Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
CJ Wolf (00:00):
Welcome everybody to another episode of Compliance Conversations. I am CJ Wolf with Healthicity. And today we're going to be talking about security and how to prevent what a lot of us fear in compliance, right? Making sure that our protected health information is secure.
(00:20):
And our guest is Rui Ribeiro from Jscrambler. Welcome, Rui.
Rui Ribeiro (00:25):
Thank you. It's a pleasure to be here.
CJ Wolf (00:29):
We're glad that you're willing to take some time and share a little bit about this important topic. But before we get into our topic, we'd love to hear about you. Tell us a little bit about yourself and what you're currently doing and the work that you're involved in.
Rui Ribeiro (00:43):
So, my name is Rui, you already mentioned it. I founded a company called Jscrambler with my co-founder Pedro Fortuna with a mission to secure the client side of web applications. When we start doing these missions of founding a company, bringing people together, down the road we understand that the
(01:05):
problems that we are facing are much larger than what we initially were looking for. So down the road, we understood that we were focused on data privacy, that we were focused on making sure that when the user was engaging on a website, which can be a hospital in this case, or a healthcare provider, they are sharing a lot of data
(01:29):
with them and that data is vulnerable. It's mainly vulnerable to third parties, third-party access, be it conscious or unconscious, be it an attack, a misconfiguration, or different problems that arise from all of these technologies working together.
(01:50):
And this has brought Jscrambler up to this point. We have been mainly focused over the past couple of years, in terms of data, on payment data, but we have also expanded into healthcare because, of course, payment data is very relevant, but protected health information is, I would say,
(02:14):
even more relevant for patients, for the users.
CJ Wolf (02:20):
Yeah, absolutely. And as compliance officers, of course, we're concerned with protected health information or PHI, but all data, like you're talking about, payment data is also. And security strategy and vision really is, we're not saying let's just protect our PHI, let's protect all sensitive data, right? And so I appreciate you having experience in that area as well,
(02:45):
because I think probably the principles, the concepts and the strategies are probably pretty similar is what I would think. So let's jump into our topic a little bit. And a lot of us in compliance are looking at the proposed rulemaking to amend the HIPAA security rule that HHS came out
(03:06):
with in January. I'm curious that you were telling me before that there's one big area that the rule does not include, and that's kind of what you focus on, which is the client-side protection a little bit. Tell us a little bit about that, the client-side protection. What do you mean by client-side protection? I'm assuming you mean the hospital or the provider.
(03:27):
And why is that so vital to the mission that we want to reduce risks in healthcare organizations?
Rui Ribeiro (03:34):
And I forgot to mention that we are a very technical company and we focus too much on the technicalities. So when we're talking about the client side, we're mainly talking about the end user. So when you are engaging with a browser. And these things is like, when you're talking about like, they forgot to address this problem is from a technical aspect, they
(03:57):
focus too much on cybersecurity aspects, cybersecurity attacks, and not so much on naming where you should be addressing data privacy concerns. If you look at it today, there's data at rest on the servers, and there is data that you are either inputting or outputting out of your systems, which is normally through a
(04:18):
browser or a mobile app. In the case of healthcare, mostly through browsers. And that's the client side. That is the moment where the end user is interacting with that data. And it is the moment where, if you basically look at it, you're either capturing this private information or you are
(04:43):
displaying it through the results that you have provided through diagnostics and all of those processes.
CJ Wolf (04:48):
I see. So that's kind of where, let's say if I'm a patient and I enter my, there's a portal of medical records, right? I've received services at a hospital or a doctor's office, and now I want to go in and access the note or my latest lab results.
(05:09):
So you're talking about that moment in time, right? That moment in time.
Rui Ribeiro (05:13):
And that moment is more critical than most people think about it because, first, it's an interaction. Second, it's dependent on the user. And third, we have evolved server-side security a lot, but client-side security, so at that exact moment, is not so sophisticated. In most situations, you have about 60 different vendors
(05:39):
coming into play to ensure that whole interaction. For example, imagine that you had to see a video. A healthcare provider is not going to develop a video player. They're going to bring in a video player from a third party, or they are going to use data analytics from another third party, like Google or someone else.
(06:01):
All of these things come together to make that interaction. The question is, is there a security model in place so that a video player is not able to access your private information? And that's where we come in. So looking from the compliance perspective, when you're dealing
(06:22):
with compliance, you have to work with marketing, you have to work with security, you have to work with the web development team, you have to work with so many people and understand their language, which is incredibly complicated and mostly with technical people like sometimes we are. And so we try to break those barriers.
(06:45):
So we come in, we provide the solutions that someone from compliance is able to understand, like what type of data do you not want to share with third parties? What type of data is allowed? Would this third party, like a video player, should ever have access to X, Y, and Z?
(07:08):
And we are not only able to monitor it, but also enforce those behaviors, which is a technology that is missing from the browsers and from all of those other parts of the tech stack. And we have been doing it for a long time in payments. But when we designed the technology, to be honest, like
(07:30):
payments was at the bottom of our priorities. It was mostly other types of private information that we were more focused on. But since then, the needs have been increasing because of credit card skimming and all other types of attacks that are
(07:51):
targeting the payment industry. And if you look at it, that affects all of the industries in different forms.
CJ Wolf (08:02):
So what are some of the solutions that exist to kind of help mitigate that risk? Do you have any examples?
Rui Ribeiro (08:10):
Yes, I think it's like we, there is technologies that are already in place, even for the browser, for example, content security policy. So which vendors are allowed to be here? But most of the time when you go to an organization, they don't know how many vendors are there. Where are they coming from? Because it's different departments adding to the stack
(08:35):
different elements. Like I was saying, like a video player would... Would the person from the compliance team know about a third party that's being used to play a video on that page? Most likely not. That's right. But that video player has the potential to access all of the login data of your users.
(08:56):
Why? Because most likely, for example, it was designed for a company such as a Netflix where all the content is behind the paywall. So it has a lot of capabilities if it's wrong. If it's properly configured, it will only play a video, but it has the capacity to access login information or it could only
(09:18):
play content if it goes through a login process. So if you look at it, there is a lot of things that can go wrong and not all of them are attacks. So first, what we have to make sure is we have to inventory all of those third parties. You can do it manually. We can try to use technologies that is very tough to manage, or
(09:41):
you can use a solution such as Jscrambler that really maps those third parties from all the interactions in real time and through all the year. Because what happens today on a vendor doesn't mean anything a few weeks after, because they can change their scripts, they can change their strategies. And I do think that I was listening to another call,
(10:05):
another session that you recorded, which was with Aaron Bennett. And he was saying like, when you look at the pixel from a third party, you try to understand what data they are collecting today. And he said, but you cannot control what they will collect in the future. And that was a topic that he was saying, like, you cannot
(10:29):
control what they will collect in the future. Our objective is, yes, you can. If you use solutions such as Jscrambler, you can define clearly what type of data they can access and what type of data they cannot access at all. And this plays very well into the, of course, the deeper, IPA
(10:52):
and also all the organizations that are focused on the privacy, which is if you don't have controls and if you don't monitor, how can you prove that you are, as an organization, how can you prove that you are having an active role at making sure that your patient data is secure?
(11:13):
Yes. So it starts really, it's like a chicken and the egg problem. It's not when you find problems that you need to react. It's like, how do you make sure that you have the systems in place to control and avoid those problems altogether?
CJ Wolf (11:30):
Absolutely. Well, this has been great so far. We're going to take a quick break and then we're going to come back and let's talk about that a little bit more. Welcome back from the break, everybody. We're talking about prevention. And I think what you just said before the break is spot on. A lot of our compliance officers work with security
(11:53):
officers. So chief information security officers or CISOs, and they look at the security rule and what you said is absolutely right. You can identify a risk, but now the question is, what did you do about it? And I love that idea of having something to say, well, we
(12:15):
identified this and this is what we did to try to mitigate that risk. That's really what you're saying, right?
Rui Ribeiro (12:22):
Yes, I am. And I would say like our objective as a company is in the long term is I will go to a security officer or to a compliance officer and say, you have your social security number, you have your this, this and that. Who should access it and when? And then make sure that we set up all the systems so that no
(12:47):
one else can access that private information. Because we need to start talking, not about encryption and whatever, and very technical topics, and talk about the customer and the data. If you started the discussion by that point, in our case, for example, when we were talking about payments, it was pretty
(13:11):
clear. We just want X, Y, and Z to be able to access payment data. No one else. While when you are in a payment page for PCI compliance, that's why the reason why we are pushing this type of technology. But when you're interacting with a payment page, you have a
(13:31):
lot of third parties there. Now you even have like AI, whatever, to help you in that process. Who is to say that AI chatbot is not overstepping in accessing data? Not in a purpose for an attack, but in the purpose of it was not properly configured. To give him context, to give good answers, some companies
(14:02):
might think, okay, it's important that they know which page they are looking at and what's the context of that page. It recently happened, or a few years back, that Google Pixel or Facebook Pixel was everywhere on websites, even on healthcare
(14:24):
hospitals. And they were leaking loads of information about individuals such as you and me. And when we were appointing some cancer, periodic cancer screening, part of the process of our day-to-day lives, they would infer that we had an interest in cancer.
(14:45):
They, the companies. And then they would sell that information to even other third parties. And since then, I know that things have evolved a lot, but to be honest, they have only tried to solve this problem by limiting a little bit the access to this type of information.
(15:07):
The question should be in a different way, which is like, it's not the vendors, it's the healthcare groups that need to have control of this. It's not Google, it's not Facebook that needs to decide which
CJ Wolf (15:23):
data they want to
Rui Ribeiro (15:24):
share.
CJ Wolf (15:24):
Exactly, because it's the healthcare organization's data, it's their reputation, it's their patients. So are there certain areas that you think healthcare organizations might not be addressing? Any examples of those? Are they missing the mark?
Rui Ribeiro (15:43):
I think that most of them, if you ask any of these compliance teams that are working hard on this, how many vendors or which vendors you guys have on your webpage, they won't be able to answer that question. If they're not even able to answer who, then what they are
(16:07):
doing is not an answer that they are going to be able to reach. And to do that, they're going to have to ask a lot of teams. And the problem is, if they ask today, they will get one answer. If they ask in five, they will get a different answer. Because most of these teams, they have several objectives.
(16:29):
And I would believe, for example, the marketing team is under a lot of pressure to bring additional customers, to bring additional people to the website. And some vendor tells them, I'm going to give you the best exposure ever. And the guys that come to our website, they are going to convert like in 10, one is going to convert. I assure you, they're going to put that on the website.
(16:50):
And then the security team might notice it and say, oh, that shouldn't be. And we kind of are, we'll be brokering all of these interests together because we end up helping everyone in the process. We have to put compliance team because then they have the control, they have the visibility. We have the security team because we are monitoring all
(17:11):
these third parties. They are able to say, okay, it's okay for you to use this vendor. We are constantly monitoring every session and the marketing team, they can adopt other tools such as AI tooling and all of that, because they know that they have the controls in place and they have the approval from all of them. Going back to that same scenario on that other meeting,
(17:35):
he said, most of the time the marketing and web teams work together, but they leave out the security guys and they leave out the compliance guys out of these meetings. Right. We don't want that. We want them to all be part of that decision. Yeah. Because first it's public facing. Then experience has shown that the liability is a very big risk
(18:01):
and you will lose customers and you will have a huge impact for the organization.
CJ Wolf (18:06):
Yeah. You mentioned before that you worked a lot kind of on the payment side. Can HIPAA and can we learn anything from what you've experienced from PCI and anti-skimming kind of requirements and those sorts of things? Tell us a little bit about what you've learned there and can it apply or can we apply some of those lessons?
Rui Ribeiro (18:31):
I think that there is a direct application. Like PCI was very brave and the organization was very brave to point out that when you're paying something on a webpage, you need to... The payment pages as a... a type of profile that has a very important type of data, which is used for fraud, which is a credit card and payment data. And they clearly stated, you guys need to have control over
(18:53):
these third parties. This is, I'm oversimplifying and the PCI people are going to, and I'm part of that whole process, but I'm trying to simplify the message. But if you need to have control, you need to know who they are, and you need to make sure that you limit their reach. They came up also with suggestions on how you can do
(19:18):
it, but basically the main idea is this one. This was very brave because up until a few years ago, people would say the web part is of no importance. There's no data there, which is stupid because if you look at it, there is data there because I just typed it in.
(19:38):
And there is data there because I just looked at it. So the data is there. While it is spread across all the users, if there is a method for you to be in every user, and there is, because you have all these third parties embedded into the page, it's not just under your control, the company's control, because all
(19:59):
of these third parties are there, then there is a method for you to access all of the users' data by them accessing their own data. So they were very brave to spot that and to put that in a requirement for all the companies that accept payments to implement. And this has led to an industry maturing.
(20:23):
And for example, today, I don't think you will be able to do a vacation without us, Jscrambler, being in the background, helping to make sure that no one is stealing your credit card. We have customer type airlines, media streaming companies, hospitals, mostly on the payments, but also because there
(20:47):
are some very sophisticated companies out there, also in the healthcare space, also in the broader privacy aspect of the organization. And it's incredible how volatile this is because you have different rules like you booking an appointment or
(21:08):
accessing your patient data from one region in the US, you are going to load a different set of vendors than you are on another region in the US, or if you are abroad accessing your data, because the privacy laws are very complex and even changing a computer or changing from computer to mobile, it's
(21:30):
incredibly volatile. And that's why it's a big challenge for compliance teams because even if they look at the snapshot, they are not seeing, not even the tip of the iceberg, they're just seeing that there's something out there that they should be worried about.
CJ Wolf (21:49):
Right. Well, Rui, this has been fascinating. We're getting close to the end of our time, but I like to, if you have any last minute thoughts or recommendations, where would you recommend that compliance teams start when they start to think about some of the risks that you shared today?
Rui Ribeiro (22:07):
So there's no point in raising a risk if you have no way to solve it. Gladly the risk that we are pointing at, we have a way to solve that. I would say, ask your teams, which third-party vendors are there, okay? If they want, they can cross-check with us because we have free reports and our team can help them see if what they got back is the truth or it is something that they believe to
(22:31):
be true, which most of the time there is no real intention. There is no, it's just like, it's so volatile that they sometimes, they really don't know that they brought in vendor X, vendor Y, and vendor Z to the picture, and that some of them could be a big risk for the company. Again, there's no point in raising problems if there were
(22:52):
no solutions, but there are solutions out there and they can implement them rapidly.
CJ Wolf (22:57):
Well, excellent. Excellent advice. And Rui, thank you for taking the time to sit with us and to share some of your experience. We really appreciate it. Okay. Thank you. Thank you very much. And thank you to all our listeners for listening to another episode. As usual, if you know of other experts or topics that you want
(23:18):
to hear about or hear from, please let us know. And until next time, take care, everyone.