December 6, 2021: Healthcare can’t move forward without regulatory guidelines. Health IT leaders need to be in the know. Mari Savickis, Vice President, Public Policy at CHIME joins us today to discuss interoperability, de-identified data, 21st Century Cures, HIPAA, National Patient Identifier and cybersecurity. Plus the year that was in Washington, DC. HIPAA is so antiquated, but we adhere to it like it’s the 10 Commandments. Is there any movement towards redoing it? Language prohibiting the HHS from developing a patient identification standard was removed from the House Labor bill for the 1st time in the Senate. And the FTC clarified their Health Breach Notification rule to include third-party applications that collect consumers’ health information under privacy protections.
00:00:00 - Intro
00:04:30 - Advocacy led by CHIME’s public policy team resulted in HR 7898 law giving providers credit for cybersecurity best practices
00:25:00 - CHIME public policy launched the InfoBlockingCenter.org in 2021. A convenient site to find free resources, FAQs, articles, archived webinars, and cheat sheets to prepare you for compliance.
00:27:00 - All sectors are facing cybersecurity staffing shortages
00:27:30 - 3 out of 4 hospitals operate without a designated security leader
00:31:30 - Cyber insurance has gone up by almost 50%
Newsday - 2021 on Capitol Hill: A Health IT Update from CHIME’s Mari Savickis
Episode 469: Transcript - December 6, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Bill Russell: [00:00:00] Today on This Week in Health IT.
Mari Savickis: The pandemic has been a massive distraction. I like to look on the bright side. Is that had we not had high tech in place back in 2009 we wouldn't even be where we are today had that level of adoptions permeated hospital and clinicians. We'd be in a whole different world of hurt. So that's the good news, right? Can you imagine having a pandemic 10 years ago, it would've been a disaster.
Bill Russell: It's Newsday. My name is Bill Russell. [00:00:30] I'm a former CIO for a 16 hospital system and creator of This Week in health IT. A channel dedicated to keeping health IT staff current and engaged.
Special thanks to Sirius Healthcare, Health Lyrics and World Wide Technology who are our Newsday show sponsors for investing in our mission to develop the next generation of health IT leaders.
Before we begin. I want to share an exciting announcement for This Week in Health IT. Starting in 2022, we're going to have four channels to bring our community more specialized content for your specific needs. The four [00:01:00] channels are News, Community, Conference and The Academy. The News channel we'll have our Today and Newsday shows where we explore the news that is going to impact health IT. The Community channel is just that. A place where we come together and collaborate. One of the distinctions of this channel is that we will have guest hosts from the industry and people that they invite to talk about the topics that we wrestle with every day. Things like clinical informatics, [00:01:30] data security and the like.
We're excited about where the community will take this channel. The Academy is about training. It's about training the next generation of health leaders. Here's where we're going to be launching our new show. It's called Insights and the show will actually take highlights from our last five years and break them into 10 minute episodes for your team and perhaps people who are new to health IT to come up to speed.
Finally, this channel, the one you're listening to right now will become our [00:02:00] Conference channel. The same great content you travel across the country to receive. We're going to be bringing to you right on this channel. This show will become Keynote, where we do our long form 50 minute interviews with industry leaders.
And we will be augmenting that with Solution Showcases and briefing campaigns that introduce exciting solutions in more detail. For more information on our other channels and where you can subscribe visit us at thisweekhealth.com/shows - [00:02:30] S H O W S. Now onto the show.
All right. It's news day. And today we're joined by Mari Savickis with CHIME Public Policy. And we are going to look at the year that was in Washington, DC with regard to Health IT.
And we're going to look at the year that's coming up. We're also going to touch on some cybersecurity stuff as well. They just did a really cool survey and we're going to share some of the findings from that as well. Mari, welcome. Welcome to the show.
Mari Savickis: Thank you Bill for having me back.
Bill Russell: [00:03:00] Well, this is fun. I like, I liked the cadence of this bringing you on and finding out what's going on up on the hill. Or what's not going on. Sometimes lack of progress is, is the news. But this year it hasn't been. There's been a lot of things that have happened oddly enough in, a pandemic year. Actually you shared some information with me ahead of time.
We've talked about this before, but a lot of accomplishments from the public policy side. So give us a little taste of it and then I'll chime in [00:03:30] with some questions about them.
Mari Savickis: Sure. For those of you who have tuned in before and heard our conversation, cyber is the name of the game over here.
And so, at the top of the year, January 6th, it seems like a distant memory, right? Almost a year ago. President Trump actually it was Trump and was over the last bill that he signed before leaving off at signed a bill into law that is really something we've been working on for years. The way that it works in DC is it's a lot of rolling boulders up the mountain kind of thing.
Nothing just happens quickly. And so it was years [00:04:00] of advocacy to get to this point, but we'd heard pretty consistently from providers and our members that the environment with breaches and compliance and breakthroughs. And so we've been taking a multi-pronged approach to how to address it. So the multi-prong approach includes working as part of our healthcare sector being an active participant, right?
Getting relief for providers in the form of this law, which is gonna give HHS authority to pop in some of the. And the intensity of them [00:04:30] and the fines that go along with them. Again, if you are a provider who follows best practices for at least a year, and those best practices are include the ones that have been co-developed by HHS in the industry lovingly known as 405 ER hiccups.
And so, this is a big deal. I mean, they're developed in conjunction with the government. We have a big say in it. One of our members actually is the co-chair Eric Sacker and the other co-chair is with HHS. And so there's a lot of people who've had a lot of interest in [00:05:00] this.
And what's great about the practices is that they are designed for not just big well-funded providers. You're also designed for the smaller, medium, and you don't have to do everything in one day. Right. Kind of thing. It's a journey.
Bill Russell: It almost has to be designed for the smaller players because when you look at the breaches over the last years, Some of those small players, it's the Sky Lakes Medical Center.
And, and, I forgot the one out of New York, but there's smaller players that were ransomed. And I mean, I guess we had one big player, you had Scripps, which was ransomed, but it's not the large players that [00:05:30] are getting really wiped out. It's the smaller players who don't have the funds.
And so this kind of relief you know, is targeted to help them around the audits and compliance as long as you're following best practices, but it's also designed to get them money. Isn't it?
Mari Savickis: That's exactly right. I mean, I think there was a widespread acknowledgement that the smaller intellectual resource providers are exactly just that left for resource.
And so their level of sophistication is not on par with some of the larger providers. And maybe not even have even a part-time [00:06:00] security officer. So they're just very behind and they're actually also the weakest link. And so they end up being a threat to the entire healthcare ecosystem because they're an easy target.
And some, I just had a conversation with someone this morning who represents rural health care providers and one of their members was hit and I think it was, it was rural Michigan. I guess they thought, well, why wouldn't anybody want me to do it that? So I was like, oh, they actually want everything to do with you.
Right. And so you're the way that they would burrow in. So it's trying to bring [00:06:30] more awareness to this effort that this sector is free to join. Everyone should join. No fee. I will put up the information at the end of the show Bill, but there's no costs. The tools are free. Yay. We love free. Who doesn't like free?
And it's very collaborative in nature cause we all are in this together. So that was the one thing. And actually just yesterday, HHS launched a website on 405D. It sounds like, oh, kind of Monday and no, no, no everything is one-stop shopping now. We're really excited about this. In fact we're sending a memo about that. I'll send it to you. But [00:07:00] this is good. This is great news. So you can just, again, we just need to drive more attention to it so that folks know that this is a set of tools that actually was developed by your peers and can be used by you. There's still a lower awareness of it.
Bill Russell: I think part of that is the complexity, right? So you're talking about that. The 405D resources, ISAC and other things. There's a bunch of resources for us to pull together. If you were talking to a CIO what are the one-stop shops?
Where do they go to get up to speed and really understand things? [00:07:30] Because again, the complexity, the amount of information, Hey, work with the local FBI work with this work, with that, it's just, it it's overwhelming.
Mari Savickis: It is overwhelming. And so what I would say is that that's why you join a professional association. So if you're a member of CHIME or a has, that's a good place to start. If you're not a member of ours and hopefully you're a member of another organization, who's keeping tabs on us for you. We have, and I can share with you Bill, we have a list of free resources that the government has. We've compiled this together into a neat little cheat sheet.
And then again, worst case, if [00:08:00] you get stuck and you get hit by a cyber attack and you really don't know where to turn, you can always call me. You can call the team over here and we don't need to know what happened. It's not, I was raised Catholic. It's like, we don't have to go in, we're going to go into confession.
Right. You're just going to tell me, this is not for me to make the handoff to the proper officials. And then we step out of it. So, the worst case is you're having trouble to getting response that, you can let us know. One of the top things that's recommended by the government is that you get to know your local FBI office.
So if you haven't done that and that's one [00:08:30] step cost you, nothing that you could do today is go find out. And again, Bill I can give you the links to where those field offices are. We've gotten questions like, well, how do I find the FBI? It's not the one in DC. Right there, there field offices across the country and we can connect you with them.
And so you should establish a relationship with them. That's just one, one step you can do.
Bill Russell: You know, we're going to come back to cybersecurity, but obviously we have patient ID. We have interoperability, we have a bunch of things. So let's sit on patient ID.
Mari Savickis: Talk about it. So this is another monumental [00:09:00] year. So this is a third year that the house of representatives has actually excluded the language if there's language in the appropriations bill that funds NATO job. Okay, well, let's go back into time machine for a moment I believe it was 1999. It was like 20 years ago that Congress stripped out some language said, okay, you have five years and HIPAA.
You have to create identifiers for providers. Standards that is. Standards. I want to just reemphasize, it doesn't have to be a number, but standards for identifying clinician for identifying, for patients, for [00:09:30] a health plan. And the thing is like the to provide the patient pieces in there are controversial.
And so that piece has been removed and there's a prohibition in Congress right now. Again, it's a law that says HHS can find anything related to establishing a standard for a patient that identifies them. That's why there's no number or or solution or framework that HHS is adopted. So there's that.
And that's been something we've been fighting to overturn. So this is the third year of the house of representatives. [00:10:00] Difficult language. And it's the first year that the Senate acted to try and take it out. So of course it needs to make it across the finish line. Do you know right now tomorrow is the deadline for the government to be funded.
And so there's no funding bill fully through in the entire fiscal year, 2022. So right now we're looking at a CR hopefully not a shutdown. They're trying to work that all out right now. So what that means is like things just kind of continue status quo that needs a language they'll say then like, you have to live to fight another day.
So we celebrate the [00:10:30] victory that the Senate acknowledged it. And that we're going to try to move this full continuum, moving this forward. It's going to be really hard and, truth be told it's not going to happen immediately. And so anyone who's holding their breath, thinking that this is going to become law is it's really not realistic.
It's going to happen. I don't think that necessarily, I mean, I want to be optimistic, but I have to be a realist too. But, we're getting closer. Every day is a little bit closer. Anybody wants to join our coalition you can join our coalition and it's free also. To help us get the ban removed.
Bill Russell: Yeah, every time I talked to you, I feel like I'm [00:11:00] going back through schoolhouse rock and the bill moving up to the Senate, to the house then to the Senate and it does take some time for some of these bills to, make it through.
All of this is about it's about funding, the research, right? So we're not trying to solve the problem of, okay we have this many undocumented immigrants in Southern California. Roughly six to 8% of the people that presented in one of our hospitals were undocumented. Because essentially they weren't Kaiser patients.
[00:11:30] And so they came to the Catholic health system, which provided care for anybody who came in the front door. When I think of this, that's the first thing that pops into my mind. Like, they're not going to have an ID. So, is this just like, Hey, this gets us to the starting line and we start to figure those things out. Is that how we're thinking about this?
Mari Savickis: There, I mean, certainly there are these per second use cases like children like immigrants, right? Somebody maybe is homeless. This is a problem that needs to be solved. And, I mean, yeah, we could potentially assign a number. That's highly controversial [00:12:00] and it doesn't have to be a number.
And then in the end, maybe something's illegal they might not want to get a number. I mean, I think we, you don't want to let perfect be the enemy of the good that you do have to keep your eye on these populations who may be under starved. So we do think it needs to be able to be able to touch everyone.
You know, In the absence of Congress, allowing HHS to spend even one penny on establishing a standard, we did have a framework that we, the coalition adopted that says like here's some parameters that you can think through for me. If you want some nights reading at [00:12:30] night Bill, I'd be happy to send you the framework is pretty lengthy, but it takes into consideration things like privacy and security.
I think that some of the concerns are rooted in the government having control over people's data. But I mean, some of these arguments are somewhat antiquated and you and I have talked about this before. We're giving away a lot of data anyway. And so to think that it's not actually already out there and there's actually bumpers. The government can't just do what they want to do with personal data.
There's the privacy act of 1974. [00:13:00] Not to say that, you know, I don't keep up by all backfill copters someone's going to, something's going to happen. Sure. But, guess what that's already happening today and it's not the government. We have to know that. So we don't have a national privacy law. I mean, that's sort of leads into another conversation, but there are some voices who are are louder in Washington who are not gonna necessarily let this go over the finish line without a lot of kicking and screaming. And so, we continue to try to get champions and educate folks on the need for this.
Bill Russell: Yeah. I mean, the conversation we've had is I just don't think we should paint the people [00:13:30] who aren't jumping up and down about patient ID as Luddites. They're. They're not necessarily Luddites. They're looking at it and saying, okay, what about privacy?
What about this group? What about, there's a lot of challenges to it that. just, just the it needs to be it to see the light of day in terms of a debate. And I think that's what we're pushing for here. Right? Let's get it on the Senate floor. Let's have the debate. Let's have the conversation, let's put it to a vote and, and make it part of the public consciousness.
Patient ID can help in a lot of different areas, if done well. It can also have [00:14:00] some downsides and we just need to be aware of those things and talk about them. And so I think this is a big win in that we had the conversation on the house floor. Passed or took the language out.
Now we're starting to have the conversation on the Senate floor and making progress, but this is the kind of thing, people are thinking, oh, this is close to the finish line. It could be an administration or, or potentially two away from actually getting across the finish line, depending on what happens next. We just never know.
Mari Savickis: I forgot [00:14:30] to mention one important thing again, like let's do like swim through the policy ticket every day is Congress asks, I want to see the Optima national coordinator to do a report on patient matching. And so we're waiting for this report with bated breath. The last I heard is supposed to be out by the end of the year, but this too is something those two might be waiting to decide how they want to move forward on this are waiting for the ONC report.
So we're very anxious about this and I'm sure maybe the next time, if you invite me back for 2022, we can talk about [00:15:00] the report if it's out by then.
Bill Russell: Oh, you'll be invited back. Don't don't worry about that.
Mari Savickis: Naughty or nice. Make sure I don't get a lump of coal in my stocking.
Bill Russell: Yeah, no, you'll probably get a, like a dish for Elon Musk's new internet service so that we can have a better connection next year. I'm sorry.
Mari Savickis: I'll just fly to Florida. We can just do it in person. Somehow if I can navigate the travel.
Bill Russell: Well, quite frankly, we will see each other a fair amount. You have is it called Vive? Is it the Vive conference? Is that [00:15:30] right? I mean, I hear people pronounce that all over the place. Oh, it's the Viva conference. I'm like, I don't think it's Viva. Talk to me about privacy. I have said for a while, and I've talked to a bunch of people who agree with me that HIPAA is so antiquated, but we adhere to it like it is the 10 commandments handed down from on high. Which we should, but it is really, there are sections of it that are so antiquated. Is there any, any movement towards like bringing that back up and redoing it or [00:16:00] are we just sort of piecemealing redoing provisions as we do certain other other laws and other things?
Mari Savickis: I could talk about privacy all day long, like one of my favorite topics, so, okay. Is HIPAA antiquated? Probably. Right. Is there anything better right now? No. Not So much, not in this country. There's also a long history of compliance with HIPAA. And so you have this, well, let me just say, let me back up for a second, providers, if they like nothing else they want certainty. Right. Just help me say, just [00:16:30] tell me what I have to do.
Or I just want to understand like what it is you're asking me to do. I mean said another way is they don't like ambiguity. We want bright yellow lines. We want to know what fit are you being held to so on and so forth. And so there's a long history of HIPAA compliance. And so, it's not perfect. I think you could probably argue either side.
So when you start looking at the national privacy bill, there are [00:17:00] some limited HIPAA carved out some, not all though. And I have a comparison chart, but it was totally put you to sleep. But here's the thing, like, one thing that I think we're going to have to wrestle with is this notion of de-identified.
So, what you're asking me to like is HIPAA antiquated. Well, and when it comes to de-identification of data, all you need to deal location tracking, and you can identify someone with pretty darn good certainty about who they are. So once you add that in and pretty much that's your cell phone number one. Okay. So they're going to know everyone where you're [00:17:30] going. Cause there's only one person going to Bill Russell's house who does exactly what you do every single day. Right. So in that respect, that is antiquated. But if you look at some of these bills, they have like de-identified data as carve outs.
And so I think that's something that's going to have to be ruffled to the ground. I'm not sure that I have, I'm sure I don't have the answer, but it's tough. Right. So I'm not even sure that some of these other bills that try to like go a bit further are going to involve all of the calls. Like.
Bill Russell: [00:18:00] Yeah. The de-identified data is the one area you touch on, which is an interesting one.
I'll stay there, but we've had people on the show and we've talked about like six other areas that really could use some just basic touch-up, but others like a rethinking, because this things. This thing's getting up there in age and technology is changing so rapidly. De-identified data is pretty interesting.
If somebody. Has a record of where I live and I've talked to on the show of the places I've lived. I've lived in Pennsylvania. I've lived in California. I lived in Missouri. Now I live in Florida and if they get [00:18:30] access to that de-identified patient information and that kind of stuff. And it has any kind of information about where they're coming from, which they generally do, because if you're doing research on a population the geography matters, right?
So some aspect of that is going to be in the de-identified data. And that the thing I've talked about is we have, we have this new thing that's being launched. A lot of health systems have gotten on board and they're all putting in their patient data. That's the de-identified [00:19:00] data and I've identified at least two health systems that I have visited that have put my data into this repository without ever asking me.
If I want my data in that repository, I guess if I'm not even sure if it's covered with this, but I could opt out of the record sharing, but that was more for the health information exchange, but I think it's being applied to this to this new venture. And by the way, they spin up this thing.
This venture, and it's now it's [00:19:30] valued at billions of dollars based on my data, your data everybody's data. And I'm sitting there going, I'm sort of scratching my head going. I don't, I don't know what I want here, but there's something in terms of at least ask me and I understand it's, it's not my data per se, because they made the record, but it's data about me.
And I just think there's it's time for another conversation around. Maybe not patient who owns the, who owns the data, because I've often said that the house [00:20:00] of someones the data, they created the record, I just want joint custody. So if you stand up this new thing with with all these health systems and put this stuff in there, I want to be able to tap into it somehow. For my record. I don't want everybody else's record just for my record.
Mari Savickis: Is this data Bill. Is this de-identify are we still on the topic of de-identified?
Bill Russell: Yup. We are. We are Yes. It is de-identified you're right.
Mari Savickis: It's complicated. Right? Because we just discussed how data can be easily reattached, but I think, I mean, correct me if I'm [00:20:30] wrong some of these health systems are I mean, they're not going to just put this out into the ether they're doing. I mean, I'm, I'm going to, I can argue both sides. Like I never, like they're doing it to improve like their AI algorithms. Right. They do it in the name, they say in the name of patient care and improvement.
But I, but I agree. I mean, I'll tell you this, I learned the hard way that everyone who knows him, I know his TPO operations, right? The always a little bit of a slush bucket of soft. And, when you sign away your consent, there's a whole [00:21:00] bunch of stuff in there that they, that you know, that the providers can take.
Like, for example, a placenta, right? I didn't know that they could just do something with that. I didn't know that. And so I think this comes to the larger conversation, I guess maybe I'm going to put my consumer hat on and take my time out of ops to be careful here. Just transparency, right? I mean, you just want to be transparent about what you're doing.
And so I think that would be a step in the right direction is if you're as you incrementally move and as provider you're moving into this space and wanting deals with big tech is [00:21:30] just being forthright.
Bill Russell: Yeah. And, and, I'm not calling out healthcare here cause all my Google data is being used for making money for advertising, that kind of stuff.
All my Amazon data is being used to market stuff right back to me and that kind of stuff. I think there's a larger conversation around personal information. The use of personal information in the 21st century, I think, is a conversation that's worth having on The Hill. So if you talk to anyone influential, say, I, I would love to [00:22:00] know if that that conversation is moving forward. It's a sticky conversation, but it's interesting.
Mari Savickis: It's happening but I think Congress has been fairly distracted this year. They're still this distracted, right? They have a lot of stuff to do before the end of the year. I don't even have many business days are left for them, but there's not that many. They're dealing with the government shutdown tomorrow. They're still dealing with build back better. Dealing with the national defense authorization act.
There's a whole bunch of stuff that's happening first before you get to privacy. And [00:22:30] this is really coming back to the privacy thing. I'll send you the table. You can just do a quick search on like HIPAA, right? For example, what's the definition of sensitive data. When you talk about a national privacy or national privacy law. What is sensitive, right? Look at how they treat de-identified data. These are not easy questions. So I think it's, there's, I mean, it's probably not going to be perfect, whatever comes out, but what else is lagging? And so the last thing I'll say is that, you just, again, celebrate victories is that federal trade commission.
They're the ones that govern [00:23:00] third party apps and data that's how is the non HIPAA covered entities? They said, Hey guys, we're going to start looking at these third party apps more. And the privacy terms and conditions, which is really a victory for consumers, for the patient term consumer, who is giving their data away to maybe they don't really know.
They think it's one person that's really like, there's a downstream effect here. So we just have to take it in bite size pieces. I don't think we're going to solve everything tomorrow.
Bill Russell: Yeah, no, there's definitely a win. [00:23:30] Interoperability you know, CHIME has some wins there. Let's hit on that because clearly it's 21st century cures is coming upon us.
Mari Savickis: Oh yeah. I mean, yeah. I mean, I think we're moving along and obviously the pandemic has been a massive distraction. I mean, on the one hand again, looking, I like to look on the bright side, I'm a glass half full kind of person. Is that had we not had high tech in place, back in 2009. So we wouldn't even be where we are today had that level of adoptions, [00:24:00] permeated hospital and clinicians. We'd be in a whole different world of hurt.
So that's the good news, right? I mean, can you imagine having a pandemic 10 years ago, it would've been a disaster. So we're a lot closer than we were, but it's still not correct. And one of the things you know, just go back to the HIPAA stuff for a moment that we need for interoperability is consent. That is not ironed out nicely.
There's no easy clean way to do consent electronically. And then when you start mixing in your substance abuse data, it gets very complicated. So that part, this is a work in progress. Now back to [00:24:30] information blocking and the 21st century cures act. I think we have some challenges with APIs and security. And people are just starting to wake up to this. We can say, oh no, everything's fine. Nothing to see here.
Well, I don't think that that's true and I'm not alone in my thinking. So increasingly I think you're going to hear more about that. So the deadlines too are rapidly approaching like within a year. Does everybody have a Firebase server? I don't know. I don't think so. Somebody should probably, probably will be off.
We'll probably take a look and see what the permeation rate is, [00:25:00] but people are behind too. We still have the pandemic I mean, we're moving in retraction. We do have an interoperability, one stop shop for everyone. We have implementation guides, it's infoblockingcenter.org, we, and many other providers sensations banded together.
So you can go and take a look and see what resources you need. And if you have questions, you can start off to us and we'll try to answer it. I will say that, we're still waiting for answers for, from the questions in terms of implementation that we get from members from ONC. So not that we have all the answers. But we'll tell you [00:25:30] if we do or don't know.
Bill Russell: Yeah. One stop shop infoblockingcenter.org. What am I going to find there?
Mari Savickis: You're going to find, like for example eight exceptions information blocking. Super complicated. The privacy one is like, I think the most, one of the most complicated.
Bill Russell: So your team has broken it down and done those things. You guys are also doing a lot of online content and that kind of stuff. You develop those cheat sheets, which I love. It really is fantastic. So your team is yourself. Who else is on your team?
Mari Savickis: So we have Andrew [00:26:00] Tomlinson. He's our Director of Federal Affairs. We have Cassie Leonard. She's our Director of Congressional Affairs. And then Lauren, Cameron, who is our Administrative Assistant. And we, we're small, but mighty with like pens above our weight. But I think we get a lot done and yeah our, just for everyone listening if you're not a member. That's okay. We welcome you with open arms, to any of our policy webinars. They're free. All of our information. There's no firewall to get into our TTs. Also free. So, if you want to be on our distribution list for a Monday newsletter [00:26:30] also free. So yeah send all your friends and family over Bill.
Bill Russell: Actually I do peruse that newsletter every week. It's really helpful just to know what's going on and to stay ahead of the curve. I really appreciate all this stuff that your team is doing. We'll have to have Cassie on. Because we had, we've had Andrew on it at some point, but we have not had Cassie on. Get her in front of the mic and find out what's going on from her perspective.
Mari Savickis: Yeah, absolutely. We're happy to bring the team on next year, that would be, that'd be fabulous. They are both amazing.
Bill Russell: The last thing I want to [00:27:00] do for this show is I want to hit this cybersecurity study that you've done.
Actually to, just to tee it up, we were talking about a story. Attracting retaining healthcare CISOs. Maybe it's not a money problem, and this is an SC Media. Jessica Davis wrote this article. She says all sectors are facing cybersecurity staffing shortages with the latest data, showing that the US cybersecurity workforce needs to increase by 65% to protect critical infrastructure.
But for [00:27:30] healthcare, the challenges are more severe. Three out of four hospitals operate without a designated security leader. Three out of four. Wow. But I know that's true because I have clients I talked to and they, you know, have a half person or they have a person who splits their role.
So I see that. Those roles are then handed to IT or compliance officers. From an outside perspective the reasons for these shortages would seem related to budget constraints. After more than a year of battling the pandemic many hospitals [00:28:00] and health systems are operating with fewer staff overall and facing staggering financial challenges, data from the AHA estimates that the net financial impact and collective losses tied to COVID-19 hospitalizations from March to June of 2020, which was the worst period of time.
But alone will be 36.6 billions because that's when we stopped the elective surgery. So that's that's. Interesting point in time to take, that's going to be the worst case scenario. And the total does [00:28:30] not include the estimated 161.4 billion in lost revenue from canceled surgeries and other services.
It's interesting to me. There is a shortage in cybersecurity for sure. There's actually a growing staffing problem in health IT just in general. We've, we've had almost a war start for talent and people are being hired away from other health systems and those kinds of things. And I'm hearing some shortages as much as 15% open [00:29:00] positions at certain health systems.
And now I've gone off the security side. I'm just saying in health IT they could have 50% open positions. But cybersecurity CISOs, really good CISOs are hard to come by. If they are going to move, they probably have moved and they're where they need to be. So there's a significant shortage in the staff, not only from a strategy standpoint, but also from an engineering standpoint as well. So you guys did an interesting survey. I say you guys, I don't know if you did it per se, but [00:29:30] CHIME.
Mari Savickis: It was basically with AHA our affiliate organization comprises of those. It's yeah, it's our survey. And we plead with them to fill this out because we really need to know where we need to push and pull in DC. I mean, you hit on all of the, the challenge, the workforce itself is a big challenge.
And I personally know several students who have blocked healthcare. But that article that you referenced that you sent me. Yeah, I think Mac was quoted. I think it was him. Maybe it was someone else about their CISOs are really wearing like a super [00:30:00] person cape or some sort of cape. Like they're just trying to do the best they can every day.
And maybe, maybe their salary, isn't the only factor. They really feel very invested in getting up and doing the right thing, which is what I've found. I mean, in a lot of places you can work, but working for patients is really a calling. So, I mean, there, there are shortages and I think that's something we have to work on together.
The sector is aware of that. We hired David Fend. She's now again, And [00:30:30] he's working to, again help us with cyber security issues and membership and drive more awareness. And we'll be diving into some of these issues like workforce there's. I mean, there's no shortage of problems when it comes to CISOs. I think the work that we do at part of the sector draws more attention to it. There's a lot of money that's actually been pulling out with a conference in DC for cyber security, but it's not specific to healthcare. So we have to like, we have to live to fight another day on that as well, because we've [00:31:00] been behind the eight ball. We're not banking, but we're, but we're working hard together.
Bill Russell: Yep. So it did go out to CISOs within healthcare. Here's some of the findings 67% of respondents indicated they had a security incident in the last 12 months. That meshes with my anecdotal conversations that I've had. 45% were unaware of free best practices from 405D only 52% are members of ISAC and 80% of respondents indicated the cost of cyber insurance had increased over the past year.
I [00:31:30] talked to somebody that their cyber insurance had almost gone up by 50% and they don't think that's going to stop. And it's not only the cost going up, but the, the requirements are such that they're so stringent that if you follow those requirements, you really aren't going to get breached or I mean, you reduce the likelihood so, so much.
And I guess that is part of the reason that insurance companies exist is to drive higher level of compliance, but [00:32:00] they're sort of looking at what they have to do. And they're like, well, if in order to do all these things, I have to go to the board and get a couple million dollars to all this work, just so we can get this insurance policy and be compliant with our insurance policy.
So it's just another way to drive the conversation. I'm not against that, to be honest with you. For years, it was hard to talk to boards, hard to talk to leaders and get them to want to invest the money necessary for good cybersecurity and anything like [00:32:30] that where you say, look, we're not gonna be able to get a cyber policy unless we do these things and we've scoped these out and this is what it's gonna cost you. And that just backstops me as, a leader in trying to make that case.
Mari Savickis: The cyber liability thing is a big deal. We heard lots of problems about that. I had one member who's in an urban area who has sort of disadvantaged populations that she wasn't able to get the same policies you got last year. And then she had a hotline get a supplemental policy. And so it doesn't have the same amount of coverage. And [00:33:00] that the requirements are exhausted that you have to meet. And some of the feedback has been that not all of the requirements and most event are actually helpful, but I think there has to be some, I think we're we and others are starting to scrutinize like what exactly these requirements are.
You don't want to have a situation where you're scared of the POC. And just doing something to do something. So, yeah, we've heard a lot about that. And Congress is aware of it and there's been a GAO report on it too. So this is like an issue.
Bill Russell: Yeah. And so people are reporting they need help in various areas. Grants, or federal assistance about [00:33:30] 40% regional extension center with cyber experts on hand 33%. Closer relationship with federal authorities, 16%. So there's, there's a lot of different things there you're asking for. So you get this information and I assume this is the type of information you go up to the hill and you start to weave a story of what healthcare needs.
Maybe, maybe not you. It's information you put in people's hands who are going to be in those meetings I would imagine.
Mari Savickis: The report has nice [00:34:00] infographics. We are going to bring out to the hill and we're going to sh we are sharing it with, with but it shows you too, like we are, the providers say that they need extra help. So this is to help alumni or figure out where to pinpoint things. Like they need federal assistance.
We're pursuing that, especially for underserved providers. TBD on whether we'll get that some level of support with the regional, like something like a regional extension center that kind of help boots on the ground when you need help. A closer relationship, I mentioned at the top of the call with federal authorities are saying that they feel like they need.
And a clear understanding [00:34:30] of when they can and can't share information, which continues to be a concern. And you'll notice that when some or many organizations are hit with a cyber incident, that they walked down and they don't want to talk about. But if you have a window and two, what happened? You can actually help others.
Like the, there was a great webinar with the CISO from Vermont who they were down for like a month and he laid out all the challenges that they had. There were [00:35:00] some examples that he gave, like if he had to go back in time and fix things like, like the challenges of dropping back to paper, right? There's a lot of clinicians, if they're younger, don't know how to code on paper. So there's some things like your phone system, is it tied into like everything else? You don't want single points of failure. There were so many, I can't remember them all. It was, but he was willing to go with, stick his neck out and talk about it. So that's the, we need more of is to understand and have a window [00:35:30] into what happened. But people are afraid to share information.
Bill Russell: Yeah, absolutely. All right. I want to give you the final word here. What, what can we expect from Congress and the hill next year? You know, what big events do you expect that we're going to make progress on next year?
Mari Savickis: Oh, this pandemic man.
Bill Russell: Yeah I know. And we're going through a new variant right now. I mean, that could start off things pretty good.
Mari Savickis: In the near term, what people can maybe look forward to. We're really hoping that especially with [00:36:00] the new variants that HHS will re-issue the PHE, the public health emergency. So for those of you who wonder how this actually happens, it's renewed every 90 days. It's not for renewal in January.
Bill Russell: Does it get renewed by a vote of the house or how does it get renewed?
Mari Savickis: No, no, no this is the HHS. The secretary would decide to re-institute it for another 90 days. And then another 90 days. But last year there was an acting secretary in place before Xavier Becerra was confirmed [00:36:30] and the acting secretary put out a note to the state it's subregulatory, but it basically is like, we promise not to pull the rug out from underneath you.
We're not going to terminate the PHE until at least the end of 2021. And we would give you a 60 days notice. Well, obviously the pandemic is not over. And so I think, our best guess is that it will be renewed. Number one by HHS in January. Number two, that they may issue a similar like-minded letter that he did last year.
Now, when our [00:37:00] Congress acts to change these because of the pandemic I can read, they're just temporary. Right? Whether Congress acts is another big question mark. So we're following that closely as well, but that would be one thing I think that you can look for is at least some level of certainty, hopefully moving forward on telehealth.
Bill Russell: Mari, there is absolutely no chance that the public health emergency comes off any time in 2022, that's a prediction. It's just my personal prediction. But [00:37:30] in January of last year, I said, there's no chance it's coming off in 2021. I don't think there's any chance it's coming off in 2022. Not because I think the pandemic is going to get worse or anything to that effect.
I don't think there's any appetite for this administration or for this HHS secretary to pull it off. It's actually a way to fund a bunch of things without getting funding. Right. So, so I think it's, I think it's just going to continue.
Mari Savickis: That's exactly right. And we're happy to come back and maybe bring the team on and we can talk [00:38:00] about whatever you want to talk about.
A little bit more gaps, whether it's interoperability or telehealth or patient ID or privacy. I would say another thing our teams are focused on, which we haven't talked about on this call, but we can talk about next time is the care continuum. It's not just for patients, I would just go to hospital. They don't go to a doctor's office.
They go somewhere else. Especially Medicare patients or those with chronic conditions. So that's something we're paying attention to and try to make sure that interoperability spreads across the entire sector. And that they're well-supported.
Bill Russell: Fantastic. Mari, I want to thank you for coming on the show this year. It's [00:38:30] been fantastic. And I also really appreciate the work that you and your team are doing on behalf of health IT up on the hill and I look forward to, more progress next year and you guys are wading into as much uncertainty as anybody else in the industry. I mean, you just, it's an election year again as well.
So will those always get, get kind of fun up there on the hill as well? So we'll see. We'll see what happens. Thanks again. Hope you have a great holiday and we will definitely catch up after the [00:39:00] first of the year.
Mari Savickis: That sounds great Bill. Thanks so much. Appreciate it.
Bill Russell: What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It's conference level value every week. They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts, Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. We're [00:39:30] out there. They can find us. Go ahead. Subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisers, Aruba and McAfee. Thanks for listening. That's all for now.