Ask the Expert: DevSecOps in Health IT
“Hope is not a plan or strategy when it comes to IT Security”
Chris Rathermel, VP of IT, on why is he leading the charge to integrate and automate security in all that Bridge Connector does
Chris Rathermel serves as Bridge Connector’s Vice President of Information Technology. A Wisconsin native who relocated to Nashville in 2011, he is a problem-solver who has worked for a diverse portfolio of industries, getting to the “root cause” and bettering lives with tech solutions. He adds to the tech “street cred” of the Bridge Connector team, thanks to his rich experience designing, developing and globally scaling IT solutions. Below, Chris is interviewed as part of our “Ask the Expert” blog series, presented in a Q&A format, so you can hear directly from our in-house experts and partners, in their words.
Q: Tech companies are on the cutting edge of innovation. Security is a “must” to keep both IP and and actual customer information safe. And yet, we normally don’t think about security as being an area for innovation. Tell me how you reconcile our organization’s rapid pace of growth and innovation with forward-thinking and, yes, “innovative” security measures as well.
A: My main undertaking here at Bridge Connector, which I would consider somewhat unique, is automating security where possible. That sounds like somebody is looking for the “easy” button, but it’s actually quite the opposite. We’re looking to really integrate security into most everything that we do in an automated fashion, which is difficult to pull off. So we have a division of our technology within our organization called DevSecOps, which is an evolution of DevOps.
DevOps is about taking code from a local developer’s computer, putting that into the cloud, and making it work in production, making it work at scale, and all of those things. DevOps is an area of technology that has been around for a little while but is evolving to encompass security, as DevSecOps. For example, security has historically been its own lane or its own department. But when you are able to effectively integrate security into the development team and into the infrastructure and the architecture, it has more impact, it saves money and is ultimately more (wait for it) secure.
Q: Health care data and its separate HIPAA privacy concerns are not new to you, but here at Bridge Connector, you obviously have these two different ecosystems — information security and then patient information privacy concerns on top of that — that you must balance solutions for. Tell us about how you assess and manage risk, given these two distinctly different lanes.
A: Absolutely. You first have to understand where your secret sauce is. Where is your “gold”? Where do regulations and certifications tell you that you need to operate? And how do you take those various requirements or certifications that you need to be able to work in your industry, then take it to the next level? Obviously, the goal is for me is to always improve from what the status quo is doing, seeking “continuous improvement” in every area of an organization, which happens to be one of our core values here at Bridge Connector.
Then you have to assess where your organization is most vulnerable from a data perspective — where is the “gold” that makes you susceptible to people who might try to steal your data? And how do you protect against that? It’s part of my job to constantly assess our threat profile. I have to be aware of where cyber attacks are occurring geographically, where the people in our industry are getting attacked, and where others are failing at keeping their information secure. You have to do endpoint management, anti-virus scanning, and you need to train your users very well. That’s really where it starts — the human firewall, because if you look at where the most breakdowns occur, email phishing is one of the top threats. You probably have a phishing email in your inbox right now. And it may even be from me, or our security partner vendor who helps us test for this, trying to get you to click on something.
IT’s goals include constantly testing employees’ knowledge and their abilities to identify legitimate links, email addresses, and so forth. Because it’s so easy for just one of your employees who’s not educated enough to click on the wrong thing, to enter their username and password. In making these kinds of critical mistakes, they have just provided access. Nobody “hacked” into anything. You gave them the keys. Social engineering has led to more sophisticated and highly effective phishing scams. This leads to compromises where a lot of machines are going to get taken over with malware, where hackers gather and siphon data for a long time. And then there’s Ransomware which encrypts your data and you must pay in Bitcoin to get the data decrypted. When your machine is infected with Ransomware, you will know pretty quickly.
Q: Lots of areas where you must constantly assess risk, and then Bridge Connector also has a large team of developers. Tell us the areas that you oversee in your role.
A: So you’ve got engineering, which is the people that build stuff. I oversee all of them but our platform team who rolls up to our Director of Innovation, Chris “CJ” Johnson. Then you’ve got infrastructure, which is making sure the lights are on and the servers are up. Then you have security, making sure that the doors are locked. Internal IT makes sure your email works and that if you spill water on your laptop, IT gets you a new one.
Q: You mentioned security vendors that companies can enlist to help test that human firewall, one example of which is email phishing scams. Utilizing these sorts of vendors who help test your employees, has that become the industry norm, or is health care behind the curve when it comes to managing this piece?
A: Unfortunately health care is typically behind in areas of technology, and security is not an exception to that rule. So you’ll see many companies, even here in Nashville, where some big, big hacks have happened. A lot of them have been phishing-related, and in some cases, the hackers have been in their systems for a long time. We’re talking months.
When you don’t have the systems in place to defend against it properly, and train your people against it properly and detect when someone is in your network that shouldn’t be, you’re in a dangerous situation.
It’s one thing to get hacked. It’s another to know it, respond to it, close it, remediate the threat, react to it. That’s the way you should run your security organization. Hope is not a plan. Hope is not a strategy. And it shouldn’t be applied to security either.
Q: How are hackers getting so good at what they do? And where do people that work in health care, or in health IT, need to be better prepared?
A: So much of hackers’ prowess is gained through social engineering. They can go on someone’s Facebook page, look at their age, look at their interests. Then they can go on a corporation’s website and know the names of their C-suite, their board of directors, and so on. So hackers are going to craft an email from an address that looks like it legitimately came from a person of authority within your organization. The email will come from “firstname.lastname@example.org,” so it looks like maybe they’ve resorted to a personal email address, with a message that says, “Hey, my work computer’s down. I’m sending this from my personal address. I really need you to send $1,000 to this wire transfer, and I need it done now.” They’re going to try to evoke fear but also get you to act quickly. Hacker language always speaks with a sense of urgency — “I need you to act now, now, now” — because you’re more likely to make a mistake that way.
Always hover over email addresses to check them for legitimacy, and do the same with links as well. If in doubt, forward it to your head of IT to verify.
Also, review what risk you add by making certain information public. Posting your executive employees’ contact info on the public website might seem benign, however it could be used as intel in a hacker’s attempt to gain access to your systems.
Q: As a health IT company who integrates all sorts of disparate data systems, Bridge Connector is dealing with lots of different data as well — everything from patient clinical data from EHRs, to personal identifier information from a CRM or billing system. Aside from having that data pass through our platform as we’re getting various data systems to “talk,” how else does our organization have to think about how we’re using that data, and steps we’re proactively taking to keep it safe?
A: So it’s an interesting topic, right? Bridge Connector helps companies achieve interoperability. We integrate Vendor A to Vendor B, and we do that smoothly for our clients, so that it makes sense for the health care team to make decisions from complete information — information that can only be gained once you have connected systems. So the data management and security policies are important and part of our core responsibilities.
The retention policy around this data is also important. We provide the ability for a client to look at their data with 100 percent transparency and understand what is happening with it. As our solutions continue to grow, including full-service options, and as we keep building out our platform, we’ll continue to deliver on that transparency so our clients can always have confidence that their data is flowing securely through our system.
Q: And that is why we are so glad to be interviewing you as our in-house expert who is leading our IT security efforts! We’re a young company, and yet, we have all this rich experience in tech and in health care among our leadership — yours included. What prior role of yours most speaks to the domain you own for us at Bridge Connector?
It comes from working at several different-sized companies with different security maturity levels.
Working at Kroll I got a chance to see how industry experts respond properly to a breach. I also got a chance to see how so many companies across the U.S. with sensitive data go through breaches.
I was at a health care IT startup, MEDarchon, where I took them from proof of concept, early days, to making security first for the entire organization. This was a web and smartphone app-based system that improves the clinical paging process with a message prioritization and routing feature. I learned a lot about how to scale DevSecOps from the ground up. Because if you don’t have the trust and confidence of the market, with respect to security, you’re not going to win. It is my personal mission to make sure that we use technology to make lives better, not worse, and a data breach definitely complicates that.
Another thing that I’ve done is take a non-health care company, a company that has a lot of PII, or personal identifiable information, which is the same kind of data that makes it easy for someone to steal your identity. PII wouldn’t reveal that maybe you just had knee surgery last year, but it still needs to be protected. However, it’s not as regulated in the United States as in the U.K. and the rest of Europe. GDPR, which went into effect around a year ago, speaks to this and is gaining a lot of traction. U.S. companies are now having to bolster their policies and procedures to give more rights to people over their own data, giving less ownership of that personal data to the companies who might have acquired it. As for how this will play out with policies in the U.S., it might be 10 years from now, but that’s definitely the direction most countries are going in. And the internet makes all countries “players” within the global economy every day.
Q: So here you are, at another health care tech startup. What lessons did you learn before that you’ve been able to apply here — how to manage growth, scaling a young company?
A: Yeah, so the hard part about security, no matter how long the organization has been around, is that you’re going to have the individual that says, “We’re secure. We’ve done everything that the regulations ask, that the certifications require, and we’re good.”
And we know those individuals are operating in this gray area, attesting to things that they maybe don’t feel as confident about, or maybe they have a policy but aren’t really practicing it. Maybe they’re practicing it, but they don’t have audit controls in place. Maybe all of that is great, but they also in the back of their head know that there’s this other back door that people can use to get into their systems and their process. And they’re not doing anything about it.
What I’ve tried to do in every past role, especially in partnerships and with clients, is to be as open and transparent as I can — about what we’re doing and where we are in our maturity level, because it’s easy to tell when that’s not true. The people that do this for a living, in procurement and security assessment, and who vet you as vendors and partners, they can tell as well.
Everyone has risk. No matter how long a company has been around, nobody is 100 percent secure. Because hackers are always one step ahead. It’s about managing risk and understanding if a hacker were to break through a line of defense, when are you going to be able to know about it? What amount of data can they access? So I’m constantly working to improve that. It’s like the saying that the best teachers are also lifelong learners. You can never learn all there is to know where it comes to improving your DevSecOps practices.
Q: You also touched on GDPR earlier. What’s the lay of the land with it here in the U.S. — has GDPR trickled down to policy or regulatory changes that are needed in our health care system yet?
No, I don’t think so. This may be another side effect of health care being a little bit behind the times in some areas, but any GDPR compliance stateside has thus far been company-driven. The climate, domestically, is much more along the lines of, “Companies have access to data, they own it, and it’s their job to protect it.” While GDPR is much more about, “I, as a consumer, own my own data.”
And U.S. health care has really struggled around this idea — that patients ultimately own their own data, and have more authority over it, than corporations should.
Q: It’s interesting to think about, but if we’re all consumers in what is ultimately a global company, why is it that most major health care companies Americans might be familiar with are not “global” in scope. Is this a consequence of each national government having such different regulations?
A: The global economy has trickled into so many other industries, health care from a regulations standpoint, and just because people are physically in one spot. It just kind of makes it easier to manage their care central to where they are located. Maybe that will change as transportation evolves with high-speed rails, as planes get faster, and as people become more transient in the workforce. Take some of our employees, even at Bridge. They might be on the West Coast for six months, and then they’ll be on the East Coast for another six months. So managing that from a continuity of care perspective with health care, that could evolve to include different countries.
Q: Speaking of how companies are called to increasingly address data in more of a global context, tell us more about your tenure at Work Institute, when you helped to bolster their security. This yielded some international-scope clients, including some major defense contractors.
A: I was at Work Institute for four years, during which time we did expand considerably outside of the U.S. We got PII data out of companies’ HR systems. These might be companies that need help with their turnover, or they’re seeking a more engaged workforce. They’re going to send demographic data like name, phone number, email address, actual address, date of birth, years of experience in the individual’s role, hire date, start date, salary. It’s not a person’s social security number — we never grabbed that, because we didn’t want it. And certainly, that’s another area of security we should talk about: don’t have access to data you don’t need, because it just adds more risk.
In the era of “Big Data,” the assumption is for companies to say, “Give us all the data.” Well, are you actually going to do anything with it? Does it pose more of a risk for you than not?” Storage costs have gotten incredibly cheap, so people have this misconception, “Oh, the more data I have, the more valuable my company is.” Certainly, this may be true for a lot of companies, but you have to also take into account what amount of risk it adds.
This also feeds into your retention policy. Maybe you needed certain data before, but you don’t need it now, some 10 years later. You have to set policies and procedures around when you will de-identify that data, or delete it.
Q: What’s going on with APIs and HL7 in health care, what are some best practices you can share with us as our integrations services go?
A: The buzzword out there right now is definitely FHIR. And FHIR is, certainly, a better technology and a better schema to use. But so many of the older healthcare systems are dependent on traditional HL7. It’s really about clients partnering with integrations vendors like Bridge, so that they never even have to worry about what the schema is. They can send us HL7, and we can send FHIR out the other end, to the provider that wants that. So, it at least alleviates half of the problem of having to work with HL7s, because they’re a little messier.
Q: What is Bridge doing that is unique that made you want to come work here?
A: If I’m being frank, working in health care, for a lot of people, is painful. In IT, many of us were working with old, antiquated systems. You maybe got into it thinking, “Hey, I’m an IT nerd. I really just want to work in an altruistic industry and help patients and improve patient outcomes.” But it’s a thank-less job when you’re restarting servers that are super old, because they don’t work anymore, or when working with really ugly code and third-party systems.
That’s not the case at Bridge Connector. We’re really disrupting the market in a lot of ways. We’re taking problems that have existed since the dawn of computers, connecting systems together and getting data from Point A to Point B, but we’re handling data in very interesting ways. We’re handling data in a way that really makes our processes scaleable, so that we can pass those cost savings on to different providers. We can make their lives and their administrative burdens less of a headache, so that they can focus on other areas of innovation.
When you think about the opportunity cost of providers’ pain points, there’s a lot of money, and a lot of people spending time on a lot of ugly areas of technology. And wouldn’t it be nice if those people and those technologies were spent better innovating in healthcare, actually having a better impact, actually improving patient outcomes? It’s a mission we need to address, and that’s why I’m here.