Cybersecurity in telehealth is everyone’s responsibility.
In this episode, Saul Marquez talked with healthcare cybersecurity experts Christine Sublett and Mark Jarrett about cybersecurity in the current telehealth space. Ever since the COVID-19 pandemic, telehealth has been more widely accepted and practiced. As many benefits as it brings, it also comes with potential threats that must be addressed. Christine and Mark talk about how healthcare organizations need to make sure that the whole ecosystem used to deliver care protects patients' data and privacy. They have come together to write a document with advice and guidance on how to do that. Even though, as a society, we've come a long way in the digitization of many processes, there is still room for improvement in cyber literacy, so Mark and Christine explain why educating everyone in cybersecurity can play a big role in the enhancement and strengthening of health and wellness.
Tune in to learn about the work Christine Sublett and Mark Jarrett have been doing to help healthcare organizations navigate the telehealth space safely and provide security for their users!
Christine Sublett is a senior executive and entrepreneur with a proven record throughout the healthcare and cybersecurity ecosystems, with expertise in digital health, health information technology, and medical device industries. She advises early to mid-stage companies’ boards of directors and executive teams on foundational principles of board-level cyber risk and crisis management oversight.
Mark P. Jarrett MD, MBA, MS, HCISPP is currently the Senior Health Advisor for Northwell Health and a Professor of Medicine at the Donald and Barbara Zucker School of Medicine at Hofstra/Northwell. He currently serves as the Vice Chair of the Healthcare and Public Health Sector Coordinating Council, the National Healthcare Sector Chief for National InfraGard, and the Sector Chief for NY Metro InfraGard. He is on the HPH Cyber Working Group Executive Council. His previous position for ten years was as Chief Quality Officer for Northwell Health, where he was responsible for system-wide initiatives in quality and safety and also served as Northwell's Deputy Chief Medical Officer.
He previously served as Chief Medical Officer and DIO at Staten Island University Hospital (SIUH). Prior to that appointment, Dr. Jarrett was Director of Rheumatology at SIUH from 1982-1999. Dr. Jarrett has extensive research experience and has been published on the subjects of immune response in systemic lupus erythematosus, quality, and cybersecurity in health care. Dr. Jarrett is board certified in internal medicine and rheumatology. He is a Fellow of the American College of Physicians and the American College of Rheumatology and past president of the Richmond County Medical Society. Dr. Jarrett earned his medical degree from the New York University School of Medicine. He completed his residency in internal medicine at Montefiore Medical Center, and a fellowship at Montefiore Medical Center and Albert Einstein College of Medicine.
Dr. Jarrett also holds an MBA from Wagner College and an MS in Medical Informatics from Northwestern University. He is also a certified Healthcare Information Security and Privacy Practitioner (HCISPP).
Outcomes Rocket Podcast_Christine Sublett and Mark Jarrett: this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Saul Marquez:
Hey everybody! Saul Marquez with the Outcomes Rocket. I want to welcome you back again to this cybersecurity series in healthcare. It's October, Cybersecurity Awareness Month in our country, and in particular on this series we are hosting a, just an incredible group of leaders within healthcare and in, specifically, healthcare cybersecurity. Today, I have the privilege of hosting two outstanding leaders in healthcare. First, I want to introduce Christine Sublett. She is a senior executive and entrepreneur with a proven record throughout the healthcare and cybersecurity ecosystem, with expertise in digital health, health information technology, and medical device industries. She advises early to mid-stage companies' boards of directors and executive teams on foundational principles of board-level cyber risk and crisis management oversight, two topics that have been common on our series and we'll continue to touch on. Secondly, I want to introduce Dr. Mark Jarrett. He currently is the Senior Health Advisor for Northwell Health and a Professor of Medicine at the Donald and Barbara Zucker School of Medicine at Hofstra/Northwell. He currently serves as the Vice Chair of the Healthcare and Public Health Sector Coordinating Council, which we're doing this podcast series in partnership with, and the National Healthcare Sector Chief for National InfraGard, as well as the Sector Chief for New York Metro InfraGard. He is also a cybersecurity expert in healthcare, and we're so excited to have him join us on this podcast series specific to telemedicine and what we are doing to make it safer and cyber-safe, as we've been saying in the podcast series. So with that, I want to welcome both of you, Chris and Mark, to the podcast. Thanks for joining me.
Mark Jarrett:
Thank you for having us.
Christine Sublett:
Pleasure.
Saul Marquez:
So one of the neat things that we’ve been doing as part of this series is sort of getting to know what has it been, what’s been the impetus for your interest in healthcare cybersecurity? So I would love to hear from both of you, what got you into the field?
Mark Jarrett:
Chris, I’ll let you go first.
Christine Sublett:
Okay, good, sounds good. So I've been in tech more than 30 years, and most of those years have been spent in cybersecurity in some part of the healthcare public health sector. I spent several years at Stanford Children's Hospital as their security architect and chief security officer. And even though that was more than 15 years ago now, it was apparent to me at the time that it was critically important for us to find ways to secure our healthcare data, particularly because my concern at the time, and it continues to be my concern, is that if we don't do this well, then we run the risk of losing the faith of our constituents, our customers, our patients. And I think we've actually seen that over the last many years related to different things. Some of it's security and privacy issues, some of it's around COVID and vaccines and other things where patients may not trust the healthcare sector. And this, you know, Mark and I have had many conversations around these … vaccinations, but I think it's also just as true around cybersecurity that we have to find ways to ensure that we are keeping data safe and keeping our patients safe.
Saul Marquez:
Yeah, thank you for that, Chris. Definitely a critical issue that, glad you're focused on it with your experience. Dr. Jarrett?
Mark Jarrett:
Sure, thank you. So I came at it actually from the opposite end than Christine. I was in patient care most of my career, taking care of patients. My last set of work was really as Chief Quality Officer and patient safety officer for Northwell Health, a large health system. And it became apparent to me that cybersecurity is not just about hacking and theft of data and things like that, it truly is a patient safety issue. We are now living in a very digital world in healthcare, and that digital world has many advantages, but has the disadvantage that we are now dependent on digital records, digital information, where in the past we often had paper records, which you can tell if altered, etc. So we're really living in a very different era, and I felt it was important to bring my little bit of tech knowledge together with what I'm hoping is a large amount of clinical knowledge, and hospital knowledge, and outpatient knowledge to bring this all together to try and see how we can help our providers, healthcare organizations, protect patients and the care that they get by practicing cyber hygiene and being secure.
Saul Marquez:
Thank you, Mark. Those are some great comments there. And it really does echo the previous podcast we did with Doctors Tully and Dameff around the importance of cyber safety as a patient issue. So I appreciate you revisiting that, it's critical, you know. Oh, Chris, were you going to comment on that? I didn't want to.
Christine Sublett:
I was certainly in agreement. And, you know, as Mark mentioned, the safety, cyber safety issue, right, it's not just related to the patient data itself, it's also related to devices and software, where there is potential, because things are network attached, whether we're talking WiFi, Bluetooth, or another interface, where an attacker doesn't have to be sitting in the room anymore. And I'm certain your previous podcasts address this in detail.
Saul Marquez:
Oh, absolutely, but you know what? You know, repetition is the mother of skill, and on this series, it’s great. You know, don’t feel like don’t, don’t hold back. I want to make sure we’re taking these points home. So, but I do appreciate you mentioning that, Chris. And so this, look, we’ve got through COVID, we’re on the tail end of it. As a result, virtual visits have become a reality. We found out that patients actually like them and that they are something that works. So with the increase of these virtual doctor visits, how do we keep the data and session secure?
Mark Jarrett:
Well, before I let Chris get into the technical, I always use the comment that telehealth and telemedicine, it's not just a simple phone call. It's a much more complicated system, as Christine pointed out, with devices, with using the Internet, with using connectivity means such as WiFi. And the easiest example I always give is the patient who's sitting at home, who's 80 years old, who's figured out how to get their device on their WiFi and therefore make the call, but still has the username as admin, and their password is password1, and that's about as open as you can get a system, and that's the reality of what we live with in terms of telehealth. Uh, strictly on, we can discuss on the hospital side hardening things, or the provider side, but we have to remember now this involves our patients. And if one thing we've learned in COVID, especially as people tried to get on websites to register for vaccines, it was that we have a wide spread of digital expertise amongst our patients and amongst the community. We have community members who really don't even have access necessarily to the Internet. So any security we put in has to reflect the fact that it's not just about the provider, but it's also about the patient and how we can help them maintain security as well.
Saul Marquez:
Some great callouts there for sure. Chris, what are your thoughts?
Christine Sublett:
So I completely agree with Mark that this goes well beyond having a video call, for lack of a better term, with a provider. We're talking about a wide range of remote patient engagement tools and platforms. And you can have a very secure system, very secure device, very secure platform that, if you're rolling it out to patients, and if it's difficult for them to use, it's essentially useless. And so it really is a balance between having what we think of as good security as well as good usability, and the larger health systems in many ways have a great advantage in terms of putting in place appropriate security and usability for their clinicians and their patients, but the vast majority of healthcare in this country is delivered by much smaller practices or sole providers. And I think it's fair to say most of them don't have high levels of security and privacy knowledge, and being able to communicate to their patients, number one, that, hey, there actually are security and privacy risks associated with this type of engagement, and helping a patient understand that they have some responsibility in this as well, and being able to explain this to people who may have varying levels, including some pretty low levels of technical knowledge, can be very challenging. And I think that's an area where it's not enough for us to provide, whether it's us, the HSCC, or a regulator, it's not enough for us to give our clinicians guidance. We have to be able to help clinicians, I think, give guidance to patients.
Saul Marquez:
Well said, and it's that, a good way to segment and understand it is usability and security. And Dr. Jarrett, you mentioned the password1 and username admin. It's even educating on the basics that you would think everyone knows, but you can't assume that.
Mark Jarrett:
But unfortunately, it's not just the general public. Even some of our providers, we've tried to educate them and it's ongoing, and series like this podcast are very important because it's not only protecting the patients and the healthcare information, which is very critical, but even protecting their own personal privacy that they have to be concerned with, and people have always seen this as overkill or, gee, you're just being paranoid. But the number of attacks that occur is so huge throughout the country in healthcare now, and the fact is that the information they can garner by hacking is actually very valuable financially. So if you say that it's worth $80 a medical record now for the healthcare information on somebody and you can steal 1000 of them, that's a lot to sell. So we really need the providers to understand that it's their responsibility, no differently than they all learned not to leave a paper chart in their car. It's the same type of thing, and it took a while. I think people are getting there, but unfortunately, I don't think they're there yet. And that's one of the things that we've tried to do in trying to provide information that is easy for everybody to understand. I think what Chris said is the large health delivery organizations, large health systems, they have lots of security people. They kind of get it. That doesn't mean they're immune to attack, because they're a very large target, but at least they know what to do. But a lot of other people don't, and it's just a matter of education over time. I think it's getting there, but we have a ways to go.
Saul Marquez:
Thank you for that. Yeah, for sure. And that’s why we’re doing this series. And I appreciate both of you being here with me and with the listeners to help us understand and help us get there. And so zooming back into telemedicine visits, you know, how are they vulnerable to cyber attack? Can somebody hack in and watch a video conference between a doctor and a patient? Help us understand that more.
Mark Jarrett:
Chris, do you want to start?
Christine Sublett:
I do. So COVID really in many ways moved telemedicine forward many, many, many years faster than I think it would have moved. And the great thing, there are not a lot of great things I'd say about COVID, but that one, I think, is a really good outcome. The federal regulators issued a limited tip, a waiver, so that we could use platforms that had not yet been vetted in any way for something like HIPAA compliance, right? These are considered things like Zoom or Skype or, oh, my gosh, Facebook Messenger, I'm sure, was being used, FaceTime, others. And, but, what this did is really opened up, for a large segment of our provider population and our patient population, the ability to have these remote visits with their provider. The challenge, of course, and it's not just with the types of products where they aren't running around saying that they comply with HIPAA or haven't had their security independently validated by a third party, is that, you know, any product can be insecure. And so the key, I think, for these products, whether it's a video platform, audio platform, or other type of remote patient engagement tool, is we have to build them with security and privacy in mind. It's not enough to think about it later at the end of our development cycle and say, oh, hey, we've got to build this in, let's go back and try to bolt it on, because it never works well, it takes longer, and it costs more. And so the companies making these products, so software and/or hardware companies, they have a responsibility, of course, to build security into products, but they do come with risks, and even with products that roll out secure, it is not unusual that somewhere down the road a vulnerability is identified.
And so part of what we've done with the HSCC, whether it's with the telehealth product that Mark and I worked on or other publications through the HSCC that addressed different types of medical devices or other types of hardware and software, is look at the whole product lifecycle and ensure that we build security into the product, we do the appropriate testing, and that we have a program in place to address issues after the product has been rolled out. So a post-market type of security program.
Saul Marquez:
No, I appreciate that, Chris. And being mindful from the minute you build it to how you maintain it is certainly critical. Is the issue that people could come in and eavesdrop on the session, or is the issue more that they get access to your profile and your data, or both?
Mark Jarrett:
Well …
Christine Sublett:
I think all of it is possible. I also think that it goes beyond that, right? It goes to a place where perhaps the patient systems are insecure because they haven’t patched ever or not recently, right? And, or it’s individuals who are in the room, whether it’s in the patient room or in the provider’s room while they’re having the session, so that information is being heard by people who really shouldn’t be hearing the information during your appointment. So it’s not always a technical issue.
Saul Marquez:
Mark, were you going to comment on that?
Mark Jarrett:
No, I was just going to say that it's true that they can either steal the information, just hacking, get your personal identifiers or your actual medical record, but of more concern, especially as you do certain types of telemedicine, and our health system has done a lot of behavioral health telemedicine, those are conversations you want to make sure are secure. People are really talking about things that are really the most personal of all. And it is possible people can hack in, and just like you can tap a phone, you can figure out a way to do this if there is not security at both ends, both the patient end as well as the healthcare end, and then how it's encrypted as it goes from one to the other and back and forth, maintaining that everything is done properly. So it's not super complex in today's world, but it just needs to be sort of hardened so that we really know it. And then a very critical thing after that is that whoever's doing the telehealth on the provider side needs to have some monitoring of what they're doing, looking for abnormal activity. You know, you don't want to find out about it because all of a sudden something comes out that information was stolen. You want to catch things early, so you need some monitoring of the system. So it's really an active process. Again, as both Chris and I were saying, it's not just a video call or a telephone call. It's a much more complex visit that requires a lot of work but has a lot of payoff, because, not only did we see it in COVID, but in general, the 80-year-old patient does not have to come in when there's 2, 3 inches of snow and ice on the ground to see the doctor when they just have a few questions. It just makes sense, you know, you bring the care to the patient rather than the patient to the care whenever you can.
Saul Marquez:
Yeah, totally agree. That's fantastic, Dr. Jarrett and Chris, thank you both for that insight. So as we take a look at ownership, you know, there are a lot of parties involved here in telemedicine and remote care. There's the Internet carrier, there are the device manufacturers, there are the software developers. Whose responsibility is this?
Christine Sublett:
Everyone’s.
Mark Jarrett:
I was about to say the same, it's everyone's responsibility. As a health delivery organization, we can't manufacture the equipment. We don't write the software. We do have agreements with them that they are going to make sure they're secure, and you have to ensure that. On the other hand, they have to make sure that when they put out a security patch, we're going to put in that security patch, because if we don't put in that new upgrade, then even though they have solved the problem, we've still left it wide open. So it requires everybody working together. And then it does involve the patient as well, making sure their device is secure, making sure that they have, so it's really everybody's involvement. But again, once it's set up and going, it does not become, just this beginning period where it exploded, of course, as I said, because of COVID, the amount of telehealth visits, that I think has made it a little bit harder. I think, as it becomes more routine, our ways of handling it will be better, and I think both the public and the providers will be better educated.
Saul Marquez:
Thank you for that. Chris, anything you’d add to that?
Christine Sublett:
I would absolutely agree with what Mark has said there. I think one of the places where we can still do better really is around patient education. Lots of organizations are doing a much better job with educating their providers, but there are still considerable segments of our society who are not nearly as technologically literate as they likely need to be. And certainly, when we're looking at things like telehealth, it's important that they understand really basic cyber safety, cybersecurity concepts, and how to protect themselves better. And so the combined example of admin and password1, it's amusing, but it's also horrifying because it's incredibly common. And so helping users understand that there are ways to manage their passwords, for example, some of this really does fall out of what I would consider to be the basics that a healthcare organization or clinician would be providing in terms of guidance to their patients. But really, I think it speaks to a broader question of just cyber literacy that we need to do a much better job of teaching just generally in our society.
Saul Marquez:
Thank you, Chris. Yeah, no, I appreciate your comments. And you guys have done an incredible job, in particular leading this part of the Health Sector Coordinating Council, the document that was produced, guidance around Health Industry Cybersecurity: Securing Telehealth and Telemedicine. I'd love to give you guys an opportunity to tee this up for the listeners. Folks, we will be including a link to this document, which is very informative. You can download it by visiting the show notes of today's podcast. But let's spend a little time there. Mark and Chris, tell us about the document and what people can get out of it.
Mark Jarrett:
Sure, so I'll start off. The document was published back in April of 2021. It got a little delayed because of COVID, but it did get published, and it really tries to cover things not only for the very sophisticated, from the … viewpoint, but, as we've been talking about, for people who are less sophisticated, and give guidance. And we tried to cover a lot of areas: defining what telehealth is, what are the risks, why is telehealth a target, why do people think it may happen? And then we really go into some of the considerations for cybersecurity that organizations should conduct in order to make things safer. We also have a little section on policy and regulations, which is constantly evolving, but we're going to update that eventually. But it's a good snapshot of what the policy and regulations are, because this is a regulated area, and for good reason. And therefore people have to be aware, if using telehealth, of what the federal and state regulations are that may be controlling this area as well. So it's an easy-to-read document designed for all levels of people trying to read it, and therefore hopefully gather information to understand the problem. There are a lot of other references for this as well, but we think this is a great introductory document for most people.
Christine Sublett:
You know, what I would add there is that most of the HSCC documents, all of them, address and understand that not all healthcare providers or health organizations or health systems are starting in the same place and/or have the same cyber capabilities. And there's a huge difference in the ability of a large health system and maybe a smaller rural health system in terms of their ability to adequately address cyber risk. And these documents, all the others, they understand this, and what we've done is we've really said, you know, these are the things that really should be happening, but if you can't do all of this, then do these things right and start. Essentially, it's always about start somewhere. And then as your capability and your cyber maturity grow, here are the other things that you should think about adding into your telemedicine, telehealth solutions, into your vulnerability management program for your telehealth systems and programs.
Saul Marquez:
Yeah, thank you, Chris and Mark. You know, and what I really love about this, folks, if you, I would hit pause right now and go look at the document. I mean, what a great place to get ideas around things you should be looking for. Hey, you can pressure test. If you feel like you've got a good program in place, pressure test your program with some of these things, because there are even state-specific recommendations around things you should be considering if you're doing telehealth from a particular state. So I just want to give Dr. Jarrett and Chris huge kudos, you and the team that put this together and are making it available for everybody listening today. We certainly appreciate the hard work and the smart work that went into this document, and what you guys are doing to educate the broader stakeholder community on cybersecurity in healthcare. As we close, I want to invite both of you to give us a closing thought, and the best place that the listeners could reach out to you and learn more about your work.
Christine Sublett:
Do you want to go first, Mark?
Mark Jarrett:
The best place to go, in terms of learning what we're doing, is to go to the website. I have some other articles on patient safety and cybersecurity that certainly people are free to read. They're all online in some of the journals. But what I really encourage is not so much about what I or anybody individually is doing, just keep up with what's going on. You know, as I said, the digitalization of healthcare is here. It's a definite plus for patient care, whether it be telehealth, electronic medical records, digital X-rays, everything is great. But with, like every, unfortunately, turning on its end, with every opportunity comes a threat. And we have to deal with the threats, and we can deal with the threats, but it requires a little work on all of our parts. So just try and keep up, look for documents coming from the Sector Coordinating Council on these areas. And certainly, people can reach out to me. I don't know if you're putting out our email addresses later or not.
Saul Marquez:
We’ve been doing LinkedIn if you want, we’ll.
Mark Jarrett:
You can get to me through LinkedIn, I’m on LinkedIn, and I’d be glad to answer any questions like.
Christine Sublett:
Same, yes, absolutely. Feel free to reach out through LinkedIn, and I'm also glad to answer any questions or provide any guidance I can. To add to what Mark said, keep track of what's happening with HSCC, and actually think about joining us, right? One of the wonderful things about the coordinating council is that we have a large variety of people and skill sets. And we have folks coming from all different parts of the healthcare public health sector and are always looking for additional people to join us.
Saul Marquez:
Thank you for that, Chris. And folks, you know, that is an opportunity. So make sure, if you are interested in doing more, speak up. All of these posts that will be, all these podcasts that we're publishing, we're also going to be posting them on LinkedIn. So if something today resonated with you or you're looking to get more involved, we encourage you to comment on those LinkedIn posts and start a conversation, because that's how we're going to make a dent in this cybersecurity, cyber safety that we all deserve, patients, caregivers, and stakeholders alike. So Chris, Mark, I want to thank you both for your time. Listeners, thank you for being with us. Hope you got a lot out of today's episode, and I'm looking forward to connecting with you, Mark and Christine.
Mark Jarrett:
Thank you.
Christine Sublett:
Thank you.