This Week Health

Don't forget to subscribe!

March 4: Today on the Conference channel, it’s a double Interview in Action live from ViVE 2024. First, Drex speaks with Theresa Meadows, Senior Vice President & Chief Information Officer at Cook Children’s Health Care System. Delving into the realities of clinician burnout, her efforts towards a happier, more effective workforce are prominent. Theresa discusses a problem-based approach focusing on mitigating burnout and improving workflow efficiency. With a myriad of tech innovations floating around, how does one zero in on effectively targeting pain points? Next, Drex speaks with Toby Gouker, EVP, Government Health at First Health Advisory. As part of a company that strengthens digital health through cybersecurity practices, policy design, and resilience initiatives, Toby provides an insightful overview of the challenges and strategies involved in their operations. How do cyber threats affect the industry's strides towards improved patient care? Why is the matter of cybersecurity within healthcare gaining more relevance due to continuous technological advancements? What plans are set in motion to ensure a safe digital transition?

Subscribe: This Week Health

Twitter: This Week Health

LinkedIn: Week Health

Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong. 

Welcome to This Week Health. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare, one connection at a time. Today, we have an interview in action from the 2024 conferences, the spring conferences, VIVE in LA, HIMSS in Orlando.

Special thanks to our sponsors, Quantum Health, Gordian, Dr. First, CDW, Gozeo Health, Artisite, and Zscaler. You can check them out on our website, thisweekhealth. com. Now, onto our interview

  Hi, I'm Drex at VIVE 2024, and I am here with my good friend, Teresa Meadows from Cook Children's Hospital. And you guys have a lot going on at Cooke right now. You have just opened a new, a whole new hospital. What's going on? What's top of mind back home before you came here?

Yeah! I mean,

originally I'd have a lot of different answers. Like, top of mind right now is trying to help operations deal with the changed healthcare.

Oh.

But, for us, probably a lot of evaluation about how to improve workflow and burnout. I mean, that's kind of been our number one focus. So, we're looking at products that actually will solve problems.

Nursing burnout? Clinician burnout? All.

All. So, we've got two projects we're working on. One for physician and one for nursing. To really kind of reduce, actually to get more nurses into the workforce. And then Help our physicians want to practice medicine, which most don't these days. So, really trying to figure out how we bolster both because if the mom, if mom is not happy, nobody's happy, so if the nurses aren't happy, doctors certainly aren't happy.

Yeah. And vice versa. I'm married to a nurse, so that's I'm

a nurse, so I'm super cranky all the time. So if I'm not happy, nobody's happy. And so, so we've really focused on trying to find solutions. And we've kind of done a problem based approach. Like, what are your key pain points? And we're trying to find solutions to kind of influence those pain points.

Versus just looking at everything on the market.

It's not a shotgun, but something that's really specific that there's consensus around this is burnout

survey. Oh yeah. Surveyed everybody for burnout. Great. And then we took that data and now we're trying to find solutions to maybe

help reduce it.

So here you are. I know. At the big show. Yes. Looking around at a lot of stuff. Yes. Maybe for burnout or for other things. Yeah. What are you seeing that is kind of interesting, might be something you take home?

Yeah, I mean, I think there's several really cool technologies. I think AI, I hate to even say it out loud.

I know, it's okay. Is really in its infancy. And so trying to find Someone who has actually thought about a problem and not just we're going to cure your documentation with AI Yeah, but really kind of maybe hyper focused Solution so I saw I was talking to I forget the name of the company, but we they have a solution where They help patients get to a doctor faster.

So with all the access problems that we have, they have technology that will actually sit on your website and help you find, get you to appointment in two clicks. Versus 37 clicks. Yeah, wow. That normally it takes for somebody to find something. So that's kind of cool. Right. But there's lots of cool stuff.

Yeah, there is

lots of cool

stuff. You have to abet the coolness for the

reality ness. I think there's always a balance in there, right? And that's part of your detector that's built into all CIO jobs. You get

super excited about what you see, but then you're like WAH.

Anything on the downside of that.

Yeah, what could go wrong with this? So speaking of not downside, but If you could have any fictional character as your life coach, who would that be and

why? It would totally be Ted Lasso.

Ted Lasso. I think that's a good guy. You love that guy? I

love him. First of all, I like soccer. My daughter is a soccer player.

Yeah. But secondly, his approach is kind of how I approach things. Yeah. Like he's very people oriented and relationship oriented. And figuring out how people tick. I totally see that. Figuring out how people tick, like I really enjoy that. And so to see, like, I know it's fiction, but to see how he kind of learned what made people tick.

Right. And then making people like you. Like, I'm gonna stay with you till you like

me.

I love it. That's what I would do. I'm like, you're gonna like me. So

that cranky thing isn't

really it. It isn't. It's occasionally. I'm less cranky.

Hey, thanks for your time. I really appreciate you coming over and doing the interview.

I'll see you soon.

  (Transition) 📍 📍 📍 ​

  (Interview 2) 📍 hi, I'm Drex at VIVE 2024, and we're with Toby at First Health Advisory. And, man, there's a lot going on this week. I want to start by just, thanks for being here. And tell me a little bit about your background, because you're kind of legendary and all.

Oh, well, I work for First Health Advisory as the chief security officer for our government health divisions. Before I joined First, I spent five years as the provost for the SANS Technology Institute. So that's what led me here. First Health is a digital health risk assurance company. We do cyber security.

practices, we'll do privacy and resiliency initiatives as healthcare moves into the digital age security needs to move with it. We want to make sure that as we're adding, new features and benefits to improve healthcare that we always do them in a secure manner so we don't hurt healthcare in the process.

Absolutely. I mean, one of the things that, part of the reason I'm doing what I'm doing is because A long time healthcare CIO, but I got to this point where it became really clear to me the thing that's going to interrupt all the investments and all the things that we're doing that are benefiting patients and families, it seems like it's more likely than ever to be a cybersecurity incident.

Yes. So I started focusing on that path because I think that's maybe, where we can

do the most good. My jump from the SANS Institute was exactly for that reason. While I was at SANS, we developed a product called CyberCity. for the Air Force. It's a kind of attack and defend range where they can practice their tool sets, right?

Both ways. You know, It has train station in it, it has a school system, it has water pumping stations, missile silos, and a hospital. We put an electronic health record system in. It was embarrassingly weak. It was like a piece of Swiss cheese. So before we gave it to them, we had to harden it. So I went and talked to my good friend Carter Groom at You need to get into the business of providing cyber security practices along with your information technology implementations.

Yeah. He agreed if I agreed to join him, and so I know that healthcare was going to come under attack, and so that's why we're a healthcare only focused firm. I mean, First Health Advisory

has such an amazing and interesting history of how the company got here. Do you want to talk a little bit about that?

From the, doing initially electronic health record implementations and all of that, and then, as those things went along, like, oh wait, here's a giant gap and a challenge.

Cybersecurity. Yeah yeah, we were one of the major players when meaningful use came out to implement electronic health record systems.

But, really for us, the differentiator wasn't about to plug it in and go away. Yeah. Really trying to understand what the customer needs for, what their clinical workflows are. Cause we have clinicians on our team to represent the voice of that so it's not just an IT project. Stuff like that. So the vast majority of success of those early days was putting in what we call at the elbow support.

So, clinicians could really take advantage of the workflows of the new equipment that they had. And like I say, that's the connection to that cybersecurity practice when we found that the EHRs that were all being put in were terrible. As a matter of fact I know there was a year long delay in the implementation of defense health.

Because CERN could not be put in because they couldn't pass DoD security standards. Right. It was a whole year of delay before they got that

started.

  📍   In the ever evolving world of health IT, staying updated isn't just an option. It's essential. Welcome to This Week Health, your daily dose of news, podcasts, and expert commentary.

Designed specifically for healthcare professionals like yourself. Discover the future of health IT news with This Week Health. Our new news aggregation process brings you the most relevant, hand picked stories from the world of health IT. Curated by experts, summarized for clarity, and delivered directly to you.

No more sifting through irrelevant news, just pure, focused content to keep you informed and ahead. Don't be left behind. Start your day with insight at the intersection of technology and healthcare. This Week Health. Where information inspires innovation. 📍 Increase 

Yeah. Well, lot of people have talked about AI this week. But I would venture a guess that the most talked about thing this week isn't AI, but the stuff that's happening back home, systems being down because of a cyber security incident.

You just

were quoted in an article, just tell me that story, because it's gotten a lot of coverage, a lot of people are reading that.

Okay so the story kind of starts quite some time ago. The newness of the story starts on like February 13th, when some security researchers reported a feature in ConnectWise that allowed you to create an admin account even though you weren't logged in to the system, which bypasses multi factor authentication instantly.

Okay, so that security researcher told them in private, they spent the next two days coming up with a patch like they should. And they rolled that patch out from the 15th to the 19th to their network, because for all their cloud based servers, but they also knew they had about 8, 000 plus on prem instances of it.

And so on the 19th, they said, like a good company would do, there's nothing wrong with what they did, everyone's going to have flaws that they need to fix. They said, we have an issue, and here's the solution. Well, you know what? Melissa's actors have been watching ConnectWise and other vendors of these similar projects because they're a big gateway.

Yeah. Okay. And so they pounced on that probably just as fast, if not faster, than anybody else to patch the situations. And so we started noticing a whole basket load of different kinds, from, different kinds of malware to denial of service attacks to ransomware attacks being loaded as a payload through that open door now and stuff like that.

They noticed that and so what they did at ConnectWise was they freed up the ability to put that patch on to everybody. Even if you were running an unlicensed version of the product, they let you put the patch on. And then they also, in another step, really gave you a screen that said if you try to log into an unpatched system, call the help desk if you have an unpatched system.

So they really were diligent, but the trouble is, with Statistics show somebody's going to get hurt in that and it's a race,

right? I mean, it's a race when somebody announces a zero day or this is a two day people find it out, right? It's a two day, right? Yeah, but to the world attack it sort of feels like a zero day once that's out there Then there's a race There's a race between the good guys who are trying to figure out how to patch it and get it Not a problem turn it into it.

Not a problem anymore. And the bad guys are trying to figure out how to weaponize it And patching is a chronic

problem for us too. Absolutely, yeah, it's a big burden, but, the malicious actors operate. In minutes and hours. And the good guys operate in days and weeks.

I mean, you get the patch and you have to put it in the lab and you need to test it.

Make sure it's not going to break workflow. Business workflow or clinical workflow or whatever. And all of that takes time. The bad guys are standing on the accelerator.

So if you move forward just a little bit, two days later, as we talked about, on the 21st, at like 2 o'clock in the morning, an announcement comes out, Change Healthcare's got an issue.

And they, again, did the right thing. Disconnect. Step number one. Disconnect. And some people were faulting them for doing that, because they were worried, well, what about the implications in healthcare? No, I'm exactly Concerned about healthcare. That is the perfect thing you need to do.

Disconnect. I'm with you. I

think that's an admirable

first step. Right. And then start communications to everybody. Be transparent. Be transparent and work through calling the right individuals to start fixing the problem. And then come up with some assurance and show me that I'm not coming back online unless I've got assurance that I've either gone to the right kind of a backup, or I've done a rip and replace, or I've even got new hardware, whatever it is.

And these things, everybody wants them to be back online as quickly as possible. But traditionally, history would tell you these kinds of things can last upwards of a month. They take a while to sort out and understand what's really happening. It might be a couple days, but it takes a while to sort out and get assurance that I'm putting back on something that's not still affected.

Not to mention the fact that's just business continuity, when you go to disaster recovery on this, it could be six months to a year before they're really up and operational on that. But today, if I were talking to people about what they should be doing, it's like, don't get into the blame game.

It doesn't matter that Alpha V was the actor. How does that help you that a Russian nation state was doing this? That's you, as a security professional. Whereas a CIO should be looking to your business unit leader to say like what's our business continuity plan? This is in essence a, not a third party breach, but a fourth party breach.

Yeah, okay. Well, do you have a business continuity plan in place? Or in case something fails? And the answer is typically, well, I didn't think about that yet. We haven't looked at it. We haven't looked at those forms for a few years. We're doing surveys, and we're getting our third parties to turn in their self assessments.

Right. Maybe a couple of us are Auditing those, but when we get back an answer that says I'm not comfortable with the answer We haven't taken the next maturity step to say well, what's my contingency plan

around that? And that's what that's what I would tell people today. It's like if I'm focused today.

I'm telling our security and CIOs and like Please start conversations. We're in business continuity. You need to be looking at how do I keep the lights on not who done it? Okay, so it's so it's like number one Uh, where are my cash reserves? Because this is a cash flow issue. I'm not filing claims, you know, my exchange is down.

Where are my cash reserves? How healthy are my, you know, lines of credit? are my favorite vendors that are willing to negotiate some new longer terms with me? And then, what's the number for my favorite financial friend at CMS?

Here's another question I have for you along those same lines. Cyber insurance.

So I have business interruption insurance. Does that kick in? Because it's not my breach, but it's one of my third party operators that had a problem that's causing me a business interruption. Have you had any conversations with anybody about that? Have you heard anybody trying to make those

claims? Yes, and the conversations have all led to, it depends.

Ah, how was the contract,

how was the policy written? How was the policy written? What were the things that were colored out? Right,

exactly, and so there were some telling questions that came up in a meeting. The, call where, you know, HHS was on the phone with CISA and the FBI and others, where one provider says, um, is the reason that, Optum said this, this is a nation state attack so that they could get insurance coverage.

So, and the answer, I don't know. but that's, so you're right. Those are very important questions about, you know, funding this. But even if it's cyber insurance, it's like. They're going to give me my money, but are they going to cut me a check tonight?

Right. Yeah. How long is this process going to take?

Because I only have

10 days cash on hand. Yeah, right now it's what is my cash on hand and what's my flow there. And it's not just about the money, but the money is important for all the other resources we need too. Because that's why I said that we're a risk assurance firm that's looking at, at helping to, preserve all of the resources in healthcare as a cybersecurity firm, because, because it's going to take extra resources right now today, because we're manually processing, prescriptions, we're writing them down on pencil and paper, and we're storing them in a file somewhere, so that's extra resources.

It's a slower to the patient, solution. And then later on, when we get from continuity into business recovery, I've got extra personnel that I have to bring in or distract from patient care to backfile all that into the system so that it can keep going. So it's really about resource. Yeah, and resource management is really what we're trying to protect because those resources are absolutely mission critical.

Everybody runs on a thin edge. of excess resources because they want to devote it all to patient care. And so we're really keen on that. So, really, the message today is,

watch that. Don't worry about

the rest in a bar six months from now. If you've done it, don't come out

later.

We sort of chatted about that briefly before we started. We started having a conversation before we started recording, and at some point I was like, I can't talk about this unless we have the camera running, but the attribution part is really difficult too, right? Because Yes. lot of these are sort of ransomware as a service kind of companies.

So, the ransomware, the capability is distributed. There are situations where the spider organizations, the e crime syndicates, people inside the company get mad at each other and the company breaks up. And the IP I guess from a cyber bad guy perspective goes in different directions and so sometimes now it's hard to do attribution because it all looks the same until you really dig into

the sort of like the tactics in there.

Yeah, it's going to take weeks of detailed forensic studies to actually discover this because the initial attack vectors generally all look the same because, and even, even the principles involved in them can be the same. So like, for example, the signatures of what's going on now look very much like the same signatures that happened in the Colonial Pipeline attack.

That's where, Carter started to put some Thoughts around that, how similar that is in that field to our field here. Pretty certain that some of the same individuals or their work product was involved in this going forward and they, they, you know, they get kind of stomped on by the authorities.

The groups disperse and scatter, but they don't all go away. They reconvene, pick up the pieces of their software. Put a few new tools on them. Right. And away they go. Wow.

Amazing. Uh, one of the things I wanted to ask if you're getting called about is, and we sort of touched on it earlier,

as

the folks in the pharmacy, for example, start to talk to their counterparts and the pharmacy and change, like, I think, I think we're okay.

I think it's okay for you guys to reconnect. And then they come to the CISO or the CIO and they say. Sounds like it's all clear on our side. So they start putting pressure on, you know, pretty much right away. So talk about the risk conversation around making the decision about what you need to reconnect.

Okay, I'll start that conversation off with the fact that, I think that, you know, by their actions and by our previous interactions with Optum, that they have sound Principles and practices in cybersecurity field. People need to recognize that change health is a relatively recent acquisition on their part.

It only happened in last October. So you can't say that change health care is Optum's health care. It is today. Yeah. Okay, so So the first step is, is that, what is your trust level relationship with the provider of the service? And in this case, I don't know who Change was, but I do know who Optum is. And, so that, that's step number one, I'm going to check.

Yeah, I'm going to look at three guys in a garage. Right, yeah, I'm going to check, I'm going to check that box. Okay. I'm going to look at, you've got to then do an immediate, business impact analysis with all the right stakeholders in the room. Yeah. To determine This particular connection, this particular operation, is it mission critical?

Are there other sources that we have? Do we have options? Not options. if it goes down, if it turns out that we've turned it on and it is a RISC, I hope I'm smart enough to now have a backup. And I've got monitoring on place. So those are the kinds of questions that would go through my mind in a meeting.

And then, the business unit leader would then make the decision. Because it's, it's a business decision. It's not a cyber security decision. In the cyber world, we're the advisors to that situation. in charge of the bottom line, so they've got to make the decision with our advice. It's both IT security and business needs.

Yeah, no, I love that. Paul, let me ask you sort of one, more question, and that's really in the More broader sense of, we spent a lot of time talking about change. We spent a lot of time talking about change this week. Other things that you're working on that you're kind of super proud of that FIRST Health

is?

Well, one of the things I'll tell you is is that we are very strong proponents of this conference here, VIBE. Okay, because in the cyber security space, there's a saying that you probably know that, whatever it is you know today, 18 months from now, half of it is obsolete. Okay, so that if you're not reinventing yourself every day, you're doing a disservice to whatever applications you're serving.

So, so we're here at this conference and super pumped and excited because this is where the digital innovations in healthcare are happening. And we're listening and researching on those, and we're also looking at the new techniques in cyber security practice. And our job is to marry those two together to make sure that the future stays as protected as it can.

Make those lanes merge as early as you possibly can, right? Yeah. And talk to these, startups, early age. Make sure that they're working on building cyber security in from the start. That we know, we know, that's the most efficient way to do cyber security. Little bits and bytes each piece of the way.

You don't want it to be at the end of the day and be in the position where DoD was. Retrofit. Nope, nope, gotta stop. And now I've used it here, and these people are, you know, you're working on venture capital money, and it's time to market. A year would crush them. A year would crush them, so we want them in there on first.

So that's, that's really the big excitement for us at this conference. And, you know, AI, as you open with, is really important on people's, list. And it's important to us, too. and the idea that we are strong proponents of the fact that AI has the ability to improve healthcare delivery outcomes. Our job is to make sure that it doesn't, at the same time, give away the keys to the kingdom.

Right. As it's

offering that improved additional service. Right, right. We see more and more, AI built into the products that we use, but we've not spent a lot of time thinking about what are the terms and conditions of when we put that thing into that software as a service product, and then it goes into the AI machine.

Do they get to keep that data and use that data to train? You know, like, there's a lot of, there's a lot of questions. I, I feel like that is a whole can of worms that we're only barely opening.

Absolutely, yeah, it's just like the devil is in the detail of the unintended consequences of the steps that we're taking.

Yeah, and, and they're not just Data driven. They're ethics driven, too. Yeah, and so we're so we're looking at anticipatory ethics Processes like because everything that we build Is built by a person. Okay software has the personality of the coder and stuff like that and it has an intention Yeah, okay, so we want to interview people for the intention of what they're doing, and then look at the unintended features of the product as well.

And the biases of the person. And the biases, right. That they don't even

realize that they have, right? Right, exactly. Interesting. Thanks. I really appreciate you, uh, coming by. Really, it's always, I mean, it's great fun to spend some time with you and talk to you. I have a feeling we're going to be spending a lot more time together.

Looking forward to that. Thanks for being a part of this. and that's it. We really appreciate you being here.

More soon.   (Transition) 📍 📍 📍 ​

Thanks

for listening to this Interview in Action episode. If you found value in this, share it with a peer. It's a great chance to discuss and in some cases start a mentoring relationship. One way you can support the show is to subscribe and leave us a rating. If you could do that would be great, and we want to give a big thanks to our partners who make this possible.

Quantum Health, Gordian, Dr. First, CDW, Gozio Health, Artisite, and Zscaler. You can learn more about them by visiting thisweekhealth. com slash partners. Thanks for listening. That's all for now.

Thank You to Our Show Sponsors

Our Shows

Newsday - This Week Health
Keynote - This Week Health2 Minute Drill Drex DeFord This Week Health
Solution Showcase This Week HealthToday in Health IT - This Week Health

Related Content

1 2 3 252
Transform Healthcare - One Connection at a Time

© Copyright 2023 Health Lyrics All rights reserved