John Frushour, New York-Presbyterian | Splunk .conf19


>>Announcer: Live from Las Vegas it’s theCUBE covering Splunk.Conf19. Brought to you by Splunk.>>Okay, welcome back everyone it’s theCUBE’s live coverage here in Las Vegas for Splunk.Conf19. I am John Furrier host of theCUBE. It’s the 10th Anniversary of
Splunk’s .Conf user conference. Our 7th year covering it. It’s been quite a ride, what a wave. Splunk keeps getting stronger and better, adding more features, and has really become a powerhouse from a third party security standpoint. We got a CISO in theCUBE on theCUBE today. Chief Information Security, John Frushour Deputy Chief (mumbles) New York-Presbyterian The Award Winner from the Data to Everywhere Award winner, welcome by theCube.>>Thank you, thank you.>>So first of all, what
is the award that you won? I missed the keynotes, I was working on a story this morning.>>Frushour: Sure, sure.>>What’s the award?>>Yeah, the Data Everything
award is really celebrating using Splunk kind of outside
its traditional use case, you know I’m a security professional. We use Splunk. We’re a Splunk Enterprise
Security customer. That’s kind of our daily duty. That’s our primary use case
for Splunk, but you know, New York Presbyterian
developed the system to track narcotic diversion. We call it our medication
analytics platform and we’re using Splunk to
track opioid diversion, slash narcotic diversions, same term, across our enterprise. So, looking for improper
prescription usage, over prescription, under prescription, prescribing for deceased patients, prescribing for patients that you’ve never seen before, superman problems like taking one pill out of the drawer
every time for the last thirty times to build up a stash. You know, not resupplying
a cabinet when you should have thirty pills
and you only see fifteen. What happened there? Everything’s data. It’s data everything. And so we use this data to
try to solve this problem.>>So that’s (mumbles) that’s great usage we’ll find the drugs, I’m going to work hard for it. But that’s just an insider
threat kind of concept.>>Frushour: Absolutely.>>As a CISO, you know,
security’s obviously paramount. What’s changed the most? ‘Cause look at, I mean, just looking at Splunk over the past seven years, log files, now you got cloud native
tracing, all the KPI’s,>>Frushour: Sure.>>You now have massive
volumes of data coming in. You got core business
operations with IoT things all instrumental.>>Sure, sure.>>As a security officer, that’s
a pretty big surface area.>>Yeah.>>How do you look at that? What’s your philosophy on that?>>You know, a lot of what
we do, and my boss, the CISO (mumbles) we look at is endpoint protection and really driving down
to that smaller element of what we complete and control. I mean, ten, fifteen years ago information security
was all about perimeter control, so you’ve got firewalls, defense in depth models. I have a firewall, I have a proxy, I have an endpoint solution, I have an AV, I have some type of data
redaction capability, data masking, data labeling capability, and I think we’ve seen... I don’t think security’s changed. I hear a lot of people say, “Oh, well, information security’s so much different nowadays.” No, you know, I’m a military guy. I don’t think anything’s changed, I think the target changed. And I think the target
moved from the perimeter to the endpoint. And so we’re very
focused on user behavior. We’re very focused on endpoint agents and what people are doing on their individual machines that could cause a risk. We’re entitling and providing privilege to end users today that twenty years ago we
would’ve never granted. You know, there was a few
people with the keys to the kingdom, and inside the castle keep. Nowadays everybody’s got an admin account and everybody’s got
some level of privilege. And it’s the endpoint, it’s the individual that we’re most focused on, making sure that they’re safe and they can operate effectively in hospitals.>>Interviewer: What
are some of the tactical things that have changed? Obviously, the endpoint obviously shifted, so some tactics have to
change probably again. Operationally, you still got
to solve the same problem: attacks, insider threats, etc.>>Frushour: Yeah.>>What are the tactics? What new tactics have emerged that are critical to you guys?>>Yeah, that’s a tough question, I mean has really anything changed? Is the game really the game? Is the con really the same con? You look at, you know, titans of security and think about guys
like Kevin Mitnick that pioneered, you know,
social engineering and this sort of stuff, and really… It’s really just convincing a human to do something that they shouldn’t do, right?>>Interviewer: Yeah.>>I mean you can read
all these books about phone phreaking and going in and convincing the administrative assistant that you’re just late for meeting and you need to get in through that special door to get in that special room, and bingo. Then you’re in a telco
closet, and you know, you’ve got access. Nowadays, you don’t have to walk into that same administrative assistant’s desk and convince ’em that you’re
just late for the meeting. You can send a phishing email. So the tactics, I think,
have changed to be more personal and more direct. The phishing emails, the
spear phishing emails, I mean, we’re a large
healthcare institution. We get hit with those types of target attacks every day. They come via mobile device, they come via the phishing emails. Look at the Google Play store. Just, I think, in the
last month has had two apps that have had some
type of backdoor or malicious content in
them that got through the app store and got onto people’s phones. We had to pull that off people’s phones, which wasn’t pretty.>>Interviewer: Yeah.>>But I think it’s the same game. It’s the same con to
convince humans to do stuff that they’re not supposed to do. But the delivery mechanism, the tactical delivery’s changed.>>Interviewer: How is Splunk involved? Cause I’ve always been
a big fan of Splunk. People who know me know
that I’ve pretty much been a fan boy. The way they handle large amounts of data, log files, (mumbles)>>Frushour: Sure.>>and then expand out into other areas. People love to use Splunk
to bring in their data, and to bring it into, I hate to use the word
data lake, but I mean, just getting…>>Yeah.>>the control of the data. How is data used now in your world? Because you got a lot of things going on. You got healthcare, IoT, people.>>Frushour: Sure, sure.>>I mean lives are on the line.>>Frushour: Lives are on the line, yeah.>>And there’s things
you got to be aware of and data’s key. What is your approach?>>Well first I’m going to
shamelessly plug a quote I heard from (mumbles) this week, who leads the security practice. She said that data is the oxygen of AI, and I just, I love that quote. I think that’s just a fantastic line. Data’s the oxygen of AI. I wish I’d come up with
it myself, but now I owe her a royalty fee. I think you could probably
extend that and say data is the lifeline of Splunk. So, if you think about a use case like our medication analytics platform, we’re bringing in data sources from our time clock system, our multi-factor authentication system, our remote access desktop system. Logs from our electronic
medical records system, logs from the cabinets
that hold the narcotics that every time you open the door, you know, a log then is created. So, we’re bringing in
kind of everything that you would need to see. Aside from doing something with actual video cameras and tracking people in some augmented reality matrix whatever, we’ve got all the data
sources to really pin down all the data that
we need to pin down, “Okay, Nurse Sally, you know,
you opened that cabinet on that day on your shift
after you authenticated and pulled out this much
Oxy and distributed it to this patient.” I mean, we have a full picture and chain of everything.>>Full supply chain of everything.>>We can see everything that happens and with every new data
source that’s out there, the beauty of Splunk is you just add it to Splunk. I mean, the Splunk handles structured and unstructured data. Splunk handles syslog feeds and JSON feeds, and there’s, I mean there’s
just, it doesn’t matter. You can just add that stream to Splunk, enrich those events that
were reported today. We have another solution which we call the privacy platform. Really built for our privacy team. And in that scenario, kind
of the same data sets. We’re looking at time
cards, we’re looking at authentication, we’re
looking at access and you visited this website via this proxy on this day, but the
information from the EMR is very critical because
we’re watching for people that open patient records when they’re not supposed to. We’re the number five
hospital in the country. We’re the number one hospital
in the state of New York. We have a large (mumbles) of very important people
that are our patients and people want to see those records. And so the privacy platform is designed to get audit trails for
looking at all that stuff and saying, “Hey, Nurse
Sally, we just saw that you looked at patient Billy’s record. That’s not good. Let’s investigate.” We have about thirty
use cases for privacy.>>Interviewer: So it’s
not in context of what she’s doing, that’s
where the data come in?>>That’s where the data come
in, I mean, it’s advanced. Nurse Sally opens up the EMR and looks at patient Billy’s record, maybe patient Billy wasn’t on the chart, or patient Billy is a VIP, or patient Billy is, for whatever reason, not supposed to be on that docket for that nurse, on that schedule for that nurse, we’re going to get an alarm. The privacy team’s going to go, “Oh, well, were they supposed
to look at that record?” I’m just giving you, kind of,
like two or three use cases, but there’s about thirty of them.>>Yeah, sure, I mean, celebrities whether it’s Donald
Trump who probably went there at some point. Everyone wants to get
his taxes and records to just general patient care.>>Just general patient care. Yeah, exactly, and the privacy
of our patients is paramount. I mean, especially in
this digital age where, like we talked about earlier, everyone’s going after making a human do something silly, right? We want to ensure that
our humans, our nurses, our best in class patient
care professionals are not doing something
with your record that they’re not supposed to.>>Interviewer: Well
John, I want to hear your thoughts on this story
I did a couple weeks ago called the Industrial
IoT Apocalypse: Now or Later? And the provocative story
was simply trying to raise awareness that
malware and spear phishing is just tactics for that. Endpoint is critical, obviously.>>Sure.>>You pointed that out,
everyone kind of knows that.>>Sure.>>But until someone dies, until there’s a catastrophe
where you can take over physical equipment, whether it’s a self-driving bus,>>Frushour: Yeah.>>Or go into a hospital
and not just do ransomware,>>Frushour: Absolutely.>>Actually using industrial
equipment to kill people.>>Sure.>>Interviewer: To cause a lot of harm.>>Right.>>This is an industrial,
kind of the hacking kind of mindset. There’s a lot of conversations going on, not enough mainstream conversations, but some of the top people
are talking about this. This is kind of a concern. What’s your view on this? Is it something that needs
to be talked about more of? Is it just BS? Should it be… Is there any signal there
that’s worth talking about around protecting the physical things that are attached to them?>>Oh, absolutely, I mean this is a huge, huge
area of interest for us. Medical device security
at New York Presbyterian, we have anywhere from about eighty to ninety thousand endpoints
across the enterprise. Every ICU room in our
organization has about seven to ten connected
devices in the ICU room. From infusion pumps to
intubation machines to heart rate monitors and SPO2
monitors, all this stuff.>>Interviewer: All IP and connected.>>All connected, right. The policy or the medium in which they’re connected changes. Some are ZP and Bluetooth
and hard line and WiFi, and we’ve got all these
different protocols that they use to connect. We buy biomedical
devices at volume, right? And biomedical devices have a long path towards FDA certification,
so a lot of the time they’re designed years
before they’re fielded. And when they’re fielded,
they come out and the device manufacturer says, “Alright, we’ve got this new widget. It’s going to, you know, save
lives, it’s a great widget. It uses this protocol called TLS 1.0.” And as a security professional
I’m sitting there going, “Really?” Like, I’m not buying that but that’s kind of the only game, that’s the only widget that I can buy because that’s the only widget that does that particular function and, you know, it was made. So, this is a huge problem for us is endpoint device security, ensuring there’s no vulnerabilities, ensuring we’re not
increasing our risk profile by adding these devices to our network and endangering our patients. So it’s a huge area.>>And also compatible to
what you guys are thinking. Like I could imagine,
like, why would you want a multi-threaded processor on a light bulb?>>Frushour: Yeah.>>I mean, scope it down, turn it on, turn it off.>>Frushour: Scope it down
for its intended purpose, yeah, I mean, FDA
certification is all about if the device performs its intended function. But, so we’ve, you know,
we really leaned forward, our CSO has really leaned forward with initiatives like the SBOM. He’s working closely
with the FDA to develop kind of a set of baseline standards. Ports and protocols,
software and services. It uses these libraries, it talks to these servers in this country. And then we have this
portfolio that a security professional would say, “Okay, I accept that risk. That’s okay, I’ll put that
on my network moving on.” But this is absolutely
a huge area of concern for us, and as we get
more connected we are very, very leaning forward on telehealth and delivering a great
patient experience from a mobile device, a phone, a tablet. That type of delivery mechanism spawns all kinds of privacy concerns, and interoperability
concerns with protocol.>>What’s protected.>>Exactly.>>That’s good, I love to
follow up with you on that. Something we can double down on. But while we’re here this morning I want to get back to data.>>Frushour: Sure.>>Thank you, by the way,
for sharing that insight. Something I think’s really important, industrial IoT protection. Diverse data is really feeds a lot of great machine learning. You’re only as good as your
next blind spot, right? And when you’re doing pattern
recognition by using data.>>Frushour: Absolutely.>>So data is data, right? You know, telecraft, other data. Mixing data could
actually be a good thing.>>Frushour: Sure, sure.>>Most professionals would agree to that. How do you look at diverse data? Because in healthcare there’s
two schools of thought. There’s the old, HIPAA. “We don’t share anything.” That client privacy, you mentioned that, to full sharing to get
the maximum out of the AI or machine learning.>>Sure.>>How are you guys looking
at that data, diverse data, the sharing? Cause in security
sharing’s good too, right?>>Sure, sure, sure.>>What’s your thoughts on sharing data?>>I mean sharing data
across our institutions, which we have great relationships with, in New York is very fluid
at New York Presbyterian. We’re a large healthcare
conglomerate with a lot of disparate hospitals
that came as a result of partnership and acquisition. They don’t all use the same electronic health record system. I think right now we have seven in play and we’re converging down to one. But that’s a lot of data sharing that we have to focus on between
seven different EHRs. A patient could move from
one institution to the next for a specialty procedure,
and you got to make sure that their data goes with them.>>Yeah.>>So I think we’re pretty, we’re pretty decent at
sharing the data when it needs to be shared. It’s the other part of your question about artificial intelligence, really I go back to like
medication analytics. A large part of the
medication analytics platform that we designed does a
lot of anomaly detections, anomaly detection on diversion. So if we see that, let’s say you’re, you know, a physician and you do knee surgeries. I’m just making this up. I am not a clinician,
so we’re going to hear a lot of stupidity here, but bear with me. So you do knee surgeries, and you do knee surgeries
once a day, every day, Monday through Friday, right? And after that knee surgery, which you do every day in cyclical form, you prescribe two thousand
milligrams of Vicodin. That’s your standard. And doctors, you know, they’re humans. Humans are built on patterns. That’s your pattern. Two thousand milligrams. That’s worked for you;
that’s what you prescribe. But all of a sudden on Saturday, a day that you’ve never
done a knee surgery in your life for the last twenty years, you all of a sudden
perform a very invasive knee surgery procedure that apparently had a lot of complications
because the duration of the procedure was
way outside the bounds of all the other procedures. And if you’re kind of
a math geek right now you’re probably thinking, “I see where he’s going with this.”>>Interviewer: Yeah.>>Because you just become an anomaly. And then maybe you prescribe ten thousand milligrams of Vicodin on that day. A procedure outside of your schedule with a prescription history
that we’ve never seen before, that’s the beauty of
funneling this data into Splunk’s ML Toolkit. And then visualizing that. I love the 3D visualization, right? Because anybody can see like, “Okay, all this stuff, the
school of fish here is safe, but these I’ve got to focus on.”>>Interviewer: Yeah.>>Right? And so we put
that into the ML Toolkit and then we can see, “Okay, Dr. X..” We have ten thousand, a
little over ten thousand physicians across New York Presbyterian. Doctor X right over here, that does not look like
a normal prescriptive scenario as the rest of their baseline. And we can tweak this and
we can change precision and we can change accuracy. We can move all this stuff around and say, “Well, let’s just look
on medical record number, let’s just focus on procedure type, let’s focus on campus location. What did they prescribe
from a different campus?” That’s anomalous. So that is huge for us,
using the ML Toolkit to look at those anomalies and then drive the privacy team, the risk teams, the pharmacy analytics teams to say, “Oh, I need to go investigate.”>>So, that’s a lot of
heavy lifting for ya? Let you guys look at data
that you need to look at.>>Absolutely.>>Give ya a (mumbles). Final question, Splunk, in general, you’re happy with these guys? Obviously, they do a
big part of your data. What should people know
about Splunk 2019, this year? And are you happy with them?>>Oh, I mean Splunk has
been a great partner to New York Presbyterian. We’ve done so much incredible
development work with them, and really, what I like
to talk about is Splunk for healthcare. You know, we’ve created, we
saw some really important problems in our space, in this article. But, we’re looking, we’re
leaning really far forward into things like risk based
analysis, peri-op services. We’ve got a microbial stewardship program, that we’re looking at
developing into Splunk, so we can watch that. That’s a huge, I wouldn’t
say as big of a crisis as the opioid epidemic,
but an equally important crisis to medical professionals
across this country. And, these are all solvable
problems, this is just data. Right? These are just events that
happen in different systems. If we can get that into Splunk,
we can cease the archaic practice of looking at spreadsheets, and look up tables and
people spending days to find one thing to investigate. Splunk’s been a great partner to us. The tool it has been fantastic
in helping us in our journey to provide best in-class patient care.>>Well, congratulations,
John Frushour, Deputy Chief Information Security Officer,
New York Presbyterian. Thanks for that insight.>>You’re welcome.>>Great (mumbles)
healthcare and your challenge and your opportunity.>>Congratulations for the
award winner Data to Everything award winner, got to get that slogan. Get used to that, it’s to everything. Getting things done, he’s a doer. I’m John Furrier, here on
theCube doing the Cube action all day for three days. We’re on day two, we’ll be
back with more coverage, after this short break. (upbeat music)
