InTechnology Podcast

Cyber Threats in Healthcare: When Patients Become Profit (156)

In this episode of InTechnology, Camille and Tom get into security in healthcare and health insurance with guests from Blue Shield of California, Bill Giard, VP of Enterprise Architecture & Health Innovation, and Eddie Borrero, Vice President and Chief Information Security Officer. The conversation covers the current state of security in the healthcare industry, solutions for improving security, and the uses of AI in these spaces.

To find the transcription of this podcast, scroll to the bottom of the page.

To find more episodes of InTechnology, visit our homepage. To read more about cybersecurity, sustainability, and technology topics, visit our blog.

The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

Follow our hosts Tom Garrison @tommgarrison and Camille @morhardt.

Learn more about Intel Cybersecurity and the Intel Compute Life Cycle (CLA).

The State of Security in the Healthcare Industry

Bill and Eddie illustrate the current state of security in the healthcare industry. They explain that, despite being well-funded overall, the industry is technologically decades behind other industries. This is due to the disproportionate use of funding and spending across healthcare, where larger providers can invest more money into technological advancements, while smaller providers lack the funds to do the same.

Overall, however, the combination of being well-funded, being technologically behind, and dealing with very sensitive information makes the healthcare industry a prime target for what Eddie calls the “bad guys,” which include hackers, criminal organizations, and even entire nation-states. The result of these attacks, whether ransomware or extortion, can put immense emotional and mental stress on affected individuals, who are frequently elderly or underprivileged.

Solutions for Better Security in Healthcare and Health Insurance

Despite these security risks, there are many growing solutions to make sure health information remains secure. These efforts include education on phishing attacks and security protection among providers, as well as using technology to reduce the impact of attacks and to stop them as soon as possible when they do happen by limiting exposure. Eddie emphasizes the need to understand the entire ecosystem and supply chain to ensure standards and controls are in place every step of the way. Other solutions highlighted by Bill are confidential computing and centralizing how health information is shared.

Artificial Intelligence in Healthcare

There are a few different ways AI and advanced analytics are being used in healthcare and health insurance. Bill shares how providers and insurance companies are using AI to understand the predictive health risk of patients to improve care, along with using AI to process massive volumes of data and transaction processing from insurance claims and prior authorizations. Eddie adds how the cybersecurity side of healthcare is using AI and analytics to respond to cyber attacks quickly and effectively.

Bill Giard, Vice President of Enterprise Architecture & Health Innovation, Blue Shield of California


William Giard, who goes by Bill, has been a VP at Blue Shield of California since 2021. He oversees the technical direction, enterprise architecture, health innovation, and robotic process automation at Blue Shield. Prior to his current role, Bill spent over 25 years with Intel, working his way up from Principal Engineer in the Data Center Group to Chief Technology Officer of Enterprise Strategy & Solutions in the Data Platforms Group. Bill holds a degree in Computer Science from Portland State University.

Eddie Borrero, Vice President and Chief Information Security Officer, Blue Shield of California


Eddie Borrero has more than two decades in executive leadership, and he is regarded as a thought leader in information security. He has been CISO at Blue Shield of California since 2020, with prior security and IT leadership roles at many globally renowned companies including Intuit, Robert Half, PG&E, Electronic Arts (EA), and Amgen. Eddie currently serves in many board seats, including with Forgepoint Capital, Cyberstarts, HITEC, Cristo Rey De La Salle, WhimStay, and the Information Security Leadership Foundation. He has studied business administration and management at Stanford University, John F. Kennedy University, and Saint Mary’s College of California.



[00:00:11] Eddie Borrero: Healthcare is so unique because it has data that most people don’t want to have others know, and it’s highly regulated, and so there’s fines, there’s incentive to pay the bad guys.

[00:00:28] Tom Garrison: Hi, and welcome to the InTechnology Podcast. I’m your host, Tom Garrison, and with me as always is my co-host, Camille Morhardt, and today we have two guests. First is Bill Giard, he is VP of Enterprise Architecture and Health Innovation at Blue Shield of California, responsible for the overall technical direction, health innovation and automation. And we also have Eddie Borrero, he’s VP and Chief Information Security Officer at Blue Shield of California, with a passion for diversity, equity and inclusion and holds a number of board seats. So welcome to you both to the podcast.

[00:01:05] Eddie Borrero: Well, thanks Tom. Great to be here.

[00:01:08] Tom Garrison: So today we wanted to jump into the conversation about basically security and security specifically in the healthcare industry. So I wonder if we could just maybe start with you, Eddie, as the Chief Information Security Officer, and just talk to us a bit about some of the unique aspects of security when we think about it in the context of healthcare.

[00:01:31] Eddie Borrero: There’s a couple of points to be made here. One is that the healthcare industry is highly targeted by the bad guys. I’m going to use the bad guys as a term to reference things like nation states, criminal organizations, hackers in general. The bad guys target the healthcare industry mostly because as an industry, especially here in the United States, the healthcare industry is years, maybe even decades behind technologically from other industries. So we have a leg down when it comes to having robust security capabilities and controls in place, which is why we’re highly regulated. Additionally, the healthcare industry is well funded, so there’s a lot of money floating around both from a government and a private standpoint, and so the industry is monetized in a way that the bad guys can tap into that.

[00:02:24] Tom Garrison: And Eddie, can I interrupt just for a second? You mentioned that it’s behind technologically, but it’s also well funded. So why is it behind technologically when there is money to be spent if need be?

[00:02:38] Eddie Borrero: Here’s my personal opinion, Tom, it’s because it’s such a diverse ecosystem, there’s still mom and pop clinics and hospitals that are out there that aren’t as well funded as big, gigantic payers like Blue Shield of California. And so the diversity in the size and share of the money, if you will, amongst the entire ecosystem is unequal and distributed ineffectively. And so what that really means is that we’re not pulling all the money together as an industry to make enhancements in how things work. Everybody’s focused on their revenue generation and profitability and using that money to better themselves. And that could be doctors buying new equipment, new surgical tools, et cetera, and that could be payers building out digital models for their processes, all of which are not connected. And so you have, once again, a small clinic of 100 people that has inadequate technology to service their patients.

And then you have a Stanford Medical Center that has a state-of-the-art robotics and surgery, et cetera, those two aren’t connected. And so you see the money not being spent in enhancements as a macro ecosystem, you see the money being spent as enhancements and a particular ability of an entity, a hospital, a doctor, provider and/or a particular business. The government as a whole has said healthcare is a critical part of our nation’s infrastructure, which it is. And so you combine all those things, what we see is the bad guys have been very effective at hacking healthcare organizations, at extracting money from those organizations, either through ransom, so typical ransomware and/or extortion when ransomware doesn’t work. And because the data itself that’s carried about you as an individual in the healthcare industry is very, very sensitive, so think about things like what women in our nation have had abortions, what people have mental health issues, what people have cancer, what people have drug addictions. All that’s collected and consumed and managed by the healthcare industry is the perfect mix of data to extort people with, because as an individual, some of that stuff I never want to get out.

[00:05:08] Camille Morhardt: Could you give us a real world example of that?

[00:05:12] Eddie Borrero: There’s a recent event that happened in Australia, a company called Medibank had a ransomware attack, and Medibank was prepared technologically to recover from a ransomware attack. And the bad guys were really trying to force them to pay to recover their systems. And when they didn’t, they attempted to extort them and say, “Pay us, or we’re going to put all your members that have had abortions on a website to the whole world to see.” Long story short, they didn’t pay the bad guys, the bad guys, for months, continue to leak information about their members in a way that was very impactful to those members.

So now Medibank is under a class action lawsuit. They’re getting hit by regulations of their country. The members are very unhappy. Their business most likely will probably get dismantled and/or repositioned. Healthcare is so unique because it has data that most people don’t want to have others know, and it’s highly regulated, and so there’s fines, there’s incentive to pay the bad guys.

[00:06:17] Bill Giard: We are getting higher levels of awareness with respect to how to care for the member, what is their health history, how do we integrate clinical information from a variety of doctors that the member may see or the patient may see? And so that inflection point that we’re bringing new technology to bear to help improve the health of a member and the patient, is really driving the need for higher levels of integration for that data, which to Eddie’s point is creating an incentive, it’s a higher target area for the attackers to go after.

So the second one on that same flow really is the legislation work that we get from the federal government, from the state of California that really is driving to lower the cost of healthcare and share that clinical information, which we think is a good thing. We think the more that the physicians can work together with the member and the payer, we can actually improve the health of the member and do that at a lower cost, get them care essentially ahead of when they need it versus after the fact when they need to have care. As a healthcare industry, we are seeing not only changes in opportunity improve the health, but really also attacks on our own business. As Eddie kind of mentioned, the attackers are understanding the opportunity, it’s a very lucrative area to go after. And so we’re all under pressures externally to not only move faster, partner together more holistically, but also do that under the ongoing threat that we continue to see as a healthcare industry.

[00:07:48] Tom Garrison: Yeah, I want to explore that last part a little bit more with both of you. What is the reward here? So obviously there’s money, we’ve talked about that, I think that’s pretty clear for everyone listening. But I know when we were preparing for this podcast, we were also talking about some of the other elements that are kind of unique to healthcare in terms of things like the mental burden that it places on people and sort of as a weapon. And so when you think about healthcare information, it has multiple levels of value of emotional toil it can put on people, stress they can put on people that nation states may be interested in, in sowing discontent and tension and whatnot. And I wonder if you could speak with that, maybe we’ll start with Eddie.

[00:08:35] Eddie Borrero: There’s two highly targeted demographics for identity theft. One is the elderly and one is the impoverished, so underprivileged individuals, both of which have been highly targeted from the bad guys for both identity theft and financial theft. Same thing goes is true for our underprivileged, it’s less lucrative, but you have the benefits of obtaining identities of underprivileged adults and youth. And so there’s longevity in the attack span, all of which as an outcome causes mental stress and mental health disorders. Even the financial industry is looking at how theft from our elderly, our senior citizens, has caused an uptick in mental health issues across our elderly community, and that same is true for our underprivileged. So if you’re a nation state and if you have malicious intent against the country, targeting a good portion of the population has ripple effects in association with their families. If you’re really nefarious, imagine the power of having an entire nation’s information around their health.

You can manipulate health, you can manipulate outcomes for individuals, you can extort individuals. Maybe there’s some information in there for a politician or a high level executive that if it got out could potentially impact their career, their livelihood. And so this data that we house as an industry is just so powerful in regards to the most edge cases of manipulation, extortion. And extortion can be have someone give you money for not releasing information, but it can also have a blackmail scenario, have someone do something for you to not release the information. So if you’re thinking about most nefarious cases, there’s a power of manipulation and impact to communities, cultures, and populations that are potentially impacted when healthcare data is exposed and are breached.

[00:10:51] Camille Morhardt: So what are some of the technologies or innovations or solutions that you’re using or shifts in approach that you’re using with this increase in attack?

[00:11:01] Eddie Borrero: There’s well-known techniques that are being used by the bad guys that are attacking the healthcare industry, and then there’s the fundamental things around security that we have to be really good at. What’s complicated in healthcare is that you also have regulatory controls and guidance that doesn’t actually at times equal protecting against these types of attacks. And so the prioritization, the shift in saying, let’s focus on ensuring our people, as a great example, understand in great detail and with great repetition what they need to do to protect an organization. And so think of things like phishing attacks, it’s used quite a bit as an entry point for attacks against the healthcare industry, to really over-indexing on educating, incentivizing, and building a repetitive work process around how do you protect a company as an individual?

And then technologically, putting in state-of-the-art technologies that can help protect, detect, and respond to attacks in such a way that limits the exposure of data, that really addresses the issue as quickly and as systematically as possible. So reducing the impact, if you will, of an attack as we see it happen all the time. And then lastly, really working to understand the entire ecosystem and supply chain that we use as an organization, and ensuring that their standards and controls are in a position to really help protect against these types of attacks.

[00:12:41] Tom Garrison: So I wonder, Bill, from your perspective, it seems like the industry is, for a lot of very good reasons, all about connectivity, sort of connecting doctors with data and data with other data from other sources. And so that whole digitization, important trend obviously in the healthcare space. As that trend continues with it, the risk of all that connectivity increases from an attack point of view. So I just wonder if you could speak to the dichotomy of, yeah, connectedness, it’s great, you get a lot of value, but also a lot more risk, whereas in the old days, you didn’t have the connected data, but you also had a much, much lower risk.

[00:13:27] Bill Giard: Yeah, that gets into kind of the reason why I think within healthcare, there’s roughly $300 billion in administrative overhead for processing things like faxes that we still use pretty heavily for claims and authorization. And so there’s a timeliness that will continue to drive us to this real-time integration, Tom, that you were talking about. So that trend will continue for lots of very good reasons for the health of the member, for the time limit of care that they can receive. But it does present us with different attack points, our methods for securing our members’ and our patients’ health information changes. And so number one, aligning where we need to apply encryption technologies for where we’re transmitting data, that will continue. But number two, also how we store the data, putting it more centrally with more protect and detect controls. Confidential computing is a big effort that we’re focused on, to be able to make sure as we load the data into a central location, that we have the right set of protection controls and detection controls, and that we only send and receive data when we need it.

In healthcare today, we largely send large portions of information individually, point to point systems, and for us to kind of change where we’re going, that means they have to come more central. And so we have to actually approach the security techniques that we’re using very differently than we have before. And that’s not even talking about how technology is changing, how are we responding to things like quantum computing and increase in attack all groups, and what does that do to the underlying infrastructure for key size, and how do we actually make sure that we are doing a paired key management with our providers, such that they have a key, we have a key, and we’re actually only sharing what we need to, when we need to. So there’s lots of underlying technologies that we’ve been understanding how do we protect the data where our users are accessing our clinical team that may be accessing it on the client, to how they’re accessing it in our systems in the data center, and then how are our partners then interacting?

There’s a whole train of initiatives that Eddie talked to that we call it exquisite at the basics, where we need to make sure that we’re handling the processes to manage things like patching, things like compliance training, phishing, social attacks that may happen at the people, and we’ve got a lot of people that work on improving our member’s health. And then there’s advanced techniques that we want to be able to get all of our systems working on interoperability standards, using single identity and access controls, understanding how the role-based systems work with the interoperability standards in healthcare, the PHI and the HIPAA flows, and what we’re doing in those types of … we can give you a list of healthcare acronyms that we are all kind of pursuing.

To your point, it’s got to be both manage the environment we have today and then build towards where we’re going. And part of that is really getting out of the environment where we’re moving data wherever a provider or decision is needing and trying to put it centralized and then put higher levels of protection controls. But Tom, that conundrum is if you get to that pot of gold, then the risk becomes growth. But we have lots of advanced techniques that segment that out, look at the monitor controls, lots of big tech partners helping us in that strategy. So we’re in a unique situation where we’re able to actually do something that we haven’t been able to do historically.

[00:16:59] Camille Morhardt: I’m very interested in, wondering if you can describe some use cases within healthcare insurance for artificial intelligence. And it could be anything from claims processing, efficiencies to precision medicine or improving treatments.

[00:17:16] Bill Giard: Yeah, I’ll give you two examples because they’re very different examples. One is using artificial intelligence and advanced analytics to understand predictive health risk. And so looking at the clinical data and understanding the member’s medical history, what’s their current environment and their risk of hospital readmissions as an example, or their risk of having a reoccurring cardiac event, because they had one historically. And so we are using artificial intelligence and advanced analytics to understand predictive health risk and then how do we feed that into our clinical teams to give them preventive care or care ahead of where they need it. So that’s one whole framing of using AI in member health.

There’s another one around just using AI and advanced analytics to process the massive amounts of volume of data and transactional processing we get from claims. They just released a new set of mandates to increase the response time that payers and providers have to be able to come back with the decision that says, yes, here’s the care that the member needs when they need it. And so we are also implementing advanced analytics capabilities for prior authorization decisions, by looking at their previous medical history, by looking at the risk that I just mentioned, and be able to auto authorize processes and care that they need.

[00:18:43] Eddie Borrero: Additionally, we use AI and analytics to really understand and respond to attacks very quickly. Just to put some stats out there, we deal with five to seven billion attacks a day as a company, a billion with a B. And so there’s no way we can address that, understand it, deal with it without artificial intelligence, advanced analytics, automation and capabilities and how we respond. I would also say that when I think about the foundational capabilities around security, and I think about the digital transformation we’re driving within the healthcare industry as a company, what’s core to that is identity and access management. For us, that is key and core to not only securing our data, but also connecting members to this digital experience that we’re talking about. So imagine if you had to connect with an ecosystem, which we do, of doctors, business partners, pharmacies, big companies like Google, Amazon, payer information claims, et cetera.

We got to connect all that information on you. And today that’s not centralized and I don’t think all of it ever will be. We’ll have to get to a place where we’re interacting and integrating effectively. To ensure that we’re connecting the right data to the right people and doing that securely, identity and access management is absolutely key to ensure we know who you are and that identity can transition and transfer through all the ecosystem of the healthcare industry. It’s a big deal, and AI plays a big part of that, around behavior analytics, what are people doing, what’s normal, what’s not normal, can we quickly make decisions around validating it’s Bill, and this is Bill’s information when we’re serving, seeing outcomes. And then one more thing that I think about when I think about artificial intelligence and the healthcare industry is the treatments that could potentially come about. And we see it today in genomic research and medicines that are tweaking particular proteins in people’s gene pools to actually cure things like osteoporosis.

Those drugs are discovered because of the research and analytics around the genomic position of different nationalities and people, what their physical makeup looks like. For instance, there’s certain genes that people have in different parts of the world that have predominantly meant they have stronger or more dense bone structure. And by understanding that, pharmaceutical companies, biotech companies are looking at how to create medicine that enact that particular gene in people to build more dense bone structure. You can only do that through advanced analytics and you add AI on top of that, the world of the future is quicker treatments, quicker understanding of cures, and then you think about the ecosystem that Bill and I have been talking about, injecting that with the quicker service, lower cost of healthcare, more equitable health providers across the board that medicine can get to people that can’t today afford it or have access to it.

[00:21:59] Tom Garrison: I’d like to end this in a new and hopefully enlightening way, and that is I’d like to ask both of you to share in 30 seconds or less, your sort of vision for the future of healthcare and what the experience is as a person who, all of us are clients of healthcare, what is that experience going to look like? And maybe we’ll start with you, Bill.

[00:22:26] Bill Giard: Yeah. My vision really is real-time information sharing between the member, the patient, the provider, and their payer, for us as Blue Shield, such that they can get the care that they need when they need it, at the best time and at the appropriate cost. That’s very different than today.

[00:22:48] Tom Garrison: Eddie?

[00:22:50] Eddie Borrero: Yeah. I mean, I share Bill’s vision and dream. The only thing I would add to that is this concept of proactive preventative health. To me, the future is people will have all the information they need that’s crafted and designed for them as an individual, down to their gene structure, around what they can do to stay healthier and what behaviors that they’re doing today that can impact their health. So how do we get to a place where we’re keeping people out of the doctors, out of the healthcare system because the information we have helps them live better and more healthier lives, period. And so combine that with a future of easily accessible health, affordable healthcare, I think the future is bright. I think we have a nation of very healthy, strong people that can focus in on other things than bad health.

[00:23:44] Tom Garrison: Those are great visions for the future and certainly inspiring. Thank you both for joining us today.

[00:23:51] Bill Giard: Thank you, Tom.

[00:23:52] Eddie Borrero: It’s our pleasure. Thanks, Tom and Camille.
