October 3, 2022: Drex DeFord, Executive Healthcare Strategist at CrowdStrike joins Bill for the news. 2022 is the most financially difficult year for hospitals. A Kaufman, Hall & Associates analysis indicates hospitals and health systems continue to face intense pressure on staff and resources while also dealing with rising expenses for supplies, drugs, equipment and the workforce. Ohio hospital is laying off 978 employees. Ascension reported a $1.8B annual loss. What Is Social Engineering? We take a look into the sophisticated world of psychological cyber crime. How are health systems dealing with supply chain issues? What is going on in the non scaled startup space?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
Show me a list of all the contracts that we have in information services. A lot of this is like cybersecurity 101, contract 101: you can't do something with it if you don't know what you have. Because ultimately what you wanna try to do, fewer contracts and fewer agreements mean a simpler world that you live in.
It's Newsday. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. Special thanks to CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst who are our Newsday show sponsors for investing in our mission to develop the next generation of health leaders.
It is Newsday and today we're joined by the incomparable Drex DeFord, who is now back from Burning Man and ready to report. We're not gonna ask you to report on Burning Man. What goes on at Burning Man stays in the desert. So that's what I hear.
That's what you, that's what you hope or that's what you hear. Maybe both. Oh gosh. I I'm looking forward to this conversation. Although the topics are not the rosiest of topics these days we'll talk a little social engineering. I like getting to some of the security stuff with you. Sure. But a lot of, a lot of the stories, Drex, just are, are circling around the financials for healthcare.
Kaufman Hall did a report and it didn't paint a rosy picture. Hospitals are likely to lose billions of dollars this year due to continued to press margins, heightened labor costs. According to the Kaufman Hall report. I have a, we're not gonna do all these stories, but I'll just give you the headlines. Ohio hospital lays off 978 employees, and that's not a large, it's Sisters of Charity Health System. It's not, not a huge system to begin with. So you lay off a thousand workers. That's a lot of workers and then Ascension reports 1.8 billion annual loss. Now, before people go crazy, that's on 28 billion in revenue.
So It's never good to report a 1.8 billion loss. and again, I think it's the same factors. Let's see. Higher salaries, wages benefits due to staffing challenges, increased use of contract to premium labor. A lot, a lot of it's circling around that labor line. Yep. A bunch of it's circling around supply chain and inflation.
And then the rest of it is circling around contract renewals. So let's start there actually. You and I, former CIOs, this whole contracting thing. Is something that should be basic blocking and tackling these days. Right? I mean, we should know when a contract's coming for renewal, we should give ourselves enough time to negotiate those contracts.
These are all the shoulds. We're shoulding on people as my friend likes to say, don't should on here. we should have that timeframe. We should know. We should also know what's in the contract, what we've negotiated for, what we're actually using. This might be the time to look at those contracts a lot closer to say, Hey, this stuff we're not using. And we haven't used for the last two contract years, maybe we shouldn't contract for it again. like, we're just not using it.
Yeah. I mean, as primarily a turnaround guy, one of the first things I always did when I came into an organization was, I mean, first of all, can you actually show me all of our contracts? It was not unusual to come into a place and say, show me a list of all the contracts that we have in information services. And we couldn't actually produce that. So just like, I mean, a lot of this is like cybersecurity 101, contract 101: you can't do something with it if you don't know what you have.
So the first thing you need is kind of an inventory of all the contracts. And then the, the next thing is really look at those contracts. And especially when it comes to licenses and things like that, are we over buying licenses and not using all of them? Are there terms in the contract, we might wanna have a conversation about renegotiating all those kinds of things, because ultimately what you wanna try to do fewer contracts and fewer agreements mean a simpler world that you have to live in. And so you can simplify sort of operations and payments and all of those kinds of things. But the other part of it is if you do that kind of work and you really are transparent about it with your chief financial officer, you also gain a lot of street cred with your chief financial officer who says.
yeah, I'm willing to give this person in that department more money because they are clearly being great stewards of that allocation. They're doing everything they can to make sure that they're only spending money on the things they need to spend on because they have partners meaning.
Clinical business research operations, people inside the organization. They have partners who are working with them very closely to make sure that they're buying the stuff to support the mission. So yeah, contracts, it's always a big line item. And in many ways, I think it's just getting bigger and bigger, not just in IT, but kind of everywhere across the organization.
What are you hearing with regard to supply chain? I'm hearing switches routers. You gotta plan almost a year and a half to two years out. Are you hearing that still?
Oh yeah. Yeah, sure. That, that kind of supply chain. Yeah, definitely. I think this really lends itself to. Thinking about your strategic plan when it comes to don't be the chief of technical debt, right?
Make sure you have a plan to replace a lot of that infrastructure on a regularly scheduled basis and flatten that line out as much as you can so that you're spending kind of the same amount of money every year. If you can. I realize that that can be a challenge too. And then the other part of it is.
Being actively involved in a conversation with your partners, your supply partners, around what delivery times look like, so that you can actually make some adjustments about, I actually need to buy it this year. We may not pay for it next until next year so that it can be delivered maybe in the year after that. It's definitely crazy supply chain wise.
I'll tell you what. One of the things, when I was CIO, money is lifeblood for, for IT, period. You start running out of money and then equipment starts to age. Your service level starts to go down and so part of the job of the CIO, one of the primary jobs of the CIO is to make sure that you're adequately funded.
And it's interesting when I hear a CIO say, well, they didn't give me enough money. I'm like, then you're not doing your job. Now. I understand the challenges from year to year and those kind of things. But at the end of the day, a lot of it's education. Like I had to educate my, my IT staff. They're like, you didn't get us enough money for this and explain to them, Hey, you know what?
A health system runs this way. We make this much margin this. So we were always, in fact, we did a course in our IT university on finances, healthcare finances. Mm-hmm, not just IT. So they would understand, okay. Here's how the money comes in. Cuz they, they were incredulous. They're like we have to be making.
And at the point we were making like 6% margin and they were saying, you, you have to be making more than 6% margin we're this big of a company. And, the reality was we, we weren't, I mean, the overhead for our health system is pretty high. It's a, it's a labor intensive industry. So the, you have to educate them, but then education.
On the other side, I facilitated a conversation with a bunch of CIOs around this challenge of the conversation with the CFO, the conversation with the COO, and then going to those executive meetings. Exactly. And not just getting skewed by people who are essentially sitting there saying these words: IT's getting too much money.
It's a black hole. I know we need to spend on technology, but boy, that's a, that's a big percentage. We could do a lot of stuff with that money. Yeah. that's an example of, we have to educate the executive team. I, I was looking at a major health system. Yeah. there was no one with a technology title on the, and it was a major, it's like a 15 to 20 billion health system.ah. Does that surprise you in:hen now this would've been in:
And so that almost got me fired, but realistically now sort of like 10 years later, I had people who were on the board at the time that I talked to who said turns out you're right. Right. And, and so a big part of this has to be, you talk about education. Structurally creating the education through a governance process. And we've talked about governance before. It's a lot of the work that I did as I was an independent consultant between the time I left Stewart and the time I joined CrowdStrike, every time I worked with health systems, a lot of the. Root cause of the problems were tied back to governance and their inability to prioritize well and their inability to be transparent because there was no structure in place to be transparent about the things that we're buying and why we're buying them.
And who's actually the executive sponsor for that project and that application that we use and that tool that we use or whatever the case may be. So this really is about. Building an information services department that does things to support your business clinical and research operators. And that if there's a contraction in that budget, that contraction has to also.
Be in conversation with those business clinical and research operators about what are you gonna stop doing so that I can reduce my budget, right? Otherwise you do get into this tech debt problem. You get behind on things. You get into a situation where you can't upgrade or patch equipment, and that re leads to sort of risk of. Down times, risk of cybersecurity exposure, all those kinds of things. So yes, a lot of education, a lot of transparency usually centered around the idea of good governance.
I was gonna try to sing there to like, give the impression of the choir, getting ready, oh, pre preaching to the choir, but let me hit this and then we'll get, get back to a little pragmatic for sure. Aspect of this. This isn't just hitting healthcare delivery networks. This is from digital health business and technology. This is modern healthcare's new digital solution, right? So they're, they said, Hey, we're tracking layoffs across the industry and they have Amazon reducing 400 workers innovator.
Laying off 90 employees, Medly laid off half its workforce, GoodRx laid off 140 employees, Thirty Madison, 10%, Wheel, 17%, Sema4, 250 employees, Signify Health, 500 employees, Calm, 20% of its workforce. Truepill. So this is, this is hitting those people that go to the health conference, right?
So these are the innovators and the venture backed companies, the private equity backed companies and even in some cases, even earlier stage than that the money people went to 'em and said, look, you need a long runway. And in order to get that long runway, you need to start looking at revenue.
So this model where we were just like, Hey, just scale, scale, scale. And eventually somebody will buy you. We're now looking more realistically and saying, look, nobody's gonna buy you if you're not around in two years and your revenue needs to hold that up because the money's not gonna be flowing in as much.
I mean, what are you hearing in the, and I guess we'll call it the non scaled. Startup world because signify signify was bought mm-hmm some of these larger scaled up solutions are good fit for the Uniteds and the, the others. Mm-hmm . I mean, what are you hearing in this, in this space?
Yeah, so, I mean, I think this is one of the same things that kind of happens with health systems is that when the economy gets Sort of punched in the face. they start pulling their horns and think a lot more about everything that they do. I think investors P VC investors start to think about the same thing.
Do I sit on the sidelines and hold, do I, do I continue to invest? And in companies that they've already invested in, like you said, they start to talk about because you're buyers. Are pulling in their horns. You're gonna need a longer runway, which means the amount of money that you're spending right now, your burn rate, isn't gonna allow you to survive long enough.
And we don't think there's additionally mu additional money coming, or how hard will a round be if we have to do another round in the next year or 18 months. So all of that leads to contraction, right? And thinking and, and that contraction, while it can be. A bad thing for lots of reasons, including layoffs and all of that from the CEO and the chief technology officer in those startups the CIOs and those startups, a lot of this leads to really, really important blade sharpening, right?
Yeah, exactly. Figuring out exactly what it is that you do and where it is that you're gonna focus your time and energy. Because back to the governance conversation, if you try to be everything to everyone, you are not gonna succeed. And so you really sort of have to pick your direction, get really, really sharp on that and really, really good at it and focus.
And and so it may not be a bad thing. We may ultimately have more successful products as a result of this. Ride, we may go on for the next 18 or 24 months as opposed to the money free flows and you just get to keep trying things and trying things.
Yeah. I I, I believe that is the case. I believe that this will sharpen the message. This will provide focus and in fewer pivots, quite frankly, you just, you don't have the, the money to keep pivoting. All over the place. And so you don't get the pivot, whiplash that you get as a CIO.
For the ones that have really sharpened that continue to sharpen like Current acquired by Best Buy and CareCentrix acquired by Walgreens. And you talked about Signify and One Medical bought by Amazon. I mean, these are companies who have pretty sharply focused and as a result have created a situation where there's in, in some cases almost kind of like a bidding war
We'll get back to our show in just a moment. I wanted to take this opportunity to share with you our next webinars. On October 13th, we have Delivering Better Patient Experiences with Modern Digital Infrastructure. During this conversation, we're gonna discuss multi-cloud, how to modernize health IT, and a blueprint for creating an agile digital infrastructure without impacting the quality of care. If all those things sound really complicated, we're gonna make them less complicated for you on this webinar. This webinar has five campaign episodes. You can view them before the webinar to learn more. You can find these episodes as they release and register for the webinar at thisweekhealth.com. Click on the upcoming webinar section in the top right hand corner, and I look forward to seeing you there.
All right, Drex. Now I put you through the paces because I'm looking at these headlines. So I believe technology has a place to play on all of. And as I, as I look at this financial, right? So from a financial standpoint cost of labor contracts and inflation on ancillary stuff and whatever. Also you have, you have negatives in the, actually, I'm not sure this quarter of the negatives were all that bad on the stock market, but for the year the stock market's been negative. Technology has a role to play in all of those.
So if you were a CIO right now, if I, well, I always do this to you. I, I make you go first. I'll go first. If I were a CIO right now, I'd be looking at that, that labor line and I'd be looking really sharply at it. And I'd be looking at solutions. That and I, I, again, I wouldn't be doing this by myself. I I'd have partners within the organization and I'd be, I'd be looking at, 'em saying, Hey, here's what technology can do.
Here's what RPA can do. Right. In these administrative areas and potentially in some clinical, but mostly in the administrative areas, I think we could really save. A fair amount of labor and time I'd be looking at the documentation piece and saying, is there any aspect of our documentation strategy that can be taken to the next level?
Now we've talked about ambient for a long time here. Is that showing the promise that it should, is there another way we should be doing that? I'd be looking at documentation because that's an awful lot of the nurses world is just sitting in front of the computer and doing that stuff. Mm-hmm . I'd be looking at the non-value ad.
It's hard to say non-value. Work that the nurses are required to do and saying, okay, is there some way to offload that to technology? The repetitive it's? I shouldn't say non-value added, but I should say the repetitive non intellectually challenging work that they just have to do. Hey, that room's needs to be clean.
Let's put the information here. Okay. Somebody will come. That's all stuff we can automate. The sitters in the room we can automate. Delivery of some stuff we can automate. I'd be looking at I mean, even if it's a 5% reduction. Through the implementation of technology. I think that's one of the areas I would be heavily focused right now.
And also to be honest with you, I'd be laser focused on the clinician burnout issue. You have the 15,000 workers, nurses, right now striking in Minnesota. Oh yeah. And Drex, you're gonna love this poll. I put a poll out there. It said on LinkedIn, my Monday poll for this. Essentially said, is this gonna be a trend, 15,000 nurses on strike?
Is this gonna be a trend? Are we gonna see more nurses, unionized and practice their, their their negotiating power as a group mm-hmm and I said definitely most likely, probably not. And no, those were the four answers. it's close to 80, some odd percent of people that say either.
Definitely. In fact, the majority was definitely, and then the second highest was probably and so if you look at just the positive answers, it's, it's over 80%. Believe that more nurses are gonna unionize and more nurses are gonna strike. Right? So that whole area of what can we do from a technology perspective?
To lighten that load. Yeah. I'm not saying it's the only answer clearly. There's I mean, there's labor rates, there's all sorts of issues. A number of patients, they have to oversee two full years of the pandemic that they've had to deal with. Yeah. But, and as much as it depends on me from a technology perspective, what can I do to alleviate that problem? Those are some of the things I would do as a CIO. where would you be focusing right now?
I just wanna, I mean, I think it seems like every time I'm on, we sort of talk about this, I'm a Toyota production system guy. And so a lot of this comes back to people process technology.
And so while it sounds good and sort of feels good to say, we're gonna take some pieces of that work that whoever nurses or anyone is doing. And is there a way to automate that a lot of. Sort of ties back to, is there standard work? Are there standard processes that we could look at to automate?
So there's probably a couple of pieces there. One is, one is before you would spend the money on the technology to do automation, do you have processes that are automatable. And so that requires a lot of work, not from the IT team, but from management engineers who don't exist at a lot of healthcare organizations and sort of business clinical and research operators who decide that they want to create standard work, that they can then apply a technology solution to.
So it sounds it sounds simple, but it's a lot of, of really hard work. I think it. It's always a great place to focus, because what you wanna do is to try to keep those really expensive staff assets. As we say so often working at the top of their license. And again, this doesn't matter if it's an administrator or a clinician or a researcher.
So take as much off of 'em as you can. The other way to think about this might be as I just sit here and listen to you, talk about it. A lot of health systems and a lot of group practices. We've given physicians scribes. To do a lot of the, not fun, not really interesting, but somebody has to do it kind of work with the electronic health record.
Maybe that's a way to work through the process of, is there some sort of a scribe for nursing is somebody doing that? I don't really know, but you know, maybe that's a, maybe that's a way to sort of think through this process-wise to say, what are the things you could offload? Could you hand that to somebody who costs less money?
Who might need a career path in, right. That would be awesome for them. And then at the same time, look at that as far as what what's the standard work that we could automate and move into an RPA effort or something like that.
Cool. All right. So just some of the other stories, how virtual reality is turning surgical training upside. We're not gonna hit on that, but that's just another story that we could have hit on this time around, but what we're seeing is virtual reality becoming much more, let's see, applicable to things within healthcare. So something to keep an eye on. FBI spotlights cybersecurity risks of outdated medical devices.
We just did a webinar on that. And a couple of shows. I wanna hit this one with you though. What is social engineering? A look into the sophisticated world of psychological cyber crime. So I think generally our audience is gonna know what social engineering is. Right. But I mean, if, if you had to sum it up in, in two minutes or less, social engineering is what?
Oh, you're asking me. Social engineering is, it's the kind of thing that a con man does when they try to gain your confidence and get you to give them something that you wouldn't normally give up. So it could be as simple as, from a cybersecurity perspective, it could be as simple as a bad guy calling an individual and telling them they're from the help desk.
And they're trying to do some work on their shared drive and they need their password because something's not working right. And they're trying to fix it. And then the person gives up their password. It could also be I think in the story, there's a really good example of some a female who called a bank and had a baby crying in the background and claimed to be the wife of a husband who was having a problem with his account.
And he couldn't come to the phone and she needed to get the information and the bank service desk, guys being wired as they are, I want to help and I want to make people's lives easier. That's part of why I do this job gave up the information. So that's the kind of, it's not the short version, but that's, that's the idea behind social engineering,
A, a great article by the way, builtin.com. What is social engineering? So it says social engineering exploits kindness, right? So you find a kind person and say, oh my gosh I locked my keys in my car. Can you, can you help me, blah, blah, blah. And then before long they've ripped you off somehow. Right? So exploits kindness.
Turns out you've helped them break into a car.
Yeah, exactly. Social engineering manipulates respect for authority. In some ways, social engineering takes advantage of human nature. Social engineering requires confidence. It is a con game. That's essentially where you started. It's a, for sure, some sort of confidence game is going on. Social engineering capitalizes on online sharing. Those were some of the things and really
they're really great at doing research on you. Right. And you've made that easier. Not you, but us in general have made that easier now. Social media and all of that. You, you put a lot of information out there about yourself, the things that you like, maybe your birthday, you might talk about where you went to high school, all of those things are kind of like the tricky little security questions that might be asked when you need to reset your passwords.
So there's, there's so many things that you put out there. You don't realize that you're giving up and these adversaries have all the time in the world to do that research and build up that list of stuff they need to know about you before they begin their, whatever the event is.
So I'm gonna give you the list of social engineering examples. And if listeners are listeners and going, Hey, I don't know what these are. It's builtin.com, cybersecurity, What Is Social Engineering? But here they are: bait, diversion theft, honey trap, quid pro quo (I had to say that slowly), phishing, pretexting, rogue, spearing, and deepfakes. If you don't know what any of those are, there's good explanation of each one here. They close with this though, and this is where we'll probably close out the show. How can you protect yourself from social engineering without becoming a, just a complete jerk? Right? I mean, the thing is you could get to the point of saying, I don't trust anybody.
I don't trust. And we can go down that path, but they start with this. There's no single solution, but there are ways to more consistently mitigate the ill effects of social engineering in its many forms. Harmon's tech is to remove the weak link, meaning humans by removing their ability to screw up.
It's like having bumpers on the bowling alley. You can't get into the gutter. You can't not hit the goal. His company, he says, uses physical fail-safes that include the multifactor authentication software. He names one. So even if an account becomes compromised, the perpetrator still can't get in. This article's really written to us. It's written to IT professionals, like, what are you gonna do to protect your people from social engineering, and dual factor's a good example, but I like the whole concept of eliminating the human aspect of it. This is why I'm waiting for no more passwords in healthcare. Yeah. Right. That's, that's the ultimate. It's like they can't steal your password if you don't have one.
Yeah. That they will, they will come up with another way to do something though. Even if you don't have a password. Right. And that's why things like machine learning and artificial intelligence built into the products that you use to monitor endpoints, identity protection, cleaning up Active Directory, all those kinds of things that you do as a part of, sort of should do as part of normal security operations and normal network management and operations. Those are all really important things to kind of protect end users from themselves, cuz they will make mistakes.
And we are working in an industry where people really, really do wanna help. And so that tendency works against a lot of our end users, as you see and hear about all the time when it comes to the number of people who click on phishing links when it's just a test and all that kind of stuff.
And there's great companies that can help you. Like a CrowdStrike can help, right. As if tower site can help you as can mitigate and rubric RIS Veritas. These are Proofpoint. These are all companies that support This Week Health. So I just thought I'd throw all those guys out there. Lot of security companies.
Yeah. It's I mean, it's interesting to think about when it comes down to sort of like, Personal stuff. How many, if you're on Facebook for people who are on Facebook, how often do you get invites from people to connect? Who you don't know? Part of that probably are people who are trying to figure out. Information they can get from your profile that lets them do things they shouldn't be doing so great. Let's I mean, it's all those kinds of little things like that. You have to be suspicious. You don't have to be let's let's don't have to be a jerk,
Let's end with this one. So LinkedIn, somebody said to me once, Bill, with your profile, I can't believe you only have. And I have like a little over 10,000 people that I'm connected with.
I can't believe you only have 10,000. The age you're at, you've been in these prominent roles. Now you're doing you know what I'm doing today? You should have more. And I said, look, here's the deal. first of all, if I connect with somebody and they send me that long thing right afterwards, I immediately disconnect from 'em.
Yeah. it's just a thing. The other thing is I try to protect my network by not connecting to people that I know wanna exploit my network. Right. So, yeah, to, for the most part, I am, I'm very judicious in who I connect with. Now, if you happen to work for a health system and have a, a health system email address, I'm gonna connect with you.
If you're working for one of these companies, that's supporting them that they're partners I'm, I'm likely gonna connect with you. But the others I don't connect with, and I don't know, maybe that's my cynical nature, but
I think it's a good nature to have. I think given the world that we live in right now that being appropriately cynical although I know that you deep down in your heart are an optimist about those things. is probably, that's probably a good thing keeps you outta trouble.
I'm not smiling when I get that long, that long InMail thing that says, Hey, thanks for connecting. Let me tell you about my company. And I just scroll down to the bottom. I can't believe you just sent me this long thing.
Delete, delete, delete. Yeah.
Drex, always great to catch up with. I think we'll see each other next month. Definitely. Mm-hmm, for sure. What fall events are you going to, to CHIME Fall Forum or HLTH?
I will be at the CHIME Fall Forum. I'm not going to HLTH this time. I will be at the association for executives of health information security. Maybe by the time this show, this show is on. If it's on next week, it's on Monday. So that's on, that's on next week. Okay. So I'll be at AEHIS with our friend David Finn and others. And then also do an event with CDW later in the week in Las Vegas. So it'll be a travel week next week for sure.
Wow. You're just Mr. Mr. Event. This fall. Should you?
I'm an airplane guy. I'm an airplane guy right now.
Yeah, I'm, I'm getting there. I'll have four flights this fall, which is four more than I really enjoy having, but I don't know what it is as I get older. I don't enjoy flights as much. But I do like the amount of email I get done on those flights.
Yeah, I'm not a big fan of flying. It's just one of those things you need to do to get to this stuff that you really do enjoy. Absolutely. Which is networking with a lot of folks and, helping to solve problems. That's always fun.
Drex, always great to hang out with you. Thanks again for your time.
Good to see you. Thanks for having me.
What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to show just like this one. It's conference level value every week. They can subscribe on our website thisweekhealth.com. They can also subscribe wherever they listen to podcasts. Apple, Google, Overcast. You get the picture. We are everywhere. Go ahead. Subscribe today. We want to thank our Newsday sponsors who are investing in our mission to develop the next generation of health leaders. Those are CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst. Thanks for listening. That's all for now.