Podcast: Uncovering the Great Risk in Security and Privacy of Health Data in Latin America and Beyond

Re-Think Health Podcast Series Season 2


[toggle title=”View Transcript” state=”close”]

Maria Palombini
Hello everyone, and welcome to Season Two of the IEEE SA Rethink Health Podcast Series. I’m your host, Maria Palombini and I lead the IEEE Standards Association Health and Life Sciences Practice. The practice is a platform for multidisciplinary stakeholders from around the globe who are seeking to develop solutions for driving responsible adoption of new technologies and applications that will lead to more security protection and universal access to quality of care for all individuals.

We know cybersecurity, which is our ultimate goal – how do we protect the connected healthcare system? It is evolving constantly from increasing policy to a changing threat landscape where there’re still considered many risks and attempts to proactively combat this challenge as it’s happening in real time, anywhere throughout the globe. This season, we’ll bring you experts to share with you what they’re seeing globally, and as well at the regional level.

And with that, I would like to introduce Andrés Velázquez from MaTTica to our podcast today. Andrés it’s going to share some really great information with us. He has a very deep experience, more than 20 years in cybersecurity, cyber crime, computer forensics, and digital investigations. These are all the things that we need to know in a connected healthcare world. But before we get to his expertise, I’m going to ask Andrés to share a little bit about what he does at Manteca and what actually inspires his passion to go into this space.

Andrés Velázquez
Thank you very much Maria. MaTTica has been evolving for the last 15 years. I actually created MaTTica back in the days, because I saw that there was no computer forensic company in Latin America. The need for digital evidence or to find digital evidence to present it to court and to different processes was at that time something that made me make a decision. I was trained by the US Secret Service at some point. One of the things that I have been doing is helping a lot of organizations internationally against child abuse. So these are some of the things that we’re doing. We actually are the crisis management team for the IT on some of the biggest hackings and narrations into some companies here in Latin America. So I think that will help to understand what we have been doing, and how I got into this field? I always loved computers. At some point, I decided that cybersecurity will be the thing that will lead my way in this life.

Maria Palombini
It’s fascinating. Every time I talk to you I always learn something new about you. I didn’t know about the secret service thing. There was an interesting thing on your LinkedIn profile. You had mentioned that you are an incident response enthusiast. It’s the first time I’ve seen it. Maybe it might be out there somewhere else, but maybe you could just share a little bit of light exactly what came to mind when you said that this is something that you want to say about yourself?

Andrés Velázquez
It’s kind of interesting how everything has changed in the last 20 years when I started doing cybersecurity. Everything was about firewalls, anti-malware; that time was about antivirus. Then I started into policies and all the documents that you have to have, and everything started to move into forensics. As I mentioned, the part of computer forensics led me to digital investigations and digital investigation led me to get into something that I really like. It is how you can do incident response and crisis management in clients. Most of the clients that we have are in the financial sector. So it’s kind of weird how I’m going to say this, but I love the adrenaline that I get when I was called to solve an issue of a client or a company that could get very messy.

Maria Palombini
No, I wouldn’t call it weird. We call it passion. And we have many volunteers like you in our different programs who share a similar passion. The idea to find a solution, to do something, to make something that was bad better, or find a good outcome for it. That was one of the things that I found most exciting about our initial conversation. When we were talking, I noticed that you were very tactful in not using the term cybersecurity. And you even mentioned to me that cybersecurity is a technology engineering term, but what we need to focus on is risk mitigation and response. So we’re seeing more companies such as yourself, like MaTTica, who are getting into this sort of area and really proposing this concept of risk mitigation, risk quantification, proactive response, forensics, and that kind of thing. So maybe you can explain some of these concepts on this approach and why you believe in the world of connected healthcare is because that’s where we’re more and more moving towards. It’s really important to incorporate this sort of approach into your strategy system.

Andrés Velázquez
Everything started because I have been training a lot of board of directors from different kinds of companies in Latin America. When we talk about cybersecurity with them, they think it’s something very technical that you have to know how to program, or you have to know what distributed service is. And the best way I have learned to talk to them is to talk about risk. It’s very interesting because this can be applied to pretty much everybody else, even on the personal side, if you listen to these past podcasts and you start listening to some terms like buffer overflow, or the WAF, and all those terms. We’re very used to talking like that with acronyms, because I’m a very technical guy. Well, you won’t understand. So getting into the risk approach is better.

We are used to reacting to risks. Businesses are used to understanding that they have to do something about risk that could be implemented, control, transfer the risk, or accept the risk. When we can link the risk to something that could affect the company in their reputation, loss of the operation, or an incident that they could lose money by a lawsuit and find the cost of getting back to operations. Then they will understand the value of considering cybersecurity on their plans. This is something that is interesting also because we, on the personal side, are dealing with risk all the time. The only thing is we understand what the risk is. Let’s talk about the pandemic situation that we’re facing right now. I was in San Francisco when everything started, the news was very critical and the way that they were explaining what was happening, but at the end, or at that time, they weren’t really clear on what were the risks.

I remember all the things that I did on my flight back to Mexico. I don’t think they were wrong, they were in the right things to do at that point. So cybersecurity is not about installing anti-malware and a firewall, as I mentioned, it’s about creating a strategy. Now, how can I link this to the healthcare perspective? Well, first of all, we need to understand that technology and cybersecurity are cousins, but they’re not brothers. There’s a gap in between them. Innovations, in most of the cases, have a lack of cybersecurity leaving a lot of risk on the table. The research and development teams are trying to create the most amazing devices, but in the end, those devices could have their own vulnerabilities. They can run in networks that have not been secured. And the users of the technology are not aware of the risk when they have them. It’s very interesting the way you presented these questions, because no, the companies in general are not embracing this concept. They’re still hiring people that will do cybersecurity as something that will go on the operation side, not really on the strategic side of it.

Maria Palombini
Interesting that risk is one element. And I think one of the things that sort of gets lost is the concept of privacy. We think about secure breaches, but what really we’re even not focusing on is patient privacy. And you mentioned something very interesting to me that I found so profoundly insightful when you said that there’s a fight between being comfortable versus being secure. And you said it in the scope of, there’s a balance with the medical devices we use in hospitals versus consumer devices utilized in the home and in the concept of overall risk. Do you want to explain a little bit more what you mean by this fight? Like what you have observed or what you’re seeing as trends from that point of view?

Andrés Velázquez
It’s something that at least in this field we discuss a lot. We always want to have the most secure infrastructure from the internet of things and points servers and networks. Let’s say that the information is stored in our colleagues’ computers and is very confidential and we want to control as much in how the user moves information. So the person responsible for protecting the information will block everything. It’s more secure, but the user cannot do their job. So we can not lose all the controls because that will risk the confidentiality of the information. We need to find a way that it’s secure, but it’s usable. It’s pretty much on how we can balance those two concepts.

Maria Palombini
It’s very interesting because it’s always sort of the question – comfort or quality versus uncomfortable but more secure. This is just a question in life we all see. This is the balance that we have in everything that we do. One of the reasons why I invited you on this is because you bring the Latin America perspective. And when we were talking in Europe, they have GDPR where there is a consensus of governments who are following GDPR policy around privacy, but then when it comes to Latin America, you said there are some countries who may be a little more robust and others that are not. Are you getting a sense that those who are not are starting to embrace this concept of looking at regulation or protocols to sort of give more security? We know connected healthcare will be moving more and more into the Latin American region. Just try to get your perspective and maybe some insight on what you see going around.

Andrés Velázquez
We have some data privacy laws in Latin America. Some of them are actually very similar to what was created in Spain a few years ago. Those laws protect sensitive data, like the ones used in the healthcare industry. Pretty much the difference in the way that I can see in Latin America is the way they enforce it. And in some cases the law has just been approved. So we’re in the process of implementing the challenge in most of the cases, I think it’s in the public sector. That is the biggest sector or the biggest area that has healthcare systems. Actually, I was a co-author in a book published by the Mexican data privacy authorities on the law where I explained the biggest risk about data privacy in the public sector. Pretty much what I stated is that the local entities will not have the same budget, the skills or time to implement the same systems and protection as the federal government.

This applies to all the public hospitals and the way they are storing the patient information. Some of them only have the information on paper. They do not transfer that information to other hospitals or other entities. Some of them have their own systems, but they could be connected or not to others. Some of them pretty much outsource the processing and the managing of the medical records. And we have had a huge issue here in Mexico a couple of years ago. A person in Ukraine was spending his nights, looking for databases that will be published without a password. And he was able to find a database with 1.3 million medical records from Mexico. He contacted me and I helped him to figure out where it was from. That information was from one specific state in Mexico. Doing some investigation, I was able to find that they were trying to find a database administrator for probably six or seven months, but at the same time, they actually got a contract with the government where they have to store and process and manage the medical records of these patients in Mexico. All their information was available on the internet without a password. So yes, they probably decided to transfer the risk to another entity. But at the end, that entity was not able to secure that information. We actually brought down the information. We were sure that nobody saw it. We tried to contact that company. They said that they didn’t have anything to do with that, but the company a week later disappeared. We actually gave all the information we had to the local data privacy authority. And they actually tried to find them. They were not able to find it anymore, so it pretty much disappeared. So we have a law that will protect the sensitive data like these medical records, but now that their information of all these patients was affected. Now we can not do anything to bring it back as it was before. Yes. It’s going to be a penalty to this company, but in the end, the data remained on the internet for some time.

Maria Palombini
That’s 1.3 million patients that we’re talking about being exposed. So that’s very insightful. You have a technology background, and obviously you have to intersect with policy and regulators and with industry demand and boards of directors. And I asked this to all my guests – there’s always this debate that regulators and policy makers need to do more to require the engineers and developers of hardware and software, these connected medical devices and building more security features. Do you share a similar perspective that you feel policy and regulators need to step up more, or do you think maybe there needs to be more technologists to come together and collaborate and develop technology standards to address the problem? I’d like to hear your perspective since you intersected all these different domains as you go through this process.

Andrés Velázquez
It’s very interesting. Because I have been doing the forensic side of my company for a while. And one of the biggest challenges that I have been facing and working with with a lot of entities out there, like the Council of Europe or the United Nations, is that technology brings a different way of understanding how things work. If I have a case where someone actually accesses these medical records from another country around the world, at the end on the technical side it’s just a click. I don’t know if they are in another country that doesn’t have the law around cyber crime or not. So if I bring these to answer your question, there’s a huge thing that we have to consider and it is called jurisdiction.

I had to spend probably two years trying to understand jurisdiction in the way the lawyers understand it based on what I just mentioned. So when we’re talking about creating law around technology, you’re talking about controlling something in a jurisdiction. In the States, we have the HIPAA to address cybersecurity in the health system, but we don’t have that in Latin America. We just have these data privacy laws. So how we can interact in a world that is now connected, the information that data from these medical records was in a server, or at least some servers in the United States, not really in Mexico or in Latin America. Now we’re talking about globalization, it could be in any country in the world. If we’re gonna talk about law, we’re gonna be blind folded because that will only apply to some countries. Therefore, I prefer to talk about standards or best practices in some cases if we’re not able to carry standards, and then try to be able to adopt those standards globally, that we don’t care if there’s a law or not, we will be able to solve most of the issues that we’re facing.

Maria Palombini
That’s really interesting. And I’m so delighted that you brought up this point because often when we talk about healthcare without borders, being able to say “I can take my data and go into this other country, they’ll have my whole history and be able to take care of me.” And we’re also worried about the technologies in doing so, or the data taxonomies or the languages. But you brought up an important point, which is there is no harmonization of policy around healthcare data. So although we may have technology means we still have the challenge of policy. And as well, as you mentioned, just in general, the technology standards and data standards around all those things. So I’m delighted that you brought that point up because I tend to hear these debates on this whole arena quite a bit.

I thought this was very interesting coming from the US when you said to me we need the CIA for cyber vulnerabilities and anything from connected health in anything we do. Naturally I was thinking of the Central Intelligence Agency in the United States, but you are referring to those three letters or something else. So I would just want you to share with our audience what you were talking about when you said CIA and exactly what in reference to how this can be applied to this growing challenge.

Andrés Velázquez
The CIA is not really my vision. It’s something that we have to learn when we are starting cybersecurity. I need this called the CIA triad. That is a concept that focuses on the balance between financial reality, integrity and availability under the protection of an information security program. So when I tried to link it into the health sector, the settlements are very important. Confidentiality – that only the persons or the devices or systems that the law allows are the ones that are looking at the information integrity, or talking about that the information or the data is not changed without any record control or that it has to be changed. And I will really say pretty much that you can have information or data when you need it. Normally I mention two examples. The first one is about our bank accounts. I don’t want my bank account to be public. So that’s why it needs confidentiality. I don’t want my bank account to show a wrong number of how much I have on it. Well, if it’s over what I used to have, I will be happy. But if I access my bank account and I see less than what I had, well, I don’t want that to happen. And the third thing is, if I need to use what it’s on my bank account, I know I need to be available to me. If I move it into the health sector, what happens with this medical record? What happens with this device that is attached to me that needs the information that has to be exact, and it cannot be manipulated.

So those three concepts, we normally talk about with the decision makers. We need to make them understand that this reconstitution is the vase of cybersecurity, and they need to be linked to the strategy of the company that processes that we want to secure. So I don’t want my medical record to be public, to be changed in their content that could have an allergy that I don’t have, or the other way, and I need that record to be available when I get to a position that I need it.

Maria Palombini
Very important. Based on what we talked about today and all your experience, perhaps you can share a final thought with our audience on one of the most important call to action for an individual or a patient to take, for the overall healthcare domain, or for any other stakeholder, like wearable developers and connected medical device developers to sort of take that action or take something into consideration to move the needle on this growing challenge?

Andrés Velázquez
We’ll get back to how we started, talking about risk. So yes, for a hospital or a facility, the information that you’re receiving from your patients, all the technologies, like they are researching and developing new devices, please consider cybersecurity because that will help to solve issues right now, instead of finding out that later. There’s going to be an issue with either data or information on how the device actually works about policy makers. We have to understand that we have to find ways to make this something that everybody could apply, meaning that there are maturity models and we have to cover security. Now, not everybody is going to be in the highest range or the lower range.

We have to figure out how we can implement cybersecurity in a very strategic way that could be improving, depending on how everybody is working. And at the end to the patients, that is pretty much you, me and everybody that is listening right now. There are some risks, and try to understand how the entity, the hospital, the wearable, the medical devices that you’re using could have a vulnerability and something that could affect you. I’m not trying to be fatalist. I’m trying to be kind of real. With what happened with the COVID, we had to understand the risk to decide which controls we have to apply. And I have been trying to understand how much we can get from the COVID reaction to cybersecurity. And yes, on cybersecurity, we’re going to be as secure as the less secure person is involved in what we’re doing. It is a chain. So I will like to end with a phrase that I loved from a cryptographer in the United States. His name is, uh, Bruce Mayer. He says that cybersecurity is not a problem about technology, it is a problem about how we use technology. So don’t blame the technology, how we’re using the technology and who are creating new technology.

Maria Palombini
That is a very profound final thought. You’ve shared really great insight and concepts with us, and a lot of the things you’re talking about, we are covering in the IEEE SA Healthcare Life Science Practice. Most notably to our audience, we want to share with you. We are hosting a five-part virtual workshop series on global connected healthcare. And we’re doing this in collaboration with the Northeast Big Data Innovation Hub based in the campus of Columbia University in New York. And the series is designed to bring anyone who is involved in technology, either in healthcare practice, clinical research, regulatory research, or in general engineers to openly listen to some of the great concepts and new technologies that are out there, and most importantly, work together to identify and develop a framework to moving towards solutions, whether it be in the design of the products themselves into practice, or in where we need policy to step up and help support the overall goal.

This series takes place live in February, April, June, September, November. All of them are recorded on demand. If you’re not able to get to one or all of them, you can register for free at ieeesa.io/cyber2021. We also cover this in many other incubator programs from our telehealth paradigm, security, privacy, accessibility, and continuity for all. We have the decentralized clinical trials program, and of course WAMIII, which is wearables, medical, interoperability, intelligence. All of our incubator groups are open and inclusive. We welcome anyone who wants to contribute towards moving the needle on the challenge. You can learn more about all of these activities at ieeesa.io/rethink. I want to thank Andrés for joining us and sharing all this great insight and you, the audience, for being with us and continuing to follow us. We look forward to you joining our next episode, but until then continue to stay safe and well.


What is one of the greatest risks in the connected healthcare ecosystem? Here’s a hint: it’s not the hackers.

Listen to our eye-opening conversation with a cutting-edge cybersecurity forensic technologist, Andrés Velázquez, Founder and President of Mattica, based in Mexico, who highlights common global challenges and inherent obstacles in the emerging Latin American region.

As an industry where are we falling short? Where are we not investing resources correctly? Find out how organizational shortcomings are feeding this growing threat to institutional and patient security and privacy and the overall future of connected healthcare.

Related Resources:

About the Guest:

Re-Think Health Podcast Speaker Andrés Velázquez

Andrés Velázquez is the Founder and President of MaTTica, a strategic cybersecurity company that has the first computer forensic lab in Latin America in the private sector. He has over 20 years of experience in cybersecurity specialized in computer forensics, digital investigations, crisis management, and incident response. He has been a co-author of several books on presenting digital evidence in Latin America and on Data Privacy Laws. Considered an opinion leader on media, he is a columnist in Forbes México and participates constantly in the media explaining cybersecurity and the elements linked with digital crimes.

Andrés is committed to fighting against child abuse on the Internet, participating with different organizations training law enforcement agents, judges, and DA’s on digital evidence and crimes. The Mexican business magazine “Expansión” named him one of the 30 youngsters in their 30s to lead the change in Mexico.

Follow Andrés Velázquez on LinkedIn and Twitter.

Share this Article