Part III: The Future of Technology in Home Care Services

Enabling Better Health Care & Senior Care Outcomes with Technology

This series focuses on how the health care and senior care industries are enabling more autonomous living opportunities for all ages while improving and expanding care in face of the exponential growth of the senior population. These industries face labor shortages and a strain on existing systems that must evolve and scale while meeting information security and privacy requirements.

Show Highlights

In the third episode of this series, Matthew D Edwards and Jeff Huber, CEO of Home Instead Senior Care, discuss how the traditional business model must adapt and evolve in the face of three megatrends:

  1. The fastest-growing age segment is 85+, and that shift affects every system built for the traditional age pyramid.
  2. Healthcare delivery is moving from a fee-for-service, volume-based model to an outcomes-based one.
  3. The digitalization of everything, and this industry’s ability to adapt and succeed.

Key Takeaways

  • Leading a cultural change of a large distributed network that needs autonomy and a certain amount of uniform systems and processes to unlock a digital future that meets business and security requirements.
  • The foundational work required for a future where big data and artificial intelligence analytics truly play a very predictive and prescriptive role.
  • Getting an organization and its people to leverage digital-enabled tools and think differently about how care is provided – while ensuring regulatory compliance.

About Our Guest

Jeff Huber, CEO of Home Instead Senior Care

As Chief Executive Officer of Home Instead, the leading global provider of home care services for older adults, Jeff Huber leads the company and its franchises in their commitment to addressing the challenges of the aging global population by promoting consumer choice in care. In his four years as CEO, he has also increased the organization’s commitment to leadership development and training to empower professional and family caregivers and to advance the mission of Home Instead Senior Care: To enhance the lives of aging adults and their families.

Read the Transcript

00:05 Matthew D Edwards: Welcome to The Long Way Around The Barn, where we discuss many of today’s technology adoption and transformation challenges and explore varied ways to get to your desired outcomes. There’s usually more than one way to achieve your goals; sometimes the path is simple, sometimes the path is long, expensive, complicated and/or painful. In this podcast, we explore options and recommended courses of action to get you to where you’re going, now.

00:58 Matthew D Edwards: Welcome to another episode of The Long Way Around The Barn. My guest today is Jeff Huber, the CEO of Home Instead, whose mission is to enhance the lives of aging adults and their families. Jeff, good morning.

01:09 Jeff Huber: Good morning. It’s great to be with you, thank you.

01:11 Matthew D Edwards: This episode continues my conversation on how technology can improve the lives of our aging population through the use of remote monitoring solutions using Internet of Things or connected things technologies, while also ensuring purposeful comprehensive privacy and information security practices along the way. So Jeff, the name of your organization is Home Instead Senior Care, and people can learn more about your organization by visiting Teach us a little bit about your organization. What are your organization’s aspirations? What do you offer folks today? Teach us.

01:52 Jeff Huber: Yeah, great. First, I’m really pleased to be with you, so thank you for having me. Home Instead Senior Care is the world’s leading provider of in-home care for seniors. We were founded right here in Omaha in 1994 by Lori and Paul Hogan out of a very personal need they were experiencing. Paul’s grandmother, Eleanor Manhart, was the matriarch of a very, very large family. She had 12 children, 50 to 60 grandchildren, and as many great-grandchildren. She was widowed, living alone in her apartment in downtown Omaha, and was in her late 80s and was in failing health. She couldn’t even get out of a chair. She was becoming very frail. And so the family surmised that Grandma Manhart, she only has a few more months and so let’s make those the best they can. They made a couple of decisions, the first one is there’s not gonna be any nursing home. The second was they were gonna move her into the home that Paul Hogan grew up in, down at 38th and Cass, his mother’s home. And third, they were going to surround her with a schedule, they’re gonna take all these cousins, aunts and uncles and put together a schedule and figure out how they could be with Grandma Manhart, to get her engaged in things that really gave her meaning and purpose, like getting to daily mass or those kinds of things.

03:26 Jeff Huber: And what they found, instead of having just a couple of months to live, Grandma Manhart did a remarkable U-turn when she got really plugged back in and had a support system around her, and she actually went on to live 11 very fruitful years. And that caused Lori and Paul to just wonder, first, what do other families do that don’t have 50 first cousins in town and all these resources? But also they saw the power of socialization, interaction, things like making sure she had three square meals a day, and how that had a transformative effect on Grandma Manhart’s life. And so, Paul had always wanted to have his own company, he’s an entrepreneur at heart, he was working for Merry Maids, which was an Omaha-based franchise home cleaning company, where he learned franchising and he learned home services. And so he put together a business concept and struck out on his own with three young kids and one on the way and being the sole breadwinner, classic American entrepreneurial story.

04:40 Jeff Huber: That was 1994, so fast forward to today, we’re the world’s leading provider of home care services. We have about 1200 franchises operating in 14 countries around the world, we’ll provide more than 90 million hours of care to our clients. Today we’ll be in probably 85,000 or 90,000 homes around the world. We’ll employ more than 100,000 caregivers this week through our network of independently-owned franchises. We have a particularly heavy emphasis and expertise in caring for people with Alzheimer’s or other forms of dementia and multiple chronic conditions. So that’s a little bit about Home Instead and our 26-year history.

05:25 Matthew D Edwards: Yeah, that’s outstanding. And all of those things being focused on in-home care or aging in place.

05:33 Jeff Huber: Exactly. So the name implies, it’s home instead of a nursing home or something. The truth is, we can provide care to clients wherever they call home. Most of our clients, it’s the traditional home that you would think of, but we provide an awful lot of care to clients who live in a facility of one sort or another.

06:00 Matthew D Edwards: Very good. So you very well know how times have changed through the years, and the needs of people, and the logistics and complications of home and staff and training and verification of quality of service, and all of those things have impacted your business and likely a lot of other people’s business, to just say, “Hey, what we did yesterday still works well, but now we need to consider these additional things or different things as well along the way.” And even this recent pandemic, if you will, has probably, I would guess, impacted in some way, shape or form some of the decisions that you and your teams have to make in order to take care of people and just love them in place.

06:46 Matthew D Edwards: This podcast that we’re working through is really talking about the technology that continues to be created and adopted and evolved and available in the home care space and the senior living space, just to people in general. We spend a lot of time just talking about, “What is available? What do you do with it? How does it work? What are the risk exposures? And then what are the decisions that leaders need to make in order to provide the best quality of service using the newest sensible technology while also having the right protections in place along the way?” Specifically around privacy and information security, because they’re more difficult than just a Saturday afternoon jaunt and they’re getting more complex. In the world that you live in, the work that you do, the folks that you work with on your teams, your leadership teams, your operational teams, as well as the clients that you serve, do you see technology changing the way home care service providers and workers do their jobs today differently than yesterday, or do you see it changing even more drastically in the future?

07:57 Jeff Huber: Well, there’s a lot to unpack there. First I would say, the way we look at the world is at the intersection of three global mega trends. The first is what you talked about, which is aging. We’re about to undergo the most massive demographic shift in the history of the planet. For the first time there are more old people, in developed countries at least, more old people than young. That’ll be true within 10 or 15 years across the board. 85 plus population is the fastest growing segment of the population. So we’re really at the very front edge of a 30-year surge in the oldest of the old, and that’s having ripple effects on every system that’s been developed. I like to talk about the inversion of the aging pyramid, right? So if you think of the traditional age pyramid where the oldest is at the top and the smallest segment of the population and the youngest is at the bottom, that’s literally going through a period of inversion. And so every system that we have today has been built for the traditional pyramid, whether it’s transportation or retirement systems and savings, vehicles or education, it’s all been built for… So that’s creating all kinds of pressures on those systems, and the world needs to rethink, every system needs to re-think. So, that leads me to the second major global trend, which is the transformation of the healthcare delivery system, that’s where it’s gonna be felt most acutely.

09:40 Jeff Huber: So not only do we have this massive population, but they’re living longer. The life expectancy is up more than 25 years since the end of the Second World War. With that brings a huge influx in multiple chronic conditions. And so there’s this big movement in healthcare delivery moving from a fee-for-service or a volume-based model to outcomes. And what we know about our types of services is that when we’re part of the care equation, our clients’ usage of that healthcare system go down dramatically, particularly with someone who has Alzheimer’s or other dementia, and we can care for them at home more cost-effectively, better outcomes and higher quality of life. So I like to say the future of the hospital looks a lot like your living room, because the home is really gonna be the only scalable place where we’re gonna be able to care for this massive influx of seniors. And then the third, getting into your world, the third global mega trend, is really the digitalization of everything. Now that the Internet’s three decades old and we’re seeing the transformation that’s happening on every business model, radical new business models disrupting old, and those companies who can lean into those changes and adapt are the ones that are gonna have success in the future.

11:16 Jeff Huber: So that’s sort of the context in which we’re looking at the world and this whole big question that you’ve posed, and I think it’s just… With all of that, technology absolutely will play a role in helping to solve that. So we talk about we need to expand the capacity of the world to care for seniors. Technology should do just, it should enable us to expand capacity. So the big challenge for us is taking… We’re a very high-touch organization, a very high-touch approach, we’re in our client’s home, in the US at least, on average about 25-26 hours per week. And we like to say we’re barely not analogue, we’re so high-touch. So the challenge for us is to take that footprint that we’ve spent 25, 26 years developing and retrofit it with some digital-enabled tools, giving our caregivers and our franchise owners some new tools and capabilities to deliver more care and more effective care, do more with less, more predictive and prescriptive types of care. So is technology gonna play a role? Absolutely. What that looks like precisely is yet to be told, but we can get more into our experience and learning so far.

12:44 Matthew D Edwards: That makes sense. So you’re expecting out of those three ideas that you brought up, the three things that you’re paying attention to, you’re expecting that the technology is not only going to impact the operation from the perspective of your company, but it’s also going to impact how the elders are able to take care of themselves through the years, as well as how they engage with your organization. You didn’t say all of those things, but that’s an extrapolation that I’m reading, it sounded like you’re asserting technology is one of the three legs that are going to create change ripples, and you’d like to be at the head of it.

13:22 Jeff Huber: Yeah. At the intersection of those three, we looked at that and said, “Okay, our traditional business model, given those three global mega trends, we need to evolve our model.” And what remains true for us is the delivery of highly personalized care at home. How we do that going from a purely caregiver, physical presence in the home at all times, needs to evolve and we need to give our caregivers and their families who provide most of the care some new tools and capabilities and the ability to use data and to provide insights in how we can do all of that better.

14:06 Matthew D Edwards: From your perspective, do you think the home care industry itself, the senior industry itself and/or your organization, from a risk appetite perspective, do you think in general that the adoption of new ideas like new tech, is the industry ultra conservative? Is it somewhat moderated? Is it leading edge? How do you see it today versus the future?

14:32 Jeff Huber: Well, I think the aging space itself is garnering a lot of attention in innovation and technology and how we care and keep people safe and secure at home, or care for them in different ways. I don’t know that I can speak for the entire home care industry. Our experience has been in leading a large multinational franchise company that has an awesome group of franchise owners, but they’re also very entrepreneurial. I’m confident we’re gonna be able to solve the technical challenges ahead. The big issue that you’re really asking about is leading a cultural change of a large distributed network that we have some controls over, but it’s franchising. And so, there’s a large underlying cultural shift that needs to happen and a mentality that needs to be open to doing things differently in new ways around technology. That’s a journey we’ve been on. I think this Covid situation has really opened the minds of our network and softened maybe some of the defenses against those things, and has actually helped us with the adoption of some of the digital tools we’ve been rolling out.

15:56 Matthew D Edwards: Sure. So Jeff, based on the things you’re talking about then, entrepreneurs obviously are, by definition, moderated or managed risk takers themselves trying to understand, “How can I provide value? How can I enable a profitable experience all at the same time?” Otherwise, they’re no longer in business. But they need to offer a value, a good value proposition, or nobody’s gonna come calling any way. So while Home Instead is enabling basically an oversight or portfolio management or an enterprise view into how to franchise and enable home care, does that then suggest that a lot of these different franchise owners may adopt some of these new ideas at different velocities? And then does that different velocity… How much autonomy is there and how do you regulate or normalize those things?

16:50 Jeff Huber: Yeah, we could have several podcasts on that topic alone, I think. I sort of view the first 25 years of our existence as really establishing this business model, bringing it to scale, creating this massive footprint that we’ve developed. We’ve got a ways to go in the expansion, lots of room there. But in that, we have learned so much from our franchise owners and provided enormous amount of autonomy to them, to help us learn and create the model. I think we’re at a point now where we really understand that and we’re… Part of the cultural shift I talked about is really moving them from running this business however they want, I’ll put an asterisk there ’cause I’ll come back to that, to a more uniform way of doing things, more uniform systems and processes that are really gonna be essential for us to unlock a digital future. We can’t have thousands and thousands of iterations of how this business operates.

18:03 Jeff Huber: The asterisk I wanna come back to is while we’ve provided a great level of autonomy, we also have had a very finite set of standards, but we’re extremely serious about them at how the business operates at the local level, that really all have to do with the safety and security of our clients. So we’re very uncompromising on those things, yet at the same time, exactly how the business operated was a lot of latitude granted at the local level. So again, we’re moving from sort of choose your own adventure in terms of systems and tools and processes, to a much more uniform, digitally-enable future. And we’ve had some challenges in leading people there, but now the network is really starting to get it and embrace it.

18:56 Jeff Huber: And part of your question was… There’s always a bell curve with adoption of anything within our system, and so we’ve got the early adopters and we know who they are, and many of them oftentimes are out ahead of us, frankly, on ideas, we don’t pretend that we have all the best ideas, we really try to tap into the ingenuity of the local franchise owner, who is on the front line solving very real problems and they’re incredibly innovative and smart. And so we try to tap into what they’re doing, breaking those best ideas, and then your resources and bringing them to scale, but so when we’re trying to introduce a major change, we really focus on what we call the ready and the willing, which are that front end, help us learn and iterate, and then usually there’s a big group in the middle that is waiting and seeing…

19:46 Jeff Huber: They might have some skepticism, wants to see what the ROI is, or how hard this change is gonna be, or those kinds of things, and then usually if we do our job right, they come on board pretty quickly. And there’s always a group at the end where we have to get them on board by mandate, so right now, we’re really moving in our digital transformation, I’d say from the early adopters to more moving that big middle group on board, we’ve got a lot of the things figured out, ironed out, we’ve done a lot of the hard internal work to sort of enable scale. And so we’ve been sort of setting the table for this for years now, and now it’s really time to start leaning into it and accelerating that transformation.

20:33 Matthew D Edwards: Is it accurate then for me to summarize some of the things that you just said to say that as an enterprise organization, you’re working to normalize or streamline some things for a number of reasons, and that can be a cost of ownership or general in economic considerations. It may be for regulatory compliance or privacy or confidentiality or those types of ideas as well. But at the same time, you’re still wanting to enable autonomy and independence or independent evolutionary thinking at the franchise level. So you’re working to, which is a continuous job, evolve both what can be normalized and what should be independent or individual and when? And that’s kind of the model that you’re evolving on right now. Is that a good summary?

21:22 Jeff Huber: I think that’s a really great way to summarize it, and another way to say it is that there’s this constant tension between those two things, and at different points of your evolution, you’re sort of setting the dial, either more towards autonomy, more towards structure. So that’s where we’re at. Yeah. That’s a great summation.

21:42 Matthew D Edwards: Okay. That sounds like kind of a normal model for larger organizations anyway, where that constant tension of, “Yes, I want to enable you to do what you need to do, however, I also need to make sure that it’s predictable, repeatable, auditable, compliant.” Let’s be responsible here, we wanna be in the newspaper or the media for the right reasons, so let’s make the right decisions together, so that makes a lot of sense and it’s hard all of the time, as I’m sure you and your team would communicate. So as it relates to the home care industry, a lot of these new technologies that are coming out, there has been technology available for a long time in various iterations.

22:28 Matthew D Edwards: Some of the newer things, for example, companies that are implementing connected things or Internet of Things solutions, for example, a single physical device unit that goes inside one room that doesn’t touch anyone, but it monitors all behaviors all of the time, collects all of the data, patterns, it finds patterns, it makes decisions, it asserts potential, but it does predictive analytics as well, for example, gait analysis. In order to predict a fall, there needs to be data, the data has to be collected across time, which then creates patterns, which then elucidates or reveals a possibility, which then alerts people so they can make decisions, and that actually sounds spectacular.

23:15 Matthew D Edwards: So that you could know in advance, “Hey. It looks like mom’s having some trouble right now, and maybe I’m just gonna go hang out with her for a little bit and we’ll go see how the day goes together.” With that though, comes a ridiculous amount of information, so for example, when you’re talking about your organization and multiple franchises, multiple countries and all kinds of clients, if all of those were operating together and all of that data was being collected just to do predictive analytics on a fall, do you think or have you perceived or do you understand in your own house or in other organizations, how people might be prepared to start collecting more data more often? It is a little bit of a paradigm change between, “Here’s what I entered at the end of my shift,” versus sensors that are collecting data 7 x 24 x 365.

24:17 Jeff Huber: Again, you ask really big thought-provoking questions. I think there is absolutely a future where big data, artificial intelligence analytics is gonna play a very predictive and prescriptive role, and for those of us who are out there looking at the future like that, our minds tend to go right there. And in fact, my mind has been there for a while, I’m very fortunate to say that some tables where they’re sort of cast in the future for healthcare and those kinds of places. The challenge is, we got a lot of work to do before I think that can happen, and we can’t put the cart before the horse.

25:07 Jeff Huber: In fact, in our business, we’ve had to go back and do a lot of the really nitty gritty, un-sexy work, to lay a foundation that would eventually unlock the kind of future you’re talking about. I’m talking about… And this might sound really rudimentary, but remember, we’re barely not analog, things like single sign on or those kinds of things. I’ve learned more about those kinds of things than I ever thought possible when I was wanting us to have a dashboard that said, “Hey. These five clients are at a 95 probability for a fall today, we need to do something about that.”

25:52 Jeff Huber: So we have to really start at the very foundational level, so we’ve spent the last few years really putting in the stuff that doesn’t really… Isn’t real sexy, you don’t really talk about it at conventions to your people, it’s quietly happening in the background, but we’re starting to sort of come out of that phase, and now we’re starting to be able to deliver some of those more value-add things. For us, we’ll get there, but we’re really starting more with enabling, giving our caregivers new tools so they can do their job better, connect with the office better, connect with family better, having some remote capabilities so we can be more efficient with our limited human resources. So we can get eyes into the home without having to send a nurse across town to be there and evaluate a situation, we can do that remotely.

26:54 Jeff Huber: A lot of the things that require a lot of time and manpower and a lot of friction, we’re able to begin to automate and streamline, so that’s really where our immediate focus is. But we do have our eye on that end game of being able to use huge data sets, you know $90 million of care and 85,000 homes, and then you give it in 25 hours per week that should… We should be able to unlock, use very powerful data sets to be able to provide more predictive, more prescriptive care. It’s just we’re not there yet.

27:35 Matthew D Edwards: Yeah. No. The idea of digital transformation is actually an interesting and also useless word, like saying cloud or quality, those words mean something different to anybody that you talk to, and so it’s difficult to talk about. But the idea behind digital transformation is really multiple things: it’s the process, it’s the tools, it’s the people as well as the company as a whole. And so, to just pick up a new Internet of Things device and call that digital transformation is actually completely miscommunicating the whole idea.

28:12 Matthew D Edwards: It’s how do we take our entire organization and optimize how we get to the desired outcome, which is to enable people to age in place, to love them where they are, to be helpful when they need us and be out of the way when they don’t. And that requires us to talk about everything, not just a trip to the Home Depot or a trip to Best Buy to buy something really cool and plug it into the network, so it’s a lot of work, and so you’re talking about a lot of behind the curtain stuff that then nobody wants to talk about, that everybody has to do, that maybe some people haven’t had to do yet. So yeah, there’s a lot of work for the no contest.

28:51 Matthew D Edwards: So when someone like you in a leadership role sees something in a magazine or sees a commercial or an advertisement in an article or whatever it is, along the way of saying, “Hey. Look at me, I’m technology company 12, I’ve developed this brand new and amazing device or this new software or I have this new widget.” And then someone like you in your role probably is inundated with 10, 20, 50 or 100 different companies all coming to you with their particular widget. And some companies will assert, “We have a comprehensive solution.” And some will say, “This will fit into your solution.” If you take all of that and just say, “Hey, that’s fine,” let’s put it to the side. In order for you to do what you need to do to love and engage and care for people, what would be, from your perspective, an actual useful way for technology solution providers to come alongside you and work with you and help you solve problems?

30:00 Jeff Huber: Well, that’s a good question. And you’re right, we are inundated with all kinds of opportunities, and the big challenge for us is sorting through those. So the main thing I did, or we did, I should say, when trying to solve for this, was to really formalize our innovation function. We’d had a lot of innovation, and like I said, we’ve got hundreds and hundreds of franchise owners out there solving problems. And so we try to tap into their ingenuity all the time and bring the best ideas to scale. And that worked great, but when we were thinking about, “Okay. We really need to take our footprint and our high-touch approach and give it some digital capabilities,” the possibilities for that were endless, and to try to solve that problem, I wanted to formalize our innovation function, so we acquired a digital marketing company that we had a lot of experience and trust with, and kept the digital marketing function alive, but also gave it a charter that said, we need you to help us think about what a digital enabled future looks like for Home Instead. I wanted it to be outside of our organization, because I wanted them to be free of legacy thinking and systems and tools.

31:31 Jeff Huber: And so, that I think has served us really, really well. We’ve sort of wound down the digital marketing part, we really built up that innovation function, and now that team is part of us, just on the outside still, so they can sort of be free of the, “This is the way we’ve always done it,” thinking. But they now have a charter and a process and a way to evaluate all those, and they’re going after sort of stop doing activities, kinds of innovation, that sort of incremental innovation. But there’s also the big sort of game changer types of innovation, that’s how we sort of think of it, and they’ve got a finite budget and a charter to do that. And so I sort of let that group take on the challenges or sort through as they get process. So to get specifically to your question, if somebody wanted to come alongside us and maybe pitch something to us, the best way I think would be to go through our innovation group, who has a formalized way of evaluating all of that.

32:43 Matthew D Edwards: That’s fair. So you have an incoming process to filter and prioritize? That’s a really great way to do that. Very often do you hear about people saying, “If I buy this tool then… ” Or, “If we change this part of our business, then… ” And in many cases, they may not fully understand what they want it to look like on the other end of that, but they absolutely feel like if they make this change, then whatever change happens is probably gonna be good. So it sounds like you guys are on the front end of that, you’re saying, “Hey. We know we need to evolve, but it needs to be on purpose, so let’s go do this on purpose.”

33:28 Jeff Huber: Exactly, they’ve got their charter and where we started, there’s about a two-year process. Well, after the acquisition, it took us a couple of years to sort of get the right people and talent in place and sort of the structures in place, and then the big charter for them was like, “Okay. How do we create a digital pipeline into our client’s home?” We knew we wanted to get tools into the client’s hands, into the home. So then we started looking and knowing that we’re a home care company, we’re not a tech development company, so we tried and failed at that a couple of different times, so knowing that we really… This is gonna be about partnerships and funding, so that process, we evaluated it, electricity ran through it, and it was aimed at the senior space, I think we took a good hard look at just about everything out there, and at some point you gotta stop evaluating and put in, and understand this is a journey, there’s no end point, this is just a continual evolution.

34:38 Jeff Huber: But we made a big move with a company called GrandPad, made a strategic investment in that organization that, one, had a really, we thought elegant solution, they took a very… With a very mature tech leader, founder, so many of these organizations are… Solutions that come forward come from really bright young minds, but it might really be a tech innovation challenge as opposed to trying to practically solve a solution. So this was a very mature leader solving a very practical solution, or problem that he had found in his own life, figured everyone else is dealing with it too. Great value alignment with our organization, and it’s been wonderful, and now we’re starting to…

35:31 Jeff Huber: We’ve had to make some adaptations to that tool to make it really a good tool for our caregiver workforce, but also understanding that this is an entry point for us, this is not the end, and there’ll always be something next, and that’s why I’m grateful we have an innovation team in place to sort of always be evaluating what the next thing is. The big thing for us, though, is that we have to begin getting our organization used to using digital-enabled tools and thinking differently about how they provide care, because the current model of one caregiver for one client, going back to these global megatrends, isn’t gonna be scalable in the future, we have to create scale and increase capacity.

36:15 Matthew D Edwards: Right. That makes a lot of sense. So Jeff, last question, and this has been outstanding so far, thank you. What we’ve seen in many industries is a shift to now include, on purpose, amplified and communicated, the role of chief information security officers or some senior leadership role whose job is to enable and ensure regulatory compliance, information security ideas, privacy and confidentiality in particular. As the industry has changed and even as your own organization has changed, how do you see the role, the public role, the amplified role of information security and privacy changing from yesterday to today and tomorrow, if you will?

37:09 Jeff Huber: Yeah. Well, again, you’re asking really big questions and that one, we could go down a number of different paths with, culturally speaking, just as we’re all wrestling with our individual rights and privacy and security of our information in this new world, but yeah, part of the nitty-gritty, un-sexy work I referenced earlier had to do with creating a data governance program and understanding how we were gonna collect, normalize, store, secure, and then finally analyze and use appropriately this various data that we’re anticipating collecting. And then multiply that against operations in many, many different countries, all with different security acts.

38:10 Jeff Huber: And so, it’s been a huge focus for us. And our regulatory and compliance group here, part of our legal team, has grown significantly, we’ve made big investments in bringing on personnel who can understand and help keep us safe and get the appropriate certifications in that area. So that we are safe and secure, we’re using information securely, not invading anyone’s privacy or overstepping their… Trust is so important to us, having a philosophy that this is really gonna be all about enhancing care and providing more personalized services, we’re not looking to sell this data or use it in some sort of commercial, we’re not looking to monetize it in any way, we just wanna do a better job of what we’re doing, so that’s a bit about… We had to sort of get right in our own minds about this philosophy and approach, and then make big investments in all of those different pieces I just referenced, including making sure we have people who understand that world really well and can keep us on track.

39:25 Matthew D Edwards: Yeah. It’s a lot of work, it’s a lot of work for everybody. Not just you, whether you have country by country governance, you also have the state-by-state governance, and then you have industry governance on top of that, it’s a lot of work and it has to be done on purpose.

39:42 Jeff Huber: It’s enormously complex. I think the most important thing is you have a… Really, a philosophy and approach, so many people sort of get big eyes and see dollar signs when they think about monetizing data, that’s not at all been our approach. So we had to get aligned philosophically on all of that and then put those pieces in place. Yeah. And it’ll be never ending, and one of the internal challenges is getting… We’ve been a care company, we support franchise owners in providing care who… These are people who recruit clients or train caregivers and pair them up in a very high in-touch way.

40:31 Jeff Huber: So getting internally an understanding about, “Hey. This is where the future lies, we have to continue to evolve our business model.” Which involved investments in these things that maybe our frontline folks didn’t quite get like, “Why are we hiring all these lawyers and what’s all this data stuff about?” So it’s been a huge internal education, I’ve had to learn a lot, our whole team has had to learn a lot, we’ve brought in a lot of talent to help guide us there, we’ve brought in some outside resources to help guide us there, and then internally and I…

41:07 Jeff Huber: What’s really exciting about that is it’s been frustrating at times. It’s been a learning curve for everyone, but I think we’re all starting to get it now, and where I feel like we’re starting to reach a tipping point within our network. So that’s been a really rewarding journey, and I know we’re gonna have other setbacks and other frustration points along the way, but I think we’re now aligned as an organization, so that’s been a very gratifying experience.

41:40 Matthew D Edwards: That’s great. The net of the whole conversation that you’ve communicated is, “We’ve had a great journey, and we want to continue having a great journey, and that means we never get to rest.”

41:53 Jeff Huber: It proves that constantly, we’re constantly having to evolve. And so the key competency for a good Home Instead team member is the ability to adapt and change and look at that not as a threat, but as an opportunity to grow and evolve. And so I think we’ve got our collective mindset right there.

42:14 Matthew D Edwards: Very good. Well, Jeff, this has been outstanding. Thank you for taking the time to meet with us to teach us about your organization, about the journey that you’ve been on and where you guys intend to head and are heading. And man, we look forward to paying attention and seeing where you go and learning from you again, and look forward to talking to you again. Thank you.

42:36 Jeff Huber: Yeah. Well, I appreciate the opportunity.


Part II: Putting Together Information Security and Privacy Plans that Matter

Enabling Better Health Care & Senior Care Outcomes with Technology

This series focuses on how the health care and senior care industries are enabling more autonomous living opportunities for all ages while improving and expanding care in the face of the exponential growth of the senior population. These industries face labor shortages and a strain on existing systems that must evolve and scale while meeting information security and privacy requirements.

Show Highlights

In the previous episode, we focused on purchasing and securing IoT monitoring devices, implementing platforms and securing the data associated with them. This time, Rebecca Herold and Nathan Gibson join us as we explore the role and value of whole organization information security and privacy plans. Do you have them? Should you have them? And what do they look like?

Key Takeaways

  • Creating an Information Security Plan that achieves compliance and ensures the data is protected in the manner the organization needs. 
  • Putting a framework in place that addresses the full lifecycle of data and ensures human behaviors follow the plan with regular checks, tests, communication, and training to confirm everyone in the organization is aware and following the plan. 
  • How senior leaders must stay aware of how well the organization is implementing and evolving the plan.
  • Successful security and privacy programs are the ones that coordinate closely and often report to the same person in the organization.

About Our Guests

Rebecca Herold has over 25 years of IT, info sec, and privacy experience. She is the owner and CEO of The Privacy Professor, founded in 2004, and Privacy Security Brainiacs, founded in 2020. Rebecca hosts the radio/podcast show, “Data Security & Privacy with the Privacy Professor.” She is an expert witness, entrepreneur and author who has received numerous awards and recognitions for her work throughout the course of her career. Rebecca has written 20 books to date, chapters in many books and hundreds of articles.

Nathan Gibson is the Chief Security Architect and Director of Enterprise Security Architecture at Allstate. Nathan’s information security journey spans multiple industries including our nation’s Air Force, healthcare, fintech, residential and commercial security, with a heavy focus on cloud engineering security. 

Read the Transcript

00:56 Matthew D Edwards: Welcome to The Long Way Around the Barn. This is the second episode in our series, discussing remote monitoring, management, security and privacy in the senior living industry. Last week, we focused on purchasing and securing IoT monitoring devices, implementing platforms and securing the data associated with them. This week, we dive into the role and value of whole-organization information security and privacy plans. Do you have them? Should you have them? And what do they look like?

01:28 Matthew D Edwards: We have two exceptional experts for today’s discussion. Rebecca Herold has over 25 years of IT, info sec and privacy experience. She is the owner and CEO of the Privacy Professor, and most recently, Privacy Security Brainiacs. Rebecca hosts the radio podcast show Data Security and Privacy with the Privacy Professor. She’s an expert witness, entrepreneur and author, who has received numerous awards and recognitions for her work throughout the course of her career. Rebecca has written 20 books to date, chapters in many books and hundreds of articles. And Nathan Gibson. Nathan is the chief security architect and director of enterprise security architecture at Allstate. Nathan’s information security journey spans multiple industries, including our nation’s Air Force, the healthcare industry, Fintech, residential and commercial security, with a heavy focus on cloud adoption, engineering and security.

02:29 Matthew D Edwards: Thank you for joining us today. Question one, whole organizational information security plans, and basically senior living organizations, as they become more and more technology-savvy and dependent, the number of moving parts and exposures to risks and liabilities is only going to increase. Do you guys recommend the organizations formally create and implement whole organizational information security plans, for example, if they don’t have them already, should they? And if they are going to put them in place, what should they look like? How do they know when they’re done? What is a good model? What is an information security plan and why should the C-Suites and leaders and senior living communities have them? Nathan, would you like to lead us off, sir?

03:20 Nathan Gibson: Sure, I think that the short answer for that is yes, but there’s a long conversation surrounding that. There’s a right way and I think a wrong way for implementing information security plans. And if you go out to NIST or different federal guidance, NIST is National Institute of Standards and Technology, they’re gonna have sample templates for an information security plan. And if you’re implementing them for the right reason, which would be you’re truly looking to protect your customers or protect those people that you’re caring for and the data, then you’re actually gonna look at it and understand what it is. If you’re simply trying to check a box from a compliance perspective, then it’s very easy to take those and copy paste and label that, Hey, I have an information security plan, and you’re checking a box.

04:18 Nathan Gibson: And there’s a difference between being compliant and being secure or actually protecting the data the way you should and the way you want to. And each organization, I think depending on the technology they offer, is gonna have a different set of standards and a different set of policies because their technologies are different. So if they look at it from, “Hey, we’re gonna bring in this capability and spend the time to document a particular policy for when that can be used and how it must be used, and technical guidance,” that collection of documents over time, that becomes your information security standard.

04:57 Nathan Gibson: Those are the types of things I think organizations should strive for. A lot of times, the technology they’re using is gonna be based off a vendor. So it’s also equally important for them to understand the vendor and understand those vendors’ privacy policies and practices and procedures, and maybe even that vendor can help them institute their own standards based off other customers that are using their product. So even though they may not have those skills in-house, they can ask that question, ask for that service when they’re purchasing that particular product or capability from a vendor: can you help me implement internal policies and standards to appropriately operationalize this product or this service?

05:43 Matthew D Edwards: Okay, Alright, Rebecca, what are your thoughts on this?

05:47 Rebecca Herold: Yeah, absolutely, and I agree with what Nathan said, and I would add to that too. A lot of folks who are listening, if they’re from senior living organizations or they have loved ones who are there, I think also add to just that need that Nathan talked about. Just think about all of the information that is within senior living organizations. And it’s not just technical, in fact, there is so much information within these organizations that is written down on paper, that is written on whiteboards, that is written on bulletin boards, that are on chalkboards, that are on the outside of people’s doors when you go to visit a resident.

06:39 Rebecca Herold: So it’s so, so important to make sure that all of that information is protected. And the best way to make sure that you’re protecting not just your residents and your visitors, but also just think about the actual organization itself, you have a reputation, each senior living organization wants to be trusted. If you don’t have a strong and consistently followed security program with some applicable rules that are specific to your organization and your risk environment, then you’re going to have bad things happen. It could be accidentally, maybe somebody wrote their password down and left it on the registration desk, and somebody saw that when they came in to see someone, or maybe a sales person saw that when they came in.

07:43 Rebecca Herold: All of a sudden now someone else knows what perhaps your ID and password is to get into the senior living organization website. Or if they see files of your residents, do you know how lucrative it is to have the personal information of senior citizens and use that to perform identity fraud and other bad things? So, there are so many reasons, as Nathan said, beyond compliance. Certainly compliance is there to set up really the minimum necessary to make sure you have basic security controls in place, but you also must always go beyond those basic minimums to identify where are these additional problems that you might not have in a checklist, but still are problems.

08:44 Rebecca Herold: Somebody brings in an Alexa because they know that the residents are going to enjoy that. Well, you know what, Alexas are really cool. I’ve been experimenting with one since last December, and they are fun, you can play some really cool music, I love Ella Fitzgerald so much. I play music by her, I know the senior living organization folks would love to hear all their old favorites, right. But if you have that going and it’s not 100% perfect, it’s also taking information based upon keywords and storing it in the cloud. And that information has been compromised before, has been misused before, it has been shared with third parties before. So you need to just make sure you know what your environment is like and where all the risks are. You might have these digital spies and other types of spies on feet coming in and out of your organization that you don’t know about, so… Yeah, you need to… Every organization needs to have an information security and privacy program in place. No organization can be without one today and still be safe from bad things happening.

10:16 Matthew D Edwards: That’s a really good call out that I’d like to amplify, if you don’t mind, which is, Rebecca, you mentioned that information security plans don’t only cover technical things, but they cover all types of information and that behavioral… It’s behavioral information, it’s experiential information, as well as the technological considerations. And so a lot of people that we’ve run into through time have assumed that common sense was common and that passwords shouldn’t be stored on Post-it notes, or passwords shouldn’t be stored out in plain sight for everyone else to use, or that the entire staff shouldn’t be using the same login credentials for one application, those types of things. I think that those are the types of things that you’re referring to also, which is to have a plan that talks about the behavioral, experiential, the technological, all of the aspects of data, not just I bought a device, I plugged it in, and now I have a plan. Am I getting that correctly?

11:33 Rebecca Herold: Yes, and I would add to that, it must consider the full life cycle of information as well because there are some significant risks when you’re collecting information. When you have new residents come into your senior living organization, think about it, they fill out how many forms? And I know because as we talked about before the show, my mother was in a facility because of early onset Alzheimer’s, and then my father was in a facility because of cancer. And when filling out so many forms, and so many times you’re filling out 20 forms and they’re asking you the same thing on 10 of those pages, where are those pages going physically? That’s physical information. And they say, “Well, don’t worry about it. We’re going to input this into the system, so then it’s… All that is going to be safe in our computer.” Well, where are you putting the physical paper when you’ve got it input into the computer? Will you throw it away?

12:47 Rebecca Herold: There it comes to the end of the life cycle, right. You’ve input it, and now how are you throwing that away? Can I find my information that I just put down for my parents back behind your facility in the alleyway dumpster? A lot of people find information there, so even that physical information, you need to make sure that you deal with that, too.

13:14 Nathan Gibson: And I would add on to what Professor Herold was saying. In between there, likely what’s happening is they’re collecting that information on paper, and then what’s that data input process? What’s that look like? If they get so many forms, and this isn’t just the initial… This is if they have Medicaid claims or Medicare claims potentially. Is that sitting next to a scanner, just a pile of paper sitting there waiting for the night crew to come in and scan those and input into those systems, while they’re sitting there, who has access to that data?

13:48 Nathan Gibson: I think you mentioned spies with feet, right, who’s coming in and out of your facility. How are you locking those up? And that’s where your information security program can be as simple as setting some operational processes, documenting, saying, “Hey, when we collect this document from the patient or a patient’s relative, this is the place that it goes,” and having a discussion around, how are we securing that, how long does it sit there? Who’s authorized to get access to that and then what’s the next step? And just documenting that process right there, that simple thing is not a complex thing, but that’s part of your information security program and your plan and becomes an operational standard at that point.

14:37 Rebecca Herold: Well, and I wanna just quickly emphasize, I love that you brought that up, Nathan, because having it documented is so important because the people in your organization will not consistently follow these practices if it is not written down. If you have just one person who’s not doing something, that one person could cause a huge problem, a huge breach or a huge outage because they didn’t consistently follow what everyone else was doing, it needs to be written in policies and procedures.

15:18 Matthew D Edwards: One of the things I wonder then, and you guys could both expound on this, one of the things I wonder then is when you’re talking about the data, all of the different forms of the data, you’re also talking about the types… If you’re talking about the types, but you’re also talking about locations. And so as part of an information security plan, then do you recommend or what do you recommend as it relates to in order to have a policy or a procedure or to have an opinion, you need to know what you have, you need to know where it is, and you need to understand who’s accessing it, how it’s being used, all of those types of things, is understanding that if it’s an asset inventory or it’s an inventory of all data in the organization, do you consider that to be a critical component of the information security plan itself?

16:09 Nathan Gibson: Absolutely. First off, I would assume, and the professor can probably speak more to this based off her experience, but there are some standard forms that are usually filled out when somebody is being admitted into a facility or transient through a facility, and understanding what data you’re collecting on those forms and classifying that data, and then from that point, setting rules around that data classification, knowing that, “Hey, this particular form does have sensitive data, so we’re only going to allow it to be stored in these locations, so once you collect it, we’re only allowing it to go in this location,” and understanding that and putting that in policy and then enforcing that. I would also add, it actually helps the organization, take security out of it, it helps them be more streamlined. If you have a new employee that comes in, what better way to quickly get them up to speed than having an exact operational standard that they can read on how they collect data and where it must go, to maintain a consistent, predictable, repeatable operation for the business and onboard new employees quickly.

17:19 Nathan Gibson: So I think, yes, it does become more difficult when you’re dealing with paper documents, that has to probably change quite a bit. But yes, knowing where that data’s at, and what data you’re collecting is something that should be in your standard and your organization’s way of classifying it. We consider this extremely sensitive data, so therefore only these roles or titles within the organization can have access to it underneath these circumstances, that’s super critical to have in your plan.

17:55 Rebecca Herold: To add to that, just think about it, how can you protect data and make sure it’s used appropriately, unless you know exactly what information you have and in what form it is, and where it’s located. I mean my gosh, just imagine, what if every one of us had 20 credit cards, but yeah, we didn’t keep track of where those credit cards were. Now, maybe there might be a credit card in your home safe and you have it locked up, that one’s probably pretty secure. But what if you have five of those credit cards out in your… Maybe in your automobile and you go to a restaurant to do it and leave it in there… Somebody gets your credit card. Are you gonna even know that if you didn’t know your credit card was there to begin with? So keeping track of all of your information is kind of like keeping track of your own personal values, because if you don’t know where things are that you value, and if you don’t know how to protect them, then things are going to happen to those valuables and you’re going to really be sad and mad at yourself for not securing them and keeping track of them to begin with, that’s the same way with any business.

19:15 Rebecca Herold: A business has to consider information as being valuable and they need to know what information they have so that they can then determine how they need to protect it in all the locations where it’s located. Because kind of like Nathan was talking about with the classification and so on, if you have certain high value information and it’s located some place that might be a high-risk area, like out in a public area, that will need much more security around it than if you had it some place perhaps within many walls, within the center of a building that all have locks on them and very tight access controls.

19:58 Matthew D Edwards: Alright, alright, that’s good. So let me summarize these things, if you don’t mind. So far, basically what I believe you both have well-communicated is, hey, an information security plan is non-negotiable, it must exist if you’re a business and you have employees and clients, you’re likely collecting information, and that’s not just technical things. So while we’re talking about the senior living community, and we’re talking about the adoption of Internet of Things devices and technology and networks, where there’s a whole lot of data and privacy and planning that’s required there, it also includes everything leading up to and around it, and afterwards as well, which could be paper-based, it could be experiential, it could be relational, communicative, Post-it notes, the doors. So what data do you collect? Where is it located? Who has access to it? And then what’s your plan, what’s the plan to collect it, what’s your plan to store, what’s your plan to share and engage with it? So it has to be done on purpose, and while we all want to trust, we need to have a plan and then trust that we’re all using the plan as opposed to just trusting the merits of good character and great people and sometimes hairy days and, it’s a tough day.

21:20 Rebecca Herold: Exactly, and I might add, make sure you know if people are using their personally owned devices and include those devices in your program, because you absolutely have to protect data everywhere, even if it’s not on your organization’s own computer systems within your own facility walls. And I know in a lot of organizations, people are now, especially with work from home, people are using their own personally-owned laptops and… Oh my gosh, I’m looking right here at a USB drive that has 64 gigabytes of storage on it, and I know a lot of workers who use these handy-dandy tools to take home and do work at home. Or they probably already have them there, and it’s easy to collect because this one only costs $9 and so I could have probably a dozen of those, make sure all of your program covers those personally owned devices and storage devices and that you have training so that the people using them, know how to secure them.

22:37 Nathan Gibson: And what the professor just said on training, that’s the most key part. Having an information security plan and doing regular training on that and testing the effectiveness of your training is important. You can document everything, but if you’re not training your employees, you run into situations where somebody may be just trying to do their job in just situational… I see it all the time. Somebody calls in to make a payment and your computer is down. Okay, I’m gonna pull out a sticky note here, what’s your credit card number, and write that down on the sticky note, what’s your CVV, the security code on the back. And the expiration date and everything, and they stick that on their desk, and then later that day when the computer comes back up, I’m gonna go process that payment now. What happened to that sticky note that has that payment card data on it, or what happened to that sticky note that had that person’s social security number on it?

23:42 Matthew D Edwards: And your training on your information security plan isn’t about this is our policy, you must read it, take a test and follow it. It’s more about, “Hey, this is what we are charged with, this is why we’re trying to protect data, here are the threats to that, here are the people who are trying to gather that,” to bring that threat awareness or the vulnerability awareness to the employees, so they can do their part in those situations where the policy may not cover it exactly. It helps bring them that situational awareness so they can do their part to continually protect the data, so that training is a key part.

24:20 Matthew D Edwards: That makes sense. So training needs to be a part of this on purpose. So let me transition this conversation to privacy. Do you believe that privacy is a component of the larger information security plan, or is a privacy plan its own entity? What’s your perspective on that, and then what composes a good privacy plan in an organization that’s collecting not only paper-based data, but they’re also collecting data based… Device-based data all over the place, what are your thoughts on privacy and what does that look like for folks?

25:02 Rebecca Herold: Well, privacy definitely has a lot of overlaps with information security. I mean, you have to protect the information, certainly. I think a very common misconception is that privacy means that you only protect data by encrypting it or it’s just about confidentiality. It goes so much more beyond that. Privacy means that you are giving the individuals about how their private and personal information applies, you are giving them some control over that information, you’re letting them know, Hey, here’s the information we’re collecting from you, and by the way, here’s how we’re using it, and here’s who we’re sharing it with, and here’s how long.

25:56 Rebecca Herold: We’re going to keep it and retain it, and here’s how you can get access to it, because we wanna make sure that it’s accurate because if this information is not accurate, it can have impact on your personal life when that inaccurate data gets out there and is being used to make decisions about your life. So yes, I’ve been doing privacy and information security management since around 1993, when I wanted to address privacy. I was responsible for creating the security requirements for what that was going to be… And I think it ended up being the first online Internet bank in 1994. And I was establishing the security requirements and I was doing research and I found the OECD privacy principles. I thought, these make a lot of sense because this is a bank, and a bank has a lot of personal data. I happened to know the CEO and I thought… I’ll mention to him that it’s important for the legal counsel to address privacy.

27:20 Rebecca Herold: Well, at that point in time, just think about it, ’93-’94, there were no laws or regulations, so the General Counsel said “Sounds like a good idea, but it’s not my problem because there’s no legal requirement”. So the CEO told me, “Hey, Rebecca why don’t you go ahead and take care of privacy while you’re doing security,” and that’s where I learned throughout the years that it’s so important for security and privacy areas to work together. I think we need… You asked before about, should that be part of the program? Should it be separate entities? I say that it should be… Maybe possibly two areas, but they have to be integrated. And in fact, I see the most successful security and privacy programs are the ones that really coordinate closely and often report to the same person in the organization.

28:18 Rebecca Herold: They don’t have the privacy officer reporting to the General Counsel and the security person reporting to the CIO, they actually have a Chief Information Assurance Officer who is responsible for all information, and that comes down and covers privacy and security equally. And they’re kind of outside of the CIO and the General Counsel area. Because I’ve learned from just experience, if you start getting put into the IT area, or into the legal area, oftentimes needs and risks do not get addressed appropriately because you don’t have enough authority in that organization to say “We need to do this. It’s important.” Sometimes you get overruled in these organizations. When you’re talking about senior living organizations, those might have a little bit different setup with regard to executives and their org charts, but still they need to understand that you need to address security and privacy, the different issues between them. But at the same time, they can’t be done in isolation of each other, they have to work cooperatively in order to be successful.

29:43 Matthew D Edwards: Well stated.

29:46 Nathan Gibson: Yeah, I would echo what Professor Herold said. I work closely with my counterparts on the privacy side, the chief privacy officer, and very passionate group of privacy, I guess, I would call them engineers, architects, but more often advocates is the best way I can describe it. Now to answer your question about how I see privacy and information security, and it may take a little bit different view on this, the privacy folks also have kind of an ethical watchdog component to it. It’s not just about what data you’re collecting, everything Professor Herold said absolutely… But they’re also there to make sure that the organization is doing the ethical thing. We are collecting this data specifically and solely for this purpose, and when another group or department comes by and has great innovative ideas, that’s absolutely fantastic. That privacy plan and those privacy professionals are there to say, “Hold on a second, I’m gonna be the voice of the customer. Have we communicated with the customer that we’re gonna do this? We need to give them the option to choose whether or not they want to do this.” It’s going beyond typical, this is what exactly the law says I can and can’t do with this data from a privacy perspective.

31:17 Nathan Gibson: And it’s more about, “Hey, are we doing the right thing by our customers? Do our corporate policies, do our corporate standards and procedures reflect our ethics and our values as it pertains to protecting our customers data, only using the data in the way we stated we would use it, not trying to blur between the lines or trying to figure out how to make an extra buck or whatever.” They are that advocate, they’re speaking on behalf of the customer. And the security plan is a component of privacy in a sense, because part of security is okay when it’s on technical solutions, how do we make sure it’s encrypted or how we make sure that it’s secure in transit or it’s only being stored where we allow it. That’s one small component of a larger privacy plan, which is more around communicating and being ethical and truthful on what data we’re collecting, what we’re using it for, and giving people the opportunity, a choice, to update that data or ask us to get rid of that data, if needed. That’s really a privacy plan in the privacy program and the professionals that operate them.

32:33 Matthew D Edwards: So if I could summarize, based on what I’ve heard so far, before we move on to another interesting question, it sounds to me like the idea of information security plan must exist, the idea of privacy on purpose must exist, and whether they are one idea or two ideas, they’re basically so interwoven that they must both exist.

33:00 Rebecca Herold: Well, I was just gonna say, when you’re talking about that interweaving, definitely, I wanna give kind of a real world example, too. And I’ll use HIPAA because I know that senior living organizations as covered entities, most of them are anyway, under the Health Insurance Portability and Accountability Act or HIPAA. We have the privacy rule and the security rule. And I know that a lot of organizations deal with each of those requirements separately in the organization. However, real world, the privacy rule requires that you give your patients, your residents access to their personal information. So oftentimes that information is given to them via online portals. Now the privacy office is going to say, “Okay, well, we’re going to make a policy that we must give all of our patients, all of our residents access to their health records,” that meets that privacy rule requirement.

34:07 Rebecca Herold: Well, who’s going to have to implement the actual access to that information within the system? It’s going to have to be the IT area, and the information security area has to be involved because in order to meet the privacy rule requirements, which also include a very wide requirement to follow the security rule, have safeguards in place, they are going to have to be able to implement security over the way in which patients are given access to that patient information. They have to work together because the security officer, they need to understand if what they’re giving access to is everything that is necessary to meet the privacy rule requirements and then to log for the accounting of disclosures requirement, that access not only by the patient, but by other people who need to get access to it as well.

35:09 Rebecca Herold: So those of your listeners who might have responsibilities for these might recognize that, yes, accounting of disclosures and access to information in all forms, not just digital, but also physical, you have to coordinate how that is done securely with the security officer as well. So I think that’s a very important real world scenario that every type of organization has to deal with.

35:38 Matthew D Edwards: Well, let me take that material then and transition to my next question for you both, which is, let’s say for organizations where the senior leadership said, Okay, I can understand why this is important, so I should have an information security plan, and that requires a list of things that I need to go do now that I have historically not done, including information security training. And I need to have a privacy policy, privacy plan that’s put in a place that is, to your point earlier, Nathan, giving the customer a choice and or acting on behalf of the customer while pursuing business goals and daily operations. So the senior leadership says, We need to have these well done, we are now persuaded, we’re going to get it done, and so they work diligently to put them in place.

36:32 Matthew D Edwards: For organizations, whether they have experience with it or not, after they have these in place, they have an information security plan, they have a privacy plan, all is right with the world, and they believe that things are great. How do senior leaders and these organizations stay aware of how well their organization is actually doing implementing these ideas. In other words, just because we have it doesn’t mean we do it, but if we are implementing and doing these things how do I know on a regular basis as a leader, if I’m not involved in it day-to-day, how do I know that we’re doing it well? Or doing it at all for that matter, how do they know? Nathan.

37:20 Nathan Gibson: Yeah, so, essentially, what we do in our role is called effectiveness testing. How effective are our administrative controls, our operational controls and our technical controls? And part of a healthy information security program is to have appropriate effectiveness testing. And effectiveness testing can be anything from audits like we are probably mostly familiar with. Somebody comes in and actually takes a look at your policies, your standards and your procedures that make up your information security plan, and then they observe day-to-day operations and historical artifacts and actions to see if people are actually adhering to those policies and standards that you have in place.

38:11 Nathan Gibson: So having an effective testing program, both internal and external, whether you contract occasionally with an external third party to come and evaluate or have somebody dedicated internal whose job is to go through and just randomly spot check these standards and the processes and procedures as they are in action. The other thing is to have a healthy reporting mechanism for employees that when they do see something that violates standards or procedures, that everyone’s comfortable with elevating that so that organizations can understand, employees won’t have fear of reprisal necessarily because they violated a particular standard, violating the HIPAA privacy rule.

39:02 Nathan Gibson: It sounds like a pretty scary thing, but if a process or procedure is broken or training is ineffective… We talked about training earlier, the organization needs to know that. So it’s important for leaders not to necessarily have a heavy-handed approach to policy violations, but more treat those as opportunities where you’re testing your program and you are making changes, whether that be enhanced training or whether that be a total change of procedure because you found out something you documented in the past may not be applicable today or may not be working today because new technology came in or new processes came in place. Employees are innovative all the time, they may find out ways to do things better and cheaper, but we may need to amend the policies and processes or tweak their innovative ideas to ensure that it’s still meeting the initial objectives of that information security program and plan.

40:04 Rebecca Herold: And I would add, too. All of this is so important to be part of a full risk management program, that’s a subset of your overall security program. What Nathan talked about, one of the things I love, and I think the different types of senior living organizations and other healthcare organizations can do as well. And I think Nathan mentioned this, but I wanna highlight it because I found it’s very, very useful. I used to call them work area walk-throughs. I do them after hours, but basically what I would do is I’d get my team together, and I do this for other clients too, and we would go through the areas and just see in the areas where people have their work stations, are they still logged in? Are they logged in and actually in this screen where patient data is being shown? Do they have files laying on top of their desk? All the different things that you can actually see, and here’s when, oh, this is still common today, 25 years later, 30 years later, it’s still common today, sticky notes under your keyboards with your passwords written on it. Do the work area walk-throughs. This not only helps you to find where people need more training and not just formal training, but also reminders.

41:36 Rebecca Herold: They’re fun things to do, different types of activities so people can see what they’re doing with regard to how they would handle security and privacy. Another thing I’ve done with some hospital systems is I have use case exercises. So I get different teams together within an organization, give them a scenario, it’s usually a breach or some other type of security incident and see if they can follow the published security and privacy policies within the organization, in order to appropriately address that situation. You have your policies and procedures written for your employees to follow. So do you know if they’re going to be able to follow them when they really need to in disasters or business recovery, and certainly…

42:30 Rebecca Herold: In Iowa with the derecho, we had a lot of disaster recovery and business continuity being tested here in the past week. So doing those use case exercises is another way. You can say that it falls right under your training requirements for many different regulations beyond HIPAA, but it’s not a formal training where they’re sitting there looking at their screen. They’re actually doing things and it’s something that sticks in their mind for quite a while. And also doing other types of fun things. Have guest speakers, and I don’t know if any of you remember Clifford Stoll? Clifford Stoll wrote The Cuckoo’s Egg. He actually, in 1987, busted the first huge ring of Russian hackers into a university on the west coast because he noticed a two or three cent discrepancy within the system and he just wouldn’t let it go. And why would he let it go because everybody told him that two cents was within their range of acceptability for errors, and he was like, no, this isn’t right, so anyway, read that book, The Cuckoo’s Egg, it’s still very good.

43:47 Rebecca Herold: I had him come in to be a guest speaker, and he was so good. He kind of reminded me of Einstein in the way his look and his hair especially was, but talk about engaging. And it got people interested and it made them think about security for many, many months after that. And how do I know? I know, because I saw the number of hits on our internet website was so high for many months after he was there, and people were calling and actually giving me… Calling when they saw a concern, is this a problem? Should we be worried about this? And I love that because it meant that they had really taken in that message of information security is important and it’s important to recognize when something might be wrong. So all of this falls under risk management, because it is helping everyone in your organization to identify where risks may be, and also then take actions when they think there’s a risk and they need your help as security or privacy officer to let them know whether or not that is something they need to be concerned with.

45:12 Matthew D Edwards: Let me summarize some of the things I think we’ve talked about today, and then I’m interested in some final thoughts that you may have yet unspoken. Basically, what we’ve discussed is Information Security and Privacy plans must exist. And in order to do those things, you need to know what you have, where it is, who’s engaged with it, how it’s being utilized, and its full life cycle from birth to end of life cycle and what you’re gonna do at each stage along the way. And that includes everything from paper to marker boards, to Post-It Notes, although there should be no Post-It notes all the way out to the digital stuff, which includes the adoption of Internet of Things devices for remote monitoring in order to enable autonomy for our elders and eventually, maybe even us. So the privacy and security plans need to exist, it needs to be done on purpose, but then after it exists, you need to put in place a framework or a behavior that says, Hey, I’m going to regularly check, regularly test, regularly train to make sure that everyone is informed, everyone is practicing, everyone is heading in the same direction in the way that we need to.

46:27 Matthew D Edwards: So the things that you’ve communicated should be no surprise to people, which is, Hey yes, you need to have them. Yes, you need to do it on purpose. And by the way, you’re actually never done. So after these things come to exist, you haven’t said it, so I’m asserting it, but you’re never done. These exist, they have to continue to exist, you have to continue to train, continue to practice, continue to audit and test and verify and validate, you’re never done. So thank you for articulating these things because it’s not only Internet of Things, it’s everything inside the organization, but I wonder, do you have any parting thoughts for us that you haven’t mentioned yet, Nathan, Rebecca, any additional thoughts you’d like people to consider along the way?

47:25 Nathan Gibson: Yes, I would just say it may seem overwhelming at first, information security program or plan, and if you don’t know what that is, you may have a tendency to go Google that. The good news, bad news is there’s gonna be a plethora of information out there and there’s a lot of guidance. One of the most common is the National Institute of Standards and Technology, specifically, the special publication 800 series. It’s a great resource to go out to learn about what you should be thinking about in your information security plan, but don’t get overwhelmed by it. You can start simple by creating simple procedures about, Hey, when we have this form that needs to be filled out, here is our procedure on this form, customer fills it out and we do A, B and C with it all the way from when they finish it and hand it off to you to when you eventually hand it to the shredder. Detailed description, plans and all that is, is giving your employee and your staff directions on how to do your business, but you’re adding in the security components in there to make sure you understand every step of the way, so it can be that simple.

48:42 Nathan Gibson: And over time, as you create more and more simple documents like that, that becomes your information security plan. That is helping you ensure that you’re protecting your clients’ and your customers’ and consumers’ data at that point, and then you can use those references like NIST to help you understand, “What am I not thinking about? What else do I need help with?” And it can help guide you, so don’t let it overwhelm you.

49:14 Matthew D Edwards: Yeah, very good. So use NIST 800 series as an excellent starting point, but start small. Rebecca.

49:23 Rebecca Herold: Yes, and I would add. Everyone needs to remember and think about the fact that these concepts that you use to secure what’s within your organization, these apply to your own life. Everyone basically now has their own computers, everyone has their own smart devices or own smart phones, WiFi networks, I mean, not everyone, but it’s getting there one of these days, it will be ubiquitous. It will be pretty much anywhere you go, you’re actually going to be, if not leaving a digital vapor trail around you, you’re going to be passing through other people’s digital vapor trails because everyone is having computing devices. So when you think about developing these controls, think about the fact that you can use these same concepts, and same controls within your own home. You can use them within your own WiFi network at home and so on. So you need to keep that in mind and just view this as an opportunity to use what you’re doing at work to also improve your own home life with regard to your digital assets and your paper assets and secure them better as far as that goes.

50:50 Matthew D Edwards: Well, this has been an outstanding conversation today. And I am confident that in just the short amount of time that we’ve been together, we haven’t even come close to communicating or amplifying all of the things that are occurring in both of your minds this entire conversation. So thank you for distilling a lot of your experience and your thoughts and your perspectives down into smaller bite-sized chunks for everybody to think through.

51:18 Matthew D Edwards: Today, we’ve talked about information security plans, we’ve talked about the value of privacy plans and doing both of those things on purpose and a lot of the work that goes into getting there. But then we’ve also talked about after it’s in place, how do you know you’re doing the right thing correctly and completely on a regular basis, well into the future? These aspects, these conversations help people get started, but there’s a whole lot of work after that, and they’re probably going to have to have one or more people who exist in the company to do these things on purpose on a regular basis. And both of you have experienced leading and guiding and training those types of organizations and those teams and those implementations companies large and small, so thank you for taking the time to teach us. Thank you for a wonderful conversation. And I look forward to talking with you both again in the future.

52:15 Nathan Gibson: Likewise. Thank you, Matthew.

52:15 Rebecca Herold: Oh thank you very much. I enjoyed it.


Part I: IoT Devices, Data, and Exploitation

Enabling Better Health Care & Senior Care Outcomes with Technology


Our first episode in the series addresses critical factors when purchasing monitoring devices, securely storing, moving, and using the collected data that is exponentially accumulating, and how to mitigate the exploitation of these systems.

About Our Guests

Xavier D. Johnson is the Founder of Enterprise Offensive Security in Detroit, Mich. He also serves as a Secondary Cybersecurity Instructor at the University of Michigan, the Director of #MISEC, a Founding Organizer of DEFCON Group for Detroit, Show Host on How They Got Hacked, and Founder of Red Team Clothing.

Nicholas Starke is a highly skilled security researcher and penetration tester focusing on Internet of Things (IoT) security evaluations. Nick’s primary area of interest within IoT is networking equipment, ranging from Small office / Home office routing equipment all the way to carrier grade/ISP equipment – and everything in between. Right now he is focused on enterprise-grade networking devices as part of his role as a Threat Researcher at Aruba Networks, a Hewlett Packard Enterprise company.

Read the Transcript

01:00 Matthew D. Edwards: Hello and welcome to the inaugural episode of Long Way Around the Barn. Today, we are starting a series focused on remote monitoring, management, security and privacy in the senior living industry. In today’s session, we will discuss IoT devices, data, and exploitation. Very simply put, what do you need to know to purchase, implement and manage remote monitoring devices? How do you securely store, move and use the collected data? And how do you mitigate the exploitation of these systems by external actors? My guests include Nick Starke, a threat researcher at Aruba, a Hewlett Packard company, and Xavier Johnson, a full-time ethical hacker and part-time cyber security instructor at the University of Michigan. Welcome, gentlemen.

01:50 Xavier Johnson: Thank you for having me.

01:51 Nicholas Starke: Thank you.

01:54 Matthew D. Edwards: For a senior living community interested in adopting some of the newest connected remote monitoring technology that exists, what do you believe are some of the most important things leaders of senior living communities must consider when they’re purchasing, implementing and using connected devices in their communities and networks? For example, remote vital monitoring, daily activity monitoring, geographical movement mapping, predictive analytics and contact tracing. What do you think are some of the considerations that folks should review as it relates to hardware, network, Cloud platforms, data collection, use? Xavier, what are your thoughts on this?

02:29 Xavier Johnson: First thing that comes to my mind, privacy. The considerations of maybe where you’re sourcing data, excuse me, the actual hardware that this data is flowing on to, where else could it be going to? If we’re dealing with a piece of hardware that has a system on the chip, how easy is it to update the firmware on that specific device? What is the life cycle of that? And what’s the management of it? How much of a pivot… Much of a pigeon hole does it put you in? If you deploy it, do you get stuck with one particular vendor? Using one specific stack? I don’t wanna name and shame, but we all know those environments where when you go to go replace the one thing, you gotta replace the whole thing unless you’re gonna continue to go on the life cycle, and eventually they’ll upsell you on replacing the whole thing. When we’re talking about assisted living, and we’re talking about devices that are supposed to be there to help offset the load and to load balance and to create a higher quality, we still have to make sure that we’re doing right by way of privacy and assuring that there are ways to maintain and update these devices.

03:49 Matthew D. Edwards: Good call. So privacy number one, and then also making sure that we don’t put ourselves in the corner such that we’re not able to change, or that when we do want to change, we don’t end up having unplanned costs and complexity along the way. That’s a good call. Nick Starke. Mr. Starke, what are your thoughts on that?

04:11 Nicholas Starke: Vendor lock-in is definitely an issue you wanna consider. The adoption of open standards with whatever communication protocols are implemented in the devices that will allow you to build on top of whatever you’ve deployed quite easily, as long as they’re not using proprietary protocols and things of that nature. In addition to privacy, I would say security is a big issue too, because of privacy. Because there is sensitive data being collected and stored, you wanna make sure that no one who is unauthorized gets access to that data while still maintaining the people who do have authorization, that they can still have access to it. So it’s balancing those two things.

04:57 Matthew D. Edwards: That’s a good call. So making sure that we’re balancing privacy and security. From your perspective or from your experiences, Nick, in different organizations, have you found that people undervalue or overlook or just assume the relationship of permissions and access with devices? In other words, have you seen through time that people are most excited to plug things in and least excited to think about how to secure them?

05:32 Nicholas Starke: Yes, so I think there’s the issue of, you get a new IoT device and you plug it in. It’s the configuration of it, right? Not only just the device with the network that it sits on and everything, and I see a lot of times that the amount of configuration needed isn’t performed, and that results in security holes, exploitation vectors that open up, the device itself probably needs to be configured in some manner, and so does the network it sits on. So there’s two different levels of configuration that you need to do, and a lot of times I don’t see end users performing the amount of configuration that they need to perform in order to keep the devices safe and the data safe, and provide that level of privacy that is expected.

06:16 Matthew D. Edwards: Right. Okay, so there needs to be a plan. It’s just that simple. There needs to be a plan for the device, there needs to be a plan for the device ecosystem, in other words, one or more devices, and possibly spanning multiple vendors. And there for sure has to be a plan for the network, the network configuration, the device configuration, the security around it and the privacy. So this isn’t so simple as someone at an organization going and making a bulk purchase from Best Buy or some other store and plugging it in and everything rocks and rolls, but there needs to be a plan for what problem do you wanna solve? There needs to be a plan for the device, even the firmware, as you brought up, Xavier. So it sounds like there needs to be a lot of forethought, is the summary, there needs to be a plan.

07:11 Xavier Johnson: Certainly, and you know what else, Matthew, I’d like to toss in there, there needs to be room for innovation and room to play. And I think that as a security person within a company, as security engineer, we often are saying, “Hey, you cannot do this. Thou shall not.” And us as testers when we come in and we do our scans and we do our thing, and we reinforce why you shouldn’t, but I think there’s room for us to all play nice together, and figure out a place on the network where we can go out and vet these things. Where we get ahead of some of these problems. Maybe we start to think about our networks the same way that marketing thinks about campaigns, and start to have more of an A/B environment beyond just prod-dev, like, “Hey, we wanna try something out, let’s load balance some of our more stable users, our younger users in this case, that may take less attention over to something that may have a higher risk and reliability, but has all of these other features.” And I know we’re talking about lives here, so you have to be careful, but what I’ve noticed in healthcare, especially in the smaller clinics, as a tester, you find these doctors, they run the show at these clinics, and so they plug whatever they want into the switch, when you’re not around as a system admin.

08:38 Xavier Johnson: So this is just a toy, this is the latest thing that they got on the show room floor at a trade show, and sometimes they forget it’s plugged in. Sometimes they don’t change the default passwords. Most times they don’t, and it could be a week, it could be any given… It could be moments. You’re talking about the potential to compromise. So it’s something that, there’s multiple angles that you gotta plan for, you don’t wanna put people in a box and then make them go stir crazy so that they just do outlandish things without your permission. You wanna have a process in place so they can actually feel empowered when they hit the trade show floor to ask the right questions like, “Hey, I’m gonna take this to my team and they’re gonna put this in our special network, what do you want to let me know before I do that? What should I know?”

09:27 Matthew D. Edwards: That makes sense.

09:29 Nicholas Starke: I wanted to speak to something that Xavier just mentioned. An important part of this is how you build and validate the configuration that you’re building, the system that you’re building. I think external validation is gonna be really important, getting… Not only just checking all the check boxes on the compliance side, but performing security audits, penetration tests, things like that, of these deployed networks beyond what the manufacturer is doing on the manufacturer side, they need to be doing the same thing, and that should be a question that you ask as you’re potentially gearing up to purchase a system like this, is, do you have a software bill of materials? Do you perform regular penetration tests? Do you adhere to the compliance regulations around HIPAA for protecting health data? And what do you do to meet those compliance standards? These are all questions you should ask going into purchasing a system like this.

10:40 Matthew D. Edwards: That makes sense. So just again, it comes back to, I’m sure that we’re not touching the depth and breadth of the things that you guys have seen and regularly test, but the net of the conversation so far is, know a problem you wanna solve, have a plan, and then figure out how to make sure you can evolve. Test and evolve and not get boxed in, privacy and security have to be done on purpose, they don’t accidentally come with the device when you take it out of the box. Alright, those are fun conversations, and that then spans across to everything where the hardware, the network, the Cloud. And the data collection in particular is a big deal. So for example, with the idea of Geofencing, organizations that are interested in Geofencing are looking for ways to identify where are all of my staff? My healthcare worker staff. And putting in place ideas that says, “If this part of the building, then these conditions. Else this part of the building, then these conditions.” And so on. So behavior driven, Geofencing if you will. Similarly though, there are understandably some parts of the building where our elders, our family members should be in the senior living communities and some that are probably off-limits, dependent upon. I’m sure they wouldn’t wanna turn me loose in one of these buildings.

12:12 Matthew D. Edwards: They would have to tell me, “Matthew, you stay on this side of the building. Please and thank you.” But they are leveraging Geofencing to understand where people are and where they should be. Also leveraging, there are some interesting new technologies that are monitoring your location in the building. But in relation to your activities, in other words, how many times have you been to the sink to get water? And/or have you taken your medicines? And/or your times that you’ve taken for personal time, if you will, in the restroom. And so monitoring all of these things, not because there’s an interest in knowing your details, but rather enabling autonomy is the goal, enabling autonomy. But it means we’re collecting data on everything all day, every day for all of our elders or family members, as well as all of our health care workers. In this world where there are so many devices collecting so much of that data on so many people, we’re gonna just have a lot of data. What are your thoughts? How do you guys react to that? Nick, will you start us out on that? How do you react to that many devices for that many people with that much data? What do we do about that? How does a person in charge of a senior living community make sure they’re doing right by the healthcare workers and doing right by the elders or our family members? And they stay within the law, but still add value?

13:46 Nicholas Starke: My first thought is, protect that data, you have got to do everything within your disposal to protect that data. But at the same time, you need to allow people who are authorized, access to it. From a security perspective, you need to have good access controls surrounding that whole database, if you will, the collection of data that you’re siphoning up from the devices, there needs to be auditable, discernible access control lists that determine who has access to it and who doesn’t. Another problem you’re gonna run into is just the amount of data, with all these devices collecting all this data all the time, you’re gonna just have… Terabytes and terabytes, if not petabytes of data. So you need a place to store all that, that will scale, because if you don’t have that, all of a sudden your devices will not be able to send data to your central system and you have an availability problem. So the ability to scale is going to be very important, even just from a security perspective, not taking into consideration the business value of being able to scale.

15:04 Nicholas Starke: I think maintaining Cloud platforms for your stuff is a good way of meeting that scale, the Cloud engineering stuff is built so that you can scale it out to millions of users collecting all this data at once… And it’s much more difficult to do that on-premise, so I would definitely look into Cloud options.

15:32 Matthew D. Edwards: Okay, that’s a good call out. Xavier, what are your thoughts on the volume of data? And the method of collecting, managing, securing. What are your thoughts on the Cloud stuff that Nick was just offering up as well?

15:48 Xavier Johnson: So we talk about the data lake, as it’s called. There are a couple approaches you could take to it, and I’ve been involved with both of them, at least two of them. One of which is the on-premise method. This is gonna require you to have military grade security, encryption, up-time. If you’re housing secrets there that are military grade, it makes sense to do that. I’ve been lucky enough to work for some smart people that solve some hard problems that keep us safe, and I’ve been able to work in startups where things move faster and you grow on demand. Where the growth looks like a hockey stick, and sometimes you do things that are maybe short-sighted, but to get the job done, and so what we wanna make sure of is, with both of these approaches, be it if we move fast or if we want to roll our own and move really slow, the thing that we want to do is, at a very fundamental level, keep people away from the data.

16:55 Xavier Johnson: Humans and data just don’t mix, so that means a lot of controls right there, we’re talking five to seven layers of controls from access on the physical layer, access in the digital world, encryption, the amounts of keys that it will take to actually decrypt any one piece of information and the separation of those keys over people, over a number of people. So you treat your data like you would a nuclear missile, it is that level of important to you when you’re talking about if someone’s brushed their teeth, or if someone’s taken their medicine. These are very, very intimate things that are otherwise not captured or even capturable without some of these endpoints.

17:44 Xavier Johnson: And so you have a huge responsibility no matter which way you take it. And I would say that with regard to Cloud and the adoption of Cloud. One fundamental on Cloud is encrypt everything. Just encrypt everything. I forget the actual saying, something like, “Dance like everyone’s watching, encrypt like no one is.” Or something like that. Or the inverse, dance like no one’s watching, encrypt like everyone is. Because they are. And so even on your local environment, that last mile, I find a lot of people will encrypt up to that point, then it’ll be on the private network and they’re like, “Oh okay, cool.” Because it costs so much to do encryption, “Cost.” We’ll just plain text it until it makes it to the database where everything is encrypted by default on the disk, and that’s where people like me actually go to go look with our Wireshark to get all of the free and clear packets. So take the time, be meticulous and create what…

18:45 Xavier Johnson: In the Cloud we call it defense in-depth, so putting multiple layers of defenses that are available, be it encryption, again, digital access control, physical access control, and there are ways to be able to create these layers in front of whatever it is that you’re guarding, the Cloud makes it really, really easy to do that, but at the expense of capital. So both of these solutions end up costing you money at the end. It comes down to how much data you have, what level of secrecy that data has, and how complex the systems are. How old your systems are that are already existing, because if we’re talking about somebody like ADT, which could very well get into this business because they’re already into monitoring and security, they may have a standard data lake, they may not have anything in the Cloud, or they could just scale on demand like this. So I feel for the CTOs and CISOs that have to solve exactly what to do with this level of data, because we thought social media was gonna generate a lot of data. This is gonna generate a lot of data, this and combined with mobility, ’cause this is kind of an extension of mobility in my mind, this is the medical end of mobility, keeping our elders self-sufficient longer, keeping an eye on them without being overly involved with them. I think that that’ll create data that we’ve never had to house, or seen.

20:17 Matthew D. Edwards: That’s a good call. So the Cloud conversation, so the capacity to store… That’s a big deal, because the volume of data is just ridiculous.

20:28 Xavier Johnson: I’m almost giddy about how much it is.

20:31 Matthew D. Edwards: But the capacity to store then to your point earlier as well, Nick, is availability. As the data surges or as it just increases, you need to be able to recognize it, and capture it and contain it.

20:46 Nicholas Starke: And act on it.

20:48 Matthew D. Edwards: And act on it, absolutely. So there has to be a plan when it goes back again to having a plan on purpose, there has to be a plan to know where it’s coming from, to be able to handle it, to be able to store it. And then to your point, it has to be secured, to both of your points, it has to be secured is just a non-negotiable. And in particular, healthcare, therefore HIPAA, and in some cases HITRUST, and there may be some additional considerations that if they don’t currently exist today, they will need to exist. For example, when you consider state-by-state privacy laws, and then an elder or a senior family member and/or someone else in the family says, “I wanna know all of the data that you have on my dad. Now I want I want you to remove it.” I wonder if that’s come up yet? And if that’s where that’s heading, you absolutely must have a plan for the data, or that is gonna be a miserable and a horrible experience to figure out, what data do we have? And where is it? Now, how do I extricate it from my large, large vault of data. Have you guys had those opportunities yet or to look at, “My gosh, how do I get that needle out of the haystack from the privacy laws?”

22:09 Xavier Johnson: Not stateside, but GDPR hit everyone in the product market in the mouth, square in the mouth. I worked at a company called DynaTrace a few years ago, and we had a large number of people in Europe that use our product. The users of our product, their private data actually gets collected as well, so we had to figure out a way to actually go in and literally find the needle in a haystack, and that goes back beyond any data that’s even just live, that’s all of the copies of that data, there is literally no one blanketed way to solve that problem, it will really come down to data classification, and I know that’s an umbrella term, but whatever that means for your organization, some people are small and nimble and they could potentially have a separate database for all of those users with different web endpoints where they house things in different regions thanks to the Cloud, and completely separate out those types of users. But when you talk about state level, that becomes much, much more difficult.

23:22 Matthew D. Edwards: That makes sense, GDPR. So a lot of these communities that we’re talking about right now may actually be domestic US, and they may have extensions down into Canada or Mexico, for example, but it could very well be that some of these organizations have international footprints outside this particular continent. Those are good considerations, good call out.

23:46 Xavier Johnson: And even if you look at New York and California, the way that they’re moving with their data privacy laws. They’re gonna have state level versions of GDPR, very soon, if not this decade… I can’t imagine it not happening this decade actually, it will be a problem that we have to solve as a community on the domestic level of data classification. And it’s a good problem to solve, a lot of people who get into HIPAA compliance should already have a strong data classification program because of… It’s not a requirement, but that’s something, that’s a huge consideration that I’ll be honest with you, I didn’t even think about.

24:27 Matthew D. Edwards: That’s a good one though. So the net on this conversation on data, guys, I think what I’ve understood for you is, understand your points of origin, understand your traffic and demand capability, have the ability to receive it and store it and encrypt everything, encrypt everything. But then on the tail of that, you have to have the ability to honor and obey, be compliant with, if you will, privacy laws along the way, which is, “Hey, I know it’s encrypted, I know you have all the stuff on my dad. Now, I want you to show me what you have, now I want you to remove it please.” And so state by state privacy laws, big deal. So if you’re an organization that has different types of data, you need a data classification plan, and if you’re an organization that has different types of data in different states, it’s even more important to have a data classification plan. So this is no plug and play job, this is not order 50 IoT devices from company 12, plug them into the net and I’m a rock star, and now I have marketing materials. There needs to be a plan or you’re gonna be in the paper for all the wrong reasons.

25:39 Matthew D. Edwards: So in terms of being in the paper for all the wrong reasons, let’s talk about exploitation. Nick, from your perspective on the work that you do nowadays, your responsibility is to see attack vectors, and assess the quality of a solution that’s being proposed, assess the method of securing and attacking it and destroying it. And similarly, Xavier, your responsibility among other things is, you’re hired to just go into various situations, and ethically and responsibly and above board, take it down. So I have questions for both of you, and I’d love to hear from both of you guys on this, but Nick, would you start us off on exploitation of the systems, if you were responsible to go into any of these senior living communities who’ve recently adopted and implemented large Internet of Things device networks, or remote monitoring networks, if you will, managing geofencing and personal data, and all of that. And your responsibility was to prove to them, “Hey, this is secure, or is not secure, and here’s how it’s not secure.” Where would you be inclined to start?

27:00 Nicholas Starke: Sure. So, I think the logical place to start in this type of assessment is to define a threat model, right? Define all the attack vectors that could be used against whatever system you’re evaluating, and then just go through each one of those, and see if you can attack it in that manner. So, securing IoT devices is more difficult than securing regular systems. A lot of times, because fewer protections are built in place on the IoT device, whether it be because the manufacturer didn’t spend enough money to build security into it, or there were problems along the assembly.

27:39 Nicholas Starke: So, with the addition of more security problems, you’re gonna have more attack surface, and there’s gonna be more ways to attack these devices. I would start by individually looking at the devices that are on the network, or attached to the hub, if you will, and just try my normal tools, to see if I can get into them. One of the things I wanna call out here, part of the threat model is going to include the patients themselves, right? You know, whether they don’t wanna be tracked, and they break the device on their own, or they try to get into it to manipulate the data that goes over the wire. The patients themselves are going to be part of the threat model, part of the attack surface that is part of the system.

28:34 Matthew D. Edwards: That makes sense. I hadn’t considered that. So when you’re considering all of the different ways to penetrate or manipulate the system, it needs to be all devices or all points of origin, and some of those points of origin are actually our elders, or parents, or our family members themselves. Not because, perhaps, most of them desire to do bad things, but rather they might not favor the circumstance, and have some particular opinions, and that could compromise the data, or the equipment. I can certainly see myself doing things just to mess with data analytics people, and making repetitive trips to illogical places, just to create heat maps that don’t make any sense. I think that’d be hilarious.

29:17 Nicholas Starke: Or that could be accidental too. That could be a factor, as well.

30:21 Matthew D. Edwards: Sure. That’s a real good call out, is, the threat model has to exist, and that threat model has to include all points of contact. It doesn’t mean you’re labeling granddad as a bad guy, but you have to consider granddad as a point of origin for data. Therefore, how do we make sure it’s good data and secure data? I hadn’t thought of that one. Xavier, if you were to walk into the situation and your responsibility was to prove, or disprove, or enable more secure solutioning, what do you consider to be some interesting approach points?

30:03 Xavier Johnson: I love Internet of Things. Internet of Things is, in my mind, mobility, right? It allows us to be able to stay highly mobile, and collect different things from other things. And there is an entire network that we… It’s a new network, that we have never really seen before, so much so that we’ve had to make new IP addresses for them. And we’re on the very front edge of this. And so, for IoT, I would attack it like I would every other high-mobility system. Radio? So, there’s gonna have to be some kind of GPS, if not cellular, if not Bluetooth, if not Wi-Fi. Because you’re not gonna run miles and miles of copper, right? So, radio. So, I will probably start there. And then, if I was able to get a foothold, let’s say, from radio, I would see if there was a way for me to send endpoint to endpoint communications, because there’s probably a whole other layer of SD Care API communications that could only happen on that route, machine to machine. So then, you have the potential for a worm, over wireless. And then, if I wanted to attack it from, let’s say, the server side, well, I know hardware folks aren’t the best at software, and software folks aren’t the best at hardware. And so, being able to…

31:37 Matthew D. Edwards: They would all disagree with you, in all of the directions, right now.

31:37 Xavier Johnson: Love IoT.

31:38 Xavier Johnson: So, we’re talking about potentially having… Most likely, having RESTful endpoints that have some type of authentication, most likely OAuth or SAML. Things that we see and that we know, right? And that we know how it could be misconfigured, and we’re trying to, from the server side, trick… Send commands to endpoints, right? So, there’s this wireless side, there’s this management API angle, there’s this machine-to-machine angle. And then, my end goal is… If I’m proving the point, and this is a controlled environment, because I would never want to do this in real life, I would try and demonstrate how ransomware would work… Kind of a ransomware worm, I get one endpoint from a mile away, using my radio. I get one endpoint a mile away, and that thing is a worm, and it goes into a community that may have three or four different systems, and compromise all of those systems, using just one rogue trojan.

32:45 Xavier Johnson: These are things that we have to think about, because we’re putting a lot of compute, potentially, into a bracelet, necklace. We’re already carrying them around in our pocket… And we have to treat it the same way, because if I can send bad packets over cellular, just to mobile phones, we have the same risk. So, we’ve seen these problems, and we know how to address them. But these are the things that I would test for, to make sure that they have been addressed, because most of the time, the things that I test, it’s not like they’re zero days, they’re often 900 and some odd days.

33:21 Matthew D. Edwards: So you mentioned earlier endpoints, so the idea of endpoint security may or may not be something that all of the technology shops and CTOs, CISOs, and senior living communities are aware of, if they haven’t had to play with an API-driven platform or Cloud solution, can you expound a little bit on that as well, and as well as you, Nick, as it relates to if IoT and then platforms or Cloud ecosystems or endpoints, what does that mean to them? How are they gonna make use of it? And some of the implications it sounds like it’s an attack vector?

34:04 Xavier Johnson: I’d say agents, agents are our current way to approach endpoint security, having an agent on the endpoint, it’s gonna create overhead always, so that’ll need to go into the spec, maybe this agent is maintained by the actual provider of the hardware, as kind of a selling point, I’m not 100% sure. These are just ideals. But I would say that that’s the current day way to approach it, I think the next gen way to approach it would be more potentially agent and combined with something that looks at the network traffic, something that happens upstream to actually block known bad activities on the network level or activities that aren’t whitelisted. If you know that this thing is only supposed to do one of 100 interactions, the moment it gets action 101, smack it down and say, “Hey, do you know that this is happening? Is this something that you wanna add as an action?” Because those protections upstream are probably gonna be what allows for these endpoints to not just continuously get DoSed and knocked offline. ‘Cause at a point we’re dealing with small bit compute up against a world of hurt. Also segmentation and having these things away from the public where they could potentially be tampered with to begin with. And start there, too.

35:32 Matthew D. Edwards: I think that we’re probably talking about a platform-based conversation, one main platform, one platform, very many different vendors, vendor classes, device classes, all of that, is probably its own deep and wide conversation, and we’re just glossing over the top of it to say, “Hey, it’s a thing, you need to know about the thing.” But Nick what are your thoughts on that in terms of implementing Clouds and platforms and all of these endpoints, it looks like a giant bowl of spaghetti.

36:03 Nicholas Starke: Sure, so I don’t know too much about endpoint security, but I’ll talk about a few things I do know. One is, you’re gonna want to purchase a solution from a vendor, I don’t know which vendor is the best this week, but there’s a lot of vendors in this space and you’re gonna wanna go with one of them, you’re not gonna wanna try to roll your own. The other thing I know is that you’re going to need a person to manage that solution, basically as a full-time job, if not a whole team of people to manage it, depending on how large the network is. So there’s personnel involved in rolling out an endpoint protection solution. Really, that’s all I know about it. So I’ll…

36:48 Matthew D. Edwards: But part of what I think you’re suggesting is that the Cloud platform itself is its own conversation. And so if you’re gonna have, more or less you’re saying, you can roll your own, but why? It makes more sense to go find ecosystems that already exist and put those together, I think is where you’re heading, as opposed to let me custom wrap all of the things on my own.

37:18 Xavier Johnson: It’d be nice if it was open source, so that when I get bored, I can go play with it as an attacker, I can think about it as a DevOps guy, think about it as a system admin, I can think about it as a software engineer, so I can make it better more than likely, but if you black box it, then I have to go through HR, I don’t wanna go through HR. So if we can move some of this stuff that’s gonna matter to us in the future, because let’s be real, we will have this technology while we’re still young and able. Let’s make sure that we formed the right mentality, let’s not just make it a black box, let’s try and get this as open as possible so that we know that our grandkids and great grandkids are doing right by us, hopefully.

38:12 Matthew D. Edwards: Did you have anything you’d like to add on top of that Nick?

38:17 Nicholas Starke: In my experience, yeah, open source is such a great way to go, but I have this conflicting idea in my mind that when it comes to the actual devices that are being deployed to our elders, I almost wanna say, lock down that firmware that goes on those devices, don’t make that open source. Don’t even make that public. Make that very, very hard to come by. I think that from my perspective, if I can get access to the firmware of a device, I can get into the device. So I think firmware security is a very, very important topic when it comes to discussing the security of the actual device, and it’s not so much on the Cloud platform, but the devices themselves. And I know that flies in the face of the idea of open source, I don’t really have a way of reconciling that cognitive dissonance there, it’s just, in my experience, that’s been a big attack vector.

39:18 Matthew D. Edwards: That’s your job though, from your perspective, if you can get the firmware it’s over.

39:21 Xavier Johnson: And I’ll be honest Nicholas, I’m probably still gonna get the firmware.

39:28 Nicholas Starke: Yeah, that’s true. Even if you don’t have it on a website somewhere, you can always desolder it, the eMMC chip, off the board and dump it there.

39:36 Xavier Johnson: I would probably do the logic analyzer route, talking to ones and zeros, get really ugly looking code and assemble a really ugly looking C. But you know what’ll stay the same? That API key. So it makes sense to… That upstream, no matter what, that Cloud platform, that platform that we’re talking about has to be hardened, has to be prepared for that kind of attack, as to make it harder for me and not just, “Oh yes, a key.” Has to have something else too, something that’s only generated at boot that I have to literally tap into the boot sequence of the device to go and steal the key, and it’s new every time. Has to be something that’s out of this world for it to be truly secure on the endpoint level, so it will have to happen on a layered approach, it will have to happen at the network. It will have every layer of the OSI model basically. There will have to be some kind of account for this, otherwise, I’ll be honest, I’m uncomfortable if we don’t at least get seven of those controls in there.

40:43 Matthew D. Edwards: Fair enough. Well if you would, I quite enjoyed this conversation with you gentlemen, and I very much value you taking the time out of your schedules to talk with us about these things. We think that the senior living community in particular, as are very many other industries, is at the front end of adopting Internet of Things technology devices, and the devices have matured very, very much through the years. Predictive analytics predicting a fall is a very big deal, but in order to predict a fall, there must be gait analysis, to have gait analysis there must be data, to be data there has to be full-time collection so that only through time can you understand patterns, and then predict variances from those patterns. And that’s only one example of the inclusion of this technology in the senior living community. Now multiply that by every room in a senior living community, in every building, on every floor for every resident, and now add multiple layers of other devices over the top. If you’d allow me, some of the summary ideas that I believe that we’ve talked about today, and I think this brings us to a good close in this conversation so far: you need to have a plan.

42:06 Matthew D. Edwards: If you are an administrator, a C-Suite leader in any way, shape or form of a senior living community, and you need to address nursing shortages, you need to address having to re-architect based on COVID, you need to address a surge in residents, or elders, or folks who are in your care. If you would like to adopt Internet of Things technology solutions, you need a plan, and that plan is not something that’ll be solved on Saturday with pizza and Mountain Dew, it’s not something that’ll be solved at Starbucks with too much espresso, it’s something that requires you to recognize it’s an entire ecosystem, an entire plan, it’s an entire team and it’s an entire set of training and learning. The devices themselves need to be secure and compliant, where you’re going to put the data. There needs to be a plan for how you get it, how you’re available, how you secure it, how are you compliant with privacy?

43:06 Matthew D. Edwards: They’re going to attach to something else larger, called a platform up in the sky basically, a Cloud-based platform, unless you’re gonna build all that stuff in your house, which I can tell you based on our own experience, building platforms for other companies. The unprofessional indirect or direct answer is “No, just don’t do it.” The recommendation would be, use systems that are already out there, public cloud solutions, private cloud solutions, but get platforms that exist that are secure and you can connect all of your things up to that, and then after you have the data, the compliance, the devices, you’re still talking about all of the ways people could attack you, and it could be through employees, through the elders on the premises. It’s a big deal for companies that haven’t put together information security plans or privacy plans yet.

44:54 Matthew D. Edwards: Please do. For those that already have them, you’re going to have to put an entire next chapter, a giant chapter, onto your plans, because Internet of Things changes the way your organization operates, and what we’ve learned from Nick Starke and Xavier Johnson this morning in our conversations is… In our very short time together, we’ve only scratched just such a small part of the large surface of what should you get? How do you get it? How do you implement it? How do you service and secure it? And above all else, take the time to go talk to folks who are above board, professional, ethical people, who can tell you the top five ways that you’ve overlooked and you still need to secure your ecosystem, because there are so many moving parts. Think about this, and this would be our closing thought for the day, if I put 10 or 50 different monitoring devices into one room, for one resident, and I have 500 rooms, and I have 10 buildings, and I own 10 campuses across the US. And then I tell you, “Are you collecting data on my dad? Show me what data you have, and now get rid of it.” How are you going to prepare for all of those things? It’s not on Saturday, it’s going to be through months and years of work and it’s gonna be on purpose with on-purpose people and solutions.

45:34 Matthew D. Edwards: Xavier, Nick, thank you very, very much for taking the time to talk with us and teach us today, it is much valued, much appreciated. And I look forward to questions that we’re gonna get, and I look forward to talking with you guys again in the near future. Thank you.

45:49 Xavier Johnson: Thank you Matthew.

45:49 Nicholas Starke: Thank you.