WEBVTT

00:00:05.300 --> 00:00:08.200
Hi everyone. I'm Bob Bragdon with CSO, and I'm pleased

00:00:08.200 --> 00:00:11.700
to be joined by Rob Flores, the CISO of BD.

00:00:11.700 --> 00:00:12.900
Thanks so much for joining us today.

00:00:14.700 --> 00:00:16.000
Father said you're be here.

00:00:16.000 --> 00:00:16.900
Thanks for having me.

00:00:18.000 --> 00:00:21.200
Hey, Rob, tell us a little bit about yourself and your background,

00:00:21.200 --> 00:00:22.300
and also about BD.

00:00:23.700 --> 00:00:28.200
Yeah, absolutely. So my role at BD is Chief Information

00:00:28.200 --> 00:00:31.800
Security Officer. And so in this role,

00:00:31.800 --> 00:00:36.700
I'm really leading and organizing information security across

00:00:36.700 --> 00:00:42.600
our enterprise IT, our products and commercial offerings

00:00:42.600 --> 00:00:44.100
that we deliver to customers.

00:00:44.100 --> 00:00:52.500
And then also our distribution centers. A bit about BD: we're

00:00:52.500 --> 00:00:55.700
a leading global medical technology company.

00:00:55.700 --> 00:01:01.900
Our bread and butter and our history is in the syringe

00:01:01.900 --> 00:01:06.700
and needle business, but also within the last twenty years

00:01:06.700 --> 00:01:11.500
we've really grown to have quite a portfolio of software

00:01:11.500 --> 00:01:18.300
technology. And so you'll see medical technology in a diagnostic

00:01:18.300 --> 00:01:23.100
setting, in a research facility, to medication

00:01:23.700 --> 00:01:28.900
dispensing cabinets and infusion pumps.

00:01:28.900 --> 00:01:37.200
And we have mobile applications to cloud solutions, all again

00:01:37.200 --> 00:01:42.200
for advancing the world of health. And so, you know, at BD, I'd say

00:01:42.200 --> 00:01:46.100
my mission is really about protecting patients and

00:01:46.100 --> 00:01:48.800
protecting their safety.

00:01:48.800 --> 00:02:00.100
And their proxies is there is a certain one,

00:02:00.100 --> 00:02:03.600
actually, I started off my career building software,

00:02:03.600 --> 00:02:07.100
designing software.

00:02:07.100 --> 00:02:12.300
So, for the medical technology industry, before moving into product

00:02:12.300 --> 00:02:17.100
security and spending some time focusing on how to secure medical

00:02:17.100 --> 00:02:22.000
technology. And then, a little over two years ago,

00:02:22.000 --> 00:02:23.200
I took

00:02:23.700 --> 00:02:36.500
the Chief Information Security Officer role. Now to the responsibilities.

00:02:36.500 --> 00:02:39.800
I mean, your role, so you cover a breadth of security.

00:02:39.800 --> 00:02:42.900
Everything from, as you said, enterprise IT to product

00:02:42.900 --> 00:02:44.300
manufacturing and services.

00:02:44.300 --> 00:02:46.600
That's sort of the ecosystem of trust,

00:02:46.600 --> 00:02:52.300
if you will. How does the concept of trust factor into the responsibilities

00:02:52.300 --> 00:02:52.900
of your job?

00:02:54.600 --> 00:02:58.900
Great question, Bob. I would say trust is at the core of everything

00:02:58.900 --> 00:03:04.000
we do in cybersecurity, and it's never more apparent than in an

00:03:04.000 --> 00:03:09.100
industry like healthcare, where, for example, patients don't

00:03:09.100 --> 00:03:14.300
get to decide what medical devices they are interacting

00:03:14.300 --> 00:03:19.000
with or being supported by.

00:03:19.000 --> 00:03:22.300
You don't make that choice, much like you don't make a choice

00:03:22.300 --> 00:03:33.600
on which gas pipeline provides for your local area, or who is helping produce

00:03:33.600 --> 00:03:36.600
your meat for your local butcher shop.

00:03:36.600 --> 00:03:43.800
You know, in our industry and in healthcare, trust is a really

00:03:43.800 --> 00:03:46.900
important topic because at the end of the day,

00:03:46.900 --> 00:03:52.800
a medical technology company like BD is essential to healthcare,

00:03:52.800 --> 00:03:54.400
to making people healthy.

00:03:54.600 --> 00:04:02.900
And so I think there's a long history of a focus on privacy

00:04:02.900 --> 00:04:07.700
in healthcare, and I think what has quickly emerged here also, though,

00:04:07.700 --> 00:04:11.900
is the importance of patient safety as it relates

00:04:11.900 --> 00:04:15.600
to cybersecurity and healthcare, and that's just another

00:04:15.600 --> 00:04:21.200
factor in the equation when it comes to a medical technology

00:04:21.200 --> 00:04:26.700
company. And that's also, again, why we have such a broad

00:04:26.700 --> 00:04:32.800
view and focus on cybersecurity across the enterprise IT, across

00:04:32.800 --> 00:04:38.200
our products and distribution.

00:04:40.900 --> 00:04:44.500
Do you think that trust is something that we have?

00:04:44.500 --> 00:04:48.500
I hate to say it, to trust our business partners to deliver.

00:04:48.500 --> 00:04:51.700
I'm constantly reminded of the adage "trust but verify."

00:04:51.700 --> 00:04:57.700
Yeah, and actually at BD, we recognize

00:04:57.700 --> 00:05:01.400
the importance of having external third parties provide

00:05:01.400 --> 00:05:16.900
this additional level of reassurance. One example is going through a certification

00:05:16.900 --> 00:05:21.800
through Underwriters Laboratories for their Cybersecurity

00:05:21.800 --> 00:05:24.800
Assurance Program. One is on our enterprise

00:05:24.800 --> 00:05:29.500
IT infrastructure, and also moves into the way that we

00:05:29.500 --> 00:05:34.500
work. And then the other one is really about the security

00:05:34.500 --> 00:05:37.300
practices that go into the products,

00:05:37.300 --> 00:05:39.500
the medical technology that we deliver.

00:05:40.900 --> 00:05:43.100
And so we

00:05:43.100 --> 00:05:47.600
certified a couple of products at BD with UL.

00:05:47.600 --> 00:05:52.900
And it's again another mechanism, really, to provide a

00:05:52.900 --> 00:06:03.800
relationship with our customers. In industries where they're

00:06:03.800 --> 00:06:07.700
producing physical products like that, I'd say this may

00:06:07.700 --> 00:06:08.900
be a little bit different to them.

00:06:09.800 --> 00:06:14.400
Certainly one thing to note when it comes to product

00:06:14.400 --> 00:06:25.900
security is that the CISO's organization, or the security

00:06:25.900 --> 00:06:30.300
team, is not necessarily the folks that actually build the product

00:06:30.300 --> 00:06:31.900
or write the code.

00:06:31.900 --> 00:06:37.900
And in fact, I would argue that it never could be, because

00:06:37.900 --> 00:06:42.100
there's not enough people working in cybersecurity organizations

00:06:42.100 --> 00:06:46.600
at most companies, and there's not even enough talent

00:06:46.600 --> 00:06:53.900
to hire. So the real supply for cybersecurity is actually training,

00:06:53.900 --> 00:06:58.700
you know, our software engineers, training our R&D organization

00:06:58.700 --> 00:07:02.900
on how to design, develop, write software,

00:07:02.900 --> 00:07:09.100
architect systems with security by design, and then also thinking

00:07:09.100 --> 00:07:09.200
about

00:07:09.900 --> 00:07:12.300
how the customer,

00:07:12.300 --> 00:07:17.000
the end user, interacts with that medical technology, in our case

00:07:17.000 --> 00:07:23.800
for our product security, and then also partnering with our ecosystem

00:07:23.800 --> 00:07:30.200
of stakeholders. We have hospitals, we have patients,

00:07:30.200 --> 00:07:34.300
but we also have regulators, and we have federal agencies

00:07:34.300 --> 00:07:46.300
across the world including the US and Central.

00:07:46.300 --> 00:07:50.300
And a great example of that is the practice of coordinated

00:07:50.300 --> 00:07:54.900
vulnerability disclosure. And so I'll say,

00:07:54.900 --> 00:07:56.900
you know, that's really part of our principles

00:07:56.900 --> 00:08:01.600
and values model that we oftentimes say: security by design,

00:08:01.600 --> 00:08:04.100
in use, and through partnership.

00:08:04.100 --> 00:08:07.100
And so I think those are some of the essential things to focus

00:08:07.100 --> 00:08:07.500
on.

00:08:09.800 --> 00:08:11.000
What do you see as being

00:08:11.000 --> 00:08:12.600
the greatest risks you face?

00:08:14.900 --> 00:08:20.500
So in healthcare, we have some ugly ones. Around 2017,

00:08:20.500 --> 00:08:25.600
I was very fortunate to participate in the healthcare

00:08:25.600 --> 00:08:32.400
industry being brought together under Presidential Policy Directive

00:08:32.400 --> 00:08:41.700
21. And you know, we had healthcare providers,

00:08:41.700 --> 00:08:45.200
the pharmaceutical industry, and medical device

00:08:45.200 --> 00:08:55.400
manufacturers, and several binding obligations on cybersecurity

00:08:55.400 --> 00:09:05.000
that are specific to the and what that section highlighted

00:09:05.000 --> 00:09:05.500
was that

00:09:06.000 --> 00:09:12.200
The lifespan of medical technology exceeds the lifespan

00:09:12.200 --> 00:09:14.300
of security for technology.

00:09:14.300 --> 00:09:22.600
And what we have in healthcare is 15-year-old medical technology

00:09:22.600 --> 00:09:23.100
still in use

00:09:23.100 --> 00:09:28.300
today. It is a costly, expensive issue to address.

00:09:28.300 --> 00:09:29.800
It is certainly,

00:09:29.800 --> 00:09:45.200
I think, a multi-generational issue which device manufacturers

00:09:45.200 --> 00:09:57.100
control technology that helped out your fire station?

00:09:58.100 --> 00:10:03.100
Everyone's struggling with addressing risk in their legacy

00:10:03.100 --> 00:10:05.600
environments, and that's particularly true in the healthcare

00:10:05.600 --> 00:10:06.600
space, I think.

00:10:06.600 --> 00:10:08.200
How do you see that playing out?

00:10:10.000 --> 00:10:14.500
Yeah, you know, there's no silver bullet when it comes

00:10:14.500 --> 00:10:16.800
to cybersecurity in general, right?

00:10:16.800 --> 00:10:21.600
And when it comes to medical technology and legacy medical

00:10:21.600 --> 00:10:26.200
technology, certainly there's a lot of great technology

00:10:26.200 --> 00:10:34.300
that's emerging in the space, and there's a lot of network

00:10:34.300 --> 00:10:36.600
segmentation that's taking place as well,

00:10:36.600 --> 00:10:40.900
taking these older medical technologies off of enterprise

00:10:40.900 --> 00:10:43.900
networks that are adjacent to each other.

00:10:43.900 --> 00:11:00.900
Very vulnerable or very accessible systems can be a key to your

00:11:00.900 --> 00:11:04.100
door, to your Active Directory.

00:11:04.100 --> 00:11:07.900
However, you know, what happens there

00:11:07.900 --> 00:11:09.100
as well is that we lose

00:11:09.900 --> 00:11:24.500
the benefits of technology from an analytics perspective,

00:11:24.500 --> 00:11:27.200
from a preventive maintenance perspective, from a diagnostic

00:11:27.200 --> 00:11:39.700
perspective. And so, you know, I think again, healthcare

00:11:39.700 --> 00:11:42.900
providers need to prioritize new technology,

00:11:42.900 --> 00:11:47.200
adopting the latest and greatest controls.

00:11:48.200 --> 00:11:53.900
So you're in an environment where the solutions you provide

00:11:53.900 --> 00:11:56.700
to your customers are often highly regulated. I'd say that's probably

00:11:56.700 --> 00:11:57.900
a fair statement, right?

00:11:57.900 --> 00:12:02.200
How do you balance the requirements of meeting compliance

00:12:02.200 --> 00:12:05.700
mandates versus achieving good security? Because they often,

00:12:05.700 --> 00:12:07.400
they are very different things.

00:12:07.400 --> 00:12:14.400
You know, here in the US, with the FDA,

00:12:14.400 --> 00:12:17.200
the agency actually has done a remarkable job,

00:12:17.200 --> 00:12:21.400
in my experience, actually helping propel

00:12:21.400 --> 00:12:24.500
our cybersecurity program to another level.

00:12:24.500 --> 00:12:27.700
I mean, it started with the premarket

00:12:27.700 --> 00:12:31.500
guidance for cybersecurity from the FDA, and

00:12:31.500 --> 00:12:37.400
also the postmarket cybersecurity guidance, and that

00:12:37.400 --> 00:12:40.500
really provided

00:12:40.500 --> 00:12:44.700
the foundation, a starting point for adopting

00:12:44.700 --> 00:12:46.100
cybersecurity practices.

00:12:48.200 --> 00:12:53.000
I'd also say that it was a starting point, and there was much

00:12:53.000 --> 00:13:01.300
more that we can do to mature our practices.

00:13:01.300 --> 00:13:11.800
That's why we, many medical technology companies, and nsta crafted

00:13:11.800 --> 00:13:14.600
The Joint security.

00:13:14.600 --> 00:13:25.900
It is essentially a playbook that, in highly regulated

00:13:25.900 --> 00:13:38.700
like static code analysis.

00:13:38.700 --> 00:13:46.500
How to communicate.

00:13:48.200 --> 00:14:04.500
Provide documentation that I think The Regulators are actually

00:14:04.500 --> 00:14:09.300
I think they have done very well in adopting different cybersecurity

00:14:09.300 --> 00:14:15.900
practices, but I certainly wouldn't wait for more regulation.

00:14:15.900 --> 00:14:19.200
I would say there's a lot of things that we can do now that

00:14:19.200 --> 00:14:24.500
go even beyond regulation, that go into building and showing

00:14:24.500 --> 00:14:27.900
commitment to their success, and that means protecting

00:14:27.900 --> 00:14:39.800
valuable and a great example demonstrating that level of trust

00:14:39.800 --> 00:14:40.300
you

00:14:41.600 --> 00:14:45.100
Well, that's you segueing, leading right into my next question,

00:14:45.100 --> 00:14:48.000
which is, you know, let's walk around to the other side of that.

00:14:48.000 --> 00:14:50.900
How about your customers' challenges of justifying investing

00:14:50.900 --> 00:14:53.500
in security? What do you see as the path for them?

00:14:53.500 --> 00:14:55.000
And is there a payoff down the road?

00:14:56.600 --> 00:15:00.100
Great question. I would say that,

00:15:00.100 --> 00:15:04.000
you know, this is just my own observation,

00:15:04.000 --> 00:15:10.800
I'd say that more secure technology is also more cost-effective

00:15:10.800 --> 00:15:17.700
technology. There is a cost to managing residual

00:15:17.700 --> 00:15:20.000
cybersecurity risk in our environment.

00:15:20.000 --> 00:15:23.100
Even if you don't work in healthcare, I think,

00:15:23.100 --> 00:15:26.800
you know, if you work in information

00:15:26.800 --> 00:15:30.000
security or, you know, some other industry,

00:15:30.000 --> 00:15:34.300
I think you can appreciate the things that we have to do to protect

00:15:34.300 --> 00:15:46.700
something that is that this nation is.

00:15:46.700 --> 00:15:49.500
in the world that is making healthcare

00:15:49.500 --> 00:15:55.200
more affordable, more accessible to patients. And so,

00:15:55.200 --> 00:15:55.700
you know,

00:15:56.600 --> 00:16:01.800
prioritizing security actually is one small component

00:16:01.800 --> 00:16:05.600
to bridging that gap and helping.

00:16:05.600 --> 00:16:08.900
I mean, the disruption of healthcare, if you've seen any such

00:16:08.900 --> 00:16:13.400
event, has a catastrophic impact on the delivery of healthcare,

00:16:13.400 --> 00:16:16.600
and mitigating that event,

00:16:16.600 --> 00:16:21.600
I think, would help us have a more reliable healthcare system.

00:16:24.400 --> 00:16:25.600
Yeah, that's a really good point.

00:16:25.600 --> 00:16:28.400
I was interviewing someone just here, I guess it was a couple

00:16:28.400 --> 00:16:32.900
days ago who works with the Irish Healthcare System and they

00:16:32.900 --> 00:16:35.800
were one of those organizations that was hit by a massive

00:16:35.800 --> 00:16:38.900
ransomware attack, and he said they had still not recovered

00:16:38.900 --> 00:16:39.700
at that point.

00:16:39.700 --> 00:16:41.700
You know, it's incredible.

00:16:41.700 --> 00:16:44.700
the number of organizations like that.

00:16:45.300 --> 00:16:49.200
There's been a lot of discussion in the market,

00:16:49.200 --> 00:16:50.700
I guess, since SolarWinds,

00:16:50.700 --> 00:16:53.000
although I think a lot of us have been talking about it before

00:16:53.000 --> 00:16:56.700
that, a bit about supply chain security. In some ways,

00:16:56.700 --> 00:16:59.500
your products are the products of the supply chain,

00:16:59.500 --> 00:17:03.600
right? Let's come back to trust for a minute, and what that trust

00:17:03.600 --> 00:17:04.400
means to your customers.

00:17:06.100 --> 00:17:11.500
Yeah. So, you know, I think Colonial Pipeline is another

00:17:11.500 --> 00:17:11.700
great example.

00:17:16.000 --> 00:17:22.100
If you replace gasoline with medical technology, you have

00:17:22.100 --> 00:17:26.100
the same scenario for healthcare with any device manufacturer

00:17:26.100 --> 00:17:32.600
out there. Right now, we as an industry are the supply chain for hospitals,

00:17:32.600 --> 00:17:37.800
for healthcare providers, and, you know,

00:17:37.800 --> 00:17:45.600
it's not easy for a customer to have visibility to that supply

00:17:45.600 --> 00:17:51.000
chain. And so it's important for manufacturers,

00:17:51.000 --> 00:17:54.900
for vendors in any situation, even outside healthcare, to provide

00:17:54.900 --> 00:18:07.800
a great call out for the NTIA's work, and this is

00:18:16.000 --> 00:18:20.700
at BD, we provide our customers with what we call product

00:18:20.700 --> 00:18:29.400
security white papers, and that lists the technology.

00:18:29.400 --> 00:18:31.900
But the next step also is really operationalizing

00:18:31.900 --> 00:18:40.100
that with our customers, for really a healthcare system that

00:18:40.100 --> 00:18:41.900
really requires automation software.

00:18:41.900 --> 00:18:55.400
Part of that also is documenting the practices that we take

00:18:55.400 --> 00:18:57.200
to secure our supply chain.

00:18:57.200 --> 00:19:06.200
Are you, did you lie science offer?

00:19:06.200 --> 00:19:14.600
Are you guys today be expecting your security

00:19:16.000 --> 00:19:20.000
your manufacturing and distribution centers against

00:19:20.000 --> 00:19:31.100
the inferi such as, in, in Dumb.

00:19:31.100 --> 00:19:42.800
And then, lastly, when writing software, there is no,

00:19:42.800 --> 00:19:53.100
we can't find the app for ages of the human body.

00:19:53.100 --> 00:20:08.900
Develop, strong feelings and our customers.

00:20:08.900 --> 00:20:11.300
And what I mean by that is coordinated,

00:20:16.000 --> 00:20:20.100
talk about compensating controls,

00:20:20.100 --> 00:20:28.700
Talk about what they don't know.

00:20:28.700 --> 00:20:33.900
That's great. Thank you again for sitting down with us.

00:20:35.200 --> 00:20:36.600
Thank you, Bob. It's a pleasure.

00:20:37.600 --> 00:20:38.500
It's all you.

00:20:38.500 --> 00:20:40.100
I appreciate you joining us for

00:20:40.100 --> 00:20:41.600
CSO Online. Bob Bragdon.