The healthcare industry is teeming with unstructured data–data that is often extremely sensitive. For CISO Bill Dougherty at Omada Health, protecting this data takes organization, tact, and creativity.
Omada Health is a digital health company that specializes in the prevention and treatment of chronic diseases (primarily type 2 diabetes, hypertension, and musculoskeletal issues). This is accomplished through their smartphone applications, where patients can track their progress and receive access to personal health coaches and specialists. Machine learning helps Omada intervene with patients and help them manage chronic conditions.
It’s a noble cause, propelled forward by both structured and unstructured patient data.
On October 26, Virtru CMO Matt Howard spoke with Omada Health CISO Bill Dougherty to unpack his thoughts on the nature of this data, its governance, and the future of cybersecurity. Here are a few key points from our sit-down with Dougherty. You can also view the full interview for free on demand.
While the world was likely headed to a cloud-based infrastructure regardless, the pandemic catapulted businesses into the cloud out of necessity.
At Omada Health, the same is true—and while many businesses may be reticent to migrate to the cloud for lack of trust, Dougherty explains the inverse. After shifting to a remote-first work model, they closed down a few of their offices, leaving one remaining.
“We designed it in the last year and a half to operate as a co-working space, which means from a security perspective, this is an untrusted office,” said Dougherty. “The network here is no different than the network at an employee's house, or at a Starbucks, or anything else. From a security perspective, we don't trust this network. So my perimeter is now out in the cloud.”
Despite being vigilant to protect his company’s sensitive data in the cloud, Dougherty, like many Virtru Voice of the Customer Panelists, doesn’t fully identify with the term Zero Trust. To him, it’s not descriptive of what security professionals are really trying to accomplish, in contrast to the way things used to be done.
“It's not that we don't trust people or trust other entities; it's the way you approach your computer, and your perimeters, and things like that,” said Dougherty. “In the old traditional world, we assumed that if you're on the internal network, you must be OK. And that was never a good strategy. You had a hardened exterior and a wide-open interior, and you're relying on things like your physical security controls to prevent somebody from plugging into your network. Well, now I don't have a network. And so what you replace that with is a set of controls on your users and your devices to make sure that you don't inherently trust them. You're authenticating them every time. So it's not Zero Trust, but it is kind of a more controlled, or a better-controlled, area where we've pushed the boundary down.”
John Kindervag’s concept of Zero Trust aims to reframe the focus of cybersecurity to the data itself—instead of solely the networks, endpoints, devices, and so on. Dougherty agrees with that in the general sense.
“Generally speaking, yes. I think the data is the thing you're trying to protect,” Dougherty said. “My laptop has no inherent value to it. It's a $2,000 device. Who cares? A health record has a ton of inherent value.”
To Dougherty, the key to protecting data is to have a clear understanding of its nature. As mentioned, Omada is the steward for high volumes of Protected Health Information (PHI). They have a diverse collection of data to protect, including customer data, member data, internal corporate data, finances, and then low-priority data like digital sticky notes. Organizing it all hinges on having a clear system that prioritizes protections for sensitive information.
“You have to classify and inventory your data—that is the asset you're trying to protect—and then apply policies to that. And so I do not put the same policies on digital sticky notes as I do on protected health information.”
On policies, Dougherty explains that data can’t be fundamentally changed to be more secure: We can only modify access controls on a granular level to enact the access that we need.
“If I'm a bank vault and I'm trying to protect bars of gold, then I put layers of security around that. But... if you get it through all those layers, the bar gold is still sitting there,” said Dougherty. “And so you define your data, and you define the assets you want to protect and the policies you want to apply to each of those. But you apply those policies to all the things surrounding the data. And that can be your access, that can be your identity, can be whether or not you trust devices, network policy, legal policy, insurance policy. All of that applies to these things you're trying to protect.”
But what about the world outside of the bank vault? For cloud-centric Omada, their business model relies on trusting SaaS applications to store their data. And this is true for almost all businesses: Industry-standard software is no longer opt-in. We need SaaS to keep up with the market and improve services. So, how do we reconcile these needs?
Dougherty states: The world is not inherently Zero Trust. So it’s up to us to enforce it for our data.
“I can assess [a SaaS provider’s] security controls, and make sure they meet my standards. I can put contractual teeth in into the relationship in terms of liability, indemnity, things like that. We can audit them, but we have to understand that we're all in this boat together,” said Dougherty. “The other thing I can apply is Zero Trust concepts to the access to that tool. So we use single sign-on, we apply multifactor to it. We also use device certificates and geofence them and do other things. So in order to log into one of my sensitive SaaS applications, you must be on a device we provisioned, that we trust, because it's got our certificate on it. You must authenticate using credentials we provided with multifactor. You must be on an IP range that we trust.”
Trust is foundational for Omada’s business model. It’s at the core of what they do, and it comes in many different forms.
“We are doing behavior change,” said Dougherty. “If you want to provide treatment for somebody who has Type II Diabetes, what you're really doing is trying to get them to change their behavior around food, exercise, taking their medication, things like that. And if you do that, you can make them healthier. And in order to get access to those patients, our customers have to trust that we have good security controls.”
Omada has a lot on its shoulders: To help people improve their health, they need to build trust with their customers, and one way of building that trust is safely handling member data. Every day they foster trust through their security practices. That means finding creative ways to safeguard data in a world of risk, particularly when it comes to the SaaS providers they must use to fulfill their mission.
“I have a team of people under me that their whole job is third-party trust,” explains Dougherty. “But for me, it's actually fourth-party, fifth-party, sixth-party trust because my customers are trusting me with their data. I am then trusting a variety of service providers with that data as well.”
Dougherty explains that it’s essential to investigate the practices of all third parties that you entrust with your data.
“I think that when you go beyond the big providers, you now have to really dig in more carefully into, what are their security practices? Are they investing in security? Is it something that is considered strategic to the company and are they doing what they say they will do?”
Sometimes, there’s a functional necessity to use third-party software, even if you don’t fully trust the provider. And when trust isn’t there, you have to take matters into your own hands by having a toolkit of strategies and data protection tools that protect your data wherever it goes.
For Omada, Virtru is just one tool in a long list that enables them to utilize industry-standard tools without sacrificing privacy or security.
“[What] I liked about Virtru was the data never flows to [Virtru]. It's all client-side. You're just providing the ability to encrypt it and the ability to decrypt it,” said Dougherty. “You then become another hammer or drill in my toolkit to say, 'Hey, can I apply Virtru in a specific use case to a specific vendor or a specific partner to add a layer of security when I don't trust them?'”
For example, Omada’s clinical staff needs a place where they can collaborate on a patient or a product. Google Drive is the best collaboration tool for their workflow, but because of security concerns, it’s not allowed at the company. With Virtru’s encrypted document plugin, the clinical staff is able to find a workaround that allows them to use Google Drive but still maintain Omada’s high standard of data security.
“I can use a best-in-class collaboration tool but I don't have to trust the provider of IT with this most sensitive type of information,” said Dougherty. “And I don't have to trust Virtru either. All I'll have to trust is that you are encrypting [data] and decrypting it appropriately.”
For free, you can watch the rest of this webinar on demand. With Dougherty, we discuss the state of cybersecurity in the news, and the future of encryption.
Contact us to learn more about our partnership opportunities.