This Week Health


January 20, 2025: Christian Boucher, Head of Healthcare Strategy and Solutions Architecture at Island, joins Drex for the News. Can healthcare organizations ensure patient data remains secure without stifling productivity? How do enterprises navigate the challenge of "Bring Your Own AI" and the risks of browser vulnerabilities? What role does human behavior play as IT security's weakest link? Through stories of AI misconfigurations, multimillion-dollar fines, and shadow IT's well-meaning workarounds, this conversation doesn't shy away from the complexities of balancing accessibility, security, and user needs.

Key Points:

  • 01:41 Optum AI Chatbot Breach
  • 07:22 Mount Nittany and Online Tracking
  • 10:53 Humans: IT Security's Weakest Link

News Articles:

Subscribe: This Week Health

Twitter: This Week Health

LinkedIn: Week Health

Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.


Today's healthcare staff needs safe, convenient, and dependable access to patient data across various applications. Island, the enterprise browser, simplifies and secures healthcare data access. It's a new take on the most common application we use every day, the web browser, tailored for the unique demands of healthcare.

Clinicians can safely log in from any device to interact with health system applications and PHI. Built-in last-mile controls keep data where it belongs, so access is simple, data is safe, and patient care is smooth. Visit ThisWeekHealth.com/Island to see Island for yourself.

Today on Unhack the News.

(Intro) What good is security if all it does is stop people from doing their job or make people find workarounds to do the things they need to do to get jobs done?

the world's most innovative

And now, this episode of Unhack the News. (Main) Welcome to Unhack the News. I'm Drex DeFord and with me today is Christian from Island. I'm really glad you're here today, Christian.

Thanks for having me Drex, always a pleasure.

Always a pleasure. We schemed around a little bit over the last week or so about some of these stories. As usual, we will probably talk about the stories. We'll talk about a bunch of other stuff too, 'cause that's just how it is when we're together. The first one is from TechCrunch and it's about Optum.

normal web browser. This is

And this was just another one of those stories that I'm like, ah, come on. What was your take on it?

think, the rise of AI in itself is going to change the way, everyone works. And, one of the challenges that we have is to make sure that, data that doesn't belong there doesn't end up there.

Or at least you have the ability to control where that data can transition to. I think one of the big conversations we have is around AI, whether it's chatbots or LLMs. Where does IT governance take hold, where can they take hold?

How can they control all this spanning? Because again, you have researchers who are hitting various LLMs, they're dealing with their own consortiums that may have their own solutions. How do we, as an organization, look out and try to find ways to, put some guardrails? Again, I said this before, taking the sharp edges off of these interactions is important on security.

My life has

when we start talking about the way we look at it is being able to give those organizations control of where that data can flow to. So if we identify patient data flowing into an LLM that may not be allowed, we can redirect, we have controls of that, essentially that presentation layer for end users.

p, because again, you may be

And, if you're using multiples, all of a sudden you may be copying, pasting stuff into the wrong one just by happenstance. So how can we help organizations try to figure out a way to better control that and identify. Where the data should go, and if it's hitting the wrong spot, redirect them to the appropriate spot to make sure that protected data stays where it should.

It's interesting. This particular story, it's really about a misconfiguration that exposed an internal AI capability. There's another story that I'm going to talk about in the two minute drill this week that is about bring your own device and the challenge with bring your own device.

done. We've seen it over and

It's the evolution of probably the wrong term to use, but it's the evolution of the IT hobby shops inside of our health systems that have occurred. from time to time and had to be sorted out to understand what it is that you really need and why can't you get it from the central standard sort of, system that is more secure and adheres to the architecture and all of that.

This bring your own AI problem. I guess it's a problem. It's definitely a problem if you're doing the wrong thing with it, right? And that's what we see, exactly what you were describing, like people trying to get the job done and they're putting stuff into the GPT online that's probably not stuff that should be shared outside of the organization to, you Whatever, build a business case, write a report, create a PowerPoint deck, all those.

Why

customers are that these are

How do we separate them? How do we make sure they may be accessible by the internet? But we don't want to allow that.

And there's so many of them now too, to be able to say you would just have a full time person just blocking these individual things, if that was the strategy.

multiple methodologies, like we can allow.

Only access through our browser to these corporate resources. So that could solve one of the problems we talked about, just an internal app that somehow leaked out. But there are ways that we can configure our system to say these specific solutions can only be accessed through the Island browser.

Someone spins up a Chrome instance on their laptop or on their workstation, they won't be able to connect to those instances. So we can do, some call it browser enforcement, where you can limit what you can access. So if you only want your enterprise apps to be able to be secured through an Island enterprise browser, you have the ability to lock it down so those applications can't be run anywhere else if you want to.

So there's various

So it's becoming more and more complex as AI gets traction in the industry.

There's another story that you sent to me that you said you thought was interesting. And it's about the Mount Nittany Health fine, $1.8 million, et cetera, to settle an online tracking technology lawsuit.

This is tied back to the use of those online tracker technologies that are embedded in websites that report out where folks are using the website, where they come from. Sometimes it collects personal data, it does a lot of things that most people don't know is even happening when they visit those websites.

What's your take on that?

understanding what drove the

And not only that, but then you have this kind of general plug-in challenge, or extensions that get pulled into browsers. How do you control the exfiltration of data? So that's really where I think the precipice of Island was: let's take all the things that are great about the browser and let's remove all the things that make it a non-enterprise application.

ser without having to put on

It's really been one of those things that, it's amazing when you look across your ecosystems. It could be in healthcare, it could be anywhere else, but you're trusting this kind of commercialized product to be your enterprise delivery mechanism. What's going on behind the scenes?

I get updates and have to reboot my browser all the time. And I know most people do. And I'm also one of those I have 45 or, whatever tabs open at the same time. So it's Oh no, I have to reboot my browser. What am I going to do?

I find it. Very interesting on how much data, like even we can track metrics of, the amount of calls that are happening from websites and all that stuff.

ve available from a browser,

It's pretty scary. So having some controls around that, I think moving forward, is going to be important for organizations, especially with this finding where they may not even have known what was going on. They didn't install a plugin. Maybe they didn't, I don't know, but the organization has the ability to say from this point on, we're not going to report any data back to Microsoft or Google or any other ancillary solution that may have dropped a plugin on our device, giving that type of granular control of how users

interact with these, I would say all modern apps are starting to move to web and SaaS delivery. So you're going to have some controls. I think that is probably a wake up call for a lot of organizations, not understanding what's really going on in the mechanics of the browser.

Last article today.

It's from ISACA and there's

And that whole challenge around humans we both have worked on that issue a lot.

Agree. I think that is one of the challenges that I've struggled with throughout my career: being able to enable users to interact with the technologies they need to, and hopefully give them the tools that are required to do that.

But unless you are actively in, I was lucky enough to have the opportunity to work at elbow with doctors and nurses and physicians across our specialties to understand what their needs were, whether it was specific device types, how their workflow should be done.

d of initiatives that change

It's one of those continuously changing landscapes that IT is. I think we need to spend more time understanding our users' needs because, like you said, oftentimes it's just, this doesn't give me exactly what I need, so I'm going to do X, Y, and Z outside of it.

And then all of a sudden you lose insights into what they're doing. It's not so much a rogue action. It's just, they need to get the job done. So we did, I think, giving them the tools that are required and having that open communication line with your operation teams.

The communication is, that's the key.

why you feel the need to go

Or maybe a capability that we've given you actually will do that, you've just never been trained on how to do it. Talk, back to the human-centric approach to IT security, actually. A friend of mine posted something about this and it kicked off a whole conversation, and that kicked off a whole back channel, a bunch of conversation.

A lot of these articles talk about just make sure you use MFA and those kinds of things. And that's all great. It really is. And you should, absolutely. But then you start coming up with edge cases and people are like, oh, but that's an edge case. And there are lots of edge cases in our business, and trying to figure out how to scoop all those up and keep them from happening, or letting them happen but doing it in a safe way, is tough to figure out.

You know, at the end of the

So we have to understand from their point of view, what is their main task? Now, all this other stuff gets in the way of that. So we have to make it as seamless and as painless as possible. Again, some of these things are just mandates from our orgs and from healthcare regulation agencies.

So we've got to work with them and, like HIPAA guidelines, they always tell you, you got to do X, Y, and Z. They don't prescribe to you, do step one, step two. It's just you get these kind of ground rules; they can help. But the funny thing is that what I've experienced over my time frame, and I talked about this a little bit earlier, standing up an oncology program.

a cardiologist can't, just

So how do we have a malleable process to be able to deliver what they require, at the same time meeting our general security and data governance requirements? So it's always a moving target, and it's always something that needs, you know, it's going to require a lot of interaction from various teams in MIT to be able to support those, or else, again, you're going to have these fringe work cases or people downloading stuff to their local PCs because they can't do the things they need to on their enterprise devices.

walking into a broom closet

I'm like, what is this server doing here? And then you finally trigger it down through our network. I'm like, all right, this is tying back to our, our neonatal unit. How are we going to, so it's those things where all of a sudden, if you as an IT organization aren't giving them what they need, they'll find a way to make it happen.

Again, I think it's one of those things we're going to be continuously battling with as we manage this kind of very intricate relationship between the clinical side of the house and what the back office and IT requirements need. And overall it's going to be, it's fun.

Yeah, it is fun. Communication is key to the operation. As you said, I think that's the bottom line. Thanks for doing the show today. I really appreciate it. It's good to see you.

Good to see you as well, sir. I'm always glad to have a conversation with you. Hopefully we can do some more of these soon.

I'll see you on the road in

And while this show keeps you

Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.


© Copyright 2024 Health Lyrics All rights reserved