In this episode of the Outcomes Rocket, we had the pleasure of featuring the amazing Stan Mierzwa. Stan is the Director at the Center for Cybersecurity at Kean University, where he also lectures in Foundations in Cybersecurity, Cyber Policy, Digital Crime and Terrorism, and Cybersecurity Risk Management.
Stan shares why he is focused on cybersecurity in healthcare and how he is doing it. He discusses the different efforts he and his team at the Center for Cybersecurity have made to educate global public health researchers so they can raise awareness around cyber technology and cybersecurity risk assessment. He cites examples of how they were able to improve processes and systems for some clients. This is an episode you don’t want to miss because Stan also provides tips to sharpen your cybersecurity knowledge!
About Stan Mierzwa
Stan is widely recognized as a leader in the field of digital health technology and cybersecurity, particularly innovations that are both relevant and usable in low-resource settings. Stan is currently the Director, Center for Cybersecurity at Kean University, where he also lectures in Foundations in Cybersecurity, Cyber Policy, Digital Crime and Terrorism, and Cybersecurity Risk Management. Previously, Stan worked at the State of New York, Metropolitan Transportation Authority (MTA) Police as the Lead Application Security. Prior to the MTA, Stan was the Director of Information Technology at the Population Council. Under his leadership, the Population Council’s proprietary, award-winning audio computer-assisted self-interviewing (ACASI) survey software he developed has been successfully used in field- and clinic-based NIH-sponsored public health research.
Stan has over 15 research publications, is a peer reviewer for the Online Journal of Public Health Informatics, is a member of several associations, including FBI InfraGard and IEEE, and is a Certified Information Systems Security Professional (CISSP). He holds an MS in Management of Information Systems from the New Jersey Institute of Technology and a BS in Electrical Engineering Technology from Fairleigh Dickinson University and is currently enrolled in a Doctor of Philosophy (Ph.D.) program in Information Technology in Cybersecurity.
Cybersecurity Awareness and Tools for Global Public Health Innovations with Stan Mierzwa, Director at Center for Cybersecurity at Kean University: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Saul Marquez:
Hey everybody! Saul Marquez here and welcome back to the Outcomes Rocket. Today, I have the privilege of hosting the amazing Stan Mierzwa. Stan is widely recognized as a leader in the field of digital health technology and cybersecurity, particularly innovations that are both relevant and usable in low resource settings. Stan is currently the director for the Center of Cybersecurity at Kean University, where he also lectures in Foundations in Cybersecurity, Cyber Policy, Digital Crime and Terrorism, and Cybersecurity Risk Management. Previously, Stan worked at the State of New York Metropolitan Transportation Authority Police as the lead application security. Prior to the MTA, Stan was the Director of Information Technology at the Population Council and under his leadership, the Population Council’s proprietary award winning audio computer-assisted self-interviewing survey software he developed has been successful in clinical-based NIH sponsored public health research. The bottom line, Stan is a pro in cybersecurity, and we are just being plagued in so many ways by threats to our organization. And what are we doing about it? That’s what we’re going to be talking about today. Some of those things that you could be thinking about and doing to protect you and your organization. So Stan, it’s such a privilege to have you here on the podcast.
Stan Mierzwa:
Hey, thank you Saul for having me and I’m shaking my head. It was a very nice introduction and thank you, and I want to give credit to the teams that have been around me over the years. They’ve always contributed and I have to admit one can certainly not go at it alone. And before we even dive in Saul, I just want to say you have a great voice and I could see you announcing all games or something down the road. I think Bob Costas or something, right?
Saul Marquez:
Oh my god, you’re too funny.
Stan Mierzwa:
You probably heard that before.
Saul Marquez:
I appreciate that. No. Thank you, Stan. I appreciate that. And you’re right. I’ve got to give credit to the people that support these initiatives and great leaders do that. So Stan, a reflection of your leadership style. And so you could be doing cybersecurity in whatever vertical you want it to, but you’ve decided to focus it in health care. Tell us why.
Stan Mierzwa:
Yeah. So for a lot of reasons. But I’ll first say that I’m very fortunate to be part of the team here at Kean University. They’ve provided me excellent support and resources through the Center for Cybersecurity to contribute to areas that have unmet needs with cyber. So think about most recently with the pandemic hitting in 2020. Our center recognized that with increasing cyber threats that resulted, we could and should put forward appropriate information and guidance to those seeking it. Bottom line: make it available. Work hard. Get it out there! Outreach to the community at large is one of our three pillars for our center’s strategy and as part of our center’s attention to global public health, we actually submitted our work and I’ll talk about it as we go through this discussion to the annual National Cyber Watch Center’s Innovations in Cybersecurity Education Competition in 2020. And we won in the practice area and we thought, Oh my goodness, it’s just a humble and small effort. But we were seen as innovative in giving back to the global public health sphere, and that sort of validated and pushed us farther and wanted us to do more around this area. But let me just mention quickly Saul that, you know, at the onset, I am not a health care worker. I really, really got interested when I was in charge of a global team, an I.T. team and security team for a very large international NGO, that stands for non-governmental organization, that was founded by John D. Rockefeller the 3rd and its headquarters is located right across from the United Nations in New York. That position provided me opportunities to travel to 18 developing countries to implement technology solutions that contributed towards making a difference. Right. Health outcomes related. So these locations were, you know, think Africa, Ghana, Uganda, Kenya, Malawi, Zimbabwe, South Africa, Morocco going out to Southeast Asia, Bangladesh, Vietnam, India.
This really sparked my interest in technology, but more importantly, implementing technologies wisely and safely.
Saul Marquez:
Well, I think the experience is amazing and the one thing that I really love about the focus that you have Stan, but also the focus that the school you work at is this desire, this fundamental ask of you’ve got to get this out to the people. You know, you’ve got to make it available. You’re not just doing a bunch of research figuring out what works, what doesn’t and then selling it for high dollar and not offering it to others. So big kudos for the community outreach that you guys do. You know, it’s clear. What you guys do to add value to the ecosystem, but is there anything in particular that you want to specify around how you’re doing it to the health care ecosystem?
Stan Mierzwa:
Yeah, yeah, absolutely. And so one of the things when it comes to the public health research ecosystem, there are lots of efforts where technology is utilized. So think about electronic data collection. Right? It could be survey systems. It could be data that’s collected as part of a clinical trial. It could be the creation of a tool or technology that is an element that adds value to that research. But at the same time, we want to ensure that those efforts specifically on the ground are not introducing risks. So what we have done, we have taken on several efforts here. One is we published a paper regarding introducing cybersecurity risk assessments for global public health researchers. Not the technologists or the engineers, but for those who are working in public health. We want them to understand how technology could introduce risk. We want them to start speaking the language. So we brought attention to this area via a published paper and a practical toolbox and framework. We want to ensure that they’re speaking the same languages and understanding what can go wrong. And so a lot of times these solutions are framed around the genre of something called mobile health, otherwise known as mHealth, electronic health, which is e-health, digital health. Very common today telehealth, I bet most of us are familiar with telehealth, given the pandemic. A figure here: telehealth in 2019, there were about 11 percent of patients that used it. In 2020, it was up to around forty-six percent and this number is probably going to be even higher in 2021. And so, you know, our role here is, you know, if you look at the technologies that have been implemented, there was a report from the Verizon Mobile Security Index that looked at eighty-five percent of health care orgs acknowledge that a security breach could compromise patient care, and thirty-seven percent of the same organizations admitting to sacrificing security to get the job done.
So right there, we thought, wait a minute, we got to put forward some guidance, at least awareness around cyber and these technologies that are getting introduced.
Saul Marquez:
Yeah, you know, the numbers are increasing, right? I mean, it’s like the virtual care has gone through the roof with the pandemic. And I would imagine that the growth of cyberthreats has also gone up. But I’m not sure. We’re curious about that.
Stan Mierzwa:
They are. They are. They are increasing. Yes. And I’ll just give you a quick example. Intertrust, an organization that studied one hundred publicly available mHealth apps. This is not too long ago a hundred apps they looked at and they found seven hundred and forty-one vulnerabilities. Now that is before other threat actors found these perhaps or maybe they found it ahead of time. That’s an enormous number. And so, you know, our thinking is, well, wait a minute, we need to do better. We really need to. We may not get it down to zero, right Saul? So I, you know, it’s very hard to go completely secure. But if we can get that number halved, then we’re doing a little bit better, I think.
Saul Marquez:
Agreed. So maybe you could give us some ideas Stan around things that you guys are doing that are helping out, that’s better than not doing anything at all.
Stan Mierzwa:
Yeah. So one of the things that I’ll just and I’ll bring forward our paper. We developed a simple, simple, we think simple. We took best resources available from the finest cybersecurity framework, right? The National Institute of Standards and Technology. They have a very comprehensive framework available to government agencies, but to the public at large as well. Anyone can use these guidelines documents. We took that and we said, You know, how can we piece this together in a way where those in public health who may not be scientists in the sense of cybersecurity, they’re not computer science engineers, they’re not cybersecurity experts. They don’t get into the flow. The data flow of how traffic moves along the web, maybe without encryption and could be then tampered with. We want to make it so that they can approach it and start to understand it. So we came up with a seven-step process, seven steps that these teams could take forward to introduce a cybersecurity risk assessment. So for example, let’s say I am coming up with an app that I’m going to use in my research study. Perhaps it’ll be used in COVID, I don’t know. Or maybe not. And what we would do is, OK, we would say, look at the development framework. So for example, are you in the concept phase? Are you in the construction phase? Are you in the release phase or retirement phase, for example, of getting rid of an app? Focus on that area. Next, we want you to then consider introducing the concept of a cybersecurity risk assessment. So sit down with perhaps your technology teams, those who are really expert and say, look, we have this project we’re working on and we want to partner a bit more with you. And or maybe it goes the other way where the engineers and technologists bring forward if they’re aware of it, a lot of times they may not be aware because these research projects could take on a life of their own. We want the global public health folks to look at the areas they can control.
So consider in the cybersecurity framework there are five main functions. OK, there’s the identify function, the protect function, then detect, respond and recover. Detect, respond and recover, it’s very technical, leave those for the technology folks, but the identify and protect are functions that someone can understand, even if they’re not cybersecurity experts. So I mean, it could be as simple as what technologies are we using? Are we including a supply chain? Are we introducing data that’s being collected? Do we need to be concerned about security? And from that, what we’d like to do is sit down, pick one of those functions of those areas and just identify the top three cyber threat concerns. Could be anything. You could say there’s a threat with a competitor, for example, and you have to consider that a threat to this work. Or it could be cyber threat actors may want to get this information because it could be used against someone, for example, and then rate it in a likelihood consequence grid – high, medium or low – and then determine if you can make any changes. All right. So it’s a stopgap to determine whether you can make any changes based on the risks you identified. Once you’re done with that, go back to the top, do the seven steps again with the next risk. So it’s introducing risk assessments in cyber with the public health individuals.
Saul Marquez:
Yeah, no, that’s great advice. And it’s oftentimes we get so bogged down with the day to day. Who do you recommend be the one within the organization to spearhead something like this?
Stan Mierzwa:
Yeah, great point. It can come from lots of different areas, but in these research projects that are lots of times will be grant funded. There will be a project lead or in this case, that might be a lead investigator that really should take this seriously more seriously than I think they may have in the past. Right. Because if you think back twenty-five years ago, if you were a lead investigator scientist on a project, you would have just perhaps not been so concerned about cyber issues. And you may have just had a team of technologists implementing technology, but there was less of a concern because of our connection these days to using more connected technologies, such as obviously connecting to the web. I think they’re, you know, an important player in this. Next, I think having those conversations between the investigators and these could be scientists, medical doctors, public health professionals. You know, spending some time with your cyber folks in your organizations, your technology folks getting to know them more, keeping them in the loop about some of these efforts. There could be times when such a research effort will work with third parties and maybe not necessarily the internal technology folks. And I think that’s an important piece as well, getting those two groups kind of together.
Saul Marquez:
Yeah, now great. Great stuff, Stan. And so I’m a huge fan of learning from stories and all the audiences too. So talk to us about one of the things that you’ve dealt with and how you were able to improve processes systems for a particular client.
Stan Mierzwa:
Excellent. So I have one and it was an oh my moment. We spent months and months working on a project. This was an NIH-sponsored project where we were working in seven countries in Africa, and I traveled to Zimbabwe to implement and train clinical and research staff in the use of a very customized data collection system we used. You referred to it earlier, it was called audio computer-assisted self-interviewing. And in that project, we introduced technology and the use of the secure web, encrypting and sending data up to a secure portal. So before going out to these sites, as any good team would do, they would take on the task of certainly sending out a questionnaire about the available infrastructure. And so I had sent out a questionnaire. Do you have internet in all of the clinics? Is it available? And the answer was yes, yes, yes. You know, I flew eight thousand miles, got to Harare, Zimbabwe, went out to a clinic the first or maybe the second day, and I asked about internet connectivity at the clinic and they said, Well, yeah, we have it, but we just have to hop in the car. And I said, What do you mean you have to hop in a car? Yeah, we have to go a few miles down the road. There’s a hotspot. And I thought, Oh my goodness, we built this system to work, you know, with connectivity from the clinic, not five miles down the road from the clinic and it was built secure. We were encrypting all the data if we had connectivity. So I went back to my room that night and I thought, Oh my goodness, I just flew eight thousand miles. What do I do? Do I go back to New York and say, you know, it didn’t work out? You know, we have to re-engineer and go back. And the answer was no. It was figure something out there on the spot, but take your time and do it so it doesn’t introduce risks.
So we had to create a simple mechanism to export the data in an encrypted format to then be able to be taken and have a backup of it, obviously, and take it down the road in a secure way to a site that did have connectivity and then upload it again in a secure manner. And I think the point I wanted to make is, you know, you never know what you’re going to run into, but you’re going to have to be adaptable to the environment. That was a challenge, and it could have probably gone south. It ended up working out in that situation. But that was an oh my.
Saul Marquez:
That is an oh my moment. So how long were you over there for?
Stan Mierzwa:
I was there about just a bit over two weeks. Wow. Yeah, it wasn’t an approach a month, but long enough.
Saul Marquez:
Yeah, yeah, that’s interesting. And so you’re able to make it around that unfortunate mismatch of information, but you figured it out. You’re resilient and you figured out a way to keep things encrypted and secure. That’s certainly an example of what I would call a challenge. I do like to ask all of our guests about biggest setbacks. Would you classify that one as it or do you have a setback you want to share that maybe you learned a ton from?
Stan Mierzwa:
Ok, well, you know, I’ll tell you. It’s probably going back to when I first started my career. I had taken the path of studying electrical engineering technology back in the late eighties, and I graduated in the early nineties, so I’m showing my age, right? So I came out of school and there weren’t that many opportunities in true engineering that were presented to me and I’ve really seen this as a disappointment. But I want to tell you the story because there are many students coming out of college today with probably challenges given the pandemic, and it’s starting to get better, we see opportunities arising. But that was a really tough time for me and I thought after finishing my degree, it was a challenging degree. I thought, good, I’ll get a job. I studied really hard, I worked hard and it didn’t happen. And so I ended up changing my direction and pursuing an I.T. support position. You know, I was doing technical support, so think of a headset on for eight to 10 hours a day answering technical support questions. But it was that position at a small startup company that got me to land a job at UPS the package delivery company, which was a boon for me because they were big and they had funding and they had resources and training, and in response to my many hours of work with them, I would get trained to or get a chance to travel. So I ended up pursuing a degree in information systems management and that helped change my attitude for the positive. So I switched from working with circuit boards to working with data and the flow of information. And I just want to mention that because it was a setback and it can make you feel not good about yourself. And I think a lot about students coming out of college today or even the last year with the pandemic. They might be feeling a little bit not great. And I say, keep your head up. Maybe you’ll have to find a new way or entry point. But I am so glad that I went the route of this entry level I.T. technical support because it led me to do so many other great things and even get to see the world.
Saul Marquez:
Yeah, that’s so cool, Stan, and kudos to you for being creative and resilient and saying, Yeah, you know what? This is available. I’m going to do this and I’m going to learn and I’m going to build. And you did. And today you’re doing such amazing things in the cybersecurity space. So just fantastic story there.
Stan Mierzwa:
Well, thank you.
Saul Marquez:
So what would you say you’re most excited about today, Stan?
Stan Mierzwa:
So a couple of things. I see a trend. I teach two to three cybersecurity courses each semester, and I’m seeing students from varied disciplines entering the cybersecurity courses. So some entry level courses, intro courses. I will see students from Psychology, Communications, Criminal Justice for sure, because it’s a great mix. Criminal justice and Public Administration with cybersecurity is an excellent combination, and this gets me excited because I know that cybersecurity is not just for the engineers, the computer science folks. We need those absolutely, because there’s some very complicated technologies and programming and design included. But we also need those that understand the risks and how to implement or, like I said, I teach lots of criminal justice students, and it’s important they understand when they go to let’s say, investigate a crime that had technology components, they understand where data and data exhaust and information exhaust and technologies can lend them to their investigation. So this cross discipline of cybersecurity is important, and I think it’s even more important today because of the fact that we’re seeing increases in cybersecurity. And quite honestly, this societal interest will only benefit the people at large. I think individuals across the globe will benefit from a greater societal interest.
Saul Marquez:
Yeah, no, I totally agree. It sounds like there’s a lot more people coming into your classes from different backgrounds. And you know, today with the many things that could go wrong, it’s important that we even consider, you know, we’re already working and doing our thing. But what can people do to sharpen up their cybersecurity knowledge, Stan?
Stan Mierzwa:
You know, I think any time you have an opportunity to look at resources, I’ll use an example. We have an excellent Center for Cybersecurity website where we provide resources and the resources are varied. It could be those resources for the more tech heavy or tech integrated individuals. But there’s also for the end user, we have lots of resources, free trainings. You don’t have to pay for these short videos. Some may be two minutes long, some might be five minutes long. Best practice documents as well. I had an individual come to me late last year and her friend, an elderly friend was scammed and her Social Security number was given away. She had unknowingly given it away on a phone call to a cyber threat actor and was really upset about this. And I think in that situation, I was able to point her to several free resources and areas she could reach out to in order to get assistance. And I think knowing how to get started when something goes wrong is important. But I think it’s equally important to not just, you know, if you see an article on cybersecurity, say that it’s not for me, you know, it’s too complicated or it’s I don’t understand it all. Stop and try to read a bit about it. You know, that awareness will only help you and all those around you.
Saul Marquez:
Totally. Yeah. And Stan, you’ll provide a link to where we could go learn more on the website over at your school.
Stan Mierzwa:
I will. Absolutely.
Saul Marquez:
Awesome. So folks, just look at the show notes, you’ll be able to find information around cybersecurity topics that might help you and your business, so big thanks to Stan about that. And Stan, you know, we’re here at the end. Why don’t you leave us with the closing thought and the best place where the listeners could get in touch with you if they had any cybersecurity curiosities?
Stan Mierzwa:
Absolutely. So well, you could always reach me on if you’d like on, I’m not a huge Twitter user yet, but I do have a Twitter account at SMierzwa3. You can reach me on LinkedIn and through our Center for Cybersecurity website where I’ll provide the link. But all I would say is, you know, think about the world differently with regard to cyber threats, right? We often say I try to do a little bit of construction at home and I try to teach my kids. I’ll measure twice cut once. Double check. Well, stop and think a little bit more about that app that you’re downloading or a setting or a technology. Think critically to ensure it isn’t introducing any unneeded risks.
Saul Marquez:
Love it. That’s another way of thinking about it. Of measuring twice, cutting once. It’s like before you download that or before you click on something. Just take a step back and think about it.
Stan Mierzwa:
Absolutely.
Saul Marquez:
I’ve been getting a lot of these texts from like UPS and USPS saying that, Hey, your package is ready. And they’re texts. And I just haven’t clicked on them because I could totally tell they’re spam or phishing attempts.
Stan Mierzwa:
Yeah, if it’s not expected, don’t click on the link. You can call the vendor in that case and verify. You don’t want it, and it’s so easy to say, Well, let me just see if it’s something to be concerned about. And then you just introduced some malware on your device. Double check. Make the call. It’ll be worth it in the end.
Saul Marquez:
Love it! Well, Stan, this has been great. Thanks for some very practical tips around what we could do to protect ourselves with cybersecurity threats. Really appreciate you jumping on with us today.
Stan Mierzwa:
Hey my pleasure, Saul, and good luck. Take care.
Things You’ll Learn
Resources
Twitter : @smierzwa3
Email: smierzwa@kean.edu
Website: https://www.kean.edu/academics/center-cybersecurity