Episode 119:
Hidden Security Vulnerabilities in Healthcare Portals

Tune into this episode to learn why browser-based attacks could be the next frontier in HIPAA compliance. 

In this episode of Compliance Conversations, CJ Wolf, MD, is joined by Rui Ribeiro, Co-Founder and CEO of Jscrambler, to dive into the client-side security threats healthcare organizations often overlook.  

From patient portals to embedded video players, Rui explains how browser-based vulnerabilities are creating new risks that healthcare teams need to be aware of. 

You’ll learn: 

  • Why client-side protection could be the next step in HIPAA evolution 
  • How healthcare can follow the lead of PCI DSS standards 
  • The critical role of Zero-Trust Architecture and JavaScript integrity 
  • Simple ways to start reducing hidden compliance risks today 

Episode Transcript

Welcome everybody to another episode of Compliance Conversations. I am CJ Wolf with Healthicity. And today we're going to be talking about security and how to prevent what a lot of us fear in compliance, right? Making sure that our protected health information is secure. And our guest is Rui Ribeiro from Jscrambler. Welcome, Rui. 

Thank you. It's a pleasure to be here. 

We're glad that you're willing to take some time and share a little bit about this important topic. But before we get into our topic, we'd love to hear about you. Tell us a little bit about yourself and what you're currently doing and the work that you're involved in. 

So, my name is Rui, you already mentioned it. I founded a company called Jscrambler with my co-founder Pedro Fortuna with a mission to secure the client side of web applications. When we started on this mission of founding a company, bringing people together, down the road we understood that the problems we were facing were much larger than what we initially were looking for. So down the road, we understood that we were focused on data privacy, that we were focused on making sure that when the user was engaging with a website, which can be a hospital in this case, or a healthcare provider, they are sharing a lot of data with them and that data is vulnerable. It's mainly vulnerable to third parties, third-party access, be it conscious or unconscious, be it an attack, a misconfiguration, or different problems that arise from all of these technologies working together. And this has brought Jscrambler up to this point. We have been mainly focused over the past couple of years, in terms of data, on payment data. But we have also expanded into healthcare because, of course, payment data is very relevant, but protected health information is, I would say, even more relevant for patients, for the users. 

Yeah, absolutely. And as compliance officers, of course, we're concerned with protected health information or PHI, but all data, like you're talking about, payment data is also. And security strategy and vision really is, we're not saying let's just protect our PHI, let's protect all sensitive data, right? And so I appreciate you having experience in that area as well, because I think probably the principles, the concepts and the strategies are pretty similar is what I would think. So let's jump into our topic a little bit. A lot of us in compliance are looking at the proposed rulemaking to amend the HIPAA Security Rule that HHS came out with in January. I'm curious, you were telling me before that there's one big area that the rule does not include, and that's kind of what you focus on, which is client-side protection. Tell us a little bit about that, the client-side protection. What do you mean by client-side protection? I'm assuming you mean the hospital or the provider. And why is that so vital to the mission that we want to reduce risks in healthcare organizations? 

And I forgot to mention that we are a very technical company and we focus too much on the technicalities. So when we're talking about the client side, we're mainly talking about the end user. So when you are engaging with a browser. And when you're talking about how they forgot to address this problem, it is from a technical aspect: they focus too much on cybersecurity aspects, cybersecurity attacks, and not so much on naming where you should be addressing data privacy concerns. If you look at it today, there's data at rest on the servers, and there is data that you are either inputting or outputting out of your systems, which is normally through a browser or a mobile app. In the case of healthcare, mostly through browsers. And that's the client side. That is the moment where the end user is interacting with that data. And it is the moment where, if you basically look at it, you're either capturing this private information or you are displaying it through the results that you have provided through diagnostics and all of those processes. 

I see. So that's kind of where, let's say if I'm a patient and I enter my, there's a portal of medical records, right? I've received services at a hospital or a doctor's office, and now I want to go in and access the note or my latest lab results. So you're talking about that moment in time, right? 

That moment in time. 

And that moment is more critical than most people think, because, first, it's an interaction. Second, it's dependent on the user. And third, we have evolved server-side security a lot, but client-side security, at that exact moment, is not so sophisticated. In most situations, you have about 60 different vendors coming into play to ensure that whole interaction. For example, imagine that you had to see a video. A healthcare provider is not going to develop a video player. They're going to bring in a video player from a third party, or they are going to use data analytics from another third party, like Google or someone else. All of these things come together to make that interaction. The question is, is there a security model in place so that a video player is not able to access your private information? And that's where we come in. So looking from the compliance perspective, when you're dealing with compliance, you have to work with marketing, you have to work with security, you have to work with the web development team, you have to work with so many people and understand their language, which is incredibly complicated, and mostly with technical people like sometimes we are. And so we try to break those barriers. So we come in, we provide the solutions that someone from compliance is able to understand, like what type of data do you not want to share with third parties? What type of data is allowed? Should this third party, like a video player, ever have access to X, Y, and Z? And we are not only able to monitor it, but also enforce those behaviors, which is a technology that is missing from the browsers and from all of those other parts of the tech stack. And we have been doing it for a long time in payments. But when we designed the technology, to be honest, payments was at the bottom of our priorities. It was mostly other types of private information that we were more focused on. But since then, the needs have been increasing because of credit card skimming and all other types of attacks that are targeting the payment industry. And if you look at it, that affects all of the industries in different forms. 

So what are some of the solutions that exist to kind of help mitigate that risk? Do you have any examples? 

Yes, I think there are technologies that are already in place, even for the browser, for example, Content Security Policy. So which vendors are allowed to be here? But most of the time when you go to an organization, they don't know how many vendors are there, or where they are coming from, because it's different departments adding different elements to the stack. Like I was saying, a video player. Would the person from the compliance team know about a third party that's being used to play a video on that page? Most likely not. 

That's right. 

But that video player has the potential to access all of the login data of your users. Why? Because most likely, for example, it was designed for a company such as Netflix, where all the content is behind the paywall. So it has a lot of capabilities if it's wrong. If it's properly configured, it will only play a video, but it has the capacity to access login information, or it could only play content if it goes through a login process. So if you look at it, there are a lot of things that can go wrong, and not all of them are attacks. So first, what we have to make sure is we have to inventory all of those third parties. You can do it manually, you can try to use technologies that are very tough to manage, or you can use a solution such as Jscrambler that really maps those third parties from all the interactions in real time and throughout the year. Because what happens today on a vendor doesn't mean anything a few weeks after, because they can change their scripts, they can change their strategies. And I do think that I was listening to another call, another session that you recorded, which was with Aaron Bennett. And he was saying, when you look at the pixel from a third party, you try to understand what data they are collecting today. And he said, but you cannot control what they will collect in the future. And that was a topic that he was raising, that you cannot control what they will collect in the future. Our objective is, yes, you can. If you use solutions such as Jscrambler, you can define clearly what type of data they can access and what type of data they cannot access at all. And this plays very well into, of course, the GDPR, HIPAA, and also all the organizations that are focused on privacy, which is, if you don't have controls and if you don't monitor, how can you prove, as an organization, that you are having an active role in making sure that your patient data is secure? 

Yes. 

So it starts really, it's like a chicken-and-egg problem. It's not when you find problems that you need to react. It's, how do you make sure that you have the systems in place to control and avoid those problems altogether? 

Absolutely. Well, this has been great so far. We're going to take a quick break and then we're going to come back and talk about that a little bit more. 

Welcome back from the break, everybody. We're talking about prevention. And I think what you just said before the break is spot on. A lot of our compliance officers work with security officers, so chief information security officers or CISOs, and they look at the Security Rule, and what you said is absolutely right. You can identify a risk, but now the question is, what did you do about it? And I love that idea of having something to say, well, we identified this and this is what we did to try to mitigate that risk. That's really what you're saying, right? 

Yes, I am. And I would say our objective as a company, in the long term, is I will go to a security officer or to a compliance officer and say, you have your social security number, you have your this, this and that. Who should access it and when? And then make sure that we set up all the systems so that no one else can access that private information. Because we need to start talking not about encryption and whatever, and very technical topics, and talk about the customer and the data. If you started the discussion at that point, in our case, for example, when we were talking about payments, it was pretty clear. We just want X, Y, and Z to be able to access payment data. No one else. While when you are on a payment page, for PCI compliance, that's the reason why we are pushing this type of technology. But when you're interacting with a payment page, you have a lot of third parties there. Now you even have AI, whatever, to help you in that process. Who is to say that AI chatbot is not overstepping in accessing data? Not for the purpose of an attack, but because it was not properly configured. To give it context, to give good answers, some companies might think, okay, it's important that they know which page they are looking at and what's the context of that page. It recently happened, or a few years back, that Google Pixel or Facebook Pixel was everywhere on websites, even on healthcare hospitals. And they were leaking loads of information about individuals such as you and me. And when we were booking some cancer, periodic cancer screening, part of the process of our day-to-day lives, they would infer that we had an interest in cancer. They, the companies. And then they would sell that information to even other third parties. And since then, I know that things have evolved a lot, but to be honest, they have only tried to solve this problem by limiting a little bit the access to this type of information. The question should be asked in a different way, which is, it's not the vendors, it's the healthcare groups that need to have control of this. It's not Google, it's not Facebook that needs to decide which data they want to share. 

Exactly, because it's the healthcare organization's data, it's their reputation, it's their patients. So are there certain areas that you think healthcare organizations might not be addressing? Any examples of those? Are they missing the mark? 

I think that most of them, if you ask any of these compliance teams that are working hard on this, how many vendors or which vendors do you guys have on your webpage, they won't be able to answer that question. If they're not even able to answer who, then what they are doing is not an answer that they are going to be able to reach. And to do that, they're going to have to ask a lot of teams. And the problem is, if they ask today, they will get one answer. If they ask in five, they will get a different answer. Because most of these teams have several objectives. And I would believe, for example, the marketing team is under a lot of pressure to bring additional customers, to bring additional people to the website. And some vendor tells them, I'm going to give you the best exposure ever. And the guys that come to our website, they are going to convert, like, in 10, one is going to convert. I assure you, they're going to put that on the website. And then the security team might notice it and say, oh, that shouldn't be. And we will be brokering all of these interests together, because we end up helping everyone in the process. We have the compliance team, because then they have the control, they have the visibility. We have the security team, because we are monitoring all these third parties. They are able to say, okay, it's okay for you to use this vendor, we are constantly monitoring every session. And the marketing team, they can adopt other tools such as AI tooling and all of that, because they know that they have the controls in place and they have the approval from all of them. Going back to that same scenario on that other meeting, he said, most of the time the marketing and web teams work together, but they leave the security guys out and they leave the compliance guys out of these meetings. 

Right. We don't want that. We want them to all be part of that decision. 

Yeah. Because first, it's public facing. Then experience has shown that the liability is a very big risk, and you will lose customers and you will have a huge impact for the organization. 

Yeah. You mentioned before that you worked a lot on the payment side. Can HIPAA and can we learn anything from... what you've experienced from PCI and anti-skimming kinds of requirements and those sorts of things? Tell us a little bit about what you've learned there, and can it apply, or can we apply some of those lessons? 

I think that there is a direct application. PCI was very brave, and the organization was very brave, to point out that when you're paying for something on a webpage, you need to... The payment pages as a... a type of profile that has a very important type of data, which is used for fraud, which is credit card and payment data. And they clearly stated, you guys need to have control over these third parties. I'm oversimplifying, and the PCI people are going to, and I'm part of that whole process, but I'm trying to simplify the message. But if you need to have control, you need to know who they are, and you need to make sure that you limit their reach. They came up also with suggestions on how you can do it, but basically the main idea is this one. This was very brave, because up until a few years ago, people would say the web part is of no importance. There's no data there, which is stupid, because if you look at it, there is data there because I just typed it in. And there is data there because I just looked at it. So the data is there. While it is spread across all the users, if there is a method for you to be in every user, and there is, because you have all these third parties embedded into the page, it's not just under your control, the company's control, because all of these third parties are there, then there is a method for you to access all of the users' data by them accessing their own data. So they were very brave to spot that and to put that in a requirement for all the companies that accept payments to implement. And this has led to an industry maturing. And for example, today, I don't think you will be able to do a vacation without us, Jscrambler, being in the background, helping to make sure that no one is stealing your credit card. We have customers like airlines, media streaming companies, hospitals, mostly on the payments, but also, because there are some very sophisticated companies out there, also in the healthcare space, also in the broader privacy aspect of the organization. And it's incredible how volatile this is, because you have different rules. Like, booking an appointment or accessing your patient data from one region in the US, you are going to load a different set of vendors than in another region of the US, or if you are abroad accessing your data, because the privacy laws are very complex. And even changing a computer, or changing from computer to mobile, it's incredibly volatile. And that's why it's a big challenge for compliance teams, because even if they look at the snapshot, they are not seeing, not even the tip of the iceberg, they're just seeing that there's something out there that they should be worried about. 

Right. Well, Rui, this has been fascinating. We're getting close to the end of our time, but I'd like to, if you have any last-minute thoughts or recommendations, where would you recommend that compliance teams start when they start to think about some of the risks that you shared today? 

So there's no point in raising a risk if you have no way to solve it. Gladly, the risk that we are pointing at, we have a way to solve. I would say, ask your teams which third-party vendors are there, okay? If they want, they can cross-check with us, because we have free reports and our team can help them see if what they got back is the truth or it is something that they believe to be true, which most of the time, there is no real intention. It's just so volatile that sometimes they really don't know that they brought in vendor X, vendor Y, and vendor Z into the picture, and that some of them could be a big risk for the company. Again, there's no point in raising problems if there were no solutions, but there are solutions out there and they can implement them rapidly. 

Well, excellent. Excellent advice. And Rui, thank you for taking the time to sit with us and to share some of your experience. We really appreciate it. 

Okay. Thank you. Thank you very much. 

And thank you to all our listeners for listening to another episode. As usual, if you know of other experts or topics that you want to hear about or hear from, please let us know. And until next time, take care, everyone.