>> Live from San Francisco, it's theCUBE! Covering the RSA Conference 2019. Brought to you by ForeScout. >> Hey, welcome back everybody, Jeff Frick here with theCUBE. We're at RSA at Moscone at downtown San Francisco. We're in the ForeScout booth, our first time in the ForeScout booth, we're really excited to be here and we're talking about cyber security, I don't know what the official number is this year, probably 45 thousand professionals walkin' around, talkin' about security. And we've got our next guest on, he is Russell Jones, partner on cyber risk services for Deloitte. Russell, great to meet you! >> Same to meet you as well. >> So, I asked him before we turned on, what's getting you excited these days and he said, everything! So, this is a crazy busy space. What have you been working on lately, what's kind of your take away from the first couple days at the show? >> Yeah, it is a crazy, busy space and if you look at the cyber landscape, everything's moving at the speed of the internet, so it's this cat and mouse game in terms of attackers trying to find new ways to get into systems that is driving the industry. When you talk about health care though, the issue is these systems, like medical devices, often times are connected to people. >> Right. >> And so, the implications of a hack against, let's say, a MRI machine or a fusion pump, could be devastating to an actual person connected to it. And that's really what's driving a lot of innovation in terms of some of the technologies you see, like ForeScout, and also, a lot of what's going on from a regulatory perspective, and also the hospitals and the health care system themselves. >> Right. >> Trying to solve that problem, managing cyber risk as it relates to clinical technology. >> And a lot of that stuff wasn't connected before, right? There weren't IP addresses on every MRI machine or all these pump machines or, you know, you have a pacemaker, all these things. How are they looking at kind of the risk reward from a connected device that gives you all kinds of benefits-- >> Yeah. >> but it does open up this attack surface that previously had maybe an air gap there? >> That's a great point, bottom line is the life saving, life extending attributes of these medical technologies and medical devices far outweighs the risk of cyber, however, we got to be smart about managing that risk. So, we're going to see more connectivity, not less. Train's left the station, in terms of what's coming and in the future of the healthcare, connecting more of, not only the medical devices, but the information in them and being able to share that and then bring it together and aggregate it in ways that, you know, with analytics on top of it allows doctors and researchers in the clinical community to connect dots in ways that solve cancer, solve some different maladies that have plagued us forever. >> Right. >> So I think, on the one hand, it's great, this connectivity is extending healthcare out to people in rural locations and it's also bringing together a lot of different data from everything from your Fitbit to your pacemaker to apps that you have on your phone in a way that's going to benefit us. >> Right, right, so, one of the things about healthcare is they're way out in front of, kind of, not healthcare in terms of regulations. >> Yeah. >> You know, and HIPAA's been around for a long time, GDPR just went into place in Europe last year, so when you look at it from a regulatory environment, which people have to consider, there's not only the complexity of the machines, there's not only the complexity of the security, but you also have regulatory environment. >> Yeah. >> How is the cyber security in healthcare, with their very unique regulations, kind of impacting the way people should think about the problem, the way they should implement solutions? >> That's a good question, I think we've thought about, in the cyber community, forever. We talk about confidentiality, integrity, availability, right, the triangle. When you think about healthcare and clinical technology and medical devices, you need to flip that triangle upside down and the focus is integrity and availability, those things together equal patient safety. So, in other words, as we're connecting more of these devices to each other, to electronic health record systems, to the cloud, the integrity of the information in there, which is being used by doctors and other folks to make decisions about treatment, about surgical procedures, about medicines, it's crucial that that information and the integrity of it is maintained. And then the availability of the device is critical, right? If you're going in to get an MRI and it's down because it's been hacked, there's usually not a spare MRI and so there's a profound impact for patients that are scheduled back to back to back to back to go get that procedure, that MRI that's going to be used by a doctor to do some surgery or some other kind of a treatment plan >> Right. >> So integrity and availability are huge in the cyber world. And, if you look at the regulations, depending on which one we're talking and which part of the world, right? You mentioned HIPAA, we've got security and privacy, you've got GDPR, you've got the FDA that have guidance around what they want the manufacturers to do, building security into the devices. >> Right. >> They all have an impact on cyber and how it's going to be addressed, how we're going to manage cyber risk in the healthcare world. >> Right. >> In that environment. >> And then there's this whole new thing, I went to the Wall Street Journal Health Conference a couple weeks back, I don't know if you were there, but there was two people up where you now you can take your genetic footprint, right? >> Yeah. >> You can take your 23andMe results and after you figure out where your family's from, you can actually sell it back into a research market-- >> Yeah. >> so that doctors and clinicians and people doing trials on new drugs can now take your data in kind of a marketplace, back into a whole nother application so it's kind of outside of the core healthcare system, if you will. >> That's right. >> But I mean, it's basically, it's me, right? (laughs) In the form of my DNA footprint. >> Yup. >> It's crazy, crazy amounts of strange data that now is potentially exposed to a hack. >> That's right, and so the implications there, obviously, privacy, right? That's a huge issue, I think, that we're going to have to address and that's why you see GDPR and that's why you see the California Consumer Privacy Act. >> Right. >> There's a recognition that, again, the train's left the station, there's a lot of good things that come out of sharing data and sharing information, there's a lot benefits that can come out of it for the consumers, patients. There's a dark side as well and that has to be managed. That's why we have the privacy regulations that we have, we're probably going to see more, probably going to see more things like the California Consumer Privacy Act. >> Right. >> More states and eventually-- >> Right. >> probably a federal act for the US. >> Do you think that the healthcare industry is better equipped to deal with GDPR and the California Healthcare Act because of things like HIPAA and they kind of come from that world? Or is this just a whole new level of regulation that they now have to account for? >> I think it's probably a mixed bag. On the one hand, healthcare has been dealing with privacy for a long time, even before HIPAA, right. And then HIPAA has very specific requirements around how you have to manage that information and consent and notifying the patient of their rights. On your other hand, you look at some of the new things, like GDPR, it goes way beyond HIPAA, and I think-- >> It goes way beyond HIPAA? >> Goes way behind HIPAA, like for example, this whole notion of the right to be forgotten. >> Right. >> Right, that's a requirement on the GDPR. That means, me as a patient, if I tell my doctor, I want you to get rid of all my medical records, everything in your system everywhere about me, I want it gone. Not that it makes sense-- >> Right, right. >> but, at least in Europe, if they ask to do that, you have to be able to comply. From a technology perspective and a medical device perspective, some of these devices are very complex, ecosystem of devices, components that make up the product. >> Right >> That's a very difficult thing to do. There's no one delete button-- >> Right. >> that you hit that can delete you from all different instances, downstream from where you came into the healthcare system. >> Right. >> And so, when you think about it from a cyber perspective, it gets to be very challenging. >> The other thing, right, is health care's always under tremendous kind of price pressure from the insurers and the consumers and a bad medical event can wipe-- >> Yeah. >> people out, right? >> Yeah. >> Especially when they're later in life and they're not properly insured, when they're making kind of an ROI analysis on cyber investments versus all the other things they can spend their money on, and they can't spend it all on security, that's not possible, how are they factoring in kind of the cyber investment, it's kind of this new layer of investment that they have to make because all these things are invested versus just investing in better beds and better machines and better people? >> That's the million dollar question. (laughs) I would say, some hospitals and health systems are doing it better than others, so maybe a little bit more further along and mature about thinking about the total cost of ownership and also, the patient factor, right? What has to be balanced, obviously, is not just the costs, but at the end of the day, what's best for the patient. And you hear this term, patient centricity, a lot today. And there's a recognition from all the players in the echo system, it's all about the patient. >> I'm so glad you say that 'cause I think a lot of people probably think that the patient sometimes gets lost in this whole thing, but you're saying no. >> There is an acknowledgement over the last few years and it's called patient centricity, it's an acknowledgement that the way we're going into the future of healthcare and the kinds of medical devices and technology and cloud solutions that are becoming part of the healthcare fabric, they're all being built and geared towards the patient being the center of the equation, not the doctor, not the hospital, it's the patient. >> Right, right, right, that's good to hear. >> And so, to answer your original question, we're in early days and really trying to balance the patient and patient centricity versus we've got vulnerabilities in our environment that could impact the patient and we've only got limited people and costs. >> Right, right. >> Making decisions that kind of balance all of those things. >> Right, alright Russell, last question, we're sitting here in the ForeScout booth. >> Yes. >> Obviously you have a relationship with them, talk about kind of what their solution adds to some of the stuff that you're workin' on. >> So, ForeScout, one of the reasons that we're working closely with ForeScout, their solution, really, they've taken an approach that's holistic around these issues that we're talking about, right, managing cyber risk, complex environment, a lot of different devices that are connected to each other and to the cloud and to the internet. They have built a solution that focuses on ability to have visibility into those devices that are on your network, some of which you may not even know exists, and then being able to kind of build an asset inventory around that visibility that allows you to do things like detect, based on policy, activity that suggests that you might be hacked or there might be some internal processes or players that are doing things that are going to put patients at risk or have you in non-compliance with GDPR, HIPAA and the rest. >> Right. >> And then their solution goes beyond ability to kind of visibility and detect, but to actually do something actionable, right? Security controls and orchestration with other technologies, like Simp Solutions and SOAR Solutions. Being able to orchestrate, hey, I know that I detected some activity on this infusion pump that suggests that we may being hacked, let me send an alert out, but then let me also, maybe, quarantine that part of the network. So, it's the ability to orchestrate between different security technologies that exist in a hospital environment, that's what we like about ForeScout. >> I'm just curious, when they run their first kind of crawl, if you will-- >> Yeah. >> are people surprised at the results of what's on there, that they had no clue? >> I mean, yes and no. >> Yes and no, okay. >> I think, most of the big hospitals that we work with, they know that, what they don't know, and especially when-- >> They know what they don't know. >> you're talkin' about a health system that maybe has a 100 thousand connected medical devices across the health system, they know what they don't know. They're looking for solutions to help them better manage and understand the things that they don't know, that they don't know. >> Right. >> Versus what they do know about. >> Right. >> And I think that's what we bring to the table in terms of kind of cyber risk services Deloitte brings, and then that's what ForeScout brings with their solution to be able to kind of help solve those problems. >> Well Russell, thanks for taking a few minutes out of your day to share those stories, super-- >> Thank you. >> super important work, you know, it's one thing to steal a few bucks out of the bank account, like you said. >> Yeah. >> It's another thing to start taking down machines at the hospital, not a good thing. >> Not a good thing. >> Alright >> Thank you. >> He's Russell, I'm Jeff, you're watchin' theCUBE, we're at RSA in Moscone in the ForeScout booth, thanks for watching, we'll see you next time. (techno music)