61. Su Bajaj: "The value of AI is what it's doing for you. It's not to replace people but to augment and make us more efficient and catch threats."

Rather read?

Hannah Trum: I'm Hannah Trum, and this is HIPAA Critical, a podcast from Paubox where we discuss security, technology, and compliance news with healthcare industry leaders. We are big fans of email AI and the possibilities this technology brings to the world of healthcare and security at Paubox. What we learn and experiment with now can shape the future of cyber and information security for the better and provide a more useful patient, provider, and covered entity experience.   In a prior episode of HIPAA Critical , I picked the brain of founder CEO Hoala Greevy on this topic. And then, at a recent Zoom social mixer , the subject of email AI came up again, so it’s only fitting to finish out Cybersecurity Awareness Month with a guest who can explore this topic through the lens of the C-Suite.  Su Bajaj is the chief technology officer at Compex Legal , a client-centric record retrieval organization. She brings years of experience to the table that has shaped how she views cybersecurity. And that includes how and why AI can fill in the gaps. Hi, Su! Thank you so much for joining me today. I really appreciate you taking the time to be on this episode of HIPAA Critical. How has your cybersecurity approach evolved over the course of your career?

Su Bajaj: Hannah, thanks for having me on. I really appreciate it. I'm excited to be on this podcast. 

Especially in healthcare, I don't think there was much as much concern around it. I don't think there was much end-user education. The focus was typically, “don't share.” 

I remember being on our change management committee. We were careful about sharing HIPAA and really focused on HIPAA violations, things like that. But I think over time we evolved closer to Zero Trust. You start to assume that there's no network edge, and you really start focusing on how to make the user experience seamless. 

HIPAA is embedded. HIPAA security and cybersecurity are embedded in everything they do. There's definitely an education factor here. But I think where we started from and where we've landed are almost two different worlds. 

The last part of that is the bad guys have been pushing us. They've been pushing us for a long time. That's really evolved cybersecurity in our world, in the medical data space.

Hannah: Do you find that the cybersecurity issues that we are facing in the medical space are because end users are bogged down with hard-to-use technology? Or is it more of an education source?

Su: I think it’s end users. I think it's infrastructure teams. It's a combination of things. It isn't necessarily as seamless as we'd all want it to be, where it's easy to detect, find, etc. It's not as easy to drive behavior. Because you're constantly reminding folks not to click on links, or not to go to suspicious sites. Then you end up whitelisting and blacklisting sites. You have to whitelist carefully. 

It's, again, a combination of simplicity. How do we get end users to interact with us in a simple way that's compliant? They know better. They think twice about clicking on a link. And then more than thinking twice, they report it. “See Something, Say Something.” That interaction needs to be really simplistic. On your email [it] says, “report this message.”

Then the second part is for infrastructure teams. As you know, we talk a lot about AI. But I think it's hard. There's a lot of fatigue. Around cybersecurity, it's always being talked about and how do we manage this? How do we do better? 

I feel, at this point for most organizations, AI comes into play, where it helps to manage these ginormous datasets. We've got a lot of information. Every enterprise has a ton of data about what's happening in the enterprise, what's happening in their networks. 

How do you get a person to collate all that and figure out, “I've got a threat,” or “I've been told I have a threat but do I take this threat seriously, or not?” And then what do I do about it? That's really where simplistic interaction with AI is the future. It’s going to pay off in an ongoing way.

Hannah: I agree. I'm so glad that you brought up AI because we are very excited about it here at Paubox. How else do you see it helping the healthcare industry, outside of being able to detect these threats? Do you see it as helping with large data entry from a collections agency or an insurance agency? Or even a company like yours?

Su: It is a two-part question in my mind. I split this up from a pure IT network hardware [question], whether you're on-prem, cloud, hybrid, whatever. Then the other part about IT is all the data points, the clinical data points that we have available to ourselves. 

From the infrastructure standpoint, a lot of folks in healthcare, specifically, or in health IT, have thought, “well, I haven't gone to the cloud, I'm on-prem, I've got this ironclad security, I don't need to worry.” But folks have had breaches. I think that has been a wake-up call for a lot of folks. You’re feeling really comfortable in what you're doing, but we hear about breaches every month. Every day, in fact, [and] these hefty fines. 

Connecting the dots and using AI to help you connect the dots more quickly so that you’re not wasting time figuring out what’s the issue. What should I be doing? What should my infrastructure be doing in using AI? How do I help us to be more self-healing in the infrastructure? 

That's the piece that I feel we're starting to see healthcare embrace and come out of this, “I'm on an island on my own, no one can attack me, nothing can happen.” Folks have woken up [and know] that's just not true. We need to leapfrog, in my mind, to where FinTech and others are. Because healthcare and healthcare infrastructure are laggards.

Hannah: And healthcare information is worth more on the black market than any financial information is.

Su: It's true, it's true. That's the other piece. It's the sensitivity of our data. Healthcare has been used to having lots of compliance. Most organizations I've worked in [have] internal audit teams that are looking at different areas where we're following good processes and ensuring that we're compliant in a myriad of ways. There's a lot of oversight, typically. 

But again, it's helping the end-user to figure out what is actually happening. The key to adoption is explainability. Tell the user, why does my security think this is a threat? Why does my app think this is a threat? This is why we think this is a threat and what and then what do we need to do about it? 

Because what I see oftentimes in the past, a single piece of information [is vulnerable]. Your software's out of date. Well, I'm going to update my software. But this is still a threat because there are actually other pieces of information as to why this particular server needs more than just a software update. 

That explainability is lacking in AI today. Not Grande, I don't want to make this broad statement. It's been evolving. Folks are adapting to it. The key is the interaction layer with AI. You can have great models. You can have great AI all you want all day long, but if the interaction with the folks that are using it, and the capabilities of it to serve that information up is not really seamless, and really useful. I think it ends up being disregarded. You lose the benefit of all that you've done.

Hannah: I agree, if your technology isn't easy to use, easy to implement and transparent people understand what doing A gets you to B gets you to C, then they're not going to use it if they don't understand it.  I'd like to go back to a little bit ago, you were saying that you've worked in companies that have internal audit departments, how could you see AI helping with an audit for maybe HIPAA compliance, or a HITRUST CSF certification or something that is very applicable to the healthcare world?

Su: In a lot of internal audit departments, it's sort of manual processes and procedures. You created a PnP then you showcase how you follow your PnP. It's outside of the realm necessarily of IT, where you track and document. I'm sending messages that are encrypted and here's the documentation. 

But I think it's more about detection in the internal audit world and how they can leverage detection methodologies that go outside of the user showcasing; these are the 10 steps I take because, you know, again, we're humans, we're prone to error. 

How can we use AI to detect and prevent something from going out the door? As an example, something that is not going out securely? That's not HIPAA. That's not compliant, according to HIPAA. Getting that detection and prevention and interfacing that with an internal audit team to say, “If five instances of this, how do we work around [it]? What were the root causes of those instances? And how do we create? How do we adapt our policies?” 

A lot of the policies remain stale, until and unless an event happens. Then when the event happens, it takes hundreds of days to solve for the event, and then get to the root cause of the event. And then you’re essentially patching from there.

Hannah: You're not being proactive.  You keep saying that, it's really about the language that you use and how you explain the technology to your audience. How would you explain to the rest of your C-suite the value of any cybersecurity stack, but specifically one that would include AI?

Su: It's really about what we as humans can consume in terms of potential incidences, and being able to do a quick analysis. 

How AI really helps in the cybersecurity stack is to be able to take multiple points of information and rapidly come up with what the potential threats are, and what needs to be done about those potential threats. AI is good as feedback as well. You want to keep feeding that model, and you want to keep growing that model. It's a learning model. 

For the C suite, the value is that you don't have to have lots of employees to be able to manage it. You don't have to have somebody watching 24/7. Instead, the value of AI is that that's really what it's doing for you. It's not to replace people but to augment and make us more efficient and catch threats. Make us more efficient in healing those threats, and make us more proactive in [what] is a threat. We need to figure out what we need to do in order to detect this threat as well. 

I think in today's world, it's sort of an easy sell. We're all short[handed]. It's hard to get tech employees. It's hard to get employees. These are big news headlines today. If you have something that augments humans and makes them more efficient and secures your enterprise, that is much more of a real value add to any C suite.

Su: Again, it's looking at Zero Trust. But I think Zero Trust can have some side effects.

The side effects of Zero Trust tend to be that you end up requiring a lot more authentication and a lot more revalidation of users. And being client-centric, you have to find the middle ground there with how do you implement other things so that it’s seamless to the user.  [Where] there isn't a user having to remember 500 passwords. Because, again, that's a security issue in and of itself. 

How do you take being a customer-centric organization and still have Zero Trust? I think the answer there, again, I keep coming back to this, but I believe this in my product world, and I believe that an infrastructure world, is ease-of-use in any organization. Make it simplistic. Make the interaction as simple as possible. 

That's something I love about Paubox. And why as an organization we selected Paubox because the interaction with our customers or custodians is simplistic. They don't have to click around and mess around to figure out what they need to do next. It's all there for them. It's secure, we can trust it. 

That's the key. Those are the kinds of solutions we're always looking for. These are the kinds of solutions we implement and are really thoughtful about how we implement them and what it means for our customers. So I think just being thoughtful with that interaction.

Su: I think it's looking at, updating and keeping your software up to date. I think it's very easy to fall out of date with your software. When you think about something as simplistic as your iPhone updates or your Android updates, you end up kind of falling behind. “I'm going to get to it.”

But when you think about an entire enterprise, creating a regular schedule, having your iOS team ensure that updates are going out and that software updates are happening, I think, to me is sort of one of the better tips. There are dozens, but I think that's one of the better tips out there. 

Su: I didn't start out in tech. I wanted to get into tech, I started to see that I had an affinity for it. I learned to code. I got into an organization that I was open with. [I said] this is the trajectory that I would like to take. I've taught myself to code. I don't think I code very well, but I know how to.

Su: Yeah, exactly. I asked a lot of questions. When you're trying to break into something, ask questions, look for people who are willing to help you and mentor you and go into an organization that wants you to grow. 

Be open and honest about what you know and don't know within that organization, so that you can grow the skills. What you'll end up finding is that you're pretty passionate about some areas, and not as passionate about others. 

You may like to be a tester instead of a coder, or I really want to go into product management. That's exactly what happened to me. [I] sort of leapfrogged into product management from there. But having that baseline of knowing how to code really helped me be a better product manager and understand how to build products. 

You don't need to have all the answers. I think for women when you're going in, there's this misconception that you need to know every single thing and you don't ask a ton of questions. 

Then become a subject matter expert in some things. Learn some things really, really well. But again, ask lots of questions. I've added tons of questions and people are willing to share their knowledge.

Lastly, build connections and your brand. As people leave organizations can continue to stay in touch with them as you talk to other folks. I'm on this podcast, but I'm actually very introverted because people are [key].  I constantly network. I reach out to folks, I have conversations, I want to know what people are doing, what they're working on.

How do I take what I've learned from them into my organization and do better for my teams and with my teams? So I think networking is key and building your brand. Build your brand. Let people know who you are, what you're good at, what you like to do, and get out there, do these kinds of podcasts. That's really important for women in this career, in this field.