From San Francisco, it's theCUBE. Covering RSA Conference 2019, brought to you by Forescout.
Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're at RSA at Moscone in downtown San Francisco. We're in the Forescout booth. Our first time in the Forescout booth, we're really excited to be here. We're talking about cybersecurity. I don't know what the official number is this year, probably 45,000 professionals walking around talking about security. We've got our next guest on. He is Russell Jones, partner on cyber services for Deloitte. Russell, great to meet you.
Same to me too as well.
So I asked him before we turned it on, what's getting you excited these days? And you said everything. So this is a crazy, crazy busy space. What have you been working on lately? What's kind of your takeaway from the first couple of days of the show?
Yeah, it is a crazy busy space. And if you look at the cyber landscape, everything's moving at the speed of the internet. So it's this cat and mouse game in terms of attackers trying to find new ways to get into systems that is driving the industry. When you talk about healthcare though, the issue is these systems, like medical devices, oftentimes are connected to people. And so the implications of a hack against a, let's say a MRI machine or infusion pump could be devastating to an actual person connected to it. And that's really what's driving a lot of innovation in terms of some of the technologies you see, like Forescout and also a lot of what's going on from a regulatory perspective, and also the hospitals and healthcare systems themselves. Trying to solve that problem, managing cyber risks as it relates to clinical technology.
And a lot of that stuff wasn't connected before, right? There weren't IP addresses on every MRI machine or all these pump machines, or you have a pacemaker, all these things.
How are they looking at the risk reward from a connected device that gives you all kinds of benefits, but it does open up this attack surface that previously had maybe an air gap there?
That's a great point. Bottom line is the life saving, life extending attributes of these medical technologies and medical devices far outweighs the risk of cyber. However, we got to be smart about managing that risk. So we're going to see more connectivity, not less. Train's left the station in terms of what's coming in the future of healthcare, connecting more of not only the medical devices, but the information in them and being able to share that and then bring it together and aggregate it in ways that with analytics on top of it, allows doctors and researchers in the clinical community to connect dots in ways that solve cancer, some different maladies that have plagued us forever. So I think on the one hand, it's great. This connectivity is extending healthcare out to people in rural locations, and it's also allowing bringing together a lot of different data from everything from your Fitbit to your pacemaker to apps that you have on your phone in a way that's going to benefit us.
Right, right. So one of the things about healthcare is they're way out in front of kind of not healthcare in terms of regulation. And HIPAA's been around for a long time. GDPR just went into place in Europe last year. So when you look at it from a regulatory environment, which people have to consider, there's not only the complexity of the machines, there's not only the complexity of the security, but you also have regulatory environment. How is the cybersecurity in healthcare with their very unique regulations kind of impacting the way people should think about the problem, the way they should implement solutions?
So that's a good question. I think we've thought about in the cyber community forever. We talk about confidentiality, integrity and availability, right, the triangle.
When you think about healthcare and clinical technology and medical devices, you need to flip that triangle upside down. And the focus is integrity and availability. Those things together equal patient safety. So in other words, as we're connecting more of these devices to each other, to electronic health record systems, to the cloud, the integrity of the information in there, which is being used by doctors and other folks to make decisions about treatment, about surgical procedures, about medicines. It's crucial that that information and the integrity of it is maintained. And then the availability of the device is critical, right? If you're going in to get an MRI and it's down because it's been hacked, there's usually not a spare MRI. And so there's a profound impact for patients that are scheduled back to back to back to back to go get that procedure, that MRI that's going to be used by a doctor to do some surgery or some other kind of a treatment plan. So integrity and availability are huge in the cyber world. And if you look at the regulations, you know, depending on which one we're talking about and which part of the world, right? You mentioned HIPAA, you got security and privacy, you got GDPR, you got the FDA that have guidance around what they want the manufacturers to do building security into the devices. They all have an impact on cyber and how it's going to be addressed, how are we going to manage cyber risk in the healthcare world, in that environment.
And then there's this whole new thing. I went to the Wall Street Journal Health Conference a couple of weeks back. I don't know if you were there, but there was two people up for now. You can take your genetic footprint, right?
You can take your 23andMe results and after you figure out where your family's from, you can actually sell it back into a research market so that doctors and clinicians and people doing trials on new drugs can now take your data in kind of a marketplace back into a whole nother application. So it's kind of outside of the core healthcare system, if you will. But I mean, it's basically, it's me, right? In the form of my DNA footprint. It's crazy, crazy amounts of strange data that now is potentially exposed to a hack.
That's right. And so the implications there are obviously privacy, right? That's a huge issue, I think, that we're going to have to address and that's why you see GDPR. That's why you see the California Consumer Privacy Act. There's a recognition that, again, the train's left the station, there's a lot of good things that come out of sharing data and sharing information. There's a lot of benefits that can come out of it for consumers, patients. There's a dark side as well, and that has to be managed. That's why we have the privacy regulations that we have. We're probably going to see more, probably going to see more things like the California Consumer Privacy Act. All states and eventually probably a federal act for the US.
Do you think that the healthcare industry is better equipped to deal with like GDPR and the California Healthcare Act because of things like HIPAA, and they kind of come from that world? Or is this just a whole new level of regulation that they now have to account for?
I think it's probably a mixed bag. On the one hand, healthcare has been dealing with privacy for a long time, even before HIPAA, right? And then HIPAA has very specific requirements around how you have to manage that information and consent and notifying the patient of their rights. On the other hand, you look at some of the new things like GDPR, it goes way beyond HIPAA. And I think-
It goes way beyond HIPAA.
It goes way beyond HIPAA, like for example, this whole notion of the right to be forgotten, right? That's a requirement on the GDPR. That means me as a patient, if I tell my doctor, I want you to get rid of all my medical records. Everything in your system everywhere about me, I want it gone. Nothing that makes sense. Right, right. But at least in Europe, if they ask to do that, you have to be able to comply. From a technology perspective and a medical device perspective, some of these devices are very complex. Ecosystem of devices, components that make up the product. That's a very difficult thing to do. There's no one delete button that you hit that can delete you from all different instances downstream from where you came into the healthcare system. And so when you think about it from a cyber perspective, it gets to be very challenging.
The other thing, right, is healthcare is always under tremendous kind of price pressure from the insurers and the consumers and a bad medical event can wipe people out, right? Especially when they're later in life and they're not properly insured. When they're making kind of an ROI analysis on cyber investments versus all the other things they can spend their money on and they can't spend it all on security, that's not possible. How are they factoring in kind of the cyber investment as kind of this new layer of investment that they have to make because all these things are invested versus just investing in better beds and better machines and better people.
That's like the million dollar question. I would say some hospitals and health systems are doing it better than others. Maybe a little bit more further along and mature about thinking about the total cost of ownership and also the patient factor, right? What has to be balanced obviously is not just the cost but the end of the day, what's best for the patient?
And you hear this term patient centricity a lot today and as a recognition from all the players in the ecosystem, it's all about the patient.
I'm so glad you say that. I think a lot of people probably think that the patient sometimes gets lost in this whole thing but you're saying no.
There's an acknowledgement over the last few years and it's called patient centricity. It's an acknowledgement that the way we're going into the future of healthcare and the kinds of medical devices and technology and cloud solutions that are becoming part of the healthcare fabric, they're all being built and geared towards the patient being the center of the equation. Not the doctor, not the hospital, it's the patient.
Right, right, right, that's good to hear.
And so to answer your original question, we're in early days and really trying to balance the patient and patient centricity versus we've got vulnerabilities in our environment that could impact the patient and we've only got limited people and costs. Right, right. Making decisions that kind of balance all of those things.
Right, right, Russell, for last question, we're sitting here in the Forescout booth. Obviously you have a relationship with them. Talk about kind of what their solution adds to some of the stuff that you're working on.
So, Forescout, one of the reasons that we're working closely with Forescout, their solution really, they've taken an approach that's holistic around these issues that we're talking about, right? Managing cyber risk, complex environment, a lot of different devices that are connected to each other and to the cloud and to the internet. They have built a solution that focuses on ability to have visibility into those devices that are on your network, some of which you may not even know exists.
And then being able to kind of build, you know, an asset inventory around that visibility that allows you to do things like detect, based on policy, activity that suggests that you might be hacked or there might be some internal processes or players that are doing things that are going to put patients at risk or have you in non-compliance with GDPR, HIPAA and the rest. And then their solution goes beyond ability to kind of visibility and detect, but to actually do something actionable, right? Security controls and orchestration with other technologies like SIEM solutions and SOAR solutions. Being able to orchestrate, hey, I know that I've detected some activity on this infusion pump that suggests that we may be being hacked. Let me send an alert out, but then let me also maybe quarantine that part of the network. So it's the ability to orchestrate between different security technologies that exist in a hospital environment. That's what we like about Forescout.
I'm just curious when they run their first, you know, kind of crawl, if you will, are people surprised at the results of what's on there that they had no clue?
I mean, yes and no. I think most of the big hospitals that we work with, they know that what they don't know. And especially when you're talking about a health system that maybe has 100,000 connected medical devices across the health system, they know what they don't know. They're looking for solutions to help them better manage and understand the things that they don't know that they don't know versus what they do know about. And I think that's what we bring to the table in terms of kind of cyber-risk services, Deloitte brains, and then that's what Forescout brings with their solution to be able to kind of help solve those problems.
Well, Russell, thanks for taking a few minutes out of your day to share the stories. Super, super important work. You know, it's one thing, you know, to steal a few bucks out of the bank account, like you said.
It's another thing to start taking down machines at the hospital, not a good thing.
Not a good thing.
All right, he's Russell, I'm Jeff. You're watching theCUBE. We're at RSA in Moscone in the Forescout booth. Thanks for watching, we'll see you next time.