Hello everyone, and welcome to season two of the IEEE SA Rethink Health podcast series. I’m your host, Maria Palombini, and I lead the IEEE SA Healthcare and Life Sciences Practice. The HLS practice, as we like to call it, is a platform for multidisciplinary stakeholders from around the globe who are seeking to develop solutions for driving responsible adoption of new technologies and applications into the domain. Hopefully, the end outcome will be more security, protection, and universal access to quality of care for all individuals. We know that cybersecurity is evolving constantly, from increasing policy to a changing threat landscape. This season brings all these conversations from these experts on the growing epidemic of cyber warfare breaches, as we see on health data and health technologies, and how they’re looking at it both at the regional level and the trends we’re seeing across the globe. Together, we’re hoping that with solving these problems and the benefits of these devices, we will reengineer the strategy to better patient privacy and overall security. So with that, I would like to welcome Roque Juárez from Mexico to our discussion.
Hello everybody. Thank you, Maria, for your introduction. And I’m going to share with your audience about this fascinating domain.
We can’t wait, and I know you have a really diverse background in security intelligence. I know that you’re currently at IBM Mexico. So with that, why don’t you give us a little bit about yourself, some of your specialty, especially your work in IT security, some of the things you’ve seen throughout the years, how they’ve changed or maybe gotten better, new developments, especially being in Mexico; you come with a different perspective, as do all our experts from around the globe.
Of course, my pleasure, Maria. I have to say that I’ve been involved with information security, IT security, and now cybersecurity since I was at university. I perceived that this area was so fascinating from the first time I came across some news regarding the historic hackers such as Captain Crunch and Kevin Mitnick. I thought, and I was sure, that this area was going to be in the focus of so many industries, because all of them were getting support from it more and more. So I got engaged, and I couldn’t leave it. I think it will be the best part of my life for the rest of my life. It has been evolving so quickly. We can say that maybe 15 or 20 years ago, cybersecurity or information security, as the main and holistic concept, was not in the focus of many organizations or in the focus of many regulators. And we have to say that it is a natural evolution process. Especially in Latin America it is a challenging domain, because sometimes, historically speaking, cybersecurity has been perceived as a business blocker: for every control you decide to deploy, you’re going to blow up the business vision, mission, and main purposes.
But in current times, and due to this pandemic, we can see that all the organizations, no matter which sector of the industry they are in, have to transform the core business. Most of this transformation is supported, or at least enabled, by technology. The healthcare industry is one of these industry sectors that is being impacted by this accelerated evolution. Now, we can say that in Latin America and globally, other industries have been engaged with IT and with cybersecurity issues sometimes before the healthcare industry.
For example, traditional industries such as financial services, insurance services, and ecommerce have had to be focused on cybersecurity and IT security; they developed a business by engaging customers in these business environments, because the nature of the core processes is supported by IT. In some other industries, such as manufacturing or healthcare, IT is a standardized technology, so in this case now, healthcare is taking advantage of this standardized technology provided by traditional IT to develop the new patterns in the core business. Now we can see that in the healthcare industry, the core devices, the core apparatus the industry uses to achieve its main objective, in laboratories, hospitals, and these kinds of organizations and institutions, are taking advantage of these IT standards and technology and devices. But now, these new industries that are taking this advantage are facing new challenges that they were not aware of how to handle. And it is not a critique. And now, healthcare has to develop to embrace different kinds of services and processes to make this transformation a tangible thing. I’m talking about business or core processes, but they have, for example, the patient support processes, such as registration and the follow-up of the patient status and things like that, and administrative and management processes. In this big picture, healthcare has to handle a lot of challenges due to this standardization of the technology that they are using for the core business.
I think you’re giving such a nice macro introduction. You know, I could sense from your passion right away that you’re into this. You’re already jumping into our next segment, the core. You already started to preface this: that, you know, healthcare underwent a major digital transformation. We all know this, like anything else in the digital era. Obviously there wasn’t always, or there is not so much, a focus on cybersecurity or the cyber breaches and the vulnerabilities compared to other sectors that were more traditionally attacked, like banking, insurance, finance, and e-commerce, that were first on the hit list. You mentioned there are some real critical challenges that have emerged. Can you share exactly what you envision, or your perspective on those challenges and how they’re impacting the healthcare industry overall?
Yes, of course. The first important thing to keep in mind is that, based on some cybersecurity industry reports that were published at the beginning of the year, we can see in the IBM X-Force Threat Intelligence Report that this industry moved from place 10 in 2019 to place seven in 2020. The most common attack vectors that we can see the attackers used were around ransomware, data theft, and server access attacks, but we can see that these attacks are related to common IT standards or common IT technology used to support some other processes or services that were not the core processes. Based on what we mentioned about this digital transformation and this adoption, I can see three main challenges. The first one is that the healthcare industry is adopting IT as its core technology. I mean, some years ago, IT was just a group of support services for administrative tasks and things like that. Although the new medical devices are running on common IT layers, I mean, operating systems, networking applications, software engineering, things like that. So they are exposed to the vulnerabilities discovered and reported on these IT assets. That’s the first main challenge. The second one; well, the numbers are not related to the priority. I think these three challenges have the same level of priority. Let’s see why.
The second one is privacy of personal info. Most of us might think that privacy is just for the patients, but we have to think about the privacy of the information collected from the collaborators or employees; it is at the same level of importance as the patients’. So the essence of this industry, the healthcare industry, requires that the data from people be collected and exchanged because of its process nature. This data is considered in most of the laws and regulations all around the world as personal and sensitive, the most important sensitive information. All the organizations that collect or exchange this information have to protect it at the same level of risk as the most valuable information. If you are like most people, and you identify or classify your processes and business information as relevant and confidential, the personal and sensitive information that you have, no matter whether it is from your collaborators, employees, or patients, has to be ranked or classified at the same level. So the level of protection that you have to deploy on this info is crucial, and it can represent investment and efforts to protect. That’s the second main challenge.
And the third one: since all the research and all the investigations and collaborations around the vaccines, especially because of the COVID-19 pandemic, specifically speaking, there’s a new confirmed challenge related to hacking the infrastructure where these researches or investigations are done. This could affect the integrity, availability, and confidentiality of the results of the research and investigation. But what is more, what we have to think about is that some attackers run phishing campaigns against common end users, common people like you and me, where they distribute emails or some advice around the internet which lead people to access information or some advantage around vaccines. They are trying to steal the information or personal bank accounts and things like that. We cannot lose the idea that the protection of the information around research and investigation has these two components. I think all the organizations in the healthcare industry have to pay attention to that, because the integrity and the reputation of the brand and the organization can be jeopardized.
That’s fascinating. We’ve had many of our expert guests pinpoint the fact that they need to embrace, just in general, the situation with these vulnerabilities as organizational risk, not just a product risk. So I see that you as well share that same point of view. We’ve had different research, and I’ve had some of my guests say that the Latin American region is a little bit behind in creating strategies for response or anticipating these kinds of breaches in connected health applications as they continue to gain speed within the region. Given your work there and being from the inside, is there anything that you’re seeing in trends that suggests there’s more attentiveness to the challenge? Are you seeing some new ideas, either from government or from industry in the area, trying to address some of that growing challenge? It’s happening not only in Latin America; this is a global challenge, but perhaps from a bird’s eye view from where you are, what’s going on?
That’s an interesting point, because healthcare organizations in Latin America are making big efforts to close the gap. Maybe the starting point of these challenges for these organizations is not easy. It’s not easy for anyone. But in this part of the journey, they have not been trying to address the problem, but just investing in technology.
Right now, and I think it is a global symptom, all the organizations are swimming in a pool of tools and technological platforms, trying to reduce or mitigate the risk associated with this changing threat landscape. They are trying to address the challenge with a wider view, which is positive in my perspective, because they are trying to share the concerns with the C level; they want to drive this challenge as a corporate challenge, not just an IT or technological approach; they are trying to move the needle around a holistic effort: people, technology, and processes. This is a group of premises that they are trying to work on and develop. What is more, currently they are not trying to acquire more technology or replace all the hardware and software that they invested in previously; what they are trying to do is to develop capabilities around these three premises I mentioned. It’s not easy, because right now there’s a lack of resources due to the pandemic and the economic situation; it is not easy to get all the resources the organizations need to address and solve the challenge. But they are trying to make a clear association with business needs, and not just the regulator requirements. They are trying to add customer and business environment requirements to these benefits and risks associated with the technology and IT technology-supported core processes in the healthcare industry. Latin America is making progress. I think it is not as fast as required. But we are not doing nothing.
One of the things that I’ve been reading more in the headlines, and it’s unfortunate because we’re in the middle of a public health pandemic, and we’re worried about obviously saving lives, opening data to help research. But yet we’ve seen this increase of attacks on general healthcare institutions and COVID-19 specific research institutions. Can you share your perspective on what’s driving this increased appetite for these hackers? Like what’s their motivation? Or are they getting access to something that they weren’t gaining access to, before that? What’s really fueling this rage?
It is a question without an easy answer, because I think that most people have associated all the cybersecurity issues with a teenager-driven event in the past. And nowadays, I have to say that when we read the newspaper, or we read on the internet or somewhere else that an attack was successful, maybe we are associating an image with a teenager in underwear in the parents’ house, playing games with computers. This is not like that anymore. These cybercrimes are at the same level as organized crime. We have to stop thinking that this is a teenager’s matter; these are relevant and corporate industry matters. Based on that, we can see that the fuel for these hackers could be to sell in black markets all the information they can get from these investigations or research. It can be associated or classified as an act of vandalism. The other component of this equation could be, as I said before, to get personal and sensitive information that can be sold again in digital black markets. If we check different reports around the amount of money that black markets related to cybercrimes are generating, we can get the answer to these questions.
Absolutely, just another level of complexity to deal with in the midst of this challenging time. So I ask this of all my guests: from one point of view, we hear debate that we need more policy to address the issue of cyber vulnerabilities in the connected healthcare system. We hear others who say that it should be market driven; engineers and technologists need to step up for the benefit of the service they provide to customers. So we’re hearing all these different things. From your perspective, what do you think? Where do we need to start pushing more of these opportunities, whether it’s policy, whether it’s development of technical standards, whether it’s incentivizing industry to sort of step up and start addressing these kinds of issues at the foundational layer?
You brought up an important and relevant actor in this play. I’d have to say that the work that regulators are doing is essential, but it is our starting point; it is not the destination. When you are working just for the regulator, to be compliant with the regulator, you are not doing things right. I mean, being compliant with the regulator has to be a natural symptom that your IT and cybersecurity operation is aligned with the business requirements and the regulatory requirements. But most of the time, what happens is that an audit by the regulator is going to be executed next week, so I’m going to be prepared. You are not doing anything to change your current threat landscape, your current vulnerability landscape, not for the benefit of your business, just to be compliant. So that’s why I said that it is a starting point: you are going to have some indications to be compliant with, but the challenge for the administrators, the cybersecurity responsible in the organization, is to understand these regulations and to translate them from the business environment to the business context. So you are going to be aligned and you are going to be compliant. It is a starting point, in my perspective. Another important thing you mentioned: when you work in an industry, you can make progress by developing standards, by sharing concerns or lessons learned. It is not a problem we are going to fix alone; we need to collaborate, to embrace and to enhance all these efforts that regulators and organizations or standards organizations are doing too. How? Most of the time, when a law or some regulations are going to be published, or standards are going to be published, there’s a period where you can contribute, share your concerns, or share your experience, and this can be used to develop a link. So this is a way. I mean, there’s not a silver bullet. There is no procedure to follow. But I think it is a good starting point, right?
Yes. You covered so many great things, and you know, some of the points that I’ve just picked up really quickly are common themes that we’ve talked about with other guests from around the globe, which you hit on just the same. First of all, cybercrime is an organized crime; it is no longer a teenager thing or something that just happens because someone has nothing better to do. And at the same time, cybercrime is an organizational risk, and we’ve heard this recurring theme as well. I think an important point that you also brought up, just as a note to everybody: we do have a common theme where we say policy needs to step up, but policy is definitely not the end game. I think you reinforce that point as well. The third part is, we hear a lot about investment going into technologies and how, you know, we can deal with the issue of cybercrime and cyber breaches. But the question is that it’s not just about investing in the technology; like you said, it’s trying to fix the problem. We have to try to get to the problem. The sad part is that usually when we move up higher on a scale, we think it is usually a good thing. But the fact that healthcare is moving up as an appetizing place to be breached is not such a good thing. So this is something for our audience to keep in mind. You brought up so many great insights, common threads. What do you think is the most important call to action in the healthcare domain? You know, we’re talking about a wide range of hospitals, facilities, pharmaceutical companies, technologists, regulators, patient advocates, patients themselves; there are a lot of people and entities in the mix. What do you think is a really important call to action?
Again, it is a complex situation, as you were describing. But what I would say is that the first big step is to bring these new risks to the table with the C-level in the healthcare organizations. I think this could be a big step for the industry. In the meanwhile, we can reinforce some more tactical and operational actions to make this change. It is not an easy problem, but how do you eat an elephant? A piece at a time, right? So, to make progress based on legal changes or legal efforts, but not to stop the airport, I could say that, let me share a general call to action. Secondly, to integrate the healthcare technology cybersecurity risk in the organizational risk. When you are managing your organization or corporate risk, healthcare cybersecurity risk has to be there. Third, to manage all the vulnerabilities and monitoring of the healthcare technology stack as part of the corporate vulnerability management program. Fourth, to work with manufacturers and service providers to define security and operations requirements as part of the design. This is an important thing. We mentioned that sometimes cybersecurity is not considered in the beginning. This is why: because when you are designing, you are not keeping cybersecurity in mind. So if we push these actions with the manufacturers and service providers, the landscape is going to change. And finally, last but not least, to train people in cybersecurity as part of the daily activities. It is not just your employees: your customers, your administrators, your operators. As I said before, one of the premises is based on people. It doesn’t matter how much you invest in cybersecurity if you have people who are not trained in cybersecurity, or people who are not changing their passwords, just to put an example, because you’re not going to tell him or her to change the password; they are going to change the way they perceive and interact with cybersecurity.
So I can say that could be the main group of actions to execute and to have in mind.
That is a very important call to action. And I think that’s something for our audience to think about: that this cyber challenge is like a large elephant in our way, and we can’t attack it all at once; we have to do a little bit at a time. Roque brought up many great concepts today that we are currently addressing in various activities in the Healthcare and Life Sciences practice. I want to share with you all that we are hosting a five-part virtual workshop series in 2021, called Global Connected Healthcare Cybersecurity. And we’re presenting it in collaboration with the Northeast Big Data Innovation Hub, out of the campus of Columbia University in New York. This workshop series is designed to really produce pragmatic outcomes and build the framework for these much needed solutions, from response to prevention, to preparing strategy and everything in between. And if you’re interested in attending and being part of the open collaboration to develop these solutions, you can see them on demand; just register free and you can see them anytime at IEEESA.IO/CYBER2021. And just to let you know, we have many different incubator programs where we incubate ideas for standards or best practices in telehealth; we have them in decentralized clinical trials, mobile health app certifications, obviously, and WAMIII, which is Wearables and Medical IoT Interoperability Intelligence. So if you would like to engage in conversation about what you heard today, about overall what’s going on in the industry, please be sure to check out our IEEE WAMIII channel. And you can learn more about all of our activities at IEEESA.IO/RETHINK. Thank you, audience, for joining us today and tuning in. And we wish you to continue to stay safe and well until next time.
What can an emerging Latin American region teach us when it comes to cyber risk management in the digital healthcare transformation?
We sit down with Roque Juárez, Security Intelligence Specialist at IBM in Mexico, to get an understanding of how basic principles can be critical to cyber threat management in connected healthcare systems, regardless of whether you are in an emerging or an established economy. If you think the COVID-19 pandemic slowed down the rate of threats, think again.
Tune in as Roque shares how COVID-19 made it more appealing for hackers to breach labs, healthcare systems, and any repository of patient health data and research.
- IEEE SA Healthcare and Life Sciences Practice
- IEEE SA 2021 Global Connected Healthcare Cybersecurity Virtual Workshop Series
- IEEE SA IoT Ecosystem Security Industry Connections Program
- IEEE SA Transforming the Telehealth Paradigm: Security, Privacy, Connectivity, and Accessibility for All Industry Connections Program
- IEEE SA Tech and Data Harmonization for Enabling Decentralized Clinical Trials Industry Connections Program
- IEEE Global Wearables and Medical IoT Interoperability & Intelligence (WAMIII) Program
About the Guest:
Roque Juárez is an information security professional with 19 years of experience in different roles and responsibilities focused on business development and commercial strategy execution, information security consulting, and technical security solutions sales in Mexico and Latin America, such as Business Partner Sales Representative, Information Security Sales Manager for Mexico, Central America and Caribbean Region, Information Security Consultant, Consulting Manager, Information Security Senior Consultant, and Project Manager, helping diverse industries to adopt information security as part of their way of doing business in the multi-dimensional landscape of threats.
Follow Roque Juárez on LinkedIn.