What's Up with Tech?

Securing Healthcare: Imprivata's Cybersecurity Innovations, Legacy System Challenges, and Future Insights

Evan Kirstel

Interested in being a guest? Email us at admin@evankirstel.com

What makes healthcare such a prime target for cyberattacks, and how can we protect sensitive health information without burdening medical staff? In our latest episode, we promise to answer these questions with the expert insights of Joel Burleson-Davis, Senior Vice President of Engineering at Imprivata. Joel reveals the high stakes involved in healthcare cybersecurity, the unique challenges posed by a mix of legacy and modern IT systems, and the critical need for security solutions that integrate seamlessly into clinical workflows.

Further, we explore the intricacies of managing legacy technology in healthcare, especially when it comes to identity management. Joel shares strategies for prioritizing critical assets and users, ensuring security and operational efficiency for frontline workers and third-party vendors alike. We also highlight advancements in security technology such as passwordless authentication, aiming to reduce the user burden while maintaining robust protection. To cap things off, tune in for a forward-looking conversation about the future of healthcare innovations and how Imprivata is leading the charge.


Speaker 1:

Hey everybody. Fascinating discussion today as we dig deep into the world of identity and access management in healthcare, a topic that should be important to us all. Joel, how are you? I'm doing well, Evan, how are you? Doing great. Thanks so much for being here. I know you're a busy guy these days, lots of work to do, but maybe introduce yourself and the vision, the mission at Imprivata.

Speaker 2:

Yeah, so I'm Joel Burleson-Davis. I'm the Senior Vice President of Engineering at Imprivata, which is focused on identity and access management. In particular, I cover our security products, anywhere from identity to governance to privileged access security to data science and machine learning, trying to keep the world safer. We really focus on healthcare, but other industries as well, particularly regulated industries. I always say that our motto, or our mission and vision, is to effortlessly ensure appropriate access. If you're supposed to be accessing something, that should feel like magic and happen automatically, and if you're not supposed to, it should feel like you're hitting a brick wall.

Speaker 1:

Wouldn't that be nice? Well, it's such a crucial topic in healthcare. I'm in Boston; your headquarters is here in town as well. Lots of healthcare institutions are under tremendous pressure from a security standpoint. Why is healthcare such a target, and why is it so crucial? How does your approach in healthcare differ from other industries that are, you know, equally important to us all?

Speaker 2:

All right, well, I'll try to answer those questions. I'll start with the first: why is healthcare a target? There are a few reasons for that, one of which is that the information and operation of healthcare is very valuable. Health information is extremely valuable; it's often more valuable than a credit card on the dark web and the like. So there's this dynamic of it being a relatively high-value target, and over the last decade that has shifted from not only the information that's available in healthcare but the ability to create urgency.

Speaker 2:

If you are a ransomware gang and you take over a hospital system, you're talking about the life and death of humans, not just the loss of money from taking down a bank or something like that. You're messing with life and death, and that really creates urgency. So malicious gangs, ransomware gangs, have found pretty good success because of that. Obviously, if ransomware has taken down a hospital, you want to get that up and running as fast as possible, so that babies in the NICU don't die, and things like that. So there's a real urgency dynamic there.

Speaker 2:

The other reason that healthcare is a good target is that there is a wide diversity and fracturing of the technology stack there, anywhere from legacy technology that was deployed 20 years ago to absolutely brand new technology, which creates a broader attack surface for malicious actors to go after. If you think about other industries, many of them don't have the longevity that healthcare has. There are literally some hospitals that have been operating in the same building for 150 years. So that also creates a lot of technical debt, and that mix makes it a really valuable and key target for malicious actors.

Speaker 1:

Yeah, absolutely. So many vendors, dozens of vendors in a typical healthcare system, IT complexity, all that stuff. So, putting the tech aside, how should leaders rethink their strategy, let's say, before they start talking about technology and implementations and all that good stuff that we like to dwell on?

Speaker 2:

Yeah. Very specifically, having just talked about why this is such a big target: if you're a CISO or some leader inside of a healthcare organization, you might go, oh no, let's drop as much security into this operation as possible, because we're a huge target. But you can't really do that, because you're talking about providing healthcare. You're talking about nurses, not software developers, being the end users that bear the burden of all of these security measures. So when you think about needing to solve this real problem of much more enhanced security, more enhanced authentication around accessing privileged information, all sorts of stuff, you have to be able to do it without pushing that burden of security onto end users like radiologists and nurses and doctors. The focus really should be solving that security problem without putting undue burden back on that end-user workforce, and that creates a pretty big challenge.

Speaker 1:

Well, it's a great goal, and we love our nurses and doctors. They're certainly overwhelmed from all sides, with a lot of burnout, not just from IT and applications and tech but from patient care. So that's an excellent goal.

Speaker 2:

Right. I was going to say, you have a nurse that's on a 12-hour shift, and one person's died in the ER, and she realizes that she spent an hour putting in passwords on complex tech stacks and stuff like that. You're going to just explode their brain, and they're going to figure out a way around that, because they don't want to put up with that. They want to help people.

Speaker 1:

Yeah, I love that philosophy. So how do you help make it easy for clinicians without compromising on security? In broad strokes, what are some of the big ideas?

Speaker 2:

So the approach that we have is trying to fundamentally understand the workflow and the work that those end users do. Here at Imprivata we actually have an entire clinical team of pharmacologists and nurses and doctors that go walk the floors with our customers to understand how people are using this technology, and then that is fed back into our product organization. A good example of this: for our single sign-on product, we realized that there's this super deep technology stack. You have to log into your workstation, you have to log into the virtual environment, you have to log into the application, and then inside the application there are additional logins. All of those have to meet security standards. All of them have to be unique. So if you think about it, you have a nurse trying to log a vital sign into an EMR, and they may have to put in four to five different 16-character passwords, which is just maddening, which is why they post them on the screen.

Speaker 2:

Here are the four passwords you need to know, and generic logins, and all sorts of stuff. So one of the things that we did there was to take all of that and just fill those passwords for them. They can log in with a badge, and then we will take that and identify them, badge plus password once, and fill that across the stack so they don't ever have to touch it. The authentication window comes up in the EMR and we can fill that in, so they just stop touching it.

Speaker 2:

That's been great. And on the other side of that, talking about the vendor ecosystem, we've created a platform where vendors, if you're an MRI vendor or if you're an EMR vendor, have one-click access without additional privileges, without knowing passwords, with employment verification and MFA: one-click remote access into a healthcare system so that you can focus and get to work. If systems are down, getting them back up; if systems are broken, getting them back up. So we're really focused on making sure that for anybody interacting with the systems, security is there and friction goes away as much as possible.

Speaker 1:

Wonderful goals. So, you know, I love speaking with people like yourself who are in engineering, not marketing. No disrespect to the marketing people, but all the buzzwords these days are around AI and ML. It's in every discussion and presentation and meeting. But practically speaking, how do you foresee AI and ML improving identity and access management approaches in healthcare?

Speaker 2:

I think it's going to be an incredibly useful tool. You do have to be careful and mindful of what you do. There are privacy and security standards around using health information to feed large language models that are on the public internet. That's a no-no according to HIPAA. But with any tool like that, or any new technology that emerges, people, and we as well, will find good uses for it.

Speaker 2:

A few of the things that we've done that are pretty interesting is to leverage purpose-built models, neural networks and machine learning, for the analysis of who's accessing patient records, to see if there are policy violations.

Speaker 2:

Another one is who is accessing drug cabinets, and are they really dispensing the proper opioids, or opiates, to the patient, or are they diverting and stealing those?

Speaker 2:

Leveraging machine learning and AI to solve these really interesting cases that are hard to solve with normal engineering. We've done that, and we will continue to do stuff like that, and it's been very useful. Some of the buzz around ChatGPT and large language models and all that stuff is going to be interesting, but I think we have to get a little further into the dynamics around privacy and accessing some of this most sensitive information for humans, inputting that into some sort of public database. So I think that will be some time coming. I know there's legislation around figuring out how to do that, and there are customers that we've worked with that are trying to stand up private large language models to get around that, housing an LLM in their own data center so that they can actually process patient health records, and that's got, I think, some promise.

Speaker 1:

Fantastic. Well, great opportunity, on an optimistic note. We're also seeing that the world of work is so different now, post-pandemic, than it was even a few years ago, with telehealth and telemedicine and remote patient monitoring and specialists moving around different healthcare systems. How do you think about the security challenges in this new world of remote access and wearables and hospital at home and all of these different modalities?

Speaker 2:

Yeah, I mean, I think number one, my first response as a security engineer is to freak out a little bit, and a lot of people did that when suddenly organizations, and parts of your hospital or your organization that had never worked from home, were overnight working remotely, and many people stayed that way. So it's like, oh, there's a massive explosion of the attack surface. Are we really set up to support people remotely and vendors remotely and access to this protected information remotely? I think people have gotten past the freak-out, at least I have, and started looking at real solutions. I think privileged access security in general is a good focus for that. If you really think about the fundamentals of that, it's the principle of least privilege, and even more so this idea of zero standing privilege, and forgetting the old castle-and-moat mentality, where if you're inside my building walls, you're safe. Building newer, modern security infrastructure on those principles of zero standing privilege and least privilege, and really thinking about who's accessing what.

Speaker 2:

What is the identity accessing the asset? Is that a super important critical asset, protected information, yes or no? That might have a particular security policy. Is this a super risky or not risky identity? Or is it some third party where I don't actually know who they are or who's employed them? If so, I need a different security posture against that. Building up what would be a security program, thinking in those ways: what is the riskiness of the identity, what is the riskiness of the asset they're accessing, whether or not they

Speaker 1:

Yeah, well said. And of course you're intimately familiar with HIPAA, but there are emerging new compliance requirements being added every year. How do you think about compliance and staying compliant while keeping things secure?

Speaker 2:

According to some of our legal counsel, and we have privacy counsel on staff, they say something changes every day.

Speaker 2:

Which I think is maybe an exaggeration, but around the world, if you think about operating a global company like us, that's roughly true.

Speaker 2:

One of the things that's been helpful is if you approach your program build, whether it's us as a software company or a healthcare system as an enterprise, leveraging solid security principles and governance principles, you will find that you stay compliant and have the resources and foundation to continue to be compliant as things evolve. A good example: if you're building software and you've followed a privacy-by-design architecture, then when new privacy laws come out you're probably going to be fine, or at least you have a pretty good foundation to get fine relatively quickly. So I think it has a lot to do with understanding that regulation that comes out is often really setting a relatively low floor of compliance that most people will get by if they are following really good principles of governance and security, or at least they will have a foundation to meet those requirements if they did follow those.

Speaker 1:

Yeah, well said. You mentioned technical debt at the beginning, and we've all had the experience of seeing fax machines and pagers and CD-ROMs in our healthcare network, sadly. How do you think about all that legacy technology, with not a lot of free money floating around in healthcare to just upgrade and move to the next big thing? How do you work with legacy systems to improve identity management when there's all of this ancient history still to deal with?

Speaker 2:

Yeah, I think first you have to go through a few phases. First you have to accept the fact that that exists. It's not going away. A lot of these legacy systems, and this isn't just healthcare, manufacturing has a similar problem, exist because there's been a lot of capital expenditure to purchase particular devices.

Speaker 2:

When you talk about operational technology, often those are 10-year, maybe 15-year refreshes, because that's how long that operational technology can be in use. So you just have to accept the fact that things aren't going to get perfect and super modern really quickly, because people are going through normal capital purchasing exercises, and so something might be from 2009 or something like that and may not support some of those standards. So then I think you look around at your identity and security providers for people that have understood the reality, instead of solving for just super clean, modern, cloud-native systems that everybody's using. They've understood the reality of the industry and they're trying to solve for that. So it's anywhere from auto-filling passwords, because passwords are going to exist, to leveraging RFID, because there's no keyboard and you still have to pass information to a system.

Speaker 2:

So some vendors are pushing the absolute edge of being modern but don't support anything legacy, and some vendors are doing just legacy technology. I think you really have to think about, if you're talking about a giant industry like healthcare, there are going to be both of those. There is going to be bleeding edge and super legacy coexisting. You will have to accept that fact and solve for both of them.

Speaker 1:

Yeah, really well said. So for healthcare leaders looking to revamp their integrated access management strategy or discipline, where do you start? Is there an IAM for Dummies book that you can recommend? Or what are the baby steps, the first steps towards really upgrading or renewing their approach here?

Speaker 2:

Yeah, it's always baby steps. It always starts low.

Speaker 2:

So really start to identify, and this is the advice I try to often give, the most critical.

Speaker 2:

If we talk about criticality, and I like to use that language of criticality, there's criticality in terms of business continuity, criticality in terms of value to the business, and criticality in terms of urgency. In healthcare you're talking about maybe life-and-death urgency, like certain surgical theaters or ER departments. So really start thinking about what are your critical users, your critical assets, and solve those first. Those are going to be the first ones to solve. A good example is that passwords and nurses don't mix very well. So solve that, maybe, so you can get them back to taking care of patients and not worrying about their five to six different 16-character number, letter, symbol, capitalization passwords. And on the security side, we all know that between passwords and the really large third-party vendor ecosystem, those are the number one reasons that you're going to get breached.

Speaker 2:

So then solve for that first. If you can solve on the security side for the number one reason you might get breached, which is third parties, and if you can solve on the critical workflow side in terms of frontline workers, you get pretty far, pretty fast, and then you work back. Once you've figured out your priority, or your hierarchy of criticality, you just go one step after the other: do one, do the next. And as your program matures over time, you will get there.

Speaker 1:

Oh, well done. Well, that's advice we can all onboard. What are you looking forward to for the rest of this year, personally, professionally? I know there's a lot going on in the industry. What's on your radar?

Speaker 2:

What's on my radar, for the most part, is more of this. How do we, and this is what my teams are working on as well, accelerate security to keep malicious actors at bay and keep people from cursing our name every time they see our logo, or something like that? How do we not pass the security burden on to end users, which is something that's really happened? Like, with ransomware gangs, ransomware has become such a scourge upon the entire world; how do you start improving security without just crushing end users? Figuring out ways to do that. We recently joined the FIDO Alliance.

Speaker 2:

We're working a lot on passwordless, and that's all cool technology, and incorporating those technologies of super enhanced security. Unlocking a cryptographic key with your face, and that logs you into a system versus a password, that's super cool. Being able to do that with a frontline worker and a third party, you can do ID verification and authentication in a way that reduces friction for those end users, whether they are a technology rep from a third party or an end-user nurse. So I think that's really exciting technology. Many industries aren't ready for it yet, but they will get there as part of the future, and so that's going to be a fun thing to work on for quite some time.

Speaker 1:

Yeah, fun and optimistic. I love that there's a light at the end of the tunnel here for many of the challenges we're facing today. We just need to get there. Thanks so much for sharing the time and the vision of where we're headed. Very interesting, exciting times ahead, Joel.

Speaker 2:

Yeah, thank you, Evan. Thanks for having me.

Speaker 1:

Yeah, thanks everyone for watching, and reach out. Follow Imprivata. They put out some great content on the various social channels. It's where I came across them. Thanks so much, take care.