybe because some of the aging platform there. Higher value in terms of the cost associated with the records. There are uniqueness to the security when it’s tied to healthcare in particular. And all of this really then speaks to my following question is, many organizations, many technology partners can be selling solutions and they’d love to call their solutions enterprise solutions, so to speak. What does it really mean? So, for an organization to have a successful enterprise grade security program, what does that really look like, Todd?

Todd Friedman

That is such a great question, in part because every company is different. Every industry is different. And even within companies, different divisions can be different. And so I think one of the big priorities is to have senior management support. If it’s not important to somebody within the organization that defines strategy and has a role in prioritization and budgeting, it’s going to be really tough to create a successful security program. For me, I’ve got great senior management support right now. And that means that when there’s tough decisions that need to be made, I’ve got support for that. So, if it’s a change in process or if it’s a big investment, or if it’s a merger and acquisition and there was a high enough risk, I need to make sure that security gets factored into that decision.

Todd Friedman

So, I think that a company needs alignment as well with that business strategy. So, you need senior management support, but also alignment. And as a security leader, I need to really understand what’s important to the business. What are the priorities? What is the risk tolerance? And I’ll talk about that in a second. But I’ve worked in a couple of different industries. And one of the things that I found is that there are different priorities. And if I try to go with other priorities that don’t resonate, it’s pretty tough to be successful. But I worked at a music company for many years and the main concerns were music piracy, the stealing of our assets. And it wasn’t about compliance in that case. I worked for a toy company and we were totally focused intellectual property protection and brand protection. And so that created a very different requirement for a security program.

Todd Friedman

And of course, in healthcare where we’ve got so many compliance obligations and we are so focused on protecting our patients, the data and the systems and maintaining trust, that those are the things that get factored into that program. So, you almost work backwards from there to say, “What do we need to do to be successful to cover those things?” And of course, the tools that we have are people, process and technology. The people, building a security team and keeping a security team is really tough right now. They say there’s 650,000 unfilled security roles in America alone and three million worldwide. And so creating an environment where security people can be productive, can do their best work is such a priority for me. I spend a lot of time on it.

Todd Friedman

You’ve got processes like incident response and things that the business need to do. And really what that means is pushing security down beyond just the security team or the IT team. Security really needs to be everybody’s job. And that means making decisions. Thinking before you click on a link in a really suspicious email. That’s a decision that you make in real time, and that’s how you protect things. And not just at work. In your personal life as well. And sometimes that personal life and the work life overlap. And then the third thing is tools. And there’s certain tools that you need to have for a security program. You need to be able to know where your assets are and be able to manage them. You need to be able to monitor your environment, look for anomalous behavior and knowing when you do have a problem so you can act and respond very quickly.

Navin Gupta

Yeah. Just even thinking about your example, whether the industry was the music industry or toys or healthcare, that security is not an afterthought. It’s tied to the strategy, right? And I love the different examples you gave from what the strategic intent were for each of these verticals here. And then just having the executive alignment and support. And obviously the people, process and technology element just rounds out the next level of detail for a successful program. Brian, what about some of the other elements that are there from governance and risk management and several other layers for a successful security program?

Brian Tolkkinen

Yeah. An enterprise security program really goes way beyond the types of programs that you’ll typically find with smaller technology providers, or even that you’ll find with some larger technology providers who haven’t kept pace with the evolving threat landscape and with investing in building and maintaining a program. It does take considerable time and investment to put a comprehensive program into place because of its significant scope, much of which Todd alluded to. And so to help with that a little further, I’ll briefly describe some of the key functions and teams required to make all of this work. Governance, as you mentioned, which provides oversight and sets the tone for how we operate internally and externally and sets our approach toward risk appetite and puts all of the other needed functions and components of an effective program into place and makes sure that they’re operating effectively.

Brian Tolkkinen

And then a formal risk management discipline is needed as well to identify the organization’s risks and to address or treat those risks. We also need a compliance function and an audit function. So, compliance makes sure that we’re operating in compliance with regulatory and industry requirements that are appropriate for the business, and audit observes the operating effectiveness of those safeguards to be sure that we are actually doing what we say we do for compliance. And then we also need security architecture and engineering functions for the design of security controls and for the effective implementation and integration of those solutions or protections into the operations of the business and systems. So, there’s a lot to that.

Brian Tolkkinen

And then we also need security operations or a security operations center with advanced tools for maximum visibility into our systems, for continuous around the clock monitoring so that we can detect and respond to security events quickly. And then Todd mentioned security incident response. This is also a very formal discipline that is needed. It needs to be embedded within teams across the organization to make sure that security events are addressed as quickly as possible to minimize the impact of those events for the provider and for the healthcare provider. So, a lot goes into establishing and maintaining a true enterprise security program.

Navin Gupta

I love that. I think oftentimes when organizations are looking to embrace a new enterprise level solution, particularly in the healthcare world, we are talking about EHRs in general, a lot of emphasis is paid to the clinical and operational and financial, but just being able to tease out, from an IT and security perspective, the layers that are there to be able to assess maturity. And security is not a one time thing, right? That you’d one and done, so to speak. How should true enterprise technology partners be investing in security? So, I think that’s a question. If I’m a provider, healthcare provider, I’m working with a technology partner, my trusted partner, beyond what we’ve just talked about, how should we be assessing investments that would be happening there? So, Todd, what do you think from an investment perspective?

Todd Friedman

I look for partners that care about security as much as I do. And so you want to look for early indicators. And so it could be things like, we evaluate the security programs and controls that they have in place. We look at things like cyber insurance. We look for contractual controls. And talking about cyber insurance for a second, it’s really expensive. I mean, it’s pretty expensive typically, but this year because of ransomware and other events that have happened with the insurance companies, the cost is going up between 150 and 200%. So, think about that.

Navin Gupta

Wow.

Todd Friedman

But I think that that’s a really interesting indicator of the risks to us and our business as well. I like looking at cyber insurance because it’s smart money. These guys are having actual losses. The losses are increasing to the point where they’re having to dramatically increase pricing or changing the terms of the insurance. I’m going through this right now, so it’s pretty close to my thinking. But I look at what they care about, and it is things like ransomware and it is the healthcare industry. It is medical records. So, when I’m looking at partners, I will look at whether they have cyber insurance. If you’re working with a number of partners that you rely, on and especially if they have access to your environment or if they have access to your data, it’s a good idea to double check and make sure that they still have cyber insurance to make sure that those security controls are still in place.

Todd Friedman

Another thing is contractual controls, making sure that you’re protected upfront. And a contract is your friend. You hope to never have to go back to it, but sometimes you do and you have to say, “Look, this is what we agreed to.” And I like to think about when you have a cyber breach. Let’s say a third party causes a data breach. And I’m thinking about Target and their air conditioning vendor that didn’t have appropriate security controls and led to one of the biggest breaches in history, one of the biggest embarrassments and one of the biggest hits to trust ever. That’s something to think about. How do you make sure that those partners have those same controls in place? How do you limit what they have access to? And that contract is a way to put those controls there, to say, “Look, if there’s a breach, here’s what you’re responsible for.” Now, ultimately nobody knows the name of that air conditioning vendor. Everybody knows the name of Target. So, that’s why I think you have to even put more due diligence up front.

Navin Gupta

Yeah. Wow. I think those are great financial element from an investment perspective. And you’re right. If we are working, which we all are, working with third party organizations, there’s an ecosystem that emerges and the sharing of data and the data rules around that and protection becomes important. Brian, anything else you want to add?

Brian Tolkkinen

Yeah. A few areas come to mind. First, technology partners as a reorganization does need to invest in people continually. People are the most important component in a security program. The most advanced and costly tools and solutions won’t do any good without proper staffing and training. And the example Todd used of the Target breach was a perfect example of that. And as discussed here, there are a lot of different types of skills and disciplines needed. So, we need to invest in people. And unfortunately, as Todd pointed out, security professionals in today’s market are very scarce. So, businesses often need to spend more time looking within their current talent people to identify individuals to invest in who have potential and who have an interest in working into job roles over time. But this can go hand in hand with establishing a security advocacy program or a security champion program within the organization where volunteers on various teams can get additional security training and act as advocates for the security program and act as go-to resources for their teams.

Brian Tolkkinen

Second, I think it’s important to be smart about leveraging third parties in various ways. Bringing in a third party firm, for example, to conduct security risk assessment can bring added expertise and can bring credibility to the assessment process. And this can help management understand the risks and to make related treatment decisions. Also, hiring an audit firm to first help to obtain compliance for government or industry standards, and then to audit the operating effectiveness of those related security controls and issuing an opinion or an audit report regularly can significantly improve credibility and trust with the customer base, right? Through that third party assurance.

Brian Tolkkinen

And then third, expanding the risk management function to include a formal program for vendor or supplier risk management to address security within that business’s supply chain is an area of increasing risk for all of us, and increasing importance as we’ve seen with the SolarWinds supply chain attack where some of the most security sophisticated and largest technology firms were affected. So, there’s a lot of work in this area with identifying all of the vendors for the business, addressing risk for each, working directly with the vendors where there are areas of concern, and with documenting and tracking assessment activity over time. So, implementing a fire risk management program often requires a dedicated specialized team with specialized tools and training. But again, it is an area of increasing importance.

Navin Gupta

Tom, Brian, this is such great content. High quality, educational, right? So, when we talk about investment, we talk with cyber insurance with certain people and tools and processes and all of this, so it just becomes apparent when organizations can claim in many ways to be having enterprise offerings, enterprise solutions, enterprise positionings, but really the detail’s critically important to be able to assess the maturity. Did you really have all of these elements in place? It makes a big difference for a provider to choose a technology partner, whether they have these fundamentals in place, because inevitably security will be a huge topic that will be lurking behind their day-to-day operations that are going on. Which many times you don’t notice until there is an incident. That’s when security takes center stage. So, thank you for sharing that.

Navin Gupta

Maybe just a final question, and I’d love to end with this. We want to be able to identify, maybe, couple of questions that, if I’m a provider, I’m an operator, I’m looking to adopt a new enterprise solution, could be an EHR or an ancillary platform, here are some fundamental questions that I can ask, I could put on the table to assess the maturity. We talked a lot already, but are there a few things that we can arm providers to be able to essentially utilize in their discovery? And we’ll take these questions and we’ll post them. So, Todd, what are some of the things that come to mind and say, “Hey, here are the fundamentals. Make sure you ask these things”?

Todd Friedman

We look at a lot of different vendor solutions. We have canned questions. And one of the things that we try to do is to understand how big the risk is for that vendor. Because it takes time and it takes effort. But when we do find a vendor that we feel that the risk is big enough to do a deep dive, we want to make sure that there’s somebody there that’s responsible for security. And that may sound trivial, but oftentimes there’s not. It’s somebody else’s job or it’s spread among a number of people. And as you know, if a bunch of people are doing something, then nobody’s doing it. And so finding that point person and being able to get to them and to be able to ask questions about their security strategy, about the investment, if they’ve had breaches in the past. Talk about, are they patched? Some of the basic questions that we would ask about our own companies. And that is about hygiene. Making sure that they’ve never had a security incident.

Todd Friedman

And I think it’s really important to talk to other customers. And especially, there’s so many different factors when you’re choosing a new partner because they are a partner in every way. But talking to other customers and finding out, “Have you had security issues? How did they respond to them? How serious did they take them?” I think that those are all indicators. And this is going to sound odd, but I think sometimes it’s about a gut feel and it’s about the passion of the person that you’re talking about. You can see that they take it seriously and that they take pride in the security part of their jobs. Sometimes you’ll speak with vendors and it’s, “Yeah, we meet the minimal requirements.” And you say, “Okay, well then that’s what I’m getting. That’s going to be the quality of the security of the tool.”

Navin Gupta

Yeah. That’s great. Brian, we’ve got a couple of quick minutes. Anything that you want to add that we can help equip providers as they think about enterprise security?

Brian Tolkkinen

Yeah. Just a handful of typical questions that we might ask depending on the nature of the vendor and the services they’re providing and the risks involved. But similar to what Todd said, asking about the tenure and the training of the chief security officer, the number of dedicated resources on the security team and the training in industry certifications held by members of the security team as well can help give an idea of the supplier’s maturity. Also, asking whether the vendor has a formal risk management program in place and about those procedures and about the nature of the vendor’s own supplier risk management program is important as well, again, given the evolving threat landscape there.

Brian Tolkkinen

And then asking about specific protections against ransomware can be really useful in determining the level of investment scope and maturity of a vendor’s program, because that particular threat can have such a broad impact in an organization, and so many aspects of their program would need to come into play with that type of an incident. And then asking about security incident response procedure. And lastly, asking for customer references can help give helpful insight that you might not get directly from the vendor or supplier.

Navin Gupta

Yeah, I think customer reference is a great one. We’ve had even, within our space, a competitor that had a security issue and the impact it has on a healthcare organization, the clinicians trying to provide care and the systems are unavailable or compromised or potentially have incorrect data, medication data, let’s say the risks are so significant that the maturity and assessment of the security program is a key cornerstone to an enterprise solution. Todd, Brian, thank you so much for your effort in educating us. I know there are other white papers that you both have contributed to. We’ve done podcasts in the past on this topic, and our desire has always been to educate the industry. And so thank you so much for your contributions. This is going to go a long way in helping providers.

Brian Tolkkinen

Our pleasure. Thanks for the opportunity.

Todd Friedman

Thank you very much.

Speaker 1

That concludes the latest episode of The Post-Acute POV from MatrixCare. We have a lot of guests and topics coming up that you won’t want to miss, so be sure to subscribe. If you’ve enjoyed today’s podcast and if you have a topic you’d like us to discuss, leave us a review. To learn more about MatrixCare and our solutions and services, visit matrixcare.com. You can also follow us on LinkedIn, Twitter, and Facebook. Thank you for listening. Be well, and we’ll see you next time.