This Week Health


April 22, 2024: Wes Wright, Chief Healthcare Officer at Ordr, joins Bill and Drex for the news. How has Ordr spearheaded innovations in network security within the healthcare sector? What challenges have they faced in securing complex healthcare networks, and how have these been addressed? Is segmentation the solution to these major cybersecurity breaches? Furthermore, they explore the broader implications of their security solutions on patient data protection and hospital operations. This episode not only highlights Ordr's strategic initiatives but also fosters a broader discussion on the critical role of cybersecurity in modern healthcare.

Key Points:

  • Challenges in Healthcare Cybersecurity
  • Protecting Patient Data
  • Impact on Hospital Operations


Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on Newsday.

Find everything on your network. Second step, segment. Third step, work on your vulnerabilities. What we've been doing as an industry is we'll find part of the stuff that we have out there, see all the vulnerabilities that are on it, and dive right in there and start fixing those vulnerabilities.

My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare, one connection at a time. Newsday discusses the breaking news in healthcare with industry experts, and we want to give a big thanks to our Newsday partners,

Clearsense, Sure Test, Tausight, Ordr, Healthlink Advisors, Cedars Sinai, Rackspace, Crowdstrike, and Fortified Health.

Now, let's jump right in.

Hey, it's Newsday. And today we are joined by Wes Wright and Drex DeFord. We have two people joining us today, Drex and Wes. Welcome to the show.

Thank you, Bill. Hey, good to be here.

It's going to be a little loud behind me. I'm in the car dealership. I had to bring my old car in for service. Who knows how long I will be here. But I chose not to do the loaner car.

10 years old, Bill. Just trade it in and get another one, man.

Deserve it. I know. Well, it's a classic. It is classic. It's a very low serial number Tesla Model S. So, I was one of the early adopters. And it was a lemon. So if Elon Musk is listening to this and wants to, I mean, it had all sorts of problems. I have a new battery in it. I have a new screen in it because the glue behind the screen melted.

I have, you name it, they had to replace it. Now the good news is they replaced it all under warranty. But it absolutely was a lemon. And one of the guys came out, because they fix these cars a lot of times in your driveway. And a guy came out to fix my Model S in the driveway.

And I said, why have so many things gone wrong with this car? And he was replacing the handles. So they have those really cool solenoid handles and I had to replace three of the four of them. And he showed, he goes, all right, so this is the one that I just took out. And it looks like the three of us went into a garage and we had like soldering irons and we'd like, it's like, hot glue gun, like we put it together, whatever.

He goes, here's the one I'm replacing it with. And he showed it to me. It's like, there's not a single wire on it. It's like perfect. He goes, to be honest with you, we had no right shipping any of these cars back in those days, because I worked in Fremont.

And he said there was a whole team of us at the end of the line and like three out of every four cars that came off that line we had to fix just to get them out the door. So anyway that's how the story goes. I don't know how much truth there is to it, but that's the story. I'm going to hit you guys up with this story because it's interesting.

Wall Street Journal. It's time to hand cybersecurity over to computers. And I don't know if you had a chance to read this. I'll give you a little, little glimpse into it. The article discusses the escalating issue of cybercriminals targeting the American healthcare industry, significantly disrupting operations by attacking large healthcare providers and insurers.

It highlights the recent major cyberattack on Change Healthcare and whatnot. The attack compromised insurance payments, so forth and so on. And they're essentially saying that with AI, with where computers are going, we can't respond fast enough as humans, and it's only going to be computers that are going to be able to keep up to monitor all the false positives, to identify the signal from the noise and so forth and respond fast enough.

I am curious, two cybersecurity professionals here, your thought on that of handing cybersecurity over to computers?

But before we start, it's important to know that this is an opinion article, and it was written by Larry Ellison from Oracle, and Seema Verma, who works also at Oracle, but at Cerner, and used to be the King Boo ha, the Queen Boo ha of CMS.

So that's who's making this assertion.

So let's talk about the premise. Let's start with the premise. Is the premise accurate or not accurate?

I thought we'd been saying that for the last 10 years, is that we have to pit machines against machines.

We can't do this from a human perspective anyway. I thought that was a no brainer. We'd already decided that.

I'll tell you, I thought at first when I read it, it wasn't April Fool's Day, but I thought it was an April Fool's Day joke. And the reason is that, I mean, I think there are a lot of great tools and there's a ton of awesome automation that we should be doing, especially in healthcare.

That we haven't got around to yet for whatever reason. A lot of it is just the complication of the environment. But I can't imagine handing cybersecurity over completely to the machines. And that feels like a little, maybe clickbaity headline to get people to read it.

But there may have been a little hyperbole on the headline.

I agree. Of course you can't just turn it entirely over, but we've already said, you've got EDR, you gotta have EDRs to go against what they're doing on that side. So we've already put machines against machines. Haven't approached full self driving yet, Bill.

It's the same. It's a little bit of the same thing, right? Like, is it time to turn over driving to the machines? And the answer to that is maybe in some cases, in some particular situations, it's good that you take pieces out of it and hand it over to the machines.

But I don't know if it's good to let the machines do all of it. And so, depending on how you read that article, it could take you down a different path, but.

Was that Skynet that took over everything? Wasn't it? We can't have that shit happening.

Oh my gosh, we haven't even started talking about AI yet, and you guys are talking Skynet.

Yeah, I think this will become more and more the norm, just like coding. It will become more and more the norm for computers to do it, just like billing and denials will become more and more computers will be doing it.

The problem with that, Bill, though, in my opinion, is that and Drex and I have been talking about this since we were knee high to grasshoppers.

It's, there's just this foundational cybersecurity blocking and tackling, I just don't feel like that is as present in our healthcare systems as it really should be. I get frustrated every time I hear about a ransomware attack that takes down a whole health system. Has nobody ever heard of segmentation?

Holy cow. If we had our foundations tighter, perhaps we could turn it over to the Skynet quicker. Our foundations just aren't there.

So what's the answer to that? So right now we have legislation Senator Warner's put forward that essentially that. There's going to be a set of minimum standards that healthcare needs to meet in order to, gosh, it can't be tied to CMS.

It's tied to the idea that if there's a cybersecurity breach that interrupts your ability to file claims with CMS, but you've reached this minimum standard, that you'll be able to get already approved advance payments for your claims while the cybersecurity incident gets sorted out.

That's how that particular piece of new Warner legislation is written. So it's very specific. But there are pieces of legislation like in New York State and other states right now that are essentially saying you have to be this tall to ride the ride, or we're going to stop talking to you from the state government perspective, and here's some money to do it, and maybe if you're lucky you can get some of that money, but it is aimed at fundamentals, it's aimed at the very basic stuff that you really should have in place, you really should be capable of doing, but, you know, a lot of organizations don't do it well, even now.

Yeah. You shut down a hospital that can't provide a certain level of cybersecurity?

No, they'll be shut down themselves. I mean, no, let them keep practicing until they get shut down. But when they get shut down, then they don't get any of this money that Drex was talking about. Cause they weren't up to this.

You know, it's really starting to get, I can't know, I don't know if you can tell, but it's really starting to get frustrating out there that these ransomware attacks that have been around for, God, 15 or 20 years are having this kind of impact. I just don't understand it.

It is frustrating.

The part that I continue to be concerned about. I talked to a CIO at a very small health system yesterday in the middle of rural New York, which you always think about New York as New York City, but there's a lot of spread out property in that state that it's 60 or 70 miles between hospitals.

And he's at a small 70 bed hospital. They have the only emergency room in the area. The problem becomes when an organization like that, where the CIO has 15 people on staff and a part time CISO, and they can't do the fundamentals because just, there's a lot of fundamentals to do, even if you're the smallest place in the world.

Yeah, they still have the same fundamental things that they have to do, no matter the size.

And the problem is that when they get, if they get breached, when they get breached, and they wind up taking the hospital down and having to divert patients, patients have to now travel for two hours to get to the next emergency room.

It is super aggravating just from the perspective of like, from a patients and family care perspective, you can't get the, if this is the terrible day that you're in a car crash and you have to travel two hours to get emergency definitive care, it's not a great day for you.

Put this into perspective though. So we have the small health systems and that kind of stuff. Another one of the articles that's on our news site today is AT&T says personal data from 73 million current and former account holders leaked onto the dark web. Now I don't know the specifics of the leak, but that's, it's AT&T, right?

So, I mean, if they're getting into AT&T, what's the chance they're getting into that small rural health system and what can they do to defend themselves?

Yeah, it doesn't bode well for that small health system, the one that Drex mentioned, that has a part time CISO and can't even get the fundamentals down.

You can only do what you can do, and there are just certain fundamental network hygiene things that you should do, period. And segmentation is one of those things. The AT&T thing, yeah, there are going to be people that are smarter than us. There's going to be some vulnerability that they can get in on.

Something like that. And I think we've all stopped talking about the if they hack, or it's now a when thing. So what you got to do is just try to mitigate the when, and we're not doing what we should be doing to mitigate the when, W H E N, not W I N. Mitigate the when this happens to you. We've done this to ourselves and I've just started noticing this and actually saw a presentation at VIVE or HIMSS, one of the two, where somebody told the group to, yeah, don't do segmentation.

It's too hard. Instead, do this other stuff first and then get to segmentation, where the HHS document said, and I'm so happy that they put this out, but they said, find everything on your network. Second step, segment. Third step, work on your vulnerabilities. What we've been doing as an industry is we'll find part of the stuff that we have out there, see all the vulnerabilities that are on it, and dive right in there and start fixing those vulnerabilities.

Whereas, we could have protected all this other stuff if we would have found all our stuff, segmented it, then it's just, it's frustrating that segmentation, which is the biggest protection to shutting down your whole operation, is not getting the focus that it should get. And that's what I'm here for, damn it.

And Drex, this isn't, segmentation isn't new. I mean, in 2011, when I came into St. Joe's, the plan was to simplify the network, and they were actually eliminating segmentation because certain printers didn't work, and we couldn't, and it was hard to get people to things, and it is, you can create a gnarly mess if it's not well thought out.

But with that being said I remember when Deloitte was our internal auditor, they came in and they said, stop. Like, stop, yes you're making it easier internally, but you're making it easier for anyone who gets in to get all the way across. 2012, it's now 2024. Segmentation is still a conversation we need to have?

Really?

Oh man, number of flat networks out there, Bill, you would not believe. Can still find easily, and this is one of the things that should be segmented off immediately, a financial risk perspective, I still see PCI gear mixed in with clinical workstations, man.

thing the world has changed. It's a lot easier to do this than it was when Yes. Yes. Wes and I showed up at a large health system in Southern California in 2006.

Yeah, 2006. And the same thing. In the spirit of making it easy, there was a giant flat network. And to do segmentation took a lot of work to identify all the individual pieces on the network, all the things on the network that probably should be grouped together. And then to build and maintain a network segment was very difficult.

Segmentation was a great idea, but it was really hard to do. And that's why a lot of flat networks were built, but as time went along, I mean, even now, like, just to talk about Ordr for a second, but you know, using products like Ordr to be able to see everything on a network and then be able to make big decisions just right out of the gate.

Like this group of stuff probably should be together in a network segment. You don't have to create a thousand network segments across your organization. Like everything, this is just start. You know what's there, create some big segments, you start to really protect yourself, and then you can continue to sort of make those micro segments, build out micro segments over time and make it better and better.

Yeah, I'm starting to use the term macro segment.

Macro segmentation, and you can get to micro segmentation, but by gosh, let's get some macro segmentation done now.

Yeah.

β€Š πŸ“ πŸ“ β€Š In the ever evolving world of health IT, staying updated isn't just an option. It's essential. Welcome to This Week Health, your daily dose of news, podcasts, and expert commentary.

Designed specifically for healthcare professionals like yourself. Discover the future of health IT news with This Week Health. Our new news aggregation process brings you the most relevant, hand picked stories from the world of health IT. Curated by experts, summarized for clarity, and delivered directly to you.

No more sifting through irrelevant news, just pure, focused content to keep you informed and ahead. Don't be left behind. Start your day with insight at the intersection of technology and healthcare. This Week Health. Where information inspires innovation. β€Š πŸ“ Increase

β€Š

Yeah, back to this AT&T breach. It's a really interesting story too, because a lot of that, you don't know what you don't know.

This is one of those things that a cybersecurity researcher basically called AT&T and said, by the way, we found all these millions of AT&T records for sale on the dark web, and you should probably know about it. And AT&T then, of course, scrambled to figure out like, how did we get breached or where did the data come from?

And I don't think they really still know that yet. This is some stuff from like 2021. The data is older data and it's hard to say where it came from, but.

I haven't been an AT&T customer since before 2000. Yeah. And I just got my notice.

I'm sure mine's in the mail.

That's crazy. It goes way back. So is this common? Like, we find out about the breach when the information goes for sale.

That's not the first time I've heard of it. Yeah, I've talked to a couple CISOs who said, somebody called me and told me my information was out there and I had to track it down, how it got out there, and then I had to go back usually to a third party vendor who has got hacked and say you got hacked. Yeah, it's pretty common.

And I think the other interesting thing is that CISA is monitoring a lot of things that are happening, obviously on the internet. And I was talking to a CIO the other day from a big academic medical center who said they got a phone call from CISA saying, by the way, we think you have a problem.

And they didn't realize that they had a problem. So getting calls from a dark web researcher, or getting calls from the FBI, or getting calls from CISA as the first indicator that you have a problem goes back to this, I think, original idea of if you're not doing the fundamentals, it's hard to see in your own environment what you have and where things might be broken.

All right. You guys seem to be two opinionated people. So I'm going to throw this one out at you. Cause I need opinions. OpenAI and Microsoft reportedly planning a hundred billion dollar data center project for AI supercomputer. What does Microsoft know or believe in order to make a hundred billion dollar investment in AI in a data center supercomputer?

Yeah, they know something. I tell you, I certainly wouldn't bet against whatever Satya is doing. Guy has just, he's been spot on from a vision perspective for Microsoft since the jump. So I saw that story too and I went, what does Satya and Microsoft know that is really causing them to do this?

And so I can't even speculate. I'm not smart enough, Bill, but I did kind of have the same response as you when I read it, which was, what do they know that we may not know?

I built one data center in my life and I think it was a 50 million project. A hundred billion dollar project, that has to be mostly the innards. That has to be just a crap ton of NVIDIA chips. And that's exactly,

Microsoft built a data center and I think it's still running it under the ocean. So maybe they're going to do that.

They are obviously the primary investor, I think, at this point in OpenAI.

They're well into that space. And like you said, Bill, those NVIDIA chips are not cheap. And depending on how you're going to do this, if this is some kind of a foundational cloud based AI offering, that's a lot of compute that a lot of organizations are going to use. And it probably isn't super hard to drive the math up to that kind of a number if you're going to build that kind of a platform.

You're also two of my West Coast friends. Elon Musk suing OpenAI because it was started off as an open platform. It's named OpenAI. Should he at least win on the name? Should it be closed AI instead of OpenAI at this point? No.

I just think it's interesting, right? So remember the whole time period where Altman got into it with his board and then resigned and then was hired by Microsoft and then resigned from Microsoft.

And all this happened in like 24 hours. Remember that sort of series of events that happened not long ago? Yeah. And all that was all over the same thing, right? The board said I really think we're OpenAI and this should be for the public good and all of that. And I think the CEO was in the category of like, no, I think we can make a lot of money from this.

We probably should focus on that version of the business. And the right hand didn't know what the left hand was doing. And there was a lot of consternation and ultimately the board was the one that got fired and the CEO is the one that stayed. And so,

Well, the old adage, no money, no mission.

Sam saw that. No money, no mission. Yeah. If it had remained open AI and that whole open source platform, and that's the direction they were going to go, it would not have accelerated the progress nearly as it has.

Yeah, you know, and something I think, there's a bunch of other competitors coming out with OpenAI.

I mean, Apple just dropped their AI platform, or was it yesterday, a couple days ago, something like that. We live in interesting times, thank goodness.

Yeah, you have Anthropic, Google has multiple platforms actually. Hey, bye. Yeah, so it will be interesting.

I'll just continue the theme. Hundred billion dollar data center, OpenAI. I think we're seeing the formation of one AI platform to rule them all and the one thing I will say is,

There's ambient clinical listening. There's, I don't know, like a hundred players now. I would say 70 of 'em live on top of OpenAI. To give you some idea of where they're trying to play, they're trying to be that platform that's sort of agnostic, will be your natural language front end and even potentially your reasoning engine, depending on what you're trying to do as an application.

I think that's what Satya sees. I think he sees that, that level of integration across the board, deep integration with a lot of different systems in a lot of different industries.

Our founder, he's made that remark too. He said, Microsoft, just like they do with everything, Microsoft is building the platform for businesses to use for AI.

Yeah. And they are providing an AI service, just like they're providing the Microsoft 365 service, and it's going to be hard to overcome that. The ease at which they are going to make AI accessible is going to be hard for others to overcome, I think.

There's another really interesting story, I think, yesterday about OpenAI, and it was one of those things where they did it, and they talked about it, but they're apparently concerned about releasing the tech, and that was with about 15 seconds worth of your voice sampling, they can do all kinds of, they can make your voice sound like it's saying lots and lots of different things.

And all of this is sort of, we've already seen that sort of thing be used in cybersecurity breaches where they've gone into service desks and pretended to be somebody else to get password resets or to get new MFA devices registered or whatever the case may be. So, I mean, it's another example of just the, I think maybe the three of us, we talked about this the other day, that the AI that we talk about today, in a year, it's going to be a completely different thing.

It's going to be like, oh, that's so old school, so it's interesting to just see the stories continue to rumble out, the tech continue to rumble out, the stuff from NVIDIA, like that whole stuff from their user conference or their build conference a month ago.

It's an incredible amount of tech that is rumbling out into the market now, based on AI, and it's going to be incredible.

Personally, I've never seen anything in healthcare adopted as quickly as I've seen the AI adoption happen in healthcare. I mean, everybody's doing something with AI. This ambient stuff that you were talking about, Bill, that's huge. Stanford just decided to roll it out across all their camps. That's huge. Every CxO, CISO, CTO that I talk to, there is some kind of AI project going on in their facility and it's mostly driven by the clinicians, which is a super cool thing to have happening. But I've never seen a technology in healthcare over the 30 years I've been doing this get adopted with as much enthusiasm as I've seen AI get adopted.

We talk about game changers a lot. I actually think that AI and the delivery of healthcare is really going to be a game changer.

Said all that, let me throw one more thing in there in the spirit of Maslow's hierarchy of needs. You can do all the cool AI stuff that you want.

If you don't get the fundamental cybersecurity stuff right, all that investment won't matter. And this kind of takes us through the whole loop back to the beginning of our conversation, I think.

The thing is, though, is it's like they say about homeowners and guns with an invader.

Hey, do you want a gun? Do you need to own a gun? Cause that invader will take it away and use it against you. Hey, if you don't have your cybersecurity fundamentals down, the bad guys would come in and take that AI and use it against you. That's what's going to happen.

Yeah. Yeah. It's interesting.

Well, out of time, as we enter into, and to your point, Wes, the EHR took decades and required government funding in order for it to get adopted. I can't recall a technology that's been adopted this quickly either. And it's already fundamentally changing the game and the expectations as we move forward.

I think the biggest question we're gonna have to answer is how do we pay for it? And we will save that for another. Drex, you and I will have to come back and talk about the NVIDIA announcement because that was one of the most fascinating videos I've watched in months. It was a rock concert for chips.

I mean, it was unbelievable. But we'll come back and do that. Gentlemen, thank you. Appreciate it. Great to host you from the Tesla dealership down here.

Hey, good luck with that lemon you got there, Bill.

Appreciate it. Thanks, Bill. Take care.

β€Š πŸ“ πŸ“ Thanks for listening to Newstay. There's a lot happening in our industry and while Newstay covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers Expertly curated health IT news straight to your inbox. Sign up at thisweekealth. com slash news.

Big thanks to our Newsday sponsors and partners,

Clearsense, Sure Test, Tausight, Order, Healthlink Advisors, Cedars Sinai, Rackspace, Crowdstrike, and Fortified Health

you can learn more about these great partners at thisweekealth. com slash partners. Thanks for listening. That's all for now
