Hello everyone, and welcome to the Rethink Health Podcast. I’m your host, Maria Palombini and I lead the IEEE Standards Association Healthcare and Life Sciences Practice. The practice is a platform for multi-disciplinary stakeholders from around the globe, who are seeking to develop solutions for driving responsible adoption of new technologies and applications that will lead to more security, protection, and universal access to quality of care for all individuals. And with that, I would like to welcome TR Kane from PricewaterhouseCoopers to the podcast today. He’s been working in the area of patient privacy to address the risks of the cyber world across a technical discipline. Currently, his role is Cybersecurity and Forensics Partner, Global Third Party Risk Leader, US Strategy and Transformation Leader at PricewaterhouseCoopers. So TR, can you share with our audience a little bit about the great work you’ve been doing at PwC? And some of the things that you’re seeing like trends and global challenges from where you’re sitting right now?
Yeah, you bet, Maria. So I’m seeing a number of trends facing healthcare, with the first being really the increased use of third parties. If you think of healthcare organizations, whether you’re talking pharma, providers, or even the payers, you have this ecosystem of data and trust that continues to expand from organizations directly controlling it, to really placing more reliance on contractors, the cloud, suppliers, business partners, and vendors that have effectively become the key components of those healthcare organizations processing, storing, manipulating, and transferring regulated patient and even employee data. I think the second thing that I’m really seeing, and where I spend a bulk of my time, is really the need for tying business and cyber risk. It’s greater than ever, from medical devices to technical platforms, expanding platforms within healthcare to patient care platforms as examples, that all must be managed, they need to be monitored, and they need to be reported upon effectively. So I’m getting a lot of demands and asks for calls, and even at the board levels, around how we get cyber risk aligned to patient safety and business outcomes.
So what we’ve seen in the world of cybersecurity has been this focus on prevention, like how do we stop the problem before it happens. That’s what we think is the best solution. However, we’re seeing more of a trend, and you mentioned this earlier, towards risk mitigation, this concept of forensics in the whole episode when these breaches in this quote unquote warfare start to happen. So maybe you can explain some of these concepts to our audience and why they’re just as important or more important, rather than just working on the prevention, the vaccine for the problem, and how we’re actually looking at preventing the risk in that situation. And maybe what you see companies doing better or not so great in embracing this concept, in better managing risk overall in a connected healthcare system.
First and foremost, connected healthcare platforms are really increasingly touching patients and expanding across the healthcare industry. So one of the things not just from a risk perspective, but from a trust perspective, it’s becoming the core of the focus coupled with the mechanisms to manage risk that lends itself to establishing that very trust. As platforms are rolled out, even risk management oversight, technical forensic investigative capabilities, and other detective technologies, the industry really is starting to look at more independent organizations to help edify the trust gap. So things like tie trust, getting those independent outputs, but also having a strong cyber and privacy set of embedded controls around their patient and clinical healthcare platforms. And what I mean by that is, we can’t just simply rely on an independent third party to check the box. It’s really how we embed new products, medical devices, the rollout of technology, even acquiring. There’s a lot of M&A activity within healthcare right now. How do we ensure that we have the right governance and the right processes to really embed the controls to protect the very data that we need to protect, i.e. privacy and the mechanisms being security. And it’s really striking that right balance between the patient and doctor experience, compliance, risk reduction, while also managing costs in concert.
Additionally, more and more healthcare companies are starting to use endpoint detection and response. So different EDR solutions to help gather data from endpoints. But I think this is the key: while it is still reactive in nature, it does help begin to mitigate risk once an attack has been identified. However, it’s not a proxy for overarching cyber risk management, and the alignment to organizational risk and business outcomes. It’s reframing cyber risk as a business risk and not taking that legacy view that cyber is just a technology risk. I think the last thing that’s also very important, as we’re seeing organizations, as I think about risk, mitigation and detective capabilities, is aligning specific playbooks around incident response and resiliency. So playbooks around what we do with medical devices for each? How do we handle phishing? How do we handle ransomware? That to me is very important because you’re cross-threading all the different organizational constituents that need to be part of those business risks, not just treating it solely as that cyber responsibility to respond, handle, and mitigate, because it’s not.
We see an emergency and companies start throwing money, quote unquote, at the problem as investment. There are figures ranging from 100 million US dollars plus to be invested in the next five years to a 15% increase in cybersecurity measures. It’s not just about throwing money at the problem, right? What is it that would be the most effective way to invest this money so that these organizations can get the best return on investment for the money that they’re putting into the problem?
I’ll tell you, this is probably the number one set of discussions around this topic that I’m having with executives. And what we’re really seeing is the need for cyber risk quantification. It’s the trend we’re seeing grow exponentially. So directly aligning risk and controls to prescriptive calculations of associated dollars for those risk controls, or quantifying the risk of not doing something. I.e., what’s the cost of a record for a breach, times the number of records a provider maintains, equals a specific dollar value, plus compliance penalties? CIOs and CISOs alike are really starting to learn that their boards, and specifically CFOs, really want a better articulation of why am I spending this percentage of my organizational dollar on specific initiatives. They want alignment of the cost, the risk, and the business outcome versus hearing, “We have X amount of tools, we scan X amount of endpoint devices every month, and we have anomalies detected in our environment.” That is unquantifiable. And it’s not actionable for a board or even an audit committee. So CISOs and CIOs alike are really pivoting their agendas to be risk based and risk quantified, to directly align to their business stakeholder expected outcomes.
One of the concerns we keep hearing about similarly is, hopefully this money is going to be used in a way that’s going to deliver. So let’s see how that goes. We have this constant debate that regulators should do more or should require developers and software engineers to do more. I guess the question is, sitting from your perspective, do you have a similar perspective where regulators need to step up and start making these mandates, or do you think this is more a market driven approach, incentivizing these technologists to embrace this concept to start delivering on this idea of more security and more protection of privacy?
Specifically around medical devices, net new products that are emerging into the healthcare industry, there are just simply not enough regulatory protocols, controls, and oversight, like you may see from the OCC and the FFIEC in financial services. So I think there’s a greater need for regulatory monitoring and enforcement. And those are both important, because monitoring doesn’t necessarily mean tickets are being written. I think you need to have real enforcement, and look at the clear difference between financial services and the enforcement of their regulations. There is a clear difference in response and reaction when systems or products have been exposed due to a breach in financial services versus healthcare. So I think if you’re gonna move the needle, you need to have healthcare regulatory bodies set standards, but I think it needs to be in cohort with medical doctors and the broader medical community, but also with the manufacturers, to align on those standards. It shouldn’t just be at the policy level. I think it needs to go a level down at a technical security level, and not just be a guideline, not be a recommendation, but be a federal mandate with defined penalties for non-compliance that are tracked, reported, and enforced on an ongoing basis.
What do you see as the greatest cyber threat and consequence in the healthcare system that maybe others are not fully migrated to, or maybe it’s just not gotten the whole exposure like we think it has been?
The attack surface has grown exponentially across healthcare organizations. And when I say exponentially, it is moving at a velocity faster than healthcare organizations budget to keep up with. So if you think of healthcare interconnected ecosystems around biomedical devices, mobile phones and devices, laptops, mobile workstations within hospitals, all the way to third parties being leveraged for outsourcing data and data handling, the greatest threat becomes the lack of clarity around where my data is, how my networks are segmented, how I’m effectively monitoring third party risks, and the emergence of cloud based solutions, which really has enabled business leaders to pursue digital solutions without always interacting with or vetting cybersecurity until it’s post contract. And I think that’s when you start to see data risk exposure, when you haven’t kind of taken a step back to look at, are we programmatically thinking about how we’re going to have a business outcome, with the right level of control, protecting both patient health safety as well as patient data safety.
We’re at a revolutionary point. And I know that sounds bold, but we are at a revolutionary point in history with respect to access to data, interconnectivity options, use of medical devices, and how those medical devices connect to other devices. And this increasing attack surface that malicious actors are preying on, and the velocity by which emerging healthcare treatments are being introduced and performed, as well as the mechanisms by which data is stored, and by whom, is continuing to increase with use of the cloud. Knowing that the healthcare organizations, the government, and independent firms alike are trying to move at a similar pace is important for folks to know. The threats are known. The velocity by which medical providers and technologists and independent assessors and consultants are trying to attack it, it’s not quite there, but I think folks are really doubling down. So my recommendation, you know, for the audience would be, kind of in the meantime, be safe, stay healthy, and look out for one another, and know that your clinical and technical teams are really doubling down to protect you.
You have shared so many great insights today, and I want to thank you for joining the conversation and being with us. Many of the concepts TR mentioned today are just in various activities that we have at the IEEE Standards Association Healthcare and Life Sciences Practice. Most notably, we are doing a five part virtual workshop series on global connected healthcare cybersecurity. I invite you to visit ieeesa.io/cyber2021 to learn more about the series. If you want to get involved in any of our work, I invite you all to visit our website at ieeesa.io/rethink, and we look forward to you joining us in our next episode. Until next time.
How you manage and quantify risk will determine how fast you can minimize impact and reassure public trust in the connected healthcare system. Can connected healthcare be a risky business for you, the patient, and every stakeholder involved?
Listen to our discussion with T.R. Kane, Cybersecurity, Privacy & Forensics Partner, at one of the world’s top 5 consultancies, PwC [PricewaterhouseCoopers], as he explains how we need to better strategize planning and response to cyber vulnerabilities in the healthcare ecosystem. Tune in for insights on some of the best lifeline strategies for managing organizational and patient risk in this rapidly emerging domain.
- IEEE SA Healthcare and Life Sciences Practice
- IEEE SA 2021 Global Connected Healthcare Cybersecurity Virtual Workshop Series
- IEEE SA IoT Ecosystem Security Industry Connections Program
- IEEE SA Transforming the Telehealth Paradigm: Security Privacy, Connectivity, and Accessibility for All Industry Connections Program
- IEEE SA Tech and Data Harmonization for Enabling Decentralized Clinical Trials Industry Connections Program
- IEEE Global Wearables and Medical IoT Interoperability & Intelligence (WAMIII) Program
About the Guest:
T.R. Kane is a Cybersecurity, Privacy & Forensics Partner at PwC who leads the Strategy, Risk and Compliance business and is also the firm’s Global Third Party Risk Leader. Based out of Cleveland, Ohio, T.R. has specialized in the area of operational and systems risk management, with a concentration in data privacy and cybersecurity, since joining PwC in 1996.
He has been actively involved in assisting clients throughout the United States, South America, Canada, Africa, Middle East, Asia Pacific, and Europe in developing, maintaining, and assessing their overall Privacy and Cybersecurity risk profiles.
T.R. has a deep IT risk management background which he blends with his technical cybersecurity and data protection knowledge. His wide range of technical security experience includes state and federal regulatory security compliance, security strategy development, Incident Response, Data Loss Prevention, and cloud computing. His focus has included leading global strategic engagements for Fortune 500 organizations, as well as 3rd party suppliers, vendors, and contractors on behalf of his clients.
Follow T.R. Kane on LinkedIn.