Live from Las Vegas, it's theCUBE. Covering NetApp Insight 2017, brought to you by NetApp.

Back to our live coverage, it's theCUBE here in Mandalay Bay in Las Vegas, I'm John Furrier, the co-host and co-founder of SiliconANGLE Media with Keith Townsend, my co-host, CTO advisor. Our next two guests are Sheila Fitzpatrick, the Chief Privacy Officer for NetApp and Michael Archuleta, CIO, HIPAA and Information Security Officer at San Rafael Hospital. Thanks for joining us. Great topic, privacy, healthcare, ransomware, all these hacks going on, although it's not a security conversation, really is about how data is changing. Certainly the HIPAA has got history around protecting data, but is that good? So all kinds of hornet's nest of issues are going on. Michael, well, all for the good, right? I mean, everything's for the good, but at what point are things foreclosed, like role of tech, what's your update on healthcare and the role of data in kind of the state of the union?

Yeah, absolutely. So data right now is one of those assets that's really critical in a healthcare organization. I mean, when you look at value-based care on improvements utilization of real-time data, it's really critical that we have the data in place. But the thing is, though, is data is also very valuable to hackers. So it is really a major problem that we're basically having in healthcare organizations, because right now healthcare organizations are one of the most-attacked sectors out there. I was basically stating that there's an actual poll out there that stated that 43% of individuals don't even know what ransomware is. And you figure, in healthcare organizations, we're really behind the curve when it comes to technology. So, I mean, when you bring that into, and you say, okay, guys, what's ransomware? What's cybersecurity? What's a breach? Everyone's like, well, I don't know what it is. So it becomes an issue.
And the thing is, though, is the culture has not been fully developed in organizations like healthcare because we're so behind in the curves. But what we've been focusing a lot on is employee cybersecurity awareness, kind of bringing in that culture, having individuals understand. Because as you were stating, too, I mean, healthcare information is 10 times, 20 times more valuable than a social security and a credit card on the dark net right now. I mean, if you figure, PHI contains a massive amount of data, so it is very profitable. And these individuals go in, hack these systems because, of course, healthcare organizations are so easy to hack. They place it out on the dark net. You go out, you buy some bitcoins. You can go and have some good identity theft going on. And I mean, we have a massive issue here in the States with substance abuse. So if you want basically a script or you want multiple scripts with different identities, go out there and purchase those specific things. So it is a problem. And then on my standpoint is, imagine if this was your mother's, your father's, your grandma's, any family member's information. That's why data is so valuable and it's so critical that we take care of the information as securely as possible. But it starts with the people. Because I always say at the end of the day, our employees hold the keys to either letting the individuals stay out or inviting them in. So it is a problem, absolutely.

Sheila, I want to get your thoughts because obviously the segment here is why data privacy is always one of the top five concerns for CXOs. And obviously the tagline NetApp has for this show is change the world with data. There's a lot of societal impacts going on. We're seeing it every day in front of our eyes, certainly here in Vegas and then throughout the world with hacks, Equifax just still in memory there. And there's going to be another Equifax down the road. The hackers are out though, that's security concern.
You got developers that are getting on the front lines, getting closer to business. That's a trend in the tech business. Data privacy has always been important. But this means that there's a confluence of two things happening right now that's really the collision course. Technology and policy. Privacy is a policy of things that people spend a lot of time trying to get right. And for all the right reasons, but to make some assumptions here and could foreclose and all penalize them, have a penalty on the future. How should CEOs, COOs, CDOs, chief data officers, chief everybody, they're all at CXOs, think about privacy?

Well, I think it starts at the fundamental and you're absolutely right. There's a real misperception out there around privacy. And I always tell people, people that know me know that my pet peeve is when people say to me, we have world-class security, therefore we're good on privacy. I literally want to slap them because they're not the same thing. If you think about the, if you're going to move that way, if you think about the analogy of the wheel, data privacy is that full life cycle of the wheel. It's that data that you're collecting from the time you collect it to the time you destroy it. It's the legal and regulatory requirements that say what you can have, what you can do with that data, obtaining the consent of the individual to have that data. Certainly protecting that data is very important. That's one spoke on that wheel. But if you're only looking at encryption, that wheel's not going to turn because you're literally encrypting data you're not legally allowed to have. So if you think about the healthcare industry where I absolutely agree, the data that you deal with is one of the most, you know, it's the most valuable data and sensitive data individuals can have. But oftentimes, even healthcare organizations don't even know what they're collecting or they're collecting data that maybe they don't necessarily need.
Or they only think about protecting that protected health information, but they don't think about the other personal data they collect. They collect information on your name, your phone number, your home address, dependent information, emergency contact. That's not protected health information. That's personal data that's covered in privacy laws.

Well here's the dilemma I want to ask you guys to react to because this is kind of the reality as we see it on theCUBE. We go to hundreds of events a year, talk to a lot of thought leaders and experts. You guys are out in the field every day. Here's a dilemma. I need to innovate my business. I got to do a digital transformation. Data is the new competitive advantage. I got to surface data, not in a batch space, it's real time so I can provide the kinds of services in real time using data. At the same time, that's an innovative, organic growing, fast paced, technological advancement. At the same time I'm really nervous because the impact of ransomware and some of these backlash events caused me to go pause. So the balancing out between governance and policy which could make you go slower versus the let's go, move fast, break stuff. Let's go build some new apps. I want to go faster. I want to innovate for my business and for my customers but I want to screw myself at the same time. How do you think about that? How do you react to that? And how do you talk to customers about that when they try to figure it out?

So that's something, that's an area that I spend a lot of time talking about because I'm very fortunate that I get to travel the globe and I'm meeting with our customers all over the world. And those same issues, they want to adapt to new technology. They want to invest in the cloud. They want to invest in AI, internet of things. But at the same time, I keep going back to, it's like building a house. You have to start with the ground floor.
You have to build your privacy compliance program and understand what data do you need in order to drive your business? What data do you need to support your customers, your patients, your employees? Once you've determined that fundamental need and what your legal requirements are, that's when you start looking at technology. What's the right technology to invest in? You don't start that journey by deciding on technology and then fit the data in. You have to start with what the data is and what you want to do with that data, what service you're trying to provide and what the basics are, and then you build up.

So foundationally, data is the initial building goal?

Absolutely, you don't build a house by starting with the second floor. If you start looking at tools and technology to begin with, that house is going to collapse. So you start with the data and then you build up.

Michael, you're in the front lines and the realities are realities, your thoughts.

Absolutely, so you have some excellent points and the thing is, at the end of the day, I always say security at times is inconvenience. I mean, we add two factor authentication, we add all these additional fundamentals in what we basically do, but the bottom line is we're trying to secure this data. There has to be security governance to really focus on, okay, this is the information you need. We need to kind of go through legal, we need to go through compliance, we need to kind of determine that this is going to be ease of access for your group and we need to make sure that we are keeping it secure as well, too. I mean, the bottom line is innovation, of course, they want to do so much disruption, et cetera. It's absolutely amazing, you know, I love innovation, honestly, but we still have to have some governance and focus on that and keeping it secure, keeping it focused and having the right individuals really communicate.

How do you tackle that as a team?
With your team, it's cultural organizational behavior or project management, product planning, how do you deal with the balance?

Well, at the end of the day, you know, the CEO of NetApp basically states it starts from the top down. You really have to have a data-driven CEO that basically understands at least the fundamentals of cybersecurity, information technology, innovation, have those all combined in together and having that main focus of governance so everyone has that full fundamentals of understandments, if that makes sense.

So, let's talk tactical. You know, we've talked at the high level. I love it that you brought in the global conversation into this, you're taking a global view. We talked a little bit before those shows. There's a mixed mess in taxonomy. Here in the U.S., we're focused first on security, maybe, and then, secondarily, on this concept of PII, which really doesn't exist outside of the U.S., now we have GDPR. Talk to us about the gap in understanding of GDPR and what we consider as PII here in the U.S., and where U.S. companies need to get to.

Okay, that's a great question. So, the minute that an individual talks about PII, you automatically go U.S. centric, understanding that you must operate in a purely domestic environment. The global term for personal data is personal data. It's not PII. There is a fundamental difference. In the U.S., there is a respect for confidentiality, but there's no real respect for privacy. When you talk about GDPR, that is the biggest overhaul in data protection laws in 25 years. It is going to have ramifications and ripple effect across the globe. It is the first extraterritorial data privacy law, and under GDPR, personal data is defined as any piece of information that is identifiable to an individual or can identify an individual either directly or indirectly. But more importantly, it has expanded that definition to include location data, IP address, biometric information, genetic information, location data.
So if you have that data and you say, well, I can't really tie that back to a person, if you can go through any kind of technology process to be able to tie it back to a person, it is now covered under GDPR. So one of the concepts under GDPR is privacy by design. So it's saying that you have to think about privacy very similar to where we've always thought about security up front. When you're investing in new technology, when you're investing in a new program, you need to think about, going back to what I said earlier, what data do you need? What problem are you trying to solve? What do you absolutely have to have to make this technology work? And then what is the impact going to be on personal data? So I absolutely agree, security is incredibly important because you need to build a fortress around that data. But if you haven't dealt with the privacy component of GDPR and other data protection laws, security would be like me going down and robbing a bank, coming home and putting that money in the vault in my house, locking it up and going, that money's secure, no one can get to it. When the police come knocking on my door, they're not going to care that I have that locked in a vault. That's not my money. And you have to think about personal data the same way. And certainly healthcare information the same way. You need the consent of the individual and you need to articulate what you're going to do with that data, be transparent. So the laws are not trying to inhibit or prohibit technology, they're just trying to get you to think about.

So Michael, as we think about this, how it impacts GDPR specifically, the healthcare industry taught the dinner about this a little bit. We're talking about medical records, doctors, medical professionals like to keep as much data as possible. Researchers want to get to as much data as possible. What are some of the ramifications or considerations at least for the medical industry?

Yeah, absolutely.
So, you know, on your standpoint there, as you stated, you know, at the end of the day, when we basically look and we focus on our security governance, we kind of, we go over the same fundamentals as you were going, you know. What information is basically needed to access that information for the patient? What is needed from the physician standpoint? What is needed for the nurses standpoint? Because the thing is, is, we don't just open it up to everyone, you know, like on it coming in by different specific job functionalities, you know, we kind of prioritize and put different levels of, this is the level of data this individual basically needs versus this individual. And the thing is, is the beauty about what we basically have focused on a lot too, is we develop the overall security governance committee that kind of focuses on, you know, the specific data's from HIPAA, HITECH and the different laws that we're focused on in healthcare. And, you know, we really have started focusing a lot on two factor authentication with accessing information. So we're really utilizing some of those Vasco tokens, RSA tokens with algorithm changes, et cetera. But at the end of the day, the thing is, is the main focus is what information do you need? And the bottom line is too, is it has to have that specific culture of understanding that cybersecurity and data is very important. And the thing is, is on a physician standpoint, they want access to everything, literally everything. And that's understandable because these individuals are saving lives, but the thing is though, is there has to be governance in place, and they have to have that understanding that this can be an issue moving forward. These are the potential problems of a breach that could basically happen. This is the information that you need. If there's more information that is needed, it will go through the security compliance governance committee.

It's a hard job.
I mean, if they want the nirvana, they want the holy grail, they want everything right there. Thanks for coming on. Appreciate making it aware of the data privacy issues. Sheila, thanks so much for coming on. Michael. I'll give you guys a final word on how management teams, executives should align around this important objective. Because there's some inconvenience happening in the short term, but automation's coming, machine learning, all this great stuff is being promised and looks good off the tee, as they say in golf. But the reality is, there's a lot of lip service out there. So the tagline, oh, we're strong on privacy. So walking the talk is about having a position. Not just the tagline or the talking points, having a positioning around it first and getting an executive alignment. So final point, what's your advice to folks out there who have either thinking this through hard? Is it a matter of reducing choices, evaluation? What are your thoughts on how to attack and think about and start moving the ball down the field on privacy?

Well, that's a great question. I think certainly at NetApp, and as you mentioned earlier, I mean, our executive team and certainly George Kurian and our CEO absolutely has a philosophical belief in that fundamental right to privacy and respects the fact that privacy is key to what we do. It has to become a competitive advantage almost in an accidental way because we take it so seriously. It's a matter of balance. Absolutely, we need to take advantage of new technology. We're a technology company. We're building technology, but we also have to respect the fact that we operate around the world and there are laws that we have to comply with and those laws dictate what data we can and cannot have and what we can do with that data. So it's that balance between data's our greatest asset, we need to protect it.
It can also be our greatest detriment if we're not treating it in a respectful manner and if we're not building technology that enables our customers to protect that fundamental right to privacy.

Michael, from a management team perspective, honestly, functioning with an alignment implies a well-oiled machine. Not always the case these days, but how do you get there? What's your advice?

You know, my advice is speak the language. CEOs, CFOs, administration, they basically don't want to hear this tech-lingual at times, okay? Have them understand the basic fundamentals of what cybersecurity is. What it can do to the operations of an organization, what a breach can do financially to an organization, really have those kind of put in place. Bring that story to the board of directors. Have them kind of focusing on the fundamentals this is why we're protecting our information and this is why it is so critical to keep this information safe. Because the thing is, if you don't know how to tell the story and if you don't know how to sell it and really sell it to the point, you will not be successful. So it really starts from the top.

That's a great point, Michael. And we hear all the time too, the trend now is IT has always been kind of a cost center. Security and data coverage around privacy should be looked at not so much as a profit center, but I'd say you could go out of business so you don't treat it as maximizing your efficiency on costs. The effectiveness of privacy is a stay in business table stake and that has an impact on revenue, so it's quasi top line.

Well, absolutely. If you think about the sanctions under the new GDPR alone, you could have one data privacy violation that could, the sanction could be equal to 4% of your annual global turnover. So it is something that- It's a revenue driver. It's a revenue driver. It's something you need to take- It's a revenue saver. It's a revenue saver. Well, for some companies it's become a revenue driver.
This is the mindset. Most people think P&L, oh, the cost structure profit center, from that profit center they're doing sales. This is a new dynamic where risk management actually is a profit objective.

Absolutely.

Guys, great topic. We should continue this back in California.

I'd love to.

Michael, thanks for coming on and sharing the CIO perspective and the healthcare.

Thank you very much.

Great content. It's theCUBE breaking it down here, getting all the data and keeping it public. That's our job is to make all our data public and sharing it on siliconangle.com and thecube.net. More live coverage here in Las Vegas with NetApp Insight 2017 after the short break.