Newsday: Mandates, Regulations, and Other Ways to Protect Your Data with David Ting

April 8, 2024: David Ting, Founder and CTO at Tausight joins Drex DeFord, President, 229 Risk & Security at This Week Health for the news. As we delve into the conversation, Ting shares his insights on the challenges and opportunities presented by the current state of cybersecurity in healthcare, particularly in light of recent high-profile cyber events. How will increased regulations and mandates impact healthcare organizations, and is there a balance to be struck between compliance and genuine security? Ting also explores the hyperconnected nature of healthcare and the vulnerabilities it introduces. Could the solution lie in not just more regulations but in providing healthcare organizations with the necessary incentives and financial assistance to bolster their cybersecurity measures? Furthermore, we touch upon the potential of AI in revolutionizing healthcare cybersecurity, as highlighted by the partnership between ARPA H and DARPA.

Key Points:

  • Impact of Increased Regulations
  • Financial Assistance and Incentives
  • Securing Pediatric Health Data
  • Partnership Between ARPA H and DARPA

News articles:


Read on thisweekhealth.com.


Video Transcript:

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on Newsday.

The problem is, it’s really hard: as you fan out, the vulnerability surface gets larger and more porous, and it’s easier to get in through one of your vendors, which could be an attack point.

My name is Bill Russell. I’m a former CIO for a 16-hospital system and creator of This Week Health, where we are dedicated to transforming healthcare, one connection at a time. Newsday discusses the breaking news in healthcare with industry experts, and we want to give a big thanks to our Newsday partners:

Clearsense, Sure Test, Tausight, Order, Healthlink Advisors, Cedars Sinai, Rackspace, Crowdstrike, and Fortified Health.

Hey, good morning, or good afternoon, or maybe evening, depending on when you’re watching this. I feel a little Truman Show coming on there when I say that. I’m Drex DeFord from This Week Health. It’s Newsday, and I have David Ting with me.

David, how are you? How’s everything going?

I’m well, Drex, and good to see you again.

Good to see you, too. I’m glad we were able to spend some time together at the big shows, both of them, ViVE and HIMSS. How did those go for you?

They were great. It was nice to see it revitalized. A lot of people I haven’t seen in years showing up.

It was a crowded event. I was pleasantly surprised. In comparison to the past, it seems all the big players were there. The hall was packed. The show was a little, it felt like the floor was a little smaller, but I don’t say that in a way that is negative. Did you get that feeling too?

Well, we were in the Dell booth and it was different. I felt there was a lot of traffic going both ways in the cross alleys, but it is more compact. Yeah. Yeah. I think it’s like atoms heating up if you reduce the space.

I like that. I love our conversations because we do have a tendency to wander off sometimes.

Oh, sorry. Into physics or something like that.

No. It’s great. I love it. Okay. Some articles, some news that is going on right now in real time. There’s a bunch of articles that obviously have been written about Change Healthcare, and you and I have talked a lot about the Change Healthcare cyber event.

And a lot of those articles, the authors of those articles and the people that are quoted and interviewed in those articles, say there are a few things they think are going to happen. And one of those is what they anticipate will be the output of more regulation and more mandates coming for healthcare organizations.

Do you think that’s right? Do you think there’s a challenge there? What do you think?

I think there’s going to be a challenge. I mean, I think anytime you add more mandates, more regulations, it just becomes a checkbox to say, can I meet all these checkboxes? We know securing IT organizations is difficult and impossible at best.

There are just so many endpoints, so many pieces of data, so many disparate systems, so many partners. When I was on the Cybersecurity Task Force, one of the government agencies said, hey, we thought it was similar to finance and similar to some of the other regulated sectors, then we realized how hyperconnected healthcare really is.

You’re not just, like, self-enclosed infrastructure. You are everywhere connected to all these things: partners, business associates, clearinghouses, payers. You are just counting on everybody to do their job to secure your information. So the best thing you can do is to basically ask everybody nicely, can you do your best job protecting your own stuff, or the stuff I have to share with you?

And clearly, the problem is, it’s really hard: as you fan out, the vulnerability surface gets larger and more porous, and it’s easier to get in through one of your vendors, which could be an attack point. I mean, we’ve heard of air conditioning vendors being used to get into the system, the HVAC vendors.

It’s all hyperconnected, and I think having more regulations just becomes harder for somebody to follow. Yet, at the same time, I think what is really needed, to complement any additional requirements, is to compensate using incentives, to provide more financial assistance to all these organizations which are so strapped in terms of just staying afloat, much less staying up to date on how to better secure their information.

Yeah, I think you and I talked about this. I think the situation obviously has gotten much worse in the past few years. It’s exponentially increased now that everybody figured out healthcare is that soft sector: gee, look at all the things I can do if I break in. All the things that I can create, both consternation for the C-suite, but also just financial gains that I can make by breaking in.

Monetizing on the value of the data. Yeah. I think NIST has done a great job. I think HHS has done a great job. It’s following through on all those detailed checklists and complying. If we even mandated more, it’s just going to create more complexity. I think what’s needed is simplicity, and perhaps financial assistance to say you gotta do the following or the penalties will be there.

Yeah, and it’s interesting because we also are hearing, in some of those articles and some other places, and the American Hospital Association published a letter last week that I want to talk a little bit about, that the other part of those articles talks about the penalties that may be coming in the form of losing some form of reimbursement, Medicare payments, if they don’t get the Cyber Performance Goals, CPGs, in place.

Now those today are considered recommended. They’re optional; these are really good ideas, you should do this. I’m with you, compliance is not security. Compliance is people doing their best to check those boxes. And unfortunately, those sometimes also create unintended consequences that create exposure.

And so it really is about sort of holistically building a good cybersecurity program. But I also worry about the balance of not providing some sort of incentive resources. I hope those are coming before the stick part of this comes, and making sure that stuff is lined up.

I agree, but I think if you start to say your reimbursements could be tied to meeting the CPGs, what that does is it creates visibility at the C-suite. Now you’re really saying, I’m going to affect your bottom line, and then you have to start paying more attention. Give more credibility to the teams that are saying, hey, I need a voice around this table as well, and not just to say, look at my checklist, it’s all checked off.

It’s going to be saying to the CIO, I need to have a security voice, I need to tell you that this business counts on us doing our job and we need to be adequately funded for it. As opposed to, oh, can you tell me that we’re in compliance with everything and then stop talking? I think that’s going to be the difference when you hit them at that level.

Maybe it’s not the incentives, but it’s the visibility and it’s the awareness that, like, if you are a public company, your cybersecurity concerns are going to be required by the SEC, right? But not all hospitals are public organizations, so you don’t have the 8-K, you don’t have the disclosures.

So the only way I think you can get that done is perhaps through the threat of withholding your payments.

You see, most health systems, most hospitals, most healthcare organizations probably depend on Medicare and Medicaid for at least 50% of their revenue. For some of them, it’s sort of up in the 80 to 90 percent range; the government is the primary payer.

So, figuring out those incentives and creating proper incentives, you’re right, it definitely will drive that conversation into the C-suite and keep it in the C-suite. A lot of this harkens back to the meaningful use period in 2008, ’09, ’10, ’11 for electronic medical records, where there was money provided for electronic health records to be installed, provided they were installed and used in a particular way, and then the money flowed.

There’s something about this that obviously feels familiar. I don’t think we’ll ever get another one of those, whatever meaningful use was, a $40 billion program to do something like this, but, you know, anything we could do to make it better I think would be good.

I think so. I think some steps towards helping, especially some of the smaller rural areas that can barely stay afloat with what they have today.

We talked to them and it’s obvious. They are so needy of staff, short on staffing. They’re short on funds to pay for stuff or even outside help. That’s where dollars could be well spent, because they’re often tied to the larger organizations. They’re the front doors.

That’s right.

They’re the rural organizations that are enjoying referrals to the more major health systems. When we talk generally about healthcare systems, we mostly talk about healthcare systems.

The large majority of the health care in the U.S. is provided at these small, rural, critical access hospitals that, if something happens to them, patients have to drive a hundred miles to get to the next hospital.

Or they’re connected directly into the IT system for the larger networks that they’re feeders for, the front end.

Right. So there is a chain, a domino effect, that I often think, gee, it’s the small organizations that plug into the larger ones that you need to worry about.

Yeah. Here’s another interesting part of the American Hospital Association letter. You and I just talked briefly about this before, but they point out:

Anytime there was a breach in 2023, and that breach exposed more than a million records, 95% of the time that was a third-party business associate, not the healthcare organization itself. You got any comments about that? Thoughts about that?

Well, I’m sure there is an interlinked relationship, because when you hand off all your data to somebody else, you’re assuming that just because they signed their agreements and passed their vetting, you are going to be counting on them.

At least on paper, they’ve done all the things that they need to do. So they’ve attested, but it hasn’t been verified. So I think there is that need to qualify these third parties over and above just filling out a form.

The third-party risk management programs are really difficult too, right? Because if you have health systems that have small teams, or in some cases almost no team, a fractional FTE, that’s working hard to just secure their own organization, and then you’re also asking them to go secure all the third parties, or make sure that all those third parties are also secure.

I mean, it feels like an overwhelming task.

And they are all dependent, because where do you stop? And how do you do that? And I think there has to be a better mechanism to do that. And we’ve always been pushing that it’s got to be more than just an audit, a survey. You need to be validating them with real data, real ground truth.

Collecting that and verifying that, hey, I’ve done all the things that I need to do to secure your data. I’ve patched everything. I have encryption on everything. I have procedures. I have backups. I mean, there’s a lot of stuff if you go through the complete checklist that says how do you build, quote, a cyber resilient organization, where you’re counting on all these tools and dependent partners over whom you have no direct control except the contract of your agreement.

The other thing too is that even when they sign off on whatever the checklist is or the thing that you send them, it’s just a moment in time, right? Because, as we all see in our own health systems and in our own organizations, there are new patches every day.

They’re super urgent. You have to get them installed right away or something bad could happen. All that’s also happening to all your third parties, and you sort of constantly are wanting to check on them too, and make sure they’re doing the right thing. So, yeah, it’s a really tough situation.

And like you said, for third parties and then their third parties too.

And their third parties, exactly. Because they’re not operating on their own. And their friends, and so on and so forth. It is a really tough problem. Hopefully.

That’s right.

The damage that can be caused gets smaller because you fragmented the larger problem to smaller and smaller exposure.

In the world where it’s not a matter of if, it’s a matter of when, the only thing you can count on is that you perhaps segmented or broken down the problem into smaller and smaller chunks so that you can tolerate smaller losses.

Right, right. It turns out that, when you report to the Health and Human Services Wall of Shame, the breach portal, even when a business associate is the one that’s breached, you’re the one that still has to report.

Reputational damage still winds up blowing back to the health system, right?

Right, exactly. That’s where I feel the CIO’s job in healthcare is incredibly difficult, because you have so many places where you’re counting on them to do their job. But at the end of the day, you’re the accountable individual.

And I used to always ask CIOs, how do you sleep at night? How do you plan a career when everything could change in a moment?

Yeah, so many things that aren’t in your control, and the buck still stops with you, right? Interestingly, there’s one more story I wanted to talk to you about, and we can talk about anything else you want.

But the last story is around Lurie Children’s, and the ransomware gang Rhysida, who obviously locked up the systems at Lurie’s and then allegedly stole data before they did that. So this double extortion process of deploying ransomware and holding you hostage for the ransomware, and then also telling you that they have data and that you need to pay them to not release that data.

They stole data and now allegedly they’ve sold it on the dark web. And in the two-minute drill that I did earlier this week, I spent some time talking about why children’s data is so valuable, because if you can manipulate a kid’s data and do identity theft with a child, it may be 10 or 15 years before that child applies for the first credit card or tries to get a job and they find out that they have a terrible credit rating.

Like, there’s a lot of bad things that have happened, because they’ve sort of never checked their credit rating, right? So children’s data can be especially valuable. It’s a thing that really tears at you because we all have kids or we all know kids. Sometimes we just don’t know where all that data is stored in a health system though, right?

That’s the other part of this: we think the electronic health record, but it’s a lot of other places too.

And a lot of it, for children’s hospitals, given the pressures of growing up as a teen, if you see your kids growing up through middle school and in high school, and you look at all the issues that they’re dealing with, social issues, the concern a lot of folks have is, what about all these unstructured mental health issues, when you go into a hospital and you talk about your issues, where you’re talking about your kid’s personal issues?

Those are all unstructured content that are often kept in different places than just your EMR. And how do you know where all that stuff is? How, again, how distributed is that? How does it sit on different servers, different files, different laptops? A lot of therapists will come in, record all the stuff on their own laptops, and then summarize it for something else.

That kind of data is sitting everywhere. So, if you imagine, not only the compromise of your credit and your reputation, but what happens if they start to extort you and your kids for, gee, those things that you told your therapist when you were 15 or 16, now I can basically ask you over and over again to keep paying.

So you talked about the double extortion. There’s that triple extortion where the data go back right to the individual and you say, hey, Mr. Ting, your kids, I have their records here, and please pay me or I will make this public. And so that triple extortion I worry about, because I think there’s a lot of data out there that can hurt people as much as it can help people.

And knowing where that data is, you and I have talked about this, finding that unstructured content is really hard when it ties to individuals, especially with mental issues, and certainly in pediatric hospitals there’s a lot of that. So we’ve always made it an effort to say, how do you help people find it and make sure it meets that requirement that you’ve locked it up properly so that it can’t be exploited?

A lot of this boomerangs back to the beginning of the conversation about the potential regulations that come or the potential penalties that come. A lot of that ultimately is going to be tied to this idea that you have to know where the data is and that you’ve actually secured it, and that, again, isn’t necessarily in the place that you would think. Where you thought it was.

Yeah, amazing. So we talked about this a little while ago, and if you look at all the HHS OCR settlements with the people that have had breaches, they always cite non-compliance with the HIPAA Security Rule, in terms of being non-compliant in the complete and thorough assessment of all the risks and potential vulnerabilities to confidentiality, integrity, and availability of all your patient records. That one sentence, which I think I have tattooed on the back of my head, is the defining criteria by which we have to make sure that we’ve done a good job. And that’s also the thing that OCR will come down on you like a ton of bricks for when you say, hey, I lost a bunch of records, can I be excused?

And they go, here’s the rule. Yeah. You didn’t do a good job, or you didn’t know where all this stuff was, or you didn’t adequately secure it. I think fundamentally the rules are written correctly. I think the broad avenues by which you can falter make it hard to do this job unless you can do it not only at a point in time. Maybe you surveyed 50 machines, maybe your auditors did that.

You’ve got to do it continuously and you’ve got to do a thorough job. You need to know every place, whether it’s that laptop that the therapist used, whether it’s a computer where somebody left it on a shared desktop. Those are the pieces that will compromise somebody’s health and will cause a lot of grief for a lot of people, besides the financial impact on your organization.

That’s what I care about.

In the ever-evolving world of health IT, staying updated isn’t just an option. It’s essential. Welcome to This Week Health, your daily dose of news, podcasts, and expert commentary.

Designed specifically for healthcare professionals like yourself. Discover the future of health IT news with This Week Health. Our new news aggregation process brings you the most relevant, hand-picked stories from the world of health IT. Curated by experts, summarized for clarity, and delivered directly to you.

No more sifting through irrelevant news, just pure, focused content to keep you informed and ahead. Don’t be left behind. Start your day with insight at the intersection of technology and healthcare. This Week Health. Where information inspires innovation.

Oh, that’s great. Thank you. Hey, I appreciate you being here for Newsday. Anything else that I should bring up that I didn’t mention, anything else you want to talk about?

So I saw two notices. ARPA H released their partnership with DARPA, which I think is a really good thing. Combining the value of AI with cybersecurity, I mean, partnering with DARPA, right? Basically elevating it to saying this is a national security issue, not just a healthcare-only issue. I think that’s a really good first step for this country to start taking those things seriously.

And connecting the two, like you said. Connecting the two is AI plus cybersecurity for healthcare. ARPA H and DARPA, that’s a perfect combination. I’m looking forward to seeing what happens in there. The Dear Colleague letter was interesting. HHS wrote that, I think, just published it the other day. It was a Dear Colleague, here’s what happened with Change Healthcare, reinforcing again all the points that we talked about. When it was written, Dear Colleague, I thought, oh my goodness, this is a very collegial kind of, hey, let’s take this seriously, but certainly the impact of Change and the financial impact that it has had is significant, and I thought that was a well-timed, well-written piece. So if you haven’t seen it, it’s worth looking up, just like the AIxCC, the new grouping for ARPA H and DARPA, the other thing.

So I’ll see your couple of stories and I’ll raise you one more. The NVIDIA conference was this week, their sort of big user conference, and they announced a bunch of partnerships with everyone. It’s amazing how it feels like everything is going, largely driven by AI and Gen AI capabilities. Everything is going to be powered by an NVIDIA chip.

I strongly believe we’re on the cusp of a huge revolution when the power of those computing chips, whether it’s from NVIDIA, AMD, or Intel, whom we work closely with, the ability to execute these neural nets and process them well, really quickly, is going to change things. So I was on the generation that built the graphics processing units so that we could render images and video. So we could do video compression, we could do 3D. We never think of, gee, you could rotate that 3D object in real time and shade it, do all that. Everything that the gaming industry now leverages, years ago took forever on a minicomputer or dedicated machine, then came the chips.

The GPU chip.

You had an off-chip processor, right?

Yeah. We don’t even think about it now. The same thing is going to happen, and I’m seeing the same transition from running neural nets on general-purpose CPUs like the Intel or RISC machines, to these purpose-built extension instructions that these manufacturers have, to the purpose-built AI machines that NVIDIA and a whole slew of ASICs that are coming out, neural net engines, are going to be powering everything. And I think we’re going to change a lot of how we program. The traditional way we program things becomes basically saying, here’s a language model that will understand how to effect the language, what the output of your software product used to be.

We today systematically write decision trees. It will become a neural net.

That’s right. You’re going to have an assistant. You’re going to just tell them what you want, and then they’ll figure that out.

Why do I need the computer machines to execute every line that a team of programmers wrote?

I can just have the neural net learn by, hey, here’s my specification, here are all the end conditions, go and figure out that glob in the middle, that will do the state machine.

See, this is why I love talking to you. I can tell this whole thing, we could go on for another hour now. I believe we could go for another hour now, right?

I think there’s so much entropy in what you can encapsulate into a language model. Language model being anything that can represent knowledge, basically. We today do it by hand-to-hand combat, writing lines of logic and then building graphs and building state machines.

It’s all old school. It’s like crafting assembler language programs, and then a compiler comes by and says, look, you can start to express the problem at a much higher level. Yeah. AI is going to change all that.

That’s amazing. Oh, man. That’s actually going to be the final word. David Ting, thank you so much for being on Newsday.

I appreciate it.

Drex, pleasure talking to you as always. Take care.

Thanks for listening to Newsday. There’s a lot happening in our industry, and while Newsday covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers expertly curated health IT news straight to your inbox. Sign up at thisweekhealth.com/news.

Big thanks to our Newsday sponsors and partners: Clearsense, Sure Test, Tausight, Order, Healthlink Advisors, Cedars Sinai, Rackspace, Crowdstrike, and Fortified Health.

You can learn more about these great partners at thisweekhealth.com/partners. Thanks for listening. That’s all for now.

© 2023 Tausight Inc. All rights reserved.