This Week Health

Don't forget to subscribe!

April 29, 2024: Drex DeFord, President, 229 Cyber/Risk at This Week Health joins Bill for the news. Considering the prevalence of cybersecurity incidents, what should be the balance between technological advancement and ethical responsibility in healthcare data management? How can the healthcare sector evolve to ensure that breaches like the one at Change Healthcare don't just become an accepted part of the digital landscape? What are the implications of healthcare providers relying heavily on third parties for data management, and how does this influence patient security? As legislation and technology evolve, what should be the role of Congress in understanding and legislating on complex tech issues like cybersecurity in healthcare? What does the future hold for patient-centric healthcare information systems, and how might this change the dynamics of data ownership and privacy? How can the healthcare industry better prepare for the inevitable challenges of future pandemics and cybersecurity threats?

Key Points:

  • Healthcare monopoly impacts
  • Cybersecurity in healthcare
  • Legislative tech comprehension

News articles:

This Week Health Subscribe

This Week Health Twitter

This Week Health Linkedin

Alex’s Lemonade Stand: Foundation for Childhood Cancer Donate

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on Newsday.

Just because you have access to the data flow, doesn't mean that you can put some of it on an off ramp and go do something else with it. Right. somehow it happened or it's happening.

And then to have, Epic step into the middle of that flow and say, I'm going to make a decision, that's not okay. It is interesting. β€ŠMy name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health. where we are dedicated to transforming healthcare, one connection at a time. Newstay discusses the breaking news in healthcare with industry experts and we want to give a big thanks to our Newstay partners,

Clearsense, Sure Test, Tausight, Order, Healthlink Advisors, Cedars Sinai, Rackspace, Crowdstrike, and Fortified Health .

Now, let's jump right in.

(Main) β€Š πŸ“ All right. It's Newsday and it's Drex and I back in the house to talk through the news. Drex, welcome. Well, it's sort of your show as well but welcome.

Thanks. I appreciate it. it's always fun for us to be on the, on the airwaves at the same time.

Yeah. So, I mean, you're now doing the two minute drill, which is great. I listened to that to stay up to date on the security news. I still cover some things on the Today Show because I'm guessing we still have different followings. There's some people that are going to follow you and some people are going to follow me.

And so when things seem very important, like, hey, they released the information from Change Healthcare. I thought, I know Drex covered this, but I'm going to cover it too, because that's a big freaking deal.

it's the story that keeps on, storying. there seems to be some new development in that on a regular basis, including I guess nearly a billion dollars in losses that were reported.

There's a story in the record. I'll probably talk about it, that in today's two minute drill, but You know, they've reported nearly a billion dollars in losses because of this. And but UnitedHealthcare healthcare group continues to be very profitable. So it's a really interesting dichotomy of they had a bad cyber incident, but from a company performance perspective, they continue to perform well.

So

Let's hit the internet real quick. UnitedHealthcare's profit. Yeah, they're not doing too bad. Operating income, seven seven and a half billion. Oh, this is just for the quarter. Wow. So these are big numbers. I mean, a billion dollars sounds like a lot to lose, but

it's not really.

When you're that big of a company. Maybe it's not such a hit. I think, you know, it will continue to be the publicity part of it, the image part of it, but in the grand scheme of things, there was testimony on the Hill yesterday and some of the folks who testified referred to the Change Healthcare, United Healthcare Group, as a utility.

Which is not a word that's very far from the word monopoly, right? this is a thing that everybody has to use. So even with reputational damage and everything else, I don't know, it just makes me wonder, will people somehow figure out how to turn away and do something else? Or are they able to turn away and do something else?

So one of our stories today was, and I do this from time to time, I take a post from LinkedIn that has a lot of, that's dense and meaty. And I will make that one of the news stories. And if people don't know what happens to the news stories we identify them. They go through the system. They actually get through the large language model, gets a summary.

And then the link at the bottom actually takes you to the original story. And this one, Rachel England, Associate Principal, Digital Technologies. And she's in Washington .

She's with Vizient. She wrote this about the hearing yesterday. While the patient care and financial impacts of the change attack were nearly ubiquitous across healthcare provider entities, stronger cybersecurity measures within any or all of those hospitals, health systems, solo doc practices, pharmacies, or others would have done nothing to mitigate.

Those negative outcomes. The basic fact was not mentioned until the final moments of the hearing. The congressman asking the questions clearly did not understand this. This is a major difference from other third party incidents where the bad actors enter a health systems network through a compromised third party.

Very important distinction, though not addressed very well during the hearing. And you know, these hearings are interesting in that typically you have, Senators, Congressmen, whoever are doing the hearings, and they have people that speak into them. But it's also important to note that certain Senators and Congressmen, do a divide and conquer kind of thing, right?

I remember talking with one of the Senators when I was up there, On the hill, I can't remember which one, but he was a doctor. He's like, I'm the designated one to understand. These deep concepts.

On their committee, this is the person that they all turn to ask those questions, yeah.

Yeah,

Yeah. and so hope that the people asking the questions understand this stuff, but it's not their, it is their day job, but it's not their day job. I mean, they're going to talk about this, and then they're going to talk about nuclear proliferation, then they're going to talk about, the Ways and Means

Committee or something.

Yeah, I mean, it's, they're just all over the place. So, she's making the case here essentially that nothing the health systems did could have mitigated this. What are we doing now post? the earthquakes in California led to new standards and we have seismic.

Requirements for all new hospitals that go into place and whatnot. Because, one of the earthquakes for the first time went up and down instead of side to side. Essentially, took down schools and bridges and other things. And they said, oh, wait a minute, man, earthquakes can happen in a lot of different ways.

Let's make sure the critical infrastructure doesn't go down. And so everything since then has been built to something different. Change health care, just like the pandemic, everything since the pandemic. The next pandemic should look very different than the previous one. But what about change health care?

What will it look like two years from now when something like this happens?

Yeah, so I think a part of the point that she was trying to make in her post is that we think about health care cybersecurity on the Hill. this is a very broad brush to sort of paint everybody with. We think about healthcare cybersecurity on the Hill as a problem that is a problem in healthcare organizations, healthcare systems.

And in fact, what we've seen is that with change healthcare, you could have healthcare systems who are doing everything perfectly fine or not. It would have had no effect on the change healthcare breach because. The reality is we live in a world now where we have more third parties than ever before, and we're more dependent on those third parties than ever before.

Absolutely. Healthcare is a team sport from the perspective of business and clinical and research. Lots and lots of things connected together, and that creates, in the military we had this term called center of gravity, which meant that was the place that if you attack You can create massive destruction across an entire country.

And so the center of gravity in this case was a place that a lot of people hadn't necessarily thought about, although as those mergers occurred and Change Healthcare and United Healthcare Group all came together there were folks who sort of protested some of the acquisitions that were happening.

But we've created kind of two different parts of the system now. Health systems, which certainly have to get better and have to do cybersecurity better and have to protect themselves and the stuff that's on their network and the stuff that they're connected to. But the other part of this is the center of gravities that we've created with third party.

organizations who pull data from lots of different health systems to do the work they've been hired to do. But when it turns out a bad guy can breach one of those third parties, they can get access to the data for hundreds of health systems, not just one health system. So that's why the change thing was so interesting.

And so I think ultimately the point she's trying to make is that you're sort of standing on cybersecurity perspective. maybe yelling at health systems about they have to get their act together and be better at cybersecurity. And while that's true, that wouldn't have had any effect on what happened with Change Healthcare, because it's a third party.

And so to only get to that point, from what she said, to only get to that point at the end of the hearing, It's maybe a little bit of a loss. And from the people who are going to do what they're going to do, which is make new rules and new regulations and new laws that will affect cybersecurity and healthcare delivery it's a thing they need to understand better.

And like you said, Senators and congressmen, generally speaking, are not cybersecurity experts. They have staffers who may be much more focused on this and may be much more of an expert. They may have folks that they consult with that are much more of an expert. But at the front line, I think it can be challenging.

I mean, we all saw the TikTok hearings. We all saw the, other stuff. A lot of the folks who are doing the voting, don't really understand what they're voting on.

Yeah. You know, it's, TikTok is interesting to me because it's like, can you boil all this down into a TikTok video so that the entire mass public could understand it?

The answer is, I don't know. I mean, we'll see that in the next story I'm talking about. I will say this when we talk about this subject.

β€Š πŸ“ πŸ“ β€Š In the ever evolving world of health IT, staying updated isn't just an option. It's essential. Welcome to This Week Health, your daily dose of news, podcasts, and expert commentary.

Designed specifically for healthcare professionals like yourself. Discover the future of health IT news with This Week Health. Our new news aggregation process brings you the most relevant, hand picked stories from the world of health IT. Curated by experts, summarized for clarity, and delivered directly to you.

No more sifting through irrelevant news, just pure, focused content to keep you informed and ahead. Don't be left behind. Start your day with insight at the intersection of technology and healthcare. This Week Health. Where information inspires innovation. β€Š πŸ“ Increase

β€ŠAnd we'll get off it here and we'll go to the Epic V Particle discussion from I guess last week as this will air on Monday. One of the things I'm telling CIOs is we've got to look at the supply chain, right?

So when you talk about center of gravity, I think of, what's the supply chain within the health system of the data? What's the supply chain of the process supply chain and all those things? We saw that within the pandemic that, hey, we have to really pay attention to our supply chain for materials and that kind of stuff.

I heard this too many times. We weren't sure of the full extent of how much change would impact our workflow and our process flow. And I'm like, alright, that's our job. And we had this conversation before, I think we do need to understand that.

If it's not the CIO, somebody within the organization needs to unearth, unearth that. Epic vParticle. Epic vParticle. So, I'll give you a little bit of this background. I did a Today Show. My Today Show is supposed to be 10 minutes. This one was 20 minutes. So, I will try to break this to sync.

Our community understands these things, like Care Everywhere is, epic to epic sharing care quality is epic to non epic. Commonwealth is non epic clients who created consortium to share, and then Commonwealth brought it together. There's the direct trust framework where those things all came together for the good of sharing the data across that which is great.

All right, so we have this sort of idea that we have this common set of things, and then you have Tefca, and we've talked about that on the show several times, and we have detailed episodes where people can come up to speed on that. But here's what happened along the way. There's these companies called on ramp companies.

And the on ramp companies make it easier to access the data that is in These information exchanges. And so you have things like Particle Health Gorilla, Node 2, Zeus Health, Redox SureScripts, RLE, OneRecord, InterSystems. They all have these, easier set of front ends with APIs to access this data.

Now, the interesting thing on that is, there's a set of rules around this that is around purpose of use and reciprocity. Reciprocity is an easy concept. If I share my data with you, Drex, I expect you to share your data with me, right? So in order to have a network that works for sharing data, there's reciprocity.

Epic will share theirs, Meditech will share theirs, Cerner will share theirs, boom, we have this reciprocity. Where this is coming down to is this idea of purpose of use. The idea is that it has to be used for clinical or treatment purposes. Potentially payment and operations, but mostly for treatment purposes.

So here's essentially what happened is Epic was approached by their clients And they said, look, some of these people are not using this data for the purposes that the agreement calls for. They're using it for other purposes.

Do you have any idea what the other purposes are?

Yeah,

so there's a couple of them. Integritort is my favorite. Integritort gives access to tort as in law. Yes, I

know. Just the word tort. My, the

hairs stand up on the back of my neck. Yeah. Right. And so this is, hey, if you want to sue a health system, you go to Integritort and they essentially will get all the information out of, The health information exchanges, like if you're thinking about suing, you can get all the information out.

Or if you are suing, you can get all the information out. And clearly that is not a clinical use case of it. And typically what would happen is you'd file a suit. You would request data from the health system. They'd have to supply that data and then you could do the research and whatnot.

This is a sort of a way to. It's definitely outside the bounds of the reason that the exchange was put together. I'll spare everybody the details. There's this big back and forth that happened. And Epic's the one that flexed their muscles and said, No, on behalf of our clients, we're going to cut off, to and and Particle.

And Particle's interesting because they have clear clinical use cases, clear case around providing care and supporting that care. But they also have another side of their business that supports the payers. And they're using the information for the intended purpose, but they're also using it for another purpose.

And case that's being made here is IoT. that most of these on ramp companies are VC funded. And so they have to look for additional use cases. They're constantly going, Oh, how do we grow our market share? And how can we do this? And they're making the case that, look, if you want to improve health, it has to be beyond treatment.

There has to be sharing of data with the payers, with health navigators, with insurance brokers, life sciences, public health. Life insurers. And it's interesting because they go through that litany of people and usually they don't get to the patient until the end and they go, oh and of course, the patient.

Which is what 21st century cures was all about. We do want to get this information and empower patients, there, so they're making that case and Epic's making the case of, well, then you have to change the rules of the network because it's not clear and they're going outside. So they shut it off.

The particle people, went public with, Oh, can you believe this? And there's big notes and that kind of stuff.

Yeah.

Sort of claiming like, Hey, we didn't know this was going to happen. And then, and that's

what we first saw, you and I, that's what we first saw. And then I think we both were like, interesting.

There's gotta be more to this story. And And that's where you really dug into it.

Yeah. And there was more they'd been talking for a little while and they'd been almost put on notice by Epic and I'm not sure what they were thinking, but I'm not sure anyone expected Epic to do this. It is a bold move for them to do that.

And it, it does. Bring them under the microscope a little bit on the amount of power they do have within healthcare to dictate what's going on. And the power is really granted to them by their users, which is the health systems. I don't know that I have a question on this. I'd love to hear your comments on, I mean, I think that's as short as I can do a summary of what happened.

No, I think it's, that was a good summary. I think thanks because it helps me even understand it better, even though I've been reading about it too. So, and I think that's the whole point here is that sometimes just hearing the two of us talk about some of this stuff helps educate people, even though they've been reading about it, makes them think about other angles on this.

The interesting part. Vermeen now becomes the overseer of the data, taking action on behalf of all the health systems. Because they feel like the wrong thing is being done with the data. And maybe that's the right move, but it's all, I mean, there's sort of these degrees of like, okay, the data is supposed to be used for treatment and payment and operations, but not this other stuff.

Just because you have access to the data flow, doesn't mean that you can put some of it on an off ramp and go do something else with it. Right. And. There's probably varying degrees of gray in there that is, like, eh, that's maybe okay. And that kind of part of it maybe isn't okay. But some, somehow it happened or it's happening.

And then to have, Epic step into the middle of that flow and say, I'm going to make a decision, that's not okay. It is interesting. And some of it might be, they needed to step into the flow and make the decision because the health systems they represent, they just don't know enough about that stuff and what's going on to, raise the red flag and ask for help.

Yeah. I remember when I came in, we had an agreement with the company. And that company has since been bought by IBM. And I remember when somebody was asking me, where's your data being shared and that kind of stuff? I said, well, we have this set of companies that we share it with. And I didn't talk about them because it didn't dawn on me that company, the agreement that had been signed prior to me getting there essentially gave them the use of our data.

And it turns out when they sold to IBM, the valuation was based on the fact that they were reselling the data to payers.

Yeah.

And pharma and other things. And essentially we had signed a contract thinking we were getting an interoperability and a population health solution. And what we essentially had done was unlock our data to those sources so that this third party could reap a significant amount of benefit on

this ties back to this whole idea about third party risk, right? That these companies who are selling themselves as population health solutions. are getting access to all that data and maybe, depending on how the agreements are written, are just sort of bankrolling all of, not bankrolling, that's the wrong term, banking all of this data.

Maybe they're a population health company, maybe what they are is a huge repository of healthcare data that can be used for lots and lots of different things. And the health system who signed the agreement, as you said, didn't understand what they were actually giving up there. Yeah. πŸ“ That repository becomes a terrible target, center of gravity for bad guys, but it also becomes a, is that what we're supposed to use this for questions though?

Well, and this is a hard one. I remember having this conversation with Mickey Tripathi, also Aneesh Chopra, we were talking about. third parties writing applications in service to patients gaining access to that data. And it seems like an easy use case, except in order for that to happen, the data passes through somebody's hands to the patient.

And the question becomes, who writes The requirements and who holds those people accountable so that they do not utilize that patient data in a way that is, it was not meant to be used. And it was interesting because when they were presenting it to me, different times, different conversations, I didn't have an answer.

I didn't like look at it and go, oh, this is easy. You just it's very challenging. my point on this continues to be patient centric interoperability. It's Todd Park's blue button. It is every patient has the ability to press a button and download their entire medical record from every health system in the country.

to their phone, and they become the locus of interoperability. It's the patient, not these health information exchanges, not the health systems, not Epic, not anybody else. I'm the locus of the information. And there's a huge uphill battle, but I think the more I contemplate on this, it's the only way through.

By the way, great article, health API guy, and Brandon Keeler has a Substack newsletter and the title of it is Epic V Particle. If you want to go in depth it's it's really well. It's a good

article. Yeah. I mean, look, I'm with you. I think when I think back to This must have been 2010 or something like that.

There was a big run at something called Personal Health Records, PHRs. Google had one. Microsoft had one. There were a few other companies who tried to start them. And the challenge at the time was there wasn't great tech and APIs didn't exist. And patients wouldn't have been able to, be facile enough for the most part to be able to sort of pull that data down.

There wasn't sort of gateways or APIs, things let that happen. But I do think, I agree with you, when you look at the future, the ideal situation would be to have patients be the stewards of their own data and make the decisions about what data could be released for what. Because it is a data center. I mean, it is our information.

I know we've grown up in this environment where hospitals collect this information as they treat patients or they're in the hospital. And so they feel like it's their data. But I think the reality is it's the patient's data, and they should be in control of it. The best way to do that ultimately is through this PHR idea, not PHR, but whatever we're gonna call it in the future.

Yeah. We've gotta be careful here. 'cause it, it's not our data, it's, it is the health system's data. by law, it's whoever creates the record, it's their data. It's data about us, but it's, the health system owns the record because they created the record. That's the case in 49 states.

The only state that's not the case is Vermont. They passed a law where the patient actually owns the record. people say this to me all the time, and I hear it, People out there say, oh, the patient owns the record. I'm like, they don't own the record. They didn't create the record.

And the law states that whoever creates the record owns the record, even if the information is about you or me. If I write information today about directs, I own the record because I created the record.

is a place where I think the story is not done being written yet.

I agree. I agree. I hope. I'm really hopeful on this one.

I hope by the time hang up our cleats that there is true interoperability and it's patient centric and I would love it if people go, Oh my gosh, they're making billions from my medical record. And if we gave everybody access to their own record and they had the ability to sell it to this company for five bucks and this company for 20 and this company.

And there was a marketplace where people said, Hey, look, we'll give you a buck for your record or two bucks for your record. And now all of a sudden they're like, look, I don't care. I can monetize

my own record. Yeah.

Yeah.

And I mean, I think it would also create a situation where you would have.

research subjects who then would actively be looking all the time for research projects that they could participate in. Today that's a problem for a lot of research, researchers, is finding the right number of ends, the right number of participants to be able to do the research they want to do or to make that research valid.

They have to like claw and scrape and try to figure out how do they find the right number of people. It could turn that whole model on its head.

Yeah. People don't know this, but we've been talking now for over an hour because I said I was very verbose today and we haven't. All right. Hey, Drex. Thanks, as always. Hey, you're launching a new show Unhack the Podcast on Monday. We have the two and a half minute drill, but Unhack the Podcast will be,

yeah. We've got that going. Shawna Hofer is uh, with me on the first one.

We talk a lot about AI and cybersecurity. And then the other thing that we're going to launch here pretty shortly is. Another unhacked show, but it will be called Unhack the News, and it's going to be like Newsday, only just for cyber security. So we'll be doing that with partners and with other healthcare execs and others as we go down the road.

You'll see that. Fun times.

Drex, it is great working with you and Thanks again. Appreciate it. Thank you. See you soon.

Thanks for listening to Newstay. There's a lot happening in our industry and while Newstay covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers Expertly curated health IT news straight to your inbox. Sign up at thisweekealth. com slash news.

Big thanks to our Newsday sponsors and partners,

Clearsense, Sure Test, Tausight, Order, Healthlink Advisors, Cedars Sinai, Rackspace, Crowdstrike, and Fortified Health

you can learn more about these great partners at thisweekealth. com slash partners. Thanks for listening. That's all for now

Thank You to Our Show Sponsors

Our Shows

Newsday - This Week Health
Keynote - This Week Health2 Minute Drill Drex DeFord This Week Health
Solution Showcase This Week HealthToday in Health IT - This Week Health

Related Content

Transform Healthcare - One Connection at a Time

Β© Copyright 2024 Health Lyrics All rights reserved