
Sheila FitzPatrick, NetApp & Michael Archuleta, Mt San Rafael Hospital | NetApp Insight 2017


 

>> Narrator: Live from Las Vegas, it's The Cube, covering NetApp Insight 2017, brought to you by NetApp. >> Welcome back to our live coverage. It's The Cube here in Mandalay Bay in Las Vegas. I'm John Furrier, the co-host and co-founder of SiliconANGLE Media, with Keith Townsend my co-host, CTO Advisor. Our next two guests are Sheila FitzPatrick, the Chief Privacy Officer for NetApp, and Michael Archuleta, CIO, HIPAA and Information Security Officer at San Rafael Hospital. Thanks for joining us. >> Thank you. >> Thank you very much. >> Great topic, privacy, healthcare, ransomware, all these hacks going on, although it's not a security conversation, it really is about how data is changing, certainly with the HIPAA, which has got a history around protecting data, but is that good? So, all kinds of hornets' nest of issues are going on. Michael, all for the good, right? I mean, everything's for the good but, at what point are things foreclosed, the role of the tech? What's your update on healthcare and the role of data, and kind of the state of the union? >> Yeah, absolutely. So, data right now, is one of those assets that's really critical in a healthcare organization. When you look at value-based care, on improvements, utilization of real-time data, it's really critical that we have the data in place. But the thing though is, data is also very valuable to hackers, so it is really a major problem that we're basically having in healthcare organizations, because right now, healthcare organizations are one of the most attacked sectors out there. I was basically stating that there's an actual poll out there that stated that 43% of individuals don't even know what ransomware is. And you figure, in healthcare organizations, we're really behind the curve when it comes to technology. So when you bring that into, and you say okay guys, what's ransomware, what's cyber security? What's a breach? Everyone's like, well I-- >> Malware, resilient things. >> I don't know what it is.
So it becomes an issue, and the thing though is the culture has not been fully developed in organizations like healthcare, because we're so behind in the curves. But what we've been focusing a lot on, is employee cyber security awareness, kind of bringing in that culture, having individuals understand, because as you were stating too, I mean, healthcare information is 10-times, 20-times more valuable than a Social Security and a credit card, on the dark net right now. If you figure, PHI contains a massive amount of data, so it is very profitable, and these individuals go in, hack these systems, because of course, healthcare organizations are so easy to hack, they place it out on the dark net, you go out, you buy some Bitcoins, you can go and have some good identity theft going on. And I mean, we have a massive issue here in the States, with substance abuse, so if you want basically a script, or you want multiple scripts with different identities, go out there and purchase those specific things. So, it is a problem, and then on my standpoint is, imagine if this was your mother's, your father's, your grandma's, any family member's information. That's why data is so valuable, and it's so critical that we take care of the information as securely as possible, but it starts with the people, because I always say at the end of the day, our employees hold the keys to either letting the individuals stay out, or inviting them in. So it is a problem, absolutely. >> Sheila, I want to get your thoughts, 'cause obviously this segment here is why data privacy is always one of the top-five concerns for CXOs. And obviously, the tagline NetApp has for the show is "Change the World With Data". There's a lot of societal impacts going on. We're seeing it every day, in front of our eyes, certainly here in Vegas and then throughout the world, with hacks, Equifax just still in memory there. And there's going to be another Equifax down the road. 
The hackers are out there, lots of security concern. You've got developers that are getting on the front lines, getting closer to business, that's a trend in the tech business. Data privacy has always been important, but this means that there's a confluence of two things happening right now, that's really that collision course: technology and policy. Privacies and policy things that people spend a lot of time trying to get right, and for all the right reasons, but I'll make some assumptions here, and could foreclose and all penalize them, put a penalty for the future. How should CEOs, COOs, CDOs, Chief Data Officers, chief everybody, they're all CXOs, think about privacy? >> Well I think it starts with the fundamental, and you're absolutely right, there's a real misperception out there, around privacy. And I always tell people, people that know me know that my pet peeve is when people say to me we have world-class security, therefore we're good on privacy. I literally want to slap them, because they're not the same thing. If you think about-- >> She's closer to John. >> Yeah, you better move that way. If you think about the analogy of the wheel, data privacy is that full life-cycle of the wheel. It's that data that you're collecting, from the time you collect it to the time you destroy it. It's the legal and regulatory requirements that say what you can have, what you can do with that data, obtaining the consent of the individual to have that data. Certainly, protecting that data is very important, that's one spoke on that wheel, but if you're only looking at encryption, that wheel's not going to turn, 'cause you're literally encrypting data you're not legally allowed to have.
So if you think about the healthcare industry, where I absolutely agree, the data that you deal with is one of the most valuable data and sensitive data individuals can have, but often times, even healthcare organizations don't even know what they're collecting, or they're collecting data that maybe they don't necessarily need, or they only think about protecting that protected health information, but they don't think about the other personal data they collect. They collect information on your name, your phone number, your home address, dependent information, emergency contact. That's not protected health information. That's personal data that's covered under privacy laws. >> Here's the dilemma I want to ask you guys to react to, because this is kind of the reality as we see it on The Cube. We go to hundreds of events a year, talk to a lot of thought leaders and experts. You guys are on the field every day. Here's the dilemma: I need to innovate my business, I got to do a digital transformation. Data is the new competitive advantage. I got to surface data, not in batch basis, real-time, so I can provide the kinds of services in real-time, using data, at the same time that's an innovative, organic growing, fast-paced technological advancement. At the same time, I'm really nervous, because the impact of ransomware and some of these backlash events, cause me to go pause. So the balancing out between governance and policy, which could make you go slower, versus the let's go, move fast, break stuff, you know, let's go build some new apps. I want to go faster, I want to innovate for my business and for my customers, but I don't want to screw myself at the same time. How do you think about that? How do you react to that? And how do you talk to customers about that when they try to figure it out?
>> So that's something, that's an area that I spend a lot of time talking out, 'cause I'm very fortunate that I get to travel the globe and I'm meeting with our customers all over the world. And those same issues, they want to adapt to new technology. They want to invest in the cloud, they want to invest in AI, in internet-of-things, but at the same time, I keep going back to, it's like building a house, you have to start with the ground floor. You have to build your privacy compliance program, and understand what data do you need in order to drive your business? What data do you need to sort your customers, your patients, your employees? Once you've determined that fundamental need and what your legal requirements are, that's when you start looking at technology. What's the right technology to invest in? You don't start that journey by deciding on technology and then fit the data in. You have to start with what the data is, and what you want to do with that data, what service you're trying to provide, and what the basics are, and then you build up. >> So foundationally, data is the initial building block. >> Absolutely. You don't build a house by starting with the second floor. If you start looking at tools and technology to begin with, that house is going to collapse. So you start with the data and then you build up. >> Michael, you're on the front lines, and the realities are realities. Your thoughts? >> Absolutely. So you know, you have some excellent points. The thing is, at the end of the day, I always say security at times is inconvenience. I mean, we add two-factor authentication, we add all these additional fundamentals in what we basically do, but the bottom line is we're trying to secure this data. There has to be security governance, to really focus on okay, this is the information you need. 
We need to kind of go through legal, we need to go through compliance, and we need to kind of determine that this is going to be ease-of-access for your group, and we need to make sure that we are keeping you secure as well too. The bottom line is innovation, of course, it won't do so much disruption, et cetera. It's absolutely amazing. You know, I love innovation, honestly, but we still have to have some governance, and focus on that in keeping it secure, keeping it focused, and having the right individuals really-- >> How do you tackle that as a team, with your team? It's cultural organizational behavior, or project management, product planning. How do you deal with the balance? >> Well at the end of the day, the CEO of NetApp basically states it starts from the top down. You really have to have a data-driven CEO that basically understands at least the fundamentals of cyber security, information technology, innovation, have those all combined and together and having that main focus of governance, so everyone has that full fundamentals of understandment, if that makes sense. >> Let's talk tech. You know, we've talked at the high level. I love it that you brought in the global conversation into this, you're taking a global view. We talked a little bit before the show, there's a mismatch in taxonomy. Here in the U.S., we're focused first on security, maybe, and then secondarily on this concept of PII, which really doesn't exist outside of the U.S. Now we have GDPR. Talk to us about the gap in understanding of GDPR, and what we consider as PII, here in the U.S., and where U.S. companies need to get to. >> Okay, that's a great question. So, the minute an individual talks about PII, you automatically go, U.S.-centric, understanding that you must operate in a purely domestic environment. The global term for personal data is personal data, it's not PII. There is a fundamental difference: in the U.S. 
there is a respect for confidentiality, but there's no real respect for privacy. When you talk about GDPR, that is the biggest overhaul in data protection laws in 25 years. It is going to have ramifications and ripple-effect across the globe. It is the first extra-territorial data privacy law, and under GDPR, personal data is defined as any piece of information that is identifiable to an individual, or can identify an individual either directly or indirectly. But more importantly, it has expanded that definition to include location data, IP address, biometric information, genetic information, location data. So if you have that data and you say well I can't really tie that back to a person, if you can go through any kind of technology process to be able to tie it back to a person, it is now covered under GDPR. So one of the concepts under GDPR is privacy by design. So it's saying that you have to think about privacy very similar to where we've always sat about security up front, when you're investing in new technology, when you're investing in a new program, you need to think about, going back to what I said earlier, what data do you need? What problem are you trying to solve? What do you absolutely have to have to make this technology work? And then, what is the impact going to be on personal data? So I absolutely agree, security is incredibly important, because you need to build a fortress around that data. If you haven't dealt with the privacy component of GDPR, and other data protection laws, security would be like me going down and robbing a bank, coming home and putting that money in the vault in my house, locking it up, and going that money's secure, no one can get to it. When the police come knocking on my door, they're not going to care that I have that locked in a vault. That's not my money. And you have to think about personal data the same way, and certainly healthcare information the same way. 
You need the consent of the individual, and you need to articulate what you're going to do with that data, be transparent. So the laws are not trying to inhibit or prohibit technology, they're just trying to get you to think about-- >> So Michael, as we think about this, how it impacts GDPR specifically, the healthcare industry talked to dinner about this a little bit. We're talking about medical records, doctors, medical professionals like to keep as much data as possible. Researchers want to get to as much data as possible. What are some of the ramifications or considerations at least, for the medical industry? >> Yeah, absolutely. So you know, on your standpoint there, as you stated, at the end of the day when we basically look and we focus on our security governance, we go over the same fundamentals as you are going. What information is basically needed to access that information for the patient? What is needed from the physician's standpoint? What is needed from the nurse's standpoint? Because the thing is, we don't just open it up to everyone, like on a coming in by different specific job functionalities, you know. We kind of prioritize and put different levels of this is the level of data this individual basically needs, versus this individual. And the thing is, the beauty about what we basically have focused on a lot too, is we developed the overall security governance committee that kind of focuses on the specific datas from HIPAA, HITECH, and the different laws that we're focused on in healthcare. And you know, we really have started focusing a lot on two-factor authentication with accessing information, so we're really utilizing some of those VASCO tokens, RSA tokens, with algorithm changes, et cetera. But at the end of the day, the thing is, the main focus is what information do you need? And the bottom line too is, it has to have that specific culture of understanding that cyber security and data is very important.
And the thing is, on a physician's standpoint, they want access to everything, literally everything, and that's understandable, because these individuals are saving lives, but the thing is though, there has to be governance in place, and they have to have that understanding that this can be an issue moving forward. These are the potential problems of a breach that could basically happen, this is the information that you need. If there's more information that is needed, it will go through the security compliance governance committee. >> It's a hard job. They want the nirvana, they want the holy grail, they want everything right there. Thanks for coming on, appreciate making aware of the data, privacy issues. Sheila, thanks so much for coming on. >> Thank you. >> Michael, I'll give you guys the final word on how management teams and executives should align around this important objective? Because there's some inconvenience, it happening in the short term, but automation is coming, machine learning, all this great stuff is being promised. Looks good off the tee as they say in golf. But, the reality is that there's a lot of lip service out there. So the taglines, oh, we're strong on privacy. So, walking the talk is about having a position, not just the tagline or the talking points, having a positioning around it first, and getting an executive alignment. So final point: what's your advice to folks out there who either are thinking this through hard? Is it a matter of reducing choices, evaluation? What is your thoughts on how to attack and think about, and start moving the ball down the field, on privacy? >> Well that's a great question. I think certainly at NetApp, and as you mentioned earlier, our executive team, and certainly George Kurian, our CEO, absolutely has a philosophical belief in that fundamental right to privacy, and respects the fact that privacy is key to what we do. 
It has become a competitive advantage, almost in an accidental way, because we take it so seriously. It's a matter of balance. Absolutely, we need to take advantage of new technology. We're a technology company, we're building technology, but we also have to respect the fact that we operate around the world, and there are laws that we have to comply with, and those laws dictate what data we can and cannot have, and what we can do with that data. So it's that balance between data's our greatest asset, we need to protect it, it can also be our greatest detriment if we're not treating it in a respectful manner, and if we're not building technology that enables our customers to protect that fundamental right to privacy. >> Michael, from a management team perspective, obviously, have functioning with an alignment, implies a well-oiled machine. Now always the case these days. But how do you get there? What's your advice? >> You know, my advice is speak the language. CEOs, CFOs, administration, they basically don't want to hear this tech lingo at times, okay? Have them understand the basic fundamentals of what cyber security is, what it can do to the operations of an organization, what a breach can do financially to an organization. Really have those kind of put in place. Bring that story to the Board of Directors, have them kind of focusing on the fundamentals on this is why we're protecting our information, and this is why it is so critical to keep this information safe. Because the thing is, if you don't know how to tell the story, and if you don't know how to sell it, and really sell it to the point, you will not be successful-- >> That's a great point, Michael. And you know, we hear all the time too, the trend now is, IT has always been kind of a cost center. Security and data governance around privacy should be looked at not so much as a profit center, but as a, you could go out of business. 
So you don't treat it as maximizing your efficiency on costs, the effectiveness of privacy is a stay-in-business table stake. And that has an impact on revenue, so it's quasi-top line. >> Well absolutely. If you think about the sanctions under the new GDPR alone, you could have one data privacy violation that could, the sanction could be equal to four-percent of your annual global turnover. So it is something-- >> It's a revenue driver. >> It's a revenue driver. It's something you need-- >> It's a revenue saver. >> Yeah. Well for some companies-- >> It's a revenue saver. >> It's become a revenue driver. Yeah, absolutely. >> Most people think P&L, oh, the cost structure, profit center. If net profit, and then sales, this is a new dynamic where risk management actually is a profit objective. >> Absolutely. >> Absolutely. >> Guys, great topic. We should continue this back in California. >> I'd love to. >> Michael, thanks for coming on and sharing the CIO perspective. >> Thank you very much. >> Great content. It's The Cube, breaking it down here, getting all the data and keeping it public. That's our job is to make all our data public and sharing it on SiliconANGLE.com and TheCube.net. More live coverage here in Las Vegas, with NetApp Insight 2017, after this short break. (electronic theme music) >> Narrator: Calling all barrier-breakers: status quo-smashers.

Published Date : Oct 4 2017

