Preventing cyberthreats webinar

Welcome to Becker's Data and innovation virtual

event and the featured session deterring

bad actors from accessing imaging

data is your secure,

My name is brian Zimmerman. I'm the A. V. P.

Of client content strategy here at Becker's Healthcare

and I'm thrilled to be today's moderator.

Before we dive into the discussion, I'm going to walk

us through some some housekeeping instructions.

You can submit any questions you have throughout today's

session in the Q and A box on your dashboard.

Today's session is also being recorded and

will be available after the event. You can

use the same link used to log into today's session

to access that recording

and if you have any any technical difficulties

please um and enter a message

into the Q and a box there. We've got folks ready

on the back end to help out.

So with that I want I want to go ahead and introduce

our two terrific speakers today.

So we're joined by Mike's White. Chief

information security officer would Change healthcare.

Mike has spent over 20 years leading and advising

organizations on information security and business

resiliency risk in high risk business

environments.

Mike's deep healthcare experience spans

leading information security functions at a

top player performing security consulting

for numerous providers. Mike has also

served and led numerous organizational functions

he's built and deployed a risk assessment

model used to measure the maturity

of security controls and the corresponding risk

reduction of control improvements.

Dr Sonia Gupta is the chief medical

officer at Change Healthcare and

an abdominal radiologist at

radiologist. Associates of florida.

DR Gupta has consulted for google.

IBM Watson health ran A I and

G. With former faculty appointments

at Harvard Medical School and Temple Temple

University School of Medicine. Dr

Gupta is the chair of the GoBI

AI advisory board and is an

advisor to Mass mutual Ventures Southeast

Asia. She is a board member of the american

board of artificial intelligence in medicine

and an editorial board member of the applied

radiology medical industry section,

Dr Gupta is passionate about the possibilities

of AI in healthcare and mentoring the next

generation of physicians. Mike

Dr Gupta thank you so much for for taking

the time to be a part of the session.

Thank you for having us.

Thank you.

So just to set the stage here

with some some initial comments, attacks on health

care providers are of course increasing.

We've seen cyber thieves hold ransom

data shutting down critical hospital systems

until hospitals pay ransom for that data

and the cost here of of course are large

and patient care can also be affected.

And of course this, this is primarily caused by

malicious software called ransomware which

encrypts sensitive data until a key code is

provided. And this can be and

it's very easy for this to infiltrate

the hospital system. Um you know, it's

as simple as an unsuspecting employee clicking

on a phishing email and then you're

in deep trouble.

So in order to prevent these episodes,

cybersecurity protection must keep pace

or even be ahead of these increasingly

sophisticated attacks.

So with that sort of setting the stage here,

I love to just hear about,

you know, the speaker's concerns

are around cybersecurity

and mike. Can you build on that that

very brief overview that, that I just shared

with folks out there, what, what more would you have?

Yeah, I guess I would add.

I've been in healthcare cybersecurity

for quite a few years and I think one thing that we've

noticed over the years is that

health care has been lagging behind as it

relates to cyber street maturity.

We haven't had the kick in the rear end that we needed

um, to get more serious about it as

other industries have, for instance, you know, financial

services has really been heavily regulated

for for a long period of time. They were one of the early

um targets of cyber security

attacks. And as a result, regulations

were put in place, They've put in um well

funded and mature programs, they really

provide them a leg up and and a better defense

defensive scenario um, with

the cybersecurity attacks of today. And

I think, you know, that hasn't gone unnoticed by,

by the bad guys. And what we've seen as a result

of that is, is a significant uptick

in the attacks on, on healthcare entities

and, and you know, I think providers, we've seen

a 70% increase in

the reported us seriously

pretty incidents in the past year

And and these aren't cheap. You know, we're

averaging about 9.3 million or $9.2

million dollars per incident for these incidents.

And we've seen healthcare entities with

documented public um, costs

related to the security incidents in excess

of $100 million. And so this is serious

business. It's impacting

not just um, their financials, but

their ability to deliver care as well. I mean, there's

there's been entities where they're having to turn

away patients and and divert, you know,

trauma patients to other facilities simply

because their systems are down. And so

it's not only a very serious impact on the ability

to to run a healthcare entity,

but also it's, it's becoming more and more impactful

on delivering care as well. And we've seen that

from our perspective when we sit in the healthcare

ecosystem where we've seen a lot of

our customers

become compromised, where we've had to work with

them to cut off access and ensure we protect

ourselves from their situation, but also

help them get back on their feet when they do

clean up the incident and get back up and running

is reconnect systems with them. So it's

become much more challenging and much more disruptive

to the entire healthcare ecosystem.

And I think one of the reasons why is

of course, as I mentioned, the maturity

that we see in the health care entity space,

but also because the folks that are attacking

us are becoming much more sophisticated and creative

in how they're doing so,

um you know, as I mentioned they've they've realized

that health care is a good target. And

not only that they realized that healthcare data

is as valuable as it is, it's a lot easier

to cancel a credit card number and have a new one

overnighted to you the next day and you're back up and running.

And the impact to you is you know, fraudulent

charge that you don't have to pay in your credit card bill.

But when someone steals your healthcare data, it's

much more valuable in the sense that they can continue to

use that over time. You can't really cancel

your healthcare record, I can't really cancel who

I am. And so what you see is is

things like fraud or blackmail or or all

sorts of ways in which that data is used which

makes it more valuable to these Attackers

and it makes us you know bigger targets for

them. And and 11 thing we've

seen in the last several years is it was around

October of 2020 when the federal

government um released a number of advisories

indicating that that there was targeted

attacks on the healthcare ecosystem. So

if you can imagine in the midst of

COVID when we're all scrambling

and of course, you know, providers are overwhelmed.

Um there was folks out there that were specifically

targeting the U. S. Health care system and

trying to take down hospitals and payers and

and and middlemen like you know, change healthcare

where we provide a lot of services to both sides of the

the the the coin and

it's just become much more hard to

prevent these sorts of attacks.

And one of the primary ways we're seeing is typically

most attacks start with a phishing email,

typically an email where they're trying to trick you into clicking

on something, they're trying to socially engineer

you to doing something that you would normally do.

And the whole intention is to establish a foothold

into your environment

and and once they have that foothold um

it really becomes paramount and identifying

them because their their whole goal is to get

into your environment and pivot and move throughout

the environment and find areas where they have

the they can identify the

most valuable data and also inflict the

most pain on you. And the whole premise around

ransomware is put you in a position

to where the pain that you're experiencing is

so great, but you will happily pay that ransom

because that's the best way out of your scenario

that you're in. So it's it's been a it's been

pretty, you know awful to watch it happen.

But at the same time, you know, the methods

that these folks are using are based

upon them trying to extract dollars

from institutions, you know, and healthcare

entities are a very valuable target

for them. Thank you, Mike

and dr Gupta, I want to get your perspective as well.

But Michael followed for you just

because I think everyone listening

or watching this right now has encountered a phishing

email and it's, it's a lot of them

are, probably some of them are just very obvious,

right? Like they're just very like blatantly

like you're not gonna get me today. Like this is,

this is bad work. But I think so when

when folks see here phishing email, they

might conceptualize that. Well, that's not gonna happen to me.

Um, can you talk a little bit about

how sophisticated some of these phishing

emails can be and how, you know,

we like to think all of us, even

security experts, I imagine like to think we're all

sort of immune to these sort of

provocations. But I would

venture to guess that we're not, am I, am I

on to something that

Yeah, I mean the reality is these folks can get

very surgical and there's a, there's a term called

spearfishing when they're specifically targeting individuals

and when they take that more targeted approach,

Like a lot of the fishing you see is kind of spray and pray

if you will, they're just shooting out a bunch of emails and hoping

someone clicks on it and then something bad

happens. But, but when you get into scenarios

where folks are targeting a specific entity,

they're doing their research. They're finding out who are your vendors

and who are your business partners and how can I mimic

ways in which you conduct business,

such that that email that arrives in your inbox

looks very real.

Maybe it's from your ceo with a sense of urgency

or things like that. And and they're really

operating in ways which, which again

are much more complicated and

difficult to identify. And

you know, I always joke around with with our team if we want

to fish, people will just think ups emails

at christmas time because everybody's looking for their tracking numbers.

But the reality is that while that is

a very easy way to get a lot of even, you know,

suspicious people like myself

um when you when you get into another level

where you're mimicking

maybe a business partner that you do business with.

And they're trying to trick folks that we are doing an employee

survey or things like that that are run

of the mill type of things where normally someone's gonna click

that link and enter their information.

That's when it becomes a lot more complex when

they're when they're when they're actually doing the research on

the on the entity

and trying to target that entity in a very specific

way. Um that that you know, would

would easily fool most folks,

thank you Mike and dr Gupta, can you speak

to this issue

specifically from a physician's perspective,

clinician's perspective um why should

clinicians and physicians be really concerned about

cybersecurity and what else would you add to what

mike's laid out so far.

Yeah, I mean, I think it's a newer issue for

us because if I think about when I was

in medical school and early in my residency, we

were making the switch from paper

charts to computers and you know,

using HR So we're not always

we have not always been in the habit of having

all of this information on a computer

system, you know, because before we weren't

really worried that somebody would walk into the hospital

and walk out with a bunch of patient binders and

charts.

But now, with everything increasingly being

in the cloud and, you

know, being on a computer system, more security vulnerabilities

certainly come up

and we want to make sure that we're able

to keep that patient data secure

and, you know, like Mike mentioned,

we're increasingly seeing these phishing attacks

and,

you know, our worst case scenario is that the,

like a critical system of the hospital, like radiology

for example, gets completely shut down and we have

to divert patrons because when you

think about it,

almost every patient that comes to the

hospital or to an outpatient imaging center

gets imaging done. You

know, that's just part of your healthcare journey.

And if that system goes down

because it's vulnerable because,

you know, we are using older technology,

you know, different parts of the

hospital system got upgraded at different

times as we were making these transitions

from, you know, paper to computer

and then from computer to computer

then it really makes us vulnerable.

And what our worst case scenario is

that the system goes down and then our surgical

colleagues or oncologists are

having to delay patient care because they're

waiting on imaging results. And

what we really don't want is that a radiologist

or a cardiologist has to physically walk to a

scanner, you know, to get that information

because it's not available in our computer system.

And when we talk about these sophisticated

phishing emails, you know the

physicians and all of our staff are

obviously drowning in emails. So it's

easy for some email like that to slip in.

And if you think the email is coming from your

boss or you think it's the hospital

itself saying that we need some information

to do this, you know, upgrade because we

get those emails about changing our passwords, you

know every 30 to 60 days. It

would not be you know, easy

to fathom that. We would click on that email to

say we need to change your password or

they'll threaten you and say you're gonna be locked out

of the computer system completely. You

know, you can't get into your patient charts because you

need to do this

um thing where you need to update something or

change your password. So it's

you know, we like to think that we would be too sophisticated

to fall for something like that. But that's a real threat

and we want to prevent that,

make sure that we don't have patient care delays

and you know, we're able to take care of our patients,

especially during the last two years

when we were really stretched them.

Yeah. And as he laid it out there, I mean,

no physician wants to go through sort of the scenario

that you laid out that sounds

um challenging to say the least.

But I also say to to your point about

being sort of a wash and emails, um

there's so it is, we're

so aware right now in healthcare media

as well as sort of the burden that that is on physicians

and clinicians.

And I'm curious what we would say dr Gupta

if an added focus on cybersecurity

sort of um and I'm thinking here

about maybe perhaps an added apparatus

more clicks potentially for clinicians.

Does that have the potential in your mind to

sort of add to this administrative burden

and potentially make burnout worse? Can

you speak to that a little bit?

Yeah. You know, we do have a renewed

focus on burnout and it is really

an epidemic in health care right now.

But the goal is that if we

have better technology that's more advanced,

we should really have the exact opposite,

you know, especially with cloud technology, we

should have improved efficiency

and less clicks and less pauses.

Um because I think the issue right now

is when we talk about a computer system

upgrade in the hospital, we think of a

delay

and what we really want is with a cloud

technology platform. We really

want those updates to happen seamlessly

in the background. So the way we think

about our gmail or our iphones,

you know, those things just update and we never really

think about it

and it shouldn't be that in a hospital we

have to think about it and watch a system crash

because it's supposed to be updated.

So you know that burnout piece

is supposed to get better in an

ideal scenario.

And I think it's important to note that

right now we do have a lot of different logins

and passwords and that is probably

a security vulnerability because there's one for my

email, there's one for the E H. R.

That's inpatient outpatient then potentially

for your pacs and imaging viewer and

that causes more confusion and really if

you had one login and it was all secure

that would prevent it.

And so that's really ultimately the goal to ease

that burnout.

I appreciate that Dr Gupta and I think

that brings me where I want to go next, which is really

digging a little bit deeper on imaging but also

focusing on the cloud here as well.

And I'm thinking that, you know, can

the the cloud for some folks perhaps might

just be, make them feel a little bit vulnerable,

right? That some leaders out there might feel

that the best way that they can

protect their data, keep their arms around their

data is to keep it inside the four walls of

the hospital

and and you know I

can't help but think that these data

breaches really reinforces

that that sort of mindset

mike, can you talk about

that just a little bit how how

um you might address that sort of mindset

shift especially as we think about imaging

and and and and sort of some of the scenarios

Dr Gupta Gupta laid out.

Yeah absolutely. And I think you

know, one thing that we've seen is is with

with on prem data centers and

your own hosted solutions and kind of managing

your own I. T. Estate.

What what many health care entities have fallen into

the trap of is that they have a lot of debt. Now

they have a lot of technology debt that is difficult

to manage. You know they've been so focused

on care delivery and keeping systems

up to date as Dr DR dimension

is disruptive. You know updating

an imaging system. It's not a fun thing

for a hospital go through a process like that where

hey you have to apply a new patch or you have to upgrade

to a new version or guess what? The server that you're,

you're, you're imaging system, your pack system

runs on is on a date, you have to update

that all of these things are disruptive

to the care delivery scenario. And

I think you know a lot of this is is based upon the

fact that we were all in legacy

that we're all but many many entities are legacy

data center environments where you

know you're applying technology resources

that are in high demand and hard to get

um to try and manage this stuff and also update

systems that, let's face it, our aging

um and need to be updated without

disrupting the entity's ability to deliver

care. Many many industries you have

those, you're fortunate to have those maintenance windows

where you can get things done.

Unfortunately hospitals don't have that luxury.

You know people are are servicing patients

24x7. They're they're they're inviting

patients on a regular basis

and so they don't have those those wonderful

I. T. Maintenance windows where where people like

me can go in and update the

entities healthcare systems to

properly run and be secure and patched properly.

So it presents a challenge to them.

And what we've seen is the move to the cloud.

Um the fear with that I

think it's more related to the unknown, you know that

someone else has my computers in my data.

The reality is is that done properly and

built well. Um the cloud is

more secure I would say than

than a non prime solution because you can update

things in a more seamless fashion where you're

not necessarily impacting up time and

care delivery and things like that. So you can do some

seamless updating.

Um

and and really enable an entity to run

24 by seven, you know, without

having those downtime periods. And if

you think about that, think about you know when

you go to netflix and you can't watch a movie

or go to amazon and you can't shop, you know, these are

all cloud based systems that are always working

and don't think for a second, they're just sitting

there letting those systems age and get old

and insecure and things like that. No, they're constantly

updating them in the background

and in the cloud works in a similar way

in a in a healthcare setup. You know if you if you build

an imaging system like we have a change

in a cloud based scenario and done properly

and understanding how you're gonna handle

that data and how you're going to secure that data, you

can actually deliver a solution

that can be more helpful to an organization

than than hindering them because now I can

always rely on my my cloud based solution,

I can get to it from anywhere. I need to I

don't have to worry about you know, think about it

doctor good to mention is you've had hospital

systems and you know many, many organizations on

multiple hospitals

um they've updated their technology footprint

over years. And so now you have version

one in this hospital and version two in this hospital

and so on and and just think about

how complex it is to keep all of those systems

up to date on the latest version and

not impact downtime and ability to deliver

care.

Well now in a cloud based scenario, you're able to

do a lot of that sort of stuff in a seamless fashion

and you're, you're not impacting your organization

in a negative manner. So, so we we've

learned is that building a solution like this

and doing it right and doing it, you know, in accordance

with, with good security frameworks

and following a proper controls,

um, really can deliver not only

a very secure solution, but a

more robust solution that's, that's more manageable

for an entity to consume.

Yeah, this is the side, but on

the amazon component, how easy it is. A part

of me wishes that it wasn't so easy to be

able to be easier on my pocketbook,

right? Like it is uh, extremely

convenient to the point where the amount of cardboard

that is sometimes on my front porch is a little embarrassing.

Um, but but mike follow

for you there around sort of

some of the hangups that that might exist

in some folks minds around cloud technology.

I think some of that might be associated with

unpacking some of the buzzwords for folks that

might not be as

um, in tuned with, with, with the technology.

So thinking here about phrases like cloud enabled,

cloud native,

um, can you maybe unpack

those buzzwords for, for our attendees out

there, especially as you know, concerns

or is related to security.

Yeah. And so I think, you know, one thing that we've

seen over the last, you know, five or 10 years

is that there's been a big push um and

healthcare has been behind the curve and this, admittedly

I've watched it at my old employer and

and and now at my current one where you've

seen entities say I want to be in the cloud,

it's easy to say, but doing it that's pretty

challenging. You have to kind of re factor how

you think and how you operate, how you build things.

And one of the ways in which folks, you know, get to the

cloud is they want to be a cloud company, want to

I want to market that is they take

on prem legacy solutions, you

know, stuff that was in my data center and I move it

aWS or google or or

or or Microsoft and and I have them host

it for me. And all I've really done is changed

the four walls that my system sits in,

I really haven't changed that, that solution

to be cloud native. And so when I when

we say cloud enabled, we're talking about stuff, you know,

when you when you reference that were saying I took an

old legacy solution

and I kind of bolted it together in a way that allows

me to host in the cloud, which may

or may not be a good thing, depending on your scenario,

but what we've, we've decided is that building

cloud native solutions really enables

us to be more flexible and how we operate

that. We can, we can scale more easily. We,

we can, we can um deploy better

security solutions more easily. Um

we can, we can upgrade and patch things

in a very easy fashion where

now I'm not, you know, bugging one of my customers

that has an imaging solution on prem and saying, hey,

here's a patch, you need to apply or hey, we need

to get into your system and provide an update. Now we can

just do it on the fly and and automatically

your system is up to date, it's always gonna

be current, you're never gonna have to worry about, oh

gosh, I got version two here in version four in

this hospital. No, it's, you're leveraging

one solution

and from multiple places and

now you have all your data in one place as well, so it makes

it a heck of a lot easier for you to consume

that solution. Um, but but I think the big

difference is is that you have to be intentional

about building in the cloud, it can't be something that you're

just gonna move there because again, there's

benefits and there's downsides to doing that,

but when you're intentional about building something in the cloud,

you can take full advantage of all the cloud

capabilities exist.

Um, the elasticity, you know, it can, it can, it can size

up and size down based upon the usage and the

demand placed on the system. These things are really

important for folks using solutions like

this, especially when you consider the imaging solutions

and just how, how much churn there must be

to, to be able to, you know, scroll through, I've

gone through like M R I images and cat scan

images of myself for various things

and you know, the cd burners just spinning

forever in legacy systems when I've had

those images and now you're able to do that much

more easily and you're placing that that

compute load

in the cloud environment as opposed to to your,

your local system. So in our

minds it makes a lot of sense um

for folks to migrate to solutions like

this, it's just just better enables and

cities and not only that you're not having to pay

for the care and feeding and support of the system

in your data center on prem and you don't have to upgrade

your servers every couple of years and things like that.

Appreciate that mike, thank you for, for, for the,

for the deep clarity there

um dr Gupta, I want to turn back to you

now and set to

set the stage for my question. Um,

I think, you know, the

migration to telehealth amid Covid 19

I think was

so fast um and so

executed on such a large scale that I

think it surprised a lot of

folks in health care in terms of how nimble

healthcare organizations can actually

be when it comes to technology.

And I think that evidence sort of begs the question

when we're thinking about

imaging um specifically

um and and we think about you know, this

day and age, everything is so convenient.

You know, we can deposit money into our

bank accounts with the snap button.

There are just so much, so much convenience

and technology

and so why can't we have

the same level of convenience when it

comes to sharing imaging data between

providers? Can we get there?

It just seems like it's something that should absolutely

be on the table considering just how

transformative healthcare organizations

are actually capable of being.

Yeah. I mean, I think you're absolutely right Covid

19, you know that the pandemic has really

shown us how nimble we can be

and how remote health is possible.

And I think it really changed the paradigm

with patient care as well because

now patients want access

and should have access to their imaging data

when they go from doctor to doctor or hospital

to hospital. And I think that's been

a huge challenge because we've been trying

to protect that information And

you know, I like to always give the example of when I upgrade

my iPhone, I still have pictures from 10 years

ago that will come with me, you know, every

time I get a new phone. But then

when our patients are walking literally

across the street from one

hospital system to another, they can't

take their images with them and

they might have to have them burned on a cd potentially

that's physically walked over. And

so you're right. It seems odd

that, you know, we're not yet there. And

I think a big part of that has just been that

we've had this emphasis on security

and you know, this is really why we're talking about cybersecurity

today because we're talking about new

ways of protecting patient information,

but also giving them that flexibility

of being able to go from one

hospital to another if they need to

and to also own their data because at the end

of the day it's their imaging, you know, I

should be able to carry around my

x ray on my iphone just

the way I have those pictures, you know,

forever potentially. But that's not

been the case. And so I'm hoping

that as we move towards

cloud technology and

you know, cloud native specifically as

mike was mentioning that we're able to

do

new things and really, you know, push

on innovation and enable patient care,

you know, to a much higher degree and ultimately

reduce cost and improve that

efficiency for patients because what

I really don't want is a patient having to have

all their imaging work up done again,

you know, let's say they move

and many people did move during the pandemic

and you know, you moved from new york

to florida for example and now

suddenly you have to have everything redone

all your lab tests and all your C. T. Scans

because we're not able to enable

that transformation of information

easily. So that's you know, that's

something that we really have to focus on

as a community and

you know, another great thing about the cloud is

it enables us to use ai so we can

help some of these challenges and

efficiencies and you know,

be able to reach a more confident diagnosis

and expedite our workflow and

you know, that's really what I want to see us moving towards

and I'm glad that we're talking about it today because

I want attention to be directed

towards this, you know, cybersecurity

and how that will ultimately improve our patient

care. Such

an important point about how its security

of course is

we have to have here but security.

Once we have that that information is secure,

then you can build and transform patient care.

Um and you set you you touched a little

bit on some of the transformations that

are possible, how it would influence care

and diagnosis.

Is there anything you didn't mention that that you

are particularly fascinated by or

or or watching or optimistic about

the potential for this technology to transform

patient care. Anything else you can flag there

for for attendees.

I'm most excited about being able to

have access for patients

to special specialist.

So, you know, now you have patients

who may be in a more remote location that

with telehealth can have access to a specialist

without leaving their house. And I think that

was something that we didn't really focus on or think

about as much, because

if you think about a particular patient

population, you know, many of them are frail,

they're not feeling well. Do you really want

to make them drive in a car for an hour

or two hours or even have to get on a flight

to get to a specialist in person?

And, you know, then they're struggling with parking

at the hospital as far away from the actual,

you know, office that they have to get to.

Sometimes they have to get a wheelchair to get there,

and they're not feeling good during that entire

time, you know, they don't feel well and

to be able to just have them be at home

and be comfortable with their family support,

but to still offer them that high level

of expertise, you know, from

that specialty physician in a remote setting

is really what I'm most excited about, because I

think ultimately we're offering them

better care and they don't physically have

to go to that big city hospital

for that care because they can get it from home.

Thank you so much dr Gupta and thank you, mike

as well, this has been a real

pleasure for me to come on here and

moderate this conversation.

Alright, so so we've covered a lot of ground

here before we sign off though, I think

let's try to leave some folks with

some some really tactile

action steps, they can wrap their heads around. So

what preventative measures can folks

take out there? What are some steps that can be

taken to to really help

protect against these? And what would you, what

advice would you give folks Mike? Can you step

up and weigh in first year?

Yeah, absolutely. I think, you know, one

of the things that we frequently see in the in the healthcare industry

is is technology debt. And I think one of

the most important things you need to do is keep

your systems up to date.

Every institution has some sort of legacy

technology solution, some form of technology

debt that they're trying to clean up. And

I think what we often see happen is folks

acquire too much of that and they kind of

get behind the eight ball to where then it becomes

more and more difficult to clean up.

Um So keeping on top of that on a regular basis

prevents you from ending up in a scenario

where there's a significant security risk and you have

end of life systems or or technology debt

that really limits your options on how

you can address that security risk. And so having

up to date systems is paramount to maintaining

a secure environment, I think another one is

to factor access

um I think, you know, I'm not alone in being

annoyed when I have to enter the pin into my online

banking account in addition to my user name and

password, but it's also very important

in keeping those accounts secure.

Um so anytime you're you're having

having the option to use two factor, you always should

take that option simply because the end

of the day it's easy to lose the user name and password.

There's constantly ways around using admin

passwords and two factor really helps strengthen

the access controls that we put in

front of solutions.

And another one is is email security. I

think you know we spend millions

of dollars in security technology to change healthcare.

And one of the things that I've always, you know, imparted

on the rest of the organization is look all

that spend can be undone with one person

um all it takes is one mistake. And so we really

also spend a lot of time on security awareness with the

organization, having training courses

and and and doing phishing tests and getting people

used to spotting these sorts of attacks

and operating securely not only so

that they can prevent these sorts of activities from

happening, but also so they understand the important

role that they each play in our organization,

we kind of refer to them as our human firewalls

because that's in reality what they are.

Um and one last thing I will say is is

as folks move into the cloud and

and as you you look at leveraging cloud

environments. One of the big things you need to do

is consider, how is that entity securing

the cloud environment, what standards are they applying?

Are they using a security control framework? Do they

have any kind of certifications that that

bless those environments to say yes, this

organization is doing it the right way.

And that's a big thing to make sure you're looking out for

when you do weight into those waters and start leveraging

cloud solution,

appreciate that so much mike uh dr

Gupta, what would you add to that list?

I think I would echo mike's mention

of the emails, you know, they can be sophisticated

and we know as physicians and our

hospital staff just get tons and

tons of emails so something can easily slip

in there that can look like it's coming

from your boss or just something that,

you know, like an employee survey that just easily gets

your attention. And then you just click on that link

and I think it's something that we may need to also start

talking about with our patients because

again, these sophisticated phishing emails can

go to patients and they could be Impersonating,

you know, the hospital system and say they have

an unpaid bill for example, or

they could impersonate their doctor and say they have

results waiting for them and again, you know, click

on this to get your patient results. And

so we really want to avoid that. And

so just that increased scrutiny

and awareness and education of the community.

Excellent. Well dr Gupta mike.

It really has been a pleasure being a part of this discussion

today. Thank you. Thank you so much for taking the time.

Thanks. Thank you.

I also want to thank today's featured session sponsor

Change Healthcare. If you'd like to learn more,

please consult the resources section of your session

console.

Thank you for joining us at Becker's Data Innovation

Virtual event,

enjoy the rest of your day.