Open source contact management for Technology Industry

Streamline communication, boost productivity, and manage contacts with ease. Tailored for the Technology Industry.

airSlate SignNow regularly wins awards for ease of use and setup

See airSlate SignNow eSignatures in action

Create secure and intuitive e-signature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.
Walmart
ExxonMobil
Apple
Comcast
Facebook
FedEx

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Open Source Contact Management for Technology Industry

Are you looking for a reliable solution to manage contacts in the Technology Industry? Look no further than airSlate SignNow. airSlate SignNow is a user-friendly platform that allows you to send and eSign documents with ease. With its affordable pricing, it is the perfect tool for businesses of all sizes.


In addition to its user-friendly interface, airSlate SignNow offers a range of benefits such as secure storage, efficient workflow management, and seamless integration with other apps. Give airSlate SignNow a try today and experience the convenience it brings to your document management process.

Sign up for airSlate SignNow now and streamline your document signing process in the Technology Industry!

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

Get legally-binding signatures now!

FAQs online signature

Here is a list of the most common customer questions. If you can’t find an answer to your question, please don’t hesitate to reach out to us.


Trusted e-signature solution — what our customers are saying

Explore how the airSlate SignNow e-signature platform helps businesses succeed. Hear from real users and what they like most about electronic signing.

Efficient and very useful tool
5
Jessica Mora

What do you like best?

That it is software that is very easy to use, allows you to correctly manage each document you upload, is very friendly with the signers, and the platform in which you edit is very complete.

Awesome solution
5
Administrator in Health, Wellness and Fitness

What do you like best?

The ease of the platform and UX/UI make it very easy to use.

airSlate SignNow
5
User in Marketing and Advertising

What do you like best?

airSlate SignNow allows for simplified signing and sharing of documents. EchoVector has thus far used airSlate SignNow for the agreement of NDAs for which the process was simple and professional.


How to create outlook signature

And now I'll turn it over to today's moderator, Beth Jones Sanborn, managing editor at HIMSS Media.

Thank you, Eric, and welcome, everyone. Thank you for attending today's Healthcare IT News webinar, "Compliance as Code: Automate Compliance Using Open Source Technology," sponsored by Red Hat. My name again is Beth Jones Sanborn, managing editor at HIMSS Media, and I'll be your moderator today. Security breaches in healthcare have been on a steady rise over the past three years, with PHI becoming a prime target. In addition, financial penalties for HIPAA violations have also been increasing, both in terms of the number of settlements and civil monetary penalties leveled, or levied rather, and the penalty amounts themselves. Now, in order to protect the PHI data, healthcare organizations must have a solution that is fast, verifiable, repeatable, and secure. To help customers meet that criteria, Red Hat works with the National Institute of Standards and Technology, or NIST, to develop the Security Content Automation Protocol, also called SCAP, to enable automated vulnerability management, measurement, and policy compliance evaluation. The leader in open software, sorry, open source software offerings, Red Hat teams with OpenSCAP to deliver the capability to implement compliance as code. Today's session will review the OpenSCAP compliance as code offering and how to automate your compliance posture using best practices for Red Hat's health, or healthcare, customers. Our speakers today are autist cha cha, who is the chief technologist for healthcare, North America, and Sean Wells, chief security strategist at Red Hat. And with that, I'll hand it over to audit to begin the presentation.

Oh, thank you, Beth. Good morning, everyone. Really excited to be here. Or good afternoon to folks on the West Coast, or wherever you are. We have basically four specific goals for this presentation that we are going to walk through today. I'm going to start off with an overview of HIPAA compliance, a little bit of history, and
what are the controls and regulations specifically surrounding electronic personal health information, and what is your responsibility when it comes to adhering to HIPAA compliance. And then from there I'm going to hand it off to Sean Wells, who's going to talk about compliance as code, similar to the idea of infrastructure as code: how we can automate and reinforce compliance policy using code to reiterate and re-establish our baseline. And towards the end I'm going to talk about a security readiness program that I highly encourage you to participate in as a way to assess your baseline and what are the areas that Red Hat can help with, or that you as an organization need to address, in terms of ensuring your security posture. More on that towards the end of the presentation. I do encourage everyone to ask questions. There's no live Q&A per se, but we really want to make it as interactive as possible and hope you get value out of this.

To start off, I'm going to present a poll question to kind of help us level set what kind of audience is in attendance, so that we can have the right conversation and the right information being presented. So with that, the poll question is on your screen. Please take a few seconds to respond and hit the submit button. The question is: which functionality do you represent in your organization? Are you representing operations purely, security, network operations, application developers, or the security office as well?

All right, thank you, everyone, for responding. That's pretty fast from a response perspective. So it looks like we have more folks represented from a security office perspective, and then IT operations; nobody in the audience on network ops as well. So moving forward, we will actually try to tailor the information to be more relevant to how the security office and IT operations could leverage this kind of capability.

All right, so let's get started. HIPAA, or HIPAA: I'm just trying to make fun of the fact that oftentimes I misspell HIPAA as well. It's actually the Health
Information Portability and Accountability Act, the two A's, which was instituted in 1996 with three major aspects. One was portability. Portability was around the fact that when you switch insurance providers, there are no pre-existing conditions that are enforcing you to switch to another insurance provider where they can say, "We're not covering this," as long as you have previous coverage. So I personally am very thankful for that. The second aspect was the Medicaid integrity program and fraud and waste, fraud and abuse. This was essentially to ensure that the integrity program to detect fraud, waste, and abuse in the Medicare program continued to be funded and could operate into future years. The third aspect was around administrative simplification. This was around standardizing the transaction sets, the exchange between the insurance providers, insurance payers, and the providers, to standardize on how they're going to represent code sets to identify a patient with a specific diagnosis. This essentially established a baseline for having a communication, electronic communication, that everybody understood by leveraging these code sets.

So from that perspective, from that point on, there was also another aspect of HIPAA, the HIPAA regulation, which was around ensuring and protecting electronic personal health information, and these were around three specific areas: administrative, physical, and technical safeguards. So physical safeguards, as the name sounds, were all around protecting the facilities and having proper access and control for authorized users in place. All covered entities, or companies that must be HIPAA compliant, must have policies about use of and access to workstations and electronic media, and it also included transferring, removing, disposing, and reusing electronic media that had PHI information on it. The second aspect was around technical safeguards that require access control to allow only authorized access to PHI information. This included things like
a unique user ID, emergency access procedures, automatic logoff, and encryption and decryption of the data, which were essentially mandated as part of that. Additionally, audit reports or tracking logs were enforced that must be implemented to keep a record of activity, even on the hardware and software level. This was essentially done to help pinpoint the source or cause of any security violations. The other aspects of the technical policies were also to cover integrity controls, or measures put in place to confirm that PHI has not been altered in any way. So the integrity controls were things like who accessed the data, what modifications were made to that data, what was the old value and the new value, and what date and time it took place. These were again done to ensure there's traceability and accountability for information that has been altered. The last piece of that was network, or transmission, security, which is the last technical safeguard required of HIPAA-compliant hosts to protect against unauthorized public access of PHI. This concerns all methods of transmitting data, whether it be email, over the Internet, or over a VPN or private network or private cloud.

There was a supplemental act that was passed in 2009 called HITECH, the Health Information Technology for Economic and Clinical Health, which supports the enforcement of HIPAA requirements by raising the penalties for health organizations that violate these privacy and security rules. HITECH was formed in response to health technology development and increased use, storage, and transmission of electronic health information as a result of the Affordable Care Act, which mandated meaningful use, for everyone to move on to electronic health record systems.

So, having that context, I want to share some statistics around the consumption and the software supply chain that is extremely important in consuming and building applications. So if you look at these statistics, there were basically 1096 new
open source projects that were launched every day. And if you look at organizations that are consuming open source projects, there were about 52 billion downloads of Java and 59 billion downloads of JavaScript from open source libraries or communities out there. There are 12 billion downloads of container images from public registries like Docker Hub. And then when this organization looked at the content of these downloads, they found out that there were 84 percent of them, I'm sorry, several of them had security defects in there, and 84 percent of these open source projects, because of the nature of the project, never went back to address those security defects, purely because open source communities are mostly driven towards providing the next best feature and functionality. And holistically, if you look at the statistics, one in 18 downloads could contain at least one known security vulnerability. And I believe everybody on this call probably realizes the common way that organizations are breached is through known security vulnerabilities, not through zero-day vulnerabilities, which are unknown, and folks failing to patch that. So automated governance and compliance of the code can reduce your defects by 63%. That was one of the measurements that we did through this report. And to put it in perspective, we looked specifically at some organizations that were using open source components. We found a typical organization had 120 mm components with known vulnerabilities 19050 point 8 percent of them were fixed, but if you look at the time that it took them to fix those vulnerabilities, the median for those was 119 days.

So especially with PHI being a prime target, and this next slide really talks about that, because the value of PHI information in the underground or black market, you know, wherever these stolen records are sold, is more than even financial information. This is a 2016 report that estimated that each record for PHI was being sold for four hundred two dollars. The reason the PHI
information is more expensive is because you can now file claims against the insurance companies with that information, pharmacies, your Medicaid or Medicare programs, and it's really hard to detect them. By the time an organization is able to detect that these are false claims, you know, sometimes they have paid. CMS, the Centers for Medicare and Medicaid Services, has estimated in past years that they have paid millions in false claims, and that's why there was such emphasis on reducing fraud, waste, and abuse.

In addition, the HIPAA violation penalties: there are four tiers for those, and they go up in terms of fines, from the fact that if you were unaware that you have a HIPAA violation, you had not known that that has taken place, a minimum fine from 100 to 50,000 per violation, maximum of 1.5 million per year. And if you go all the way to tier 4, which I hope you are able to read, the slide is a little blurred out, but where organizations failed to adequately, knowingly address the HIPAA violation, the fine starts from 50,000 per violation to a maximum of 1.5 million dollars per year. And we have seen a lot of HIPAA violation fines, in terms of Anthem and some others that had breaches, that ranged into millions of dollars. So this is a serious problem, as you all know, for organizations from a longevity and risk management perspective.

With that, I'm going to ask another poll question to kind of get a sense from the audience: what has been the biggest challenge in implementing HIPAA compliance policy in your organization? Can you please take a few seconds to respond to this question, and I will be happy to share the results with you on the next slide. I think this will kind of give a good pulse also of what other organizations are facing in terms of challenges. Okay, I'm going to go ahead and close the poll pretty soon. Okay, no responses coming in. Okay, closing the poll in three, two, one. All right, thank you to those that have responded. Oh, there's some
more responses. Okay, and here are the results. Thank you to all those who responded. So by far the number one reason is lack of understanding of HIPAA requirements; second is technical safeguards. Lack of understanding of HIPAA requirements, I have heard that several times from customers that I have interacted with, and it not being clearly articulated what they are responsible for. And as we go through this presentation, you'll actually have a good appreciation of what Red Hat has been working on to help address the lack of understanding and also the the mating of the demonization of the technique of safeguards. But that's, I think, a good pulse of the audience. So with that, I'm going to hand it over to Sean. Sean, I'm sorry I went a little bit over.

No, we're good. So, excuse me, my name is Sean Wells. I work within our government group to focus on how you ensure security compliance, whether it's something like HIPAA or NIST or PCI DSS. So we wanted to talk through some of the work we're doing to automate security policies, and through the lens of the poll, about 47% asked how do we understand the requirements better, and about 30% asked about technical safeguards, so I'll try and pivot my language to reflect some of that.

So to get started then, part of the problem, from the problem definition, may be that as government and as healthcare moved into trends of digital transformation that required rapid innovation, it's really no coincidence that we saw people like NIST or different healthcare agencies publish their own risk management frameworks. And especially within federal healthcare, this framework brought together minds across government and industry, across multiple geographies, and together they formed a set of both implementation frameworks as well as best practices. But it had some problems, and it's nobody's fault that compliance is struggling to keep up. These frameworks are kind of from an earlier era, that is pre-cloud and pre-mobile and pre-virtualization, certainly pre
containers, when multiple-year dev/ship cycles were common and IT was much more manual. But unfortunately, productivity in that era was measured in months, not minutes, and governance, risk management, compliance, well, the GRC market, the software market, is still organized that way. So what's interesting is, as we kind of move forward, it's, you know, where does the truth lie? Can all of this be automated? Can it not be? Can we provide some clarity? So is the NIST Risk Management Framework, as well as the HIPAA frameworks, something that should be reused? Are they compatible with development frameworks like agile? So we wanted to share some of the work we've been doing with healthcare as well as with government to automate much of HIPAA compliance.

So from the poll, about a third of everybody said the questions were around technical safeguards and about half around understanding requirements, so I'll kind of build the story through those lenses. And to do that, we ultimately start with the actual policies. Now, whether you start with the HIPAA policies or how they map back to something called NIST 800-53, which is just a requirements catalog, we have these categories of requirements. Maybe they deal with account management or audit events or system integrity, and as we move in, we kind of cherry-pick what we want. So maybe the HIPAA baseline enforces unsuccessful logon attempts, but it doesn't ensure that there's a banner when anybody tries to SSH in. We kind of tailor these to what's called a security baseline. And maybe criminal justice would have their own selections, and when we move over to HIPAA, you'll see that they're slightly different. And that's what we call the baseline. For this conversation, for this webinar, a baseline is really the selection of regulatory controls.

And as we move in today, as it relates over to Red Hat, we wanted to start with understanding mostly the security automation component. It's not a talk about crypto or audits or SELinux, but mostly about
security automation. And in that world we've created something called OpenSCAP, and that stands for Open Security Content Automation Protocol. We've worked with federal agencies like NIST, as well as healthcare, to develop a portfolio of tools and content to assess systems for known vulnerabilities as well as known misconfigurations. So I'll detail a little bit about what that means. Fundamentally, this portfolio of tools is focused on infrastructure operators, or the technical, the guys and gals with hands on the keyboard. So we wrote automation that allows us to have a security guide generated, meaning if I'm using Linux, I want to know what features of Linux, what security configuration features, are relevant to HIPAA. If I'm using middleware, like an Apache web server, I want a security guide tailored for Apache web server that includes, and is written specifically to, HIPAA. So that's what is called the SCAP Security Guide. Once we have that baseline, we need to tailor it. So maybe, for example, we turn on or off a configuration check, or on or off SELinux. So we have a graphical workbench that works on Linux, Mac, or Windows that allows you to tailor the technical controls for a component. And then there are plug-ins for configuration management tools that we'll kind of show and look at too.

So what we ended up doing is, in the true open-source way, we don't want to just invent a tool as Red Hat; we actually want to create an entire community around this. So we worked with the government, and we've been doing so for almost 10 years, and over literally 10 years, actually, we've seen within federal healthcare and regulatory industries doing I controlled and classified HIPAA now actually mandates the use of some of this security content automation, whether it's for government or whether it's for private healthcare. And in doing so, they created a National Checklist Program. So the idea then is, can we have the government house a centralized repository of configuration
baselines, so that way when I say that I'm going to use Linux, or I'm going to operate a container platform or OpenStack or even VMware, I want to go to a .gov website that has authoritative guidance: I'm using Red Hat Virtualization, give me the HIPAA baseline, translate the high-level requirements, like "you will do network encryption," to very, very specific configuration actions that are tailored to my infrastructure. And that is exactly what the NIST National Checklist Program provides. So we've included a link to where you can find the Red Hat content, and today we've published baselines for HIPAA, PCI, FISMA, Enterprise Linux, OpenStack, OpenShift, and so forth.

And the idea now is to gradually move into a little bit more technical material, where we'll show how these scans work, we'll show how the automation functions, sample reports. And, excuse me, to do that, we want to remind ourselves that the scanning is not just for vulnerabilities, meaning unpatched software. It certainly is a primary use case, but it also has the ability to configure, sorry, to evaluate configuration compliance, meaning: are my passwords the right length? Do I have certain configuration settings enabled or disabled? And also, in the case that I am failing a configuration check, I want the ability to remediate my system. And when I say remediate, I mean turn a red light to a green light. I want to convert my system to a pass. So we're going to step through how to do that.

And when we begin the conversation, it actually begins with installing the software itself. So the font may be small, but what you're seeing is a screen capture of the installation of Red Hat Virtualization. And as we go through the installation, Red Hat has delivered pre-configured security profiles, for example PCI DSS security, maybe it's military, the Department of Defense security configuration baseline, or HIPAA too. The idea then is we no longer have to interpret security policy when using things like Enterprise Linux or Red Hat
Virtualization. Excuse me. You actually deploy directly into a known configuration. And when we deploy, you click the button, you click done, and that's it. That's actually the end of kind of the story. So as I move on, then, when the system is installed, you'll actually get an evaluation report. It looks similar to this, and we'll show the actual results in just a minute here. And the idea is the report will cover HIPAA-specific security settings. So what we've done is translated the high-level HIPAA requirements into actionable and measurable security configuration checks within Linux and other layered technologies.

So to help orientate myself over the next 30 minutes or so, I wanted to give a quick poll about: were you aware of this functionality? And if the majority says yes, we'll pick up the pace, and if the majority was not aware, then we'll kind of slow it down and step through this in a little bit more detail. So yeah, take a couple minutes, and yes or no. So while people are clicking the buttons, one of the questions that I just got pinged on is how long has this been delivered. So these security integrations are actually in the native Red Hat Enterprise Linux installer for RHEL 7, as well as Red Hat Virtualization for version 4.x, and then we're incorporating it into layered products as well, like OpenStack and OpenShift, and I'll speak to that in just a minute.

So it looks like everybody kind of came in, and the results were resounding: most people did not know. So we'll slow it down, and that's really good feedback. So I mentioned that you click the button in the installer, it deploys into a HIPAA configuration, and what you end up getting, well, this is on a system that was not hardened, this is actually from my laptop, but what you end up getting is a report that shows you a compliance score. So we can break this down in a couple of interesting ways. The first is rule results. So it's your classic pass or fail. Over roughly a hundred and fifty checks,
my system only passed 47, it failed a hundred and two reported unknown, which is that slice of orange on the rear end. So it allows me to just get a really quick synopsis. Outside of that, though, it really doesn't tell me enough information. It's, okay, well, I failed a third of the rules; what does that really mean? And that's where we start highlighting the severity. So we have kind of three categories. High severity is a category of vulnerabilities or misconfigurations which can be remotely exploited. So these would be things like: you have SSH or remote login enabled, and you have the ability to log in as the root user remotely with no password. Super high vulnerability. Medium would be things such as maybe there's some sort of defense in depth in play where it's not immediately remotely exploitable, but given one or two circumstances, your system or your data could be leaked. And then low, or other, is kind of the category of good hygiene, where in reality this is not going to cause you to get but you should really have your file permissions in order, because if you do, it'll make life harder for an adversary. So that's considered low.

Outside of that, then, you'll notice, kind of based on the blending of severity, you get a risk score expressed as a percentage. So a lot of customers requested this. And you'll notice the rule results show that I failed roughly one third of the results, but the score shows that I'm roughly 59%. Okay, that's not really good math. How does that add up? So the score actually demonstrates a weighted average. So if you fail a high-severity check, that is considered more detrimental to your score. So that's kind of where that comes from.

From there, we end up scrolling a little bit down, and I mentioned that each high-level requirement, in this case NIST 800-53, ultimately has to be translated to a technology-specific configuration action. So in this case those
NIST 800-53 CM-5, which may or may not mean anything to you, it's NIST for the federal healthcare side of the house, and you'll note how that high-level requirement translates to specific pass or fail configuration checks. But if you fall under the commercial side, well, you may be following the HIPAA policy directly, in which case you may recognize how this is broken out, where the top-level requirement is HIPAA 164.308 and a whole bunch of paragraph numbers that might be more meaningful to you. And again, we've mapped that high-level policy to specific configuration actions within the components, in this case Enterprise Linux.

And in doing so, their artillery status reports that gets reported. Pass or fail are pretty self-explanatory, but I also wanted to highlight something called "not checked." So in certain situations, we see the policy, like HIPAA, require some security control that cannot be automated. A really good example is what you see on your screen relating to encrypted partitions. And they're not just talking about is the operating system encrypting the data; they're generally talking about is the hard drive in the server self-encrypting. And in reality, we're not able to evaluate that with any certain degree of provenance or certain degree of assurance. So we acknowledge the check, but we mark it as not checked or not evaluated. So it's one of those things where we want to recognize that in certain situations, there are a couple of fringe cases where an auditor will have to evaluate something manually, and we just don't want to overpromise that we can automate everything. We try, but there are certain cases that we can't, and we make that clear.

So we have a red light or green light; we know that we pass or fail. And I mentioned we want to turn those red lights into green lights, and to do that, we ship a couple of remediation capabilities. So the first is a series of Ansible playbooks, which are provided natively in the operating system as well as on Ansible Galaxy,
and from them, for one, we generate corporately, as Red Hat, playbooks to known security policies such as HIPAA or PCI DSS. However, oftentimes a lot of customers use those base Ansible playbooks as a jumping-off point to create a tailored security baseline. I mentioned that's what something called SCAP Workbench is for. So by using SCAP Workbench, you can tailor what security controls are applicable to you. For example, maybe you're running a healthcare system and that's an incredibly high-assurance platform; you want to enable all of the security checks. However, maybe you're just running a blog, which does not require it, it's not having patient data, so maybe you dial back the security a bit; you generate a playbook from a custom baseline. Either way is completely supported.

So as you move on, I mentioned that the playbooks are actually delivered natively in Red Hat Enterprise Linux, and there's a whole bunch of them. Believe it or not, we ship them for JBoss middleware, for Red Hat Fuse, which is a messaging platform, for RHEL 6, for RHEL 7, and as stewards of open source, we actually ship them for other platforms, such as Scientific Linux or Wind River Linux, and that's actually something we've been doing for a number of years. By shipping it natively in the operating system, Red Hat has a promise that whatever we ship, we support. So if any of the Ansible playbooks is broken, if there are any errors in the SCAP content, the bug fixes follow the standard patching process: you can open a support ticket, we fix it, we give you the fix as a security errata.

Outside of getting the remediation content from within Linux, we deliver it natively in Ansible Galaxy, and there's a whole bunch of profiles there, ranging from criminal justice information systems to the military and, of course, HIPAA. So if I were to click on HIPAA, which is the link near the bottom of the screen currently, you'll be brought to documentation that gives you, you know, run this command, here's how to
download the playbook, here's what you need to change to make it work, put your IP address here. That kind of documentation is available. And then again, as Red Hat, everything we do is open source. So if you're inclined to participate, if you find a bug, we certainly, as Red Hat customers, encourage you to open a support case, but absolutely everything is on GitHub. Whether it's the HIPAA baselines, whether it's government baselines, it's all on GitHub today. So I wanted to really kind of be strong in emphasizing that point.

So, a little bit about baseline management of things like hypervisors, of things like operating systems, but objects, and I wanted to show a workflow on how this ties together. So if I'm a user in a classic IT environment, maybe you're following ITIL service management, basically you generally have some user create provisioning workflow, and they click a button: they want a web server. Behind the scenes, oftentimes large enterprises run something called Red Hat Satellite, which is a system management framework for Red Hat technologies: operating systems, OpenStack, virtualization platforms and so forth. And the provisioning process goes: we have the ability to get a template, like, I want the Apache on RHEL 7 template. Ansible will go in and configure it, such as maybe you enable PKI or certain Apache modules. And as you move through the workflow process, you'll note that the second-to-last step is that Ansible Tower has the ability to run a specific job template, such as the SCAP playbook or hardening process.

So in doing so, we no longer have security being this tertiary process. By the time the user gets whatever service they need, using the web server example, it's pre-hardened. So the process has, I don't know, component-level knowledge of: this is Apache, I need the baseline for Apache, and it's going to be running on RHEL 7, and I need to harden RHEL 7. So by the time the service is delivered, all components are pre-hardened. So we wanted to show that, and then also
in the cloud world, oftentimes, you know, in reality we would absolutely love for every customer to use Red Hat Virtualization or OpenStack, but oftentimes hospitals are going and exploring things like public cloud providers such as Amazon or Azure or even Google, or perhaps they're on premise and they need VMware support. So what we've been able to do is write something called CloudForms, which is a hybrid cloud management tool that works on premise and off premise, public cloud, private cloud, and it becomes the bridge between all of these different environments. So with CloudForms we actually have the ability to deploy the secure infrastructure in a cloud-agnostic way. If you're deploying to EC2, Azure, VMware, it actually doesn't matter; we've written this integration already and deliver it today. It's not a roadmap or a feature component at all.

So we wanted to share this workflow with you. It turns out most people didn't know, which is why we wanted to have a webinar. So maybe two to help out if and I, while we read the Q&A and prepare for, you know, kind of the questions and answers: did this help you? Is this information that was useful to you? If yes, great, click yes. If no, let us be aware of it, and then type some questions in the chat that we can go through live. Uh-oh, and for "not sure", why don't we treat that as a maybe, and just let us know the questions in the chat. So while I am biding for time right now, we're going to start going through them to tee up the live Q&A.

So with an issue, yep, deshaun up, I thought like it would be helpful to explain what Ansible Galaxy is. You mentioned that.

Oh, I don't think books my right, no, no. Well, so the question was, what is Ansible Galaxy? So the idea is, in the same way Docker Hub provides a centralized community space to find playbooks, sorry, to find container images, Ansible Galaxy is a centralized spot to find Ansible playbooks. And this term "Ansible playbook" reflects a machine language, a YAML-based machine language that derives a configuration
engine, so that we can be, with a high degree of certainty, if you create an Apache playbook that hardens Apache, that deploys a particular version, you can share that, and that's what Ansible Galaxy does. So from a Red Hat perspective, we went ahead and provided corporate, Red Hat backed, Red Hat engineering supported playbooks for known regulatory baselines, which means that as Red Hat we go and communicate with regulators, whether it's HIPAA, whether it's auditors like Coalfire, whether it happens to be the American Department of Defense for our DoD baselines. We go and translate those baselines into configurations of Red Hat technologies, and we make them public through Ansible Galaxy.

And it looks like 100% of people replied, so to flip over to the answers, which apparently there isn't a slide. So the answers as they show up in my view are: about half the people said yes, this was really interesting and new information, and the other half said maybe. There were no "no"s; it's kind of on the fence. So we'll start teeing up the Q&A, and while I do that I'll hand it back over to octave or kind of a review of would not be able to help with her balance.

Yes, thanks John. So building on what Sean just mentioned, the actually in partnership that Intel have launched a program that allows you to kind of set your security readiness. What this program is: right now we have about 150 healthcare and life sciences organizations participating in it globally, and what this program is really is a way to measure your organization against your peers, and how are you ranking against other healthcare organizations that are looking at their security postures. This does span nine countries, and what this program is is basically a one-hour interview with you guys with the specific template of questions that we will ask. This template captures, you know, your level of concerns, what are your high-level priorities, and then measure against specific 38 security controls in healthcare organization and how you grade against
those security breach, security controls that have resulted in breach. And what we do is actually put it into this program that takes your answers and generates a report that allows you to grade yourself, or grade you against your peers, and gives you also recommendation, based on the priorities that you have identified, what are the first things that you should be addressing. And it also provides actually links to certain technologies that you could look at to consume to quickly address those security controls that have been identified. I think the cool part is that every one Supporter you can refill out this template and give it back to us, and we will run it again, and it will give you the updated result in terms of how you are tracking against postures. Now what it is it's partly so I highly recommend engaging us and reach to us on this program. It's a good, good way to get started rising what are the areas that you want to address and identify controls that you want to address first in terms of protecting your organization.

So with that, we have about 10 minutes for questions and answers. And what I will recommend, actually, in order to reach out for this program, please reach out to this email address, k parks at redhead comm jay park Zebrahead calm, and you can download these slides and also get the email that way. So at this point we'll move on to the questions.

Thank you. And just as a reminder for our listeners today, our participants, you can continue to submit questions throughout the Q&A by using the active question panel on your screen just to the left of the slides. And so for the first question: where as we generate the report, do you have a tool included with Red Hat Enterprise product such as, Sean?

I'll jump in and take that one. There are a couple different ways to generate the report. The very first one is classic Red Hat, in that there are command-line tools for system administrators. Clearly that only works on a one-to-one basis; it's not really how to scan a hundred
systems. So to scan at scale we expose this functionality through both Red Hat Satellite, which is our system management tool, as well as Red Hat CloudForms, which is a hybrid cloud kind of service management platform. So you can do it one on one, such as a system administrator may; we can do it at scale, such as through Red Hat Satellite; and we can do it across cloud providers, public or private, through platforms. Any of them are completely supported right now.

Yeah, and I would add to that, I would add to that, that with CloudForms specifically you have the capability to implement workflow. So if you did use CloudForms to do the scan and it generated the report, and you want to use the Ansible playbook to kickstart the remediation process, you probably don't want to immediately go and touch the production servers or service which are running mission-critical workload. You probably want to go through some approval process. I'm sure that app owners are there; these controls are going to be in place. So CloudForms is a great way to actually implement that organization workflow in enabling and executing these security controls.

Okay, our next question: are the SCAP and Ansible content supported by Red Hat?

They are. So we have two levels of support, so I'll answer thoroughly. The first is, I'm interpreting this as: can I open a ticket, and can I call a 1-800 Red Hat, and if something's broken will they talk me through it? The answer is yes, absolutely. The second is: if something's broken, will you patch it? So the answer to that is yes. If there are any errata or missing features, if something is incorrect, we actually deliver through RPMs updates to the content as well as the tools. So yes, absolutely, completely supported.

Okay, and what validation does the content go through?

Oh, that's actually a really good question. So I mentioned briefly something called the NIST National Checklist Program, and what wouldn't is the role of the government in this national checklist is to review vendor submissions
so that when Red Hat says HIPAA policy number one two three four maps to the following operating-system-level configurations, they peer review that to make sure our interpretation of the policy is correct, they peer review it to make sure that our implementation of the control is correct, and then they also take a look at our automation technologies, like the actual Ansible and SCAP code, to ensure that we're not reporting false positives or false negatives. And that is done and indicated when it is complete on the NIST website. So it allows you to say, although the vendor just uploaded this yesterday and it's not reviewed, maybe I want to hold off for a week or two until NIST gets a chance to review it, and it allows you to be a little bit more informed.

Okay, we're down to our last couple questions, so again a reminder to our participants today that if you did have any other questions you wanted to ask at the, please enter them in the ask the questions are. So: how much is this workflow is accessible through an API?

I still think that do. So both Satellite and CloudForms have REST APIs, and as long as you can make a REST call you can access this functionality through an API. So I suppose the question is really asking: will it fit into existing automation workflows, will it fit into custom tooling? As long as your workflow or custom automation supports REST APIs, the answer is best that API is included.

Okay, great. And final question: how long does it take to complete the assessment, and will you provide the questionnaire ahead of time so the client can prepare?

You, yeah, I'll take that one. So typically it takes one hour to go through the interview questions, to fill out the template and capture your priorities and concerns, and obviously that template will be provided ahead of time for you to review and digest and maybe even gather information to answer some of those questions. We have found previously with other customers that, you know, it's a pretty pain-free process and it's
pretty quick, and the results are appreciated in terms of identifying where they should prioritize their efforts in securing the organization and meeting HIPAA compliance.

Okay, so it looks like that was our last question. So at this time, Shawn or authors, if either one of you have any final comments that you'd like to make at this time, please feel free to do so.

Yeah, so I'll go first. So I do understand the complexities behind HIPAA can be very daunting, and the nebulous information that exists on the internet, and reading through the policy could be a painstaking task. I do believe that, you know, that is essential for our security and protecting our PHR information, so it should be a priority. One of the things that were submitted as a direct question to us was lack of executive support as one of the possible reasons why organizations are not far along this path. I mean, lack of executive support should clearly be addressed to the paramount of fines that exist in not addressing HIPAA compliance. That should change pretty quickly after you share that information. The shot.

So I guess the biggest thing is, we talk a lot about infrastructure, so the goal is to have components like hypervisors be compliance-ready out of the box. So the idea is you deploy into a known state, and then you have tools and content to do continuous monitoring over a period of time, like a year, just during your normal life cycle. So we provide out-of-the-box compliance with continuous monitoring, and that's kind of what makes it so unique: as we add regulatory baselines, we open-source them and put them natively in the technologies, so that it doesn't become the customer responsibility to define HIPAA for a hypervisor or to define HIPAA for containing. The platform should take care of that.

And then there was a question I just noticed that we did not answer in the chat, about are we aware of templates, security templates and checklists, that cater to the Canadian HIPAA requirements. And sorry about
that. No, that's enough that, oh no no, it just popped up. So the answer is no, I am not aware, but what's nice is that we can add them quite easily. So I would suggest, we put our emails in here, send an email to Optive Kendall or myself and we can take that one offline to figure out how to do it together.

And shown an audit, just to draw your attention to another question you may want to take offline that just popped up: as part of compliance, if you need to go through multiple computers, what is the asked, what are the access requirements to scan those, and what is the typical time to scan one computer? So if you wanted to jump on that offline as well, the person asking a question is listed there as well, if you wanted to make sure that that point got addressed.

Yeah, it seems like there's a couple here and there, so as people ask questions
