Podcast interview with Phil Lieberman, CEO of Lieberman Software (transcript)

This is the transcript of my recent podcast interview with Lieberman Software CEO, Philip Lieberman.David Williams: This is David E. Williams, Co Founder of MedPharma Partners and author of the Health Business Blog.  I'm speaking today with Philip Lieberman, he is CEO of Lieberman Software.  Phil, thanks for your time today.Philip Lieberman: Yes, hello David.Williams: What products do you provide and what industries do you serve?Lieberman: Well David, Lieberman Software has concentrated for the last 20 years in the development of security software specifically to deal with the core issue of too many people having too much access to too much information for too long. We provide security tools that are used by large organizations and government organizations to manage the security of their environment.Our most recent product is a tool for what is known as privileged identity management.  The idea is that there are certain key accounts in large organizations as well as mid-sized organizations that control the keys to the kingdom.  Those would be the administrator accounts or the root accounts.  These are the most powerful accounts that provide unlimited access to all information.  What we concentrate on is providing enterprise level solutions: software and services to help people implement better processes so that they can keep their secrets secret. They can also make sure that only the appropriate people have access and only at the appropriate time.We have approximately ten products.  We're USA based and we're located in Los Angeles and also in Austin, Texas.  Our core audience is everything from the health care field (hospitals and back end providers) through the financial field (banks, credit card processors) as well as into the government in terms of helping them with their national defense issues as well as operational security issues.The other issue that we also deal with is auditing. We work with the auditing community to make sure organizations are compliant with HIPAA, FISMA, SOX, as well as international compliance requirements.  We also concentrate on this idea of continuous auditing and making sure that organizations are not only secure at a point in time but they stay secure over time.  So we do a lot of things.Williams: Tell me what's the same and what's different about health care if you compare it to financial services or the government market?Lieberman: Well they have a lot of similarities and they do have differences.  A lot of them have to do with the nature of what the attack vectors are that they each face.  Health care has a component of financial compliance; most health care providers take credit cards.  They do electronic transactions and they inter-operate with the financial community.  So from that perspective, they're just like any other organization in that they have to maintain compliance with things like PCI and DSS.The thing that is different about them is that when it comes to health care records and it comes down to their infrastructure, in some ways they're less mature than their financial counterparts.  The reason is that the vector, that is that the attack point for them, is not as valuable as it is for companies that are purely financial.  I think it was Jesse James who said, when they asked him why he robbed banks, that's where the money is.  In the case of health care, they have a second valuable item besides their financial systems and that is of course the patient records. In that last couple of years we're seeing a greater emphasis and greater urgency from health care organizations, especially large ones, to get their house in order with regards to providing a proactive security posture to make sure that they're really in good shape; not just to avoid trouble with the regulators but that they actually have a secure infrastructure to maintain security over their patient records.  They do suffer from a lack of investment over quite a number of years for many of the organizations.  They also suffer to some degree with a naivety when it comes to the nature of how sophisticated the attackers are on their particular assets.Obviously getting credit cards first gives you direct access to information, but if you do have the ability to gain access to the patient records you can commit identity theft, which potentially could be even greater than what the existing risk on just a credit card.  A credit card can be turned off, but an identity theft is a much more serious problem.  So with the new federal regulations,  H.R.1 as well as 2221, we're starting to see the health care industry trying to get their house in order.Williams: Sounds good.  I think it was actually Willy Sutton, but I think Jesse James would probably say something very similar about the banks.Lieberman: You know you're probably right.  I guess that was a misquote, but nonetheless you have to admit that that's where the money is!Williams: Yes, certainly.  I've seen some interesting anecdotes from people saying a stolen credit card has a certain value in the market, but stolen medical identity with somebody's Blue Cross number could be a lot more valuable, especially if it's used with a fraudulent provider.  Are you seeing that as well or is it more just general identity theft that's a problem?Lieberman: With all criminal activity and I guess maybe it's just human nature to go after the easiest targets first, so credit card theft is a much easier target and takes a lot less work to achieve a financial reward from the criminal’s point of view.There are inherent limitations in the current US based system for credit card issuance and credit card authorization.  In fact, just this morning, my wife's credit card got compromised.  We received a call from American Express that somebody was using it in England for the last few hours and they were showing card present.  Literally somebody had cloned her card and was using it at a Boots, which is a drug store chain in London.  So clearly a higher vector or a more valuable and easier vector to get to.On the other hand, in terms of things like UCLA and medical records, we got an announcement that they were having a problem with her medical records and there was a compromise and it was aggravating but we didn't really see an identity theft occur as a result of it.  So I think it's a question of the immediacy for the criminals. If credit cards were to become harder and harder to deal with I would imagine in a gross sense that they would move on to identity theft.Williams: You mentioned H.R.1 and 2221.  Tell me a little bit about what's in there that's relevant for this topic.Lieberman: Well the relevant issue is actually something that deeply disturbs me in both pieces of legislation.  The thing that deeply disturbs me is they specify a penalty for the users and managers of health care information, but they don't prescribe a technical solution.They move that off to some point in the future and say we'll get back to you, but as far as the penalties, we're happy to tell you what those are going to be right now.  The other issue that also bothers me about both pieces of legislation is that they never really address the issue of culpability.  They simply say be secure or else and we'll punish you even if it's not your fault.  So in a sense, I think there is some unfairness in the idea.Let's say a health care organization were to get compromised by a criminal, it would be the health care organization that would pay the penalty as a result of it even though they have no culpability in it.  So I think in a sense I'm a little disturbed by the nature of this legislation.  I applaud them for rationalizing it and coming up with a single federal definition for it, but I think they really do need to look into their hearts and ask what is fair with regards to who is liable.On the other hand, there has been under investment in security in health care.  There is no question about it.  We see it ourselves as a company that many organizations are unwilling to make the investment into securing their infrastructures. They also seem unwilling to implement the core infrastructure changes to provide a more secure environment.  So in a sense perhaps the issue of these fines may prod them into making things better for their own good and for their patients’ own good.Williams: So it's maybe a blunt and unfair instrument but may push the industry overall in the direction that it needs to go?Lieberman: Well exactly. It is blunt and they need to improve their security unquestionably.There are also a number of other things that concern me. These have to do with the practical realities of technology and that is that there is a tendency if there is going to be the security to create silos and to secure those silos of information possibly to the detriment of patients. Specifically we saw this at UCLA where we changed the address in one place yet we still get bills from another place. No matter how many times we tried to change an address, it doesn't seem to take, which is an indication of a silo of information that might be for security purposes or could even be from legacy reasons that they simply have not integrated their environment.The thing that concerns me from a security point of view is that security should be transparent and it should make it easy for people that are the right people to get the information.  It concerns me that if they silo and they lock up this information, this could go negatively for patients where they need immediate access to their records.So there is a balance point that needs to be made between security and accessibility and in a sense the instruments of the government for H.R.1 and 2221 are somewhat blunt in terms of not really finding fault.  So I think some health care organizations might implement too much security just as they have implemented too little security to the detriment of a patient.Williams: What's going on with some of the smaller enterprises?  You mentioned the focus on the larger ones and the medium sized ones, but there is a lot of emphasis on bringing the smaller physician offices online. With small entities it's not just that they've under invested in security, they haven't had much of an investment in information technology at all.  What are some of the things that you will see happen as small offices move from paper to electronic?Lieberman: That's a great question.  To be blunt, security is hard.  Security is complex.  Security requires infrastructure and investment.  It requires staffing and if requires significant investments in some cases of the existing IT infrastructure.In a very strange sense, paper records are more secure. Many organizations are still on paper records and in the movement over to electronic – we do see some interesting things. Different practices will come together into one large group, then they have the money, especially if it's a publicly held group, to be able to invest in this technology.  I've kind of seen from our perspective where the technical specifications haven't been provided by the government in terms of how this is all going to work and how this is going to be audited, so we don't see a lot of movement at the lower end of this.  We see a lot at the high end where liability is big from the major health care organizations, but at the lower end we are just not seeing any activity, at least not any acquisition of technology.Williams: Now you mentioned that the penalty had been specified but not the technical solutions, which were put out to some point in the future.  Is there a process that's defined or is it just put out there into the general amorphous future?Lieberman: It's generally into the amorphous future.  They have certain dates where they said if you pass this legislation we'll get back to you in about a year.  Here is what the fines are and we'll get back to you in a year in terms of telling you what the mitigation strategy is going to be, but give us the authority to levy fines but we'll get back to you as to what the rules are going to be in the future.Williams: It sounds like this business about the balance between access and security has not been that well thought out.  It does concern me when you talk about the siloing of information because I think one of the ideas of the government’s IT strategy is to have less siloing of information and more availability across different settings. But it sounds like it may be X number of steps forward and Y number of steps back at the same time.Lieberman: Oh, I agree.  There is also the issue that large health care organizations that have multiple practices underneath them may have separate systems that have never been fully integrated.  You add onto this the issue of compliance with government-mandated regulations for patient records and you may have a formula for tragic results.The question is: how is the upgrade going to be mandated?  Who is going to audit all of this to make sure this is all being done correctly and what is the mandate to make sure that everyone plays together?  Now only that, what is the incentive for doing so?  Certainly a stick is a motivator, but the question is what is the carrot towards all of the participants in this upgrade into electronic health records to make them be more efficient and to see a financial benefit in doing it?Especially in the revision of 2221, it was really clear that they did not want to favor any manufacturer or any particular technological solution, but as they say, not making a decision is a decision.Williams: Considering the environment and legislation that's been passed, what do you see over the next couple of years as business opportunities for Lieberman Software?  Are there particular areas that you'll be focusing on and other places where you say we just have to stand aside until the dust clears? How do you evaluate the environment from a business standpoint?Lieberman: The business opportunities today are good and with the inclusion of the health care sector, they'll improve even further.  The nature of security management from our perspective as a vendor of these tools is that a lot of organizations really don't have great policies and great segregation of duties in processes implemented within their organizations.  So for many of the companies that adopt our solutions, they're on their first steps of implementing segregation of duties, which is part of  Sarbanes Oxley as well as other security standards that are out there.  This is both domestic and international.The nature of all of this is to make sure that the right people have access at the right time and, for example, that there are no common passwords and people don't leave the company or the organization knowing the passwords and the passwords never get changed within the organization for sensitive systems.  This is a technology and a terminology and a process that's been well known. Most IT auditors such as Deloitte or KPMG go through organizations and audit them for their compliance in these really basic security processes and give them guidance in terms of solving these problems.So for us, having solutions that help them do this has been very good for our business.  In a sense the health care areas have been more naive in terms of their exposure to these technologies.  Certainly the auditors have come in because they audit them just like any other organization, but in a sense they have been less adaptable to it. With the new regulations they will have to come into the fold and begin to implement the best practices of other organizations such as financial organizations and government. When you look into the defense sectors where we're dealing with life critical scenarios of security, they certainly adopted our technology vigorously to make sure the right people have access at the right time.So we see this as incremental business towards our end and we also see the auditors who go through and help these organizations with their security profile.  We see them also loosening their purse strings so that they will in fact implement solutions that the auditors have been telling them about for years.  So from our perspective as a company, we see this as both good for their health, but also good for our health and also good in terms of protecting their fundamental assets and protecting the patient.  They should implement the technology to protect our identities.On the other hand, they're certainly under financial stress.  We understand that and they have to make the decisions at the right time to maximize return on investment and maximize what resources they have.  Security is something that other organizations have done before but for them it's an area that they have under-invested in for quite a long time.Williams: I've been speaking today with Philip Lieberman.  He is CEO of Lieberman Software.  Phil, thanks so much for your time.Lieberman: Thank you so much.