This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

 Welcome to this Week in Health It where we discuss the news, information and emerging thought with leaders from across the healthcare industry. This is episode number 33. Today we discuss the data, a term that's used to describe the transformation potential. Data in healthcare in the emergence of an application ecosystem in healthcare.

Plus, we're gonna take a look at, uh, healthcare data breaches for 2018, give you an update and have a discussion around that. This podcast is brought to you by Health Lyrics. Health Systems are moving to the cloud to gain agility, efficiency, and new capabilities. Work with a trusted partner that has been moving health systems to the cloud since 2010.

Visit health lyrics.com to schedule your free consultation. My name is Bill Russell, recovering Healthcare, c i o, writer and advisor with the previously mentioned health lyrics. Uh, before I get to our guests, uh, just a quick update. Um, I want to thank everyone who's participated in our listener drive. We, we were able to raise $3,000 for Hope Builders, an organization that provides life skills and job training for disadvantaged youth.

Uh, I've hired their graduates. Their stories are amazing. Uh, thank you for giving us the opportunity to support the, uh, the next round of students in this great program. Today we're joined by, uh, Nasser Zaomi, the the Chief Information Officer for Thomas Jefferson University and Jefferson Health out of Philadelphia.

Good morning Nasser and welcome. Good morning, bill. Uh, thank you for invite inviting me. It's a pleasure. Well, I'm looking forward to our conversation. It should be fun. So tell us a little bit about, uh, uh, Jefferson University and Jefferson Health. Sure. So, so we are a 14 hospital health system serving patients in Philadelphia and surrounding communities, including Southern Jersey.

Uh, Thomas Jefferson has been around for 200 years now. We had 30,000 is strong re-imagining healthcare education and about $5 billion in revenue, uh, in academic medical center, uh, with Thomas Jefferson University. Being aware of flagship university and hospital, all of our hospitals are teaching hospitals.

Yeah, that's a, that's, that's a fairly sizable system. And so just Philadelphia and Southern are, are you? Um, Philadelphia and Southern New Jersey. Uh, yes. Uh, are you, uh, are you doing a lot of, uh, a lot of things like telehealth across those? Are you expanding into more, uh, retail, retail, uh, type locations?

all of the above? all of the above. Just like Telehealth is big. Telehealth is big. We are expanding in telehealth and we are seeing more and more. Uh, fraction in our telehealth technologies, both, uh, in our ed, and then folks calling in and opting for, um, a telehealth, uh, or a video appointment instead of a physical appointment.

Uh, we are working with, uh, local retail clinics as well. Um, it's a lot going on. Yeah, I'm looking forward to it. I have a lot of friends and I grew up, uh, just outside of Philly, I have a lot of friends. My, uh, I have family that lives there, so, um, they're looking forward to hearing you describe what, what Jefferson's, uh, what Jefferson's doing in some of these areas.

So that's, it's exciting. So let me give, uh, people a little bit of your bio. Um, so obviously c i o for, uh, Jefferson. Prior to that you were, uh, vice president of IT at, uh, New York Presby. Mm-hmm. and prior Yale new, uh, several IT roles at Yale New Haven. Including, uh, ciso. Um, so that's why I'm excited. I I don't get CISOs on the show all that often or people with CISO background.

So it's, it's good to talk security, uh, every now and then. It's such a huge, uh, topic for us. Um, and then you have a couple degrees. You have, um, you have, uh, M B A, uh, from, uh, Columbia, uh, Columbia University. Um, uh, master's in science, uh, in computer engineering, and, um, and, uh, uh, a BSS in electrical engineering.

So, I guess what we can surmise from that is that you're, uh, uh, you're either really good at school or very smart. So I'm, I'm a techie, so that's what I, I'd like to call myself. Yeah. Yeah. So what, what, what's it, uh, what's it like living in, uh, give us an idea of Philadelphia and the, the area of Philadelphia.

I mean, is it, is it a good tech scene? Is it, are you, uh, are you able to hire the kind of people and attract the kind of people you're looking for? So, so I think these are two different questions. And remember, I come from New York, so, uh, is it a good tax? This is an awesome tax. So tons of startups, there are a lot of cool things happening within healthcare and outside healthcare.

I get to meet folks who are really startups, uh, and mature organizations that are, they're really, you know, in the forefront of innovation. Uh, so the, uh, from a metro city point of view, find everything that you'd expect in any metro city. Now, hiring, uh, is a different story. Uh, uh, so we, we have some really talented people, but, uh, it's not been easy to hire.

Uh, it's not very different than what, uh, I experienced in New Jersey. I've been only in the area for a year now. I'll be completing my year next month. Uh, but it's, uh, hiring. Yeah. Talent has been a challenge. Yeah. Uh, and I think that, but that's the story across the board that's unique, not unique to us, but in metro cities.

I think just the competition is so much where we are competing with number of for-profit and commercial organization. It just makes it, uh, a little bit tough. Yeah, absolutely. So one of the things we like to do with our guests is to just, uh, open the floor, give you a couple minutes to just talk about anything you're excited about or what you're working on today.

All right, so that's a tough question because we are doing a number of cool things from innovation to, you know, XR and vr and expanding EMRs and figuring out unique ways of using fire. Um, there is a lot going on, uh, on our infrastructure teams. So specifically for me to pick one area. With that said, I'll say one of the areas that I'm very excited about is the work our team is doing in data analytics, uh, especially predictive analytics.

Um, and I really believe that we have an opportunity to influence patient care in a meaningful way via predictive analytics. I'll share an example with you. Uh, we at Jefferson, we have an o p I task force. You know, this is a national issue. Uh, we, our team developed, uh, a scorecard, which we call a p i, uh, provider scorecard in the insights from the scorecard.

Elective changes in provider workflow that resulted in a 91% drop in prescribing beyond three days. Our team has presented this work at national forums. We recently demonstrated it at, uh, the Philadelphia Health Commissioner's office, uh, who is interested in, uh, disseminating it to other systems in the area.

And this is just one example. Um, there are a number of other use cases that we have worked on and working on. For instance, we are, we are working on predicting. And just, just to give any, another example, I'll just finish by saying that there's a lot of buzz around AI, machine learning and predictive analytics.

And I believe, at least in the short focus on point solutions, which will give organizations like ours most value. This is your, your seeing, and this is where I'm really excited. Yeah, absolutely. And, and that's, uh, I mean, that's really exciting that you guys are, um, and you set up our first story really well, uh, in terms of how data can really transform, uh, things like, uh, the opioid, uh, epidemic and, and really, uh, addressing it head on and.

Um, you know, we've been doing things like readmissions for years and those kind of things, but now we're getting very focused on things that are going to impact the community, things that are gonna impact, uh, quality outcomes. And it's, it is, uh, it's really exciting. The hard thing is there's so many areas to get, uh, to really focus in on predictive analytics that it's hard to have enough staff and enough bandwidth to really do all the things that you want to do.

I mean, that's, That's, that's been my, uh, experience in, in analytics. Absolutely. You really could quadruple the size of your team and, and be doing phenomenal things. So, um, alright, so, you know, on our show we do two segments in the news. We each pick a story and discuss, and then we do sound bites where I'll ask you a series of questions.

Uh, you have a hard stop and about, uh, 33 minutes. So, We will, we'll keep it moving. So my story is, uh, c m s just, uh, completed their, their conference, um, the, uh, on interoperability and blue button 2.0. Mm-hmm. , uh, and there was a lot of, uh, exciting. Uh, really vision casting kind of things. Now, we, we all know that there's challenges in terms of getting the data out and where we're at today, but in terms of really a vision, uh, you really got a, a very clear picture of where they see things going.

So, uh, this story is from healthcare IT news, health, uh, healthcare app economy is coming. Uh, get ready for the data quake and, uh, I'm gonna bounce around to a couple stories, uh, data. Uh, so a Silicon Valley venture capitalist dropped the word one doesn't hear every day data quake. We're gonna look back at 20 18, 20 19.

He, uh, he says, uh, those were the years of the data quake, said John Dor, uh, chairman Kleiner Perkins Call field and buyers data was required to be interoperable. Innovators came together to move us to an app economy, so they're, they're starting to paint this vision of. Data getting to such a place that we're gonna start to see things like a.

Let me hit a couple, a couple other key things on this. So, uh, administrator Sima Verma, or health insure health insurance companies to follow the center's, uh, c m s, uh, lead to make claims data more readily available. We're, uh, she says, uh, we're at the beginning of digital health Revolution. We have the ability to take the net data and unleash it.

Um, uh, she said during the blue button Conference, we're unleashing the most powerful force in our economy. The consumer Verma added that c m s is creating a new type of patient profile by making the, uh, agency's massive amounts of claims data available to the public via Blue Button 2.0. Uh, and she said, we're not stopping there.

We're leading by example and calling on all insurance to release data, uh, in an a p I format. Firma said, you'll see through our regulatory process, Uh, they're very serious about that. Um, so, uh, you know, they talk about not only releasing the c m s claims data, they talk about encouraging. Uh, payers to release their data.

Uh, more than 600 developers signed up for Blue Button 2.0 to start experimenting. I think that number's up over 700 now. Um, and that, uh, which will give them access to the developers can build integrations across more than . Four years of Medicare port part, a bd, uh, data for 53 million Medicare beneficiaries.

And if that wasn't enough, you had, uh, Amazon, Google, I b m, Microsoft, Oracle, Salesforce pledge, uh, to remove interoperability barriers. So, uh, in terms of just visioning, uh, big day for them just laying out this vision for. Uh, uh, freeing that healthcare data, putting it in the hands of, uh, developers and clinicians to really rethink how we use the data.

Um, and so they're putting it out there. So let, let's just start with, let's, let's riff on this vision a little bit. So, does the data have the ability to change healthcare, uh, as it has in just about every other industry? Or are, are we gonna see some barriers? Uh, absolutely. First of all, great news, great article.

Um, and I think one of the other, uh, uh, people coded in the article, Ana said something about consumerization, you know, and I absolutely agree with that, the consumer like ecosystem. Uh, and I think that the shift have been slow. It's been happening for a while. Uh, and, and truly I think it's a matter of when, not if.

Right? Uh, and there are many reasons to believe that now is the time. Okay? And there are many reasons to liberate the data. First is direct patient care. Uh, the ability to, for patients and provider to access 11 data regardless of direct access to E M R. There's a lot of good work being done in the name of interoperability, which needs to continue.

Right? And I absolutely believe, to your point, that data in the hands of researchers and developers and entrepreneurs will truly change the way we provide, um, healthcare. Uh, there is a ton of data in EMRs in other clinical system, which is not used. Overwhelming majority of it, it just sits there for legal or compliance or historical reasons.

And this is the data that in the hands of entrepreneurs in research community can do wonders. Now, you asked about barriers. Uh, yes, there are barriers. Uh, first we have to think through, uh, privacy implication. For instance, companies, uh, like Apple are not covered by hipaa. Right. Uh, and there is, uh, a level of expectation, uh, from consumers, patients about the safety.

For the last 20 years, we have told everyone that your patient information is covered by HIPAA and so forth. Uh, these third parties don't have those, um, protections, I guess. Right? So we have to just think through. It doesn't mean that it should not be open. I'm all for opening. It's just that implications.

Making sure that patient data is stayed pro, uh, protected. There are really real technical barriers to interoperability and openness. And as an industry, we have been trying to solve those for many years. Uh, um, there have been many successes. You know, this conference was Blue Button 2.0, there was 1.0. Uh, so there are a lot of lessons learned and then there are gonna be more lessons learned.

Uh, I think the time is right. We need some push from our policy makers. Uh, we need engagement from organizations like Google and Microsoft who have, um, the resources, uh, to make things happen. And I, research researchers will do their job and, uh, good things will come similar to, uh, app economy that we saw in last decade.

Yep. Absolutely. So, um, you know, so one of the primary principles of Blue Button 2.0 is to get the patient record in the hands of the consumer. So it, it completely frees it, gets it on the phone. Mm-hmm. , uh, once it gets it on the phone, then, uh, as you. Pointed out, you know, there's no HIPAA on, um, security on, uh, apple.

And part of the reason for that is, uh, apple's, essentially the consumer's giving it to Apple. And, you know, they're not really putting that requirement on Apple yet. I think we'll see that sort of emerge here given the, uh, the landscape that's going on. We put, we put the record hands, the patient's. I dunno what, I've talked about this a lot on the show.

I've talked about once we get the, the, uh, record in the hands of the patient, That we're gonna see all sorts of new, uh, paradigms start to, uh, to emerge in that, uh, the patient's gonna be able to, uh, decide to sell their data. It's not gonna be something that a, a health system decides to do, or, or claims data gets sold, uh, and, you know, new industries gets created.

But there's gonna be, uh, the ability for me, the patient to go, I wanna participate in this cancer study, I wanna participate in this heart study and, and potentially get. Get compensated for it. Here's five bucks for this, or 10 bucks for that. So we'll create a sort of data economy there. Plus, we'll, we'll create all sorts of new, uh, uh, really access, uh, changes.

Uh, you know, as I go from health system to health system where I move from place to place, or I decide to use telehealth from a different provider, I'm gonna be able to provide them my record instead of them having to re request the record from another system. Uh, I mean, do you, do you, uh, let's start here.

Do you think the patient should own the medical record? Do you think we should put it on every phone? You're a former security guy, so you know what that means. Uh, and then, uh, do you think that's gonna enable more or, or different kinds of uh, uh, uh, I don't know, ways of of delivering health to that population.

And is that gonna really impact the health systems today? So first of all, absolutely. Patient owns data and up until now, they just didn't have way to access them. And other than, you know, uh, getting a printed copy of their medical record or in some cases going to, uh, a web portal and trying to figure out what's happening.

I mean, so the base that we provide our patient data is, is inefficient and inadequate. And there's certainly not ways where we can easily, A patient can easily say, Hey, physician, this is my record from a hospital. This is my xray. And so,

And, uh, we need to make sure that the chancellor of data from patient to whoever the patient is seeing, whether it's a hospital or a physician, is very easy. It's very quick, and it happens in a timely fashion. That is an absolute must. Um, uh, I think that, um, what I'm concerned about is, uh, Uh, the lack of understanding with security.

So, you know, we, we see in the news what's happening with Facebook and Google and G D P R, especially in Europe, and just the realization by people that their non-health data, their social media data can be used in ways that nobody imagined. And can be mined in ways that nobody can ever imagine. And I think that's an education, there's an educational component, first and foremost, to educate the patient that, that, uh, what can they expect once they share their data?

Because Apple or Facebook, they are known to share their, the data with third parties. I want, I believe that Apple already have in, in their terms and conditions, uh, where they can share the data with third parties. So, A patient knows the data is going to be not only with companies like Apple or Google, but all the ecosystem that, um, they support.

And I think first and foremost is an educational thing that patient has to realize what they're sharing. And secondly, I think you will see some, um, more rules and regulations around them. Probably it'll be a catch up, like HIPAA was a catch up. Yeah. Uh, but I think that will, that will happen. That's a must.

I'm not sure about the monetization piece because for most companies, the, the benefit of the data is, uh, is from scale. The, the, the millions of data sets that I think for, for, for foreseeable future is still or larger organizations will manage. Um, uh, so, uh, But that does not mean the, the, the, but I still really, the, the given data to patient is very powerful.

There may be organizations that are in interested in a very niche studies. So can you mention cancer? So if I'm an organization and my interest in lung cancer, uh, I don't need hundreds of thousands, perhaps, uh, you know, in, uh, contacting, uh, a very special population and targeted population could probably help an independent.

Um, uh, researcher, uh, who, or or a company who don't today have the means or have to spend a ton of money to gather that data. So again, what I think is liberation of data is going to be very powerful. Uh, there are gonna be some issues to both technology, privacy and security that will have to at risk. Uh, but, but I think we point where, um, if we don't, even if we don't address the barriers and the issues, I think

The, the liberation of data will happen. So, closing question. Uh, given the three, three key movements fire, uh, the Apple, um, the Apple announcement and their partnership with health systems that they're bringing data in and Blue Button 2.0, which of those three do you think has the, uh, biggest impact on, on bringing this app economy to, to, to, into fruition or bringing it to bear?

Sure. Instead of picking one, I would say is the push from the government, right? Uh, on opening up. It's probably the catalyst, right? And uh, the interest from organizations like Apple and Google and Amazon, I think is just going to accelerate that. So all of the above is the short answer, but I think the role of, um, uh, of our policy makers probably.

Is going to be most critical in, in, um, uh, I'm not sure if forcing is the right word, but, uh, forcing the opening of data, making sure that data gets open and interoperably actually happens. Strongly encouraging based on, uh, reimbursements and payments. Yes. You, you have a better stress of words than I do.

Um, you know, it's interesting, so we're gonna transition to the next story. But, you know, uh, you know, we're, we're so worried about. Uh, privacy and, and security in giving the, the record to the patient. But we're gonna transition to the story and it's gonna, it, it's gonna look like, Hey, we're not doing that great of a job as a, as health systems today in protecting the data.

So why, why don't you set this one up and then, and then we'll go into it. Sure, sure. This, this was a, an article that was published, um, yesterday, um, news in, in Becker's Health. Uh, and, uh, it's an article that is summary of breaches reported to O C R. So all and all organizations under hip are supposed to report their breaches of over a certain threshold to O C R and O C R then makes that information public.

And this article was a summary of all the breaches that were reported, um, in the first half of, uh, this year. And it stood out because of some interesting trends. First, we have already surpassed a number of records that were breached in 2017, and we still have five more months to go in this year. Uh, and incidents reported as hacking are on the right, and if the content end continue, the number could be 40 to 50% higher than what we saw in.

Uh, so I think that's an interesting aspect and it, it tells us as an industry on where we have, we should be putting our resources in. And this is, I think, supported by, uh, some positive aspects. The incident reported as capital laws have been studied over the last three years, and probably because of the requirement to encrypt by many organizations.

So, as you know, if the laptop or device that is lost or stolen, And is encrypted, then it's not a recordable incident and there are some requirements on encryption and so forth, but I think that over the. Um, this requirement or, or, uh, sort of, um, you know, incentive to encrypt data for organizations or strongly increase the organizations to encrypt.

Uh, and because of that, we are seeing the results of a steadying of, uh, instruments there. So now that we see a rise in hacking related incidents, I think that's an area where we need to, um, focus, uh, um, uh, so, uh, And I think there are other, uh, areas, you know, the, the inappropriate disclosure is also steady, but all expected.

But the reason I thought that this was interesting is that you know, this and, and you think about this in the context of everything else, um, you know, hacking this by Russians in the news and so forth. And, and this just highlights an area which, uh, we still are as an, as an industry, are struggling. Yep. So let me, let me give a, a few more, uh, just, just data points and then, and then I'm, I'm gonna ask you, I, I, again, I rarely get a CISO on the, on the show or someone who used to be.

So it's, so, so, 2016, uh, 450 breaches, 27.5 million records, 27 7, 477 breaches, 5.6 million, uh, records breached. Um, the, uh, you know, over, uh, one breach a day, uh, at this point. 20 17, 18 primary cause was hacking as you, uh, pointed out. Uh, so that's, that's on the rise. Um, but here's some other numbers, which I think are pretty staggering.

Between 20 2009 2017, there have been, uh, 2,181 healthcare data breaches. Um, those breaches have resulted in a theft exposure of 176. Million health records, which is over 50% of the population in the, uh, United States. So over 50% of the people have received those. Hey, we'll protect your identity, uh, papers, uh, the two causes we talked about hacking incidents and then insider breaches, uh, is the other, uh, primary cause.

Mm-hmm. , um, So, uh, let's see, couple, couple more. Uh, hacking It incidents resulted in the exposure theft of 3 million records. Although detailed data is only available on 144 of those breaches in 20 16, 80 6% of the breaches were attributed to hacking incidents. In twenty sixteen, a hundred twenty hacking incidents were reported, which of 20 million records?

The severity of hacks, insider threats was therefore far lower in 2017, even though hacking incidents were more numerous. Uh, a couple, a couple other things I think are insider breaches continue to plague the healthcare industry. Data is available on 143 of those. Um, they actually break it down into two categories, insider wrongdoing.

Mm-hmm. , uh, which includes theft and snooping. That's, you know, just a, somebody trying to find Britney Spears's, uh, record or whatever. The breakdown, uh, was under two inside errors and 70 cases of insider wrongdoing. Um, uh, four incidents were classified as both. So you have, I mean, these are two big categories, right?

You have, um, uh, you, you have incidents that are attributed to your employees. You have incidents that are attributed to hackers and, um, And I, I think the last thing I wanted to point out, so reports of healthcare data breaches in 2017, uh, show that many cases breaches are not detected until many months after the breach occurred.

Mm-hmm. . The average time to discover a breach, uh, based on those incidents that they looked at was 308 days. Uh, and the average in the pre prior year was 233 days. Uh, and it, it actually, they say it should be noted that the data was skewed because some breaches that occurred, uh, they didn't detect for more than a decade.

Yeah. So, um, so I'd like to break our conversation down into three areas, prevention, detection, and response. So from a prevention standpoint, Uh, ransomware, uh, is on the rise. Uh, what can health systems do to prevent, uh, or prepare for these types of hacking attacks? So, so I think, you know, to think about prevent, detect and respond is the right way to think, right?

And, uh, so, so, uh, and I think the best, uh, controls are, are preventative controls. So things never.

As an industry, we have, uh, made some good progress in the last six or seven years around prevention controls. We all had, most organization had firewalls for the last 15, 10, 15 years. So that's a given. Now there are new generation of firewalls that are happening that are, um, really good at application level analysis and so forth.

That's area. Um, and, um, but I think the biggest bang for Buck an organization can probably get from a prevention point of view is, uh, probably from a technology. I'll talk about this in a technology and then human sense. So two, two categories from a technology point of view, in my opinion, is multifactor authentication.

Okay. Uh, and it just makes it very difficult for someone who's actively trying to access information. It does not, uh, it's not a cure all, it's not a , but I think that multifactor authentication has been a challenge in healthcare to implement because of cultural reasons and the need for physicians to get to a patient record immediately and so on, and so, so been reasons that.

Industry has not adopted it wholeheartedly. Like if, for instance, in banking or other commercial industries, um, most of them, their workforce, uh, is, has to use two-factor authentication or multi-factor authentication. Secondly, I think the, the, the, in almost now most of the breaches that we see, uh, which are under hacking and or you mentioned ransomware, um, uh, involves some, uh, Some person doing something that they're not supposed to do.

So it could be opening an email or going to a website and installing something. And that cannot be, uh, emphasized enough, I think. Uh, 'cause uh, the only, I think the real, um, uh, Protection that you can do is train your workforce at different levels. So many organizations now have dedicated security teams.

They are the experts that, but, but those people are probably, you know, a handful of people in any, even, even size large organization, uh, that are a handful. Uh, but then you have your . Folks in technology who I think, uh, money well spent is, uh, is training them on security, you know, to make them your first line of defense and then population in general.

Right. Uh, so, so there are technological solution. I mentioned M F a, I mentioned firewalls. There are data loss prevention solutions. There are many technological solutions that, you know, we, we can implement. Some of which I mentioned. But I think, uh, we, any organization that is interested in securing and proactively protecting have to tie the human side.

Technology that they're implementing. Yeah. The weakness is, is the human. So let's, let's, uh, shift gears to detection. So one of the things that changed the way I think about security is, uh, one of our vendors came in and said, uh, you need to start designing as if they're already in. Just assume they're already in your network.

There's no walls you can put up that can keep 'em out. I'm like, okay. So that actually transformed how I thought about, uh, security and prevention. The other thing was, uh, a C I O told me, uh, he contracted with, uh, one of the firms. It could be our, uh, R s a or, or one of the firms. And what he wanted them to do was to see if he could get physician credentials on the black market.

And they were able to within, uh, I think 24 to 48 hours procure, uh, about five or six of their physician's actual credentials, which worked on their system. So they were able to get into, uh, you know, a Citrix environment, get into the medical record and, and start moving around. Um, and so, uh, detection becomes a little, uh, becomes almost the front line now.

'cause you're assuming that they're, they're in your network. They're, they're tooling around. So you almost have to look at. Patterns of usage. You know, if that doctor's looking at the wrong record or records that aren't theirs, uh, you know, are we tracking all those things? So from a detection standpoint, um, what are some things we can do to detect, first of all a decade to, to track a, a breach is, is kind of amazing.

What are some things we can do, uh, to find those, those incidences quicker, uh, and, and sort of move that that cycle forward? Good. So again, I'll talk about technology and people's side of it because I think people are really, again, very important. So there are technologies now. So I mentioned data loss prevention.

Uh, same technologies, uh, so security and incident and event management systems, uh, that can log in in real time alert. And this is an area. So we spoke about artificial intelligence and machine learning in the context of. Um, health, uh, care, but this is an area where I'm seeing some really promising technologies in startups, um, that are coming up, ways of detecting in very intelligent ways, and correlating and correlating events in then alerting.

Uh, so this is an area, there are always some advanced technologies available and, um, we are, we are reeling some technologies in this area. Uh, but sim is a must. That's a baseline. D l p I think is a must. Healthcare, many healthcare organizations, actually the people part is a challenge. So we can have the technologies, but do we have the people who are going to look and respond and sift through all the false positives?

These, these technologies tend to create a number of false positives, and in some cases, you know, the, the false spot is, is, is many, many times more than real incidents, right? Do we have the, the manpower, the trained manpower, and I think that we don't have as healthcare, um, in, in, in particular. Um, as a nation, we don't have enough security professionals.

There is a lack of security professionals for everyone. Pool is too small to begin with, and especially there is an acute, uh, need for more security professionals within healthcare. So, uh, I think that, Uh, looking into, um, third parties, partnering with third parties for 24 by seven monitoring, uh, is a, at least in the short term and stop gap solution.

I mean, these are folks like, um, uh, Symantec or like Dell or, um, others who have, uh, teams of, uh, trained professionals who, uh, can monitor four, seven. Things probably, um, things can, um, uh, get through without detection, even if you have 24 7 monitoring. But I think in today's days and age 24 7 monitoring is a must.

Uh, and if you're a health system that can afford it to build your own security operation center or soc. Fantastic. Uh, but I think most healthcare system even, uh, our size or even larger than us, cannot afford a 24 by seven monitoring this, that the human capital is just not there. So, so having the right technologies, like seeing like the lp, um, and, and having, uh, people.

Who can respond to it internal and then some external power, but is I think one way of dealing with the, with, with, with, uh, um, a effective detection scheme, a plan. This is one of those areas where you need to have, uh, it takes a village. It's, uh, a series of, uh, highly trained experts outside of your organization.

Experts within, uh, monitoring. Uh, yeah, so I, I couldn't agree more with, uh, what you're saying. Alright, so we have, we have about seven minutes to go. Five quick questions for you. So we're gonna transition to the soundbite section. Uh, I throw out these questions, uh, actually short answers. Um, mostly because of time at this point, but, uh, uh, so CMA Verma first question.

CMA Verma from c m s just announced, uh, healthcare as a fax free zone by 2020. Um, I, I think most people would hear this and say, oh, that's not a big deal. But, uh, from your perspective, how big of a lift do you think it is going to be for health it, uh, to eliminate faxes by 2020? Look, first of all, a deadline is necessary if you want to get rid of faxes, uh, in American medicine, you know, uh, so, uh, therefore I think it's a step in the right direction.

It goes hand in hand with overall interoperability, uh, initiative that we just discussed about, uh, by C M Ss and O N C. My, uh, my health e data is another one. Uh, the easier it becomes to exchange data, lesser, the need will be for faxing it. Right? Fax machines are dying a slow death. Yeah. We see less and less of them, but they're not gone and to kill it in the next two years.

It's going to be a heavy lift, right? Uh, we have made advances in interoperability. There are a lot more to be done, I think. So it's going to be a challenge, uh, where interoperability stops to think about other ways to exchange data. For instance, like it's much easier to find a fax number of a physician office print and fax than finding email address and then sending an encrypted email.

So we are working with a startup, uh, that is an electronic fax on our end, but it takes our fax, it stores it on a secure web server and send a page to the recipient with a new link and a one-time password. That's a stop gap that we are working with a startup to, uh, to solution. But look, I wholeheartedly support the initiative, but I think it's going to be a heavy lift.

Yeah, I agree. Um, second question. So last year about this time, uh, you know, ransomware really became, uh, really prominent. Uh, and so from your perspective, uh, how has healthcare really addressed the specific challenge? We talked about security, but the, the specific challenge of ransomware. So look, uh, last year was bad because a number of organizations were hit, as you said, right?

I mean, especially Ry and Pat here had huge impact on a number of health systems. Uh, and this first year have been quarter, I believe that the threat is not gone. So I have to say that first. I don't think it's gone. Uh, it's very much there and can, uh, come back any time. Uh, but organization took some complete step.

Many organization took some steps, uh, like implementing or enhancing email protection or blocking access Malaysia websites, which has helped. But again, the thing that, the common theme here is that the bad guys are, are targeting people and technology. And I think we need to continue the focus on people-centered approach.

In, in many of the cases where organizations were hit were ransomware. A common common theme is a phishing email that went to someone and then someone clicked on that email, and as a result, the computer system or multiple systems got impacted. So again, the, the, the assuming that your people at the are the first line of defense and a very important line of defense, I think is critical.

And that training need there cannot be emphasized enough. So, uh, innovation is a big part of Jefferson Health. Uh, give us an idea of how, 'cause your, your, uh, innovation team, uh, is separate, but, you know, work closely. So give us an idea of how it and the innovation team work together at Jefferson. Great question.

Look, uh, at Jefferson, uh, innovation, uh, has a special place. Uh, it is one of our pillars I call, uh, along with healthcare and academics. Is that important to us? Uh, it, my team, we all work hand in hand with our innovation teams. Uh, and at Jefferson, we have three innovation tracks. Uh, we are an academic institution and our researchers are often working with, uh, uh, innovation and on innovative solutions.

That works on patents, ensuring that our intellectual prepar is safe and secure and then they work on ways to bring it to the market. So this is an inside out innovation that is happening at Jefferson. We also have a group of people working on startups who are aligned with this in our interested in co-development.

This is an example of outside in. So lastly, we have a group of very talented developers who are developing solutions in, in-house, uh, based on the needs identified for Jefferson. We work with all of these groups very closely. We have very clo collegial relationship. Most cases, we work with them from the very beginning where it's an idea being developing, or if a vendor, if it's a vendor that we are talking to end of the day, for most of the innovation that happens, whether it's inside or outside, in ours developed.

It is the, uh, the implementers and the long-term, uh, keeper and manager of the system. Uh, overall the relationship is great and together we are working on some really cool initiatives. Uh, that's awesome. So, um, you're an academic medical center. Are there specific challenges in health IT for academic medical centers, uh, versus a, uh, non-academic medical center?

Absolutely. So I've worked in non-academic setting as, as, as well, and I can tell you that there, there are some significant difference. EMCs have a unique culture, uh, different from most type of organizations. So we have healthcare. But we have also academic, uh, our mission is to improve lives and to reimagine healthcare.

And our mission is to further education, right? So, which means we have researchers, uh, who are doing cutting edge research. Uh, they have unique requirements of openness, free access to interim resources. For instance, they want to use file sharing systems without being tied to specific technology prescribed by corporate.

It in most of the organization, . Corporate it is able to say, Hey, look, use box.net or Dropbox, and that is it. That's not the case in AMCs. Is, is, is uh, just the requirements because they're working often with many other organization and there is need to, there are needs to collaborate with other systems.

Um, they have very intensive needs. Uh, our student population is unique and have different needs for healthcare workforce. Uh, they want to bring their own devices and expect that it'll work everywhere. Rightfully so. Where students are often ahead of it and challenging us in early adopters of consumer technologies.

So I think that the, the culture is the biggest difference. There are different needs, uh, but overall it's a different culture and, and makes an interesting and challenging environment to work in. So, uh, so we're almost out of time, so I, I'll ask, I'll, I'll skip the last question. Give you an easy one to see if you've made the, uh, transition to Philadelphia.

So, will the Phillies make the playoffs and will the Eagles be able to repeat as Super Bowl champions? So, I, I think I'm much more closer to Eagles and Phillies. Uh, so I would say that, you know, Eagles have a really good shot. We are very excited and, uh, I was in New York, which is a huge exposed town, but.

The, the craziness, uh, around all the boat in Philadelphia is, I think unparalleled. I mean, uh, the city is just crazy about his boat, and you would know this, you're a native, so I'm rooting for Eagles. Yeah. It's, uh, it, it is something else when they do win a championship and they have to grease the poles so people don't climb 'em and all other Absolutely.

Uh, Nassar, thanks. Thanks for coming on the show. Uh, is there a way for people to follow you? Do you publish things on Twitter or anything like that? Yeah. So, uh, I have a tutor account. It's Nizami, N N I Z A m I. So, uh, please follow me and I, uh, like, and post occasionally I don't have a huge following like you, uh, but I'm on tutor Yeah.

Or, or friend me on LinkedIn. Um, um, uh, would love to connect and if there's anything I can assist or help with. Absolutely. Yeah, it's, it's hard to run a, uh, 15, 16 hospital system and be active on Twitter and social media, but, uh, Awesome. You can follow me at the patient c i o on Twitter, uh, my writing on the Health Eric's website.

Don't forget to follow a show on, uh, Twitter this week in h it, and check out the, uh, website this week in health it.com. Catch all the videos on the YouTube channel this week in health it.com/video. And please come back every Friday for more news information and, uh, commentary from industry influencers.

That's all for now.

​