October 30, 2023: Drex DeFord, Executive Healthcare Strategist at CrowdStrike joins Bill for the news. A thoughtful consideration surfaces around democratized AI and the implications on efficiency and privacy. What does the rise of machine customers mean for future economic activities? How will this explosion of AI affect cyber threats and security management? Furthermore, we cover intriguing topics around Patch Tuesday, AI's impact on development and intelligent applications, and the concept of continuous threat exposure management. As we delve into this episode with DeFord, we invite listeners to grapple with these complex topics at the intersection of healthcare, cyber security and AI.
Unlock the full potential of AI in Healthcare with experts David Baker, Lee Milligan, and Reid Stephan on Nov 2nd, 1 PM ET. Learn to navigate budget constraints and enhance operational efficiency in healthcare IT. Don’t miss out on affordable, scalable AI solutions and practical tips for success. Register Here.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
How are we figuring out how to make the place, in my case, make the place safer for what feels like a better value in the dollars that we're spending.
Welcome to Newsday A this week Health Newsroom Show. My name is Bill Russell. I'm a former C I O for a 16 hospital system and creator of this week health, A set of channels dedicated to keeping health IT staff current and engaged. For five years we've been making podcasts that amplify great thinking to propel healthcare forward.
Special thanks to our Newsday show partners and we have a lot of 'em this year, which I am really excited about. Cedar Sinai Accelerator. Clearsense, CrowdStrike,. Digital scientists, Optimum Healthcare IT, Pure Storage, SureTest, Tausight,, Lumeon and VMware. We appreciate them investing in our mission to develop the next generation of health leaders.
Now onto the show.
It is Newsday, and I am joined by the one, the only, Drex DeFord with CrowdStrike. Drex, good to good to have you back on the show. Good to be talking. In fact, I've been out of the office so much, I need to learn how to speak back into the microphone and stop getting so far away.
I like that your camera follows you around too. That's a new and interesting feature that you've come
up. I use an iPhone for my workstation camera. For the quality. My team wanted a little higher quality, but if you use some of these features, like people aren't going to see this on the podcast itself.
But if I cover my face right now, it zooms in on the Einstein photograph behind me, cause it sees his face. Doesn't recognize a person with their face covered. It'll actually pick up on the painting behind. Fantastic.
Well, high tech AI. There you go.
We're doing a new process now. For those who don't know, we, this week health, you go to our website, there's a news. button out there. And so any news story that we discuss will actually be on this page. In fact, Drex, there are like 80 news stories on this page to choose from. They're all in categories, AI, machine learning, cloud architecture, infrastructure, cybersecurity, so forth and so on.
Patch Tuesday Turns 20 was on the CrowdStrike website. So I'm going to assume you've read that one. So, back in the day, Microsoft had an issue. Microsoft may still have issues, but they instituted Patch Tuesday, where every Tuesday you got a bunch of patches and you roll them out to your various machines.
And they batched them out.
They basically did batch work, because prior to that, they would just issue patches as they came up with patches, which sort of drove people crazy because you were getting them every day. Then they lumped them all together into Patch Tuesday.
And, Everybody is very used to Patch Tuesday.
They are very used to Patch Tuesday. Should we be used to Patch Tuesday? Or does that indicate problems with software?
Well, yeah. I mean, obviously it indicates problems with software. you write better software, there should be, less patching that needs to be done.
So, I think there's that sort of compounding factor of just, there's more and more patches on Patch Tuesday. Oftentimes, what we also see is that the patch that was originally issued on Patch Tuesday doesn't quite do the job and the next Tuesday there's another patch to patch the patch. Those kind of situations are tough.
And then I think, looking ahead, when we can talk about artificial intelligence, but I think looking ahead as we see adversaries start to use artificial intelligence, and a lot of this is to do things like look at the patch and Disassemble the patch, which is not easy to do. There's a limited number of people, probably in the world who are good at that.
Understand what the patch is protecting or what the vulnerability is that the patch is supposed to be protecting. And then figuring out how to take that vulnerability and weaponize it. That today takes... a fair amount of time. And that's why from the point that somebody realizes there's a vulnerability until there's a patch, there's that period of time where the problem is still there, right?
The vulnerability is still there, but no one's taken advantage of it yet. And I think with AI, what you will see, what we anticipate seeing is that Those patches will be disassembled. The bad guys will figure out what the vulnerabilities are, and then they'll create zero days to be able to attack those vulnerabilities faster and faster and faster.
So that time period will continue to shrink down. And so patch Tuesday, we fear could become zero day Tuesday, right? So as soon as these patches are released. Using artificial intelligence, they'll be disassembled and deciphered very quickly. Zero days will be built for them and those vulnerabilities will be weaponized.
It's... Way faster than they are today.
Are we getting better? I remember, my team, we did we had security audits and whatnot, and one of them was on patching, specifically patching all the systems that were out there, and, we had gotten it down to just a, quite frankly, we were pretty current on our patching, but it was still like some of the systems were, 30 days, some of them were seven days, so, we'd gotten Fairly current.
It's almost going to need to be real time
at this point.
Yeah, I mean, it's a huge deal today. Let's face it. A lot of the breaches that we see in, Healthcare organizations around the world today, the breaches occur because oftentimes there are old patches which have not been applied and those vulnerabilities are the ones that are taken advantage of.
So it's not just the current patches, sometimes it's an old patch that hasn't been applied or hasn't, hasn't been updated, an old piece of software that hasn't been updated and should have been. And so, that's part of it. The other thing that, that we're seeing is that vulnerabilities that existed in the past sometimes the zero day or the piece of work that was built to take advantage of that vulnerability bad guys are just taking that same piece of work and polishing it up and turning it into a new.
attack method. And so, these are business people, whether we think of them that way or not. These are, high tech, highly innovative, very creative bad guys. And they are structured much like any other corporate entity. They have CEOs and CFOs and development teams. They have help desks.
They write chatbots to help you be able to pay your ransomware much more quickly and effectively. And they spend a lot of time figuring out how to do what they do as least expensively as possible so that they can make the most amount of money, right? They're creating business plans inside their own companies about how do they repurpose old stuff so that they can do this stuff on the cheap.
to others who can do it on the cheap.
We really shouldn't read in too much into this that Microsoft is one of the most attacked services out there, because Microsoft also represents a majority of. Healthcare systems that are out there.
I mean, even Biomed devices, a lot of them are running on Windows. software and whatnot. So, there's a graph in here that shows an escalating number of attacks that are going after Microsoft, but that would make sense if it's a majority of the attack. surface that eventually that's what would be attacked.
I had a chance to sit down with David Ting and we talked about the MGM and Caesars breaches. And the one question I wanted to ask you is one of them paid the ransom. The other did not pay the ransom. One of them paid 15 million cause that was the ransom and the other.
incurred, damages well in excess of that 15 million. Is this an art or a science? Which one was right?
I don't, I don't know that one or the other was right. I think this is a thing that most organizations need to spend a lot of time before you're attacked thinking about what you're going to do when you're attacked.
Is paying the ransom even something that you would consider? If it is. What would be that number? How many systems would have to be encrypted before you would, cry uncle? How long would you be down? Are you comfortable that you have all the backups and the things that you need to be able to recover?
And if not, where do you draw the line? And then I'll tell you the other thing too, is I think when you talk about cyber liability insurance and you're working closely with your insurers and others, yeah the You may have something sort of dictated to you and so you have to be sort of thoughtful and careful about that.
Have those conversations in advance with all the other parties that are involved in this discussion. So there's
not a right answer.
So Drex had a 229 event, CIO's in the room, and I had this with CISOs as well, a couple of weeks back. One of the questions I throw out there.
When we start talking about security is pay the ransom, not pay the ransom. And I give them three options, pay it, don't pay it, or game time decision. And bunch of them said game time decision. Like it will depend how far they've gotten, what they've breached, where they're at, backups, all those things that you just mentioned.
And I'm like, okay I'm fine with game time decision. As long as if you're going to pay, you know how to pay and you have that whole thing mapped out. Like you were saying, are you ready? But one of the CIOs just said, Hey, it's illegal to pay, like you can't pay. And is that a misnomer or is that essentially the guidance that they're being given right now?
Sure. I'm not a lawyer, but I know that there are some rules in place, some laws in place that have to do with financing international terrorism or something to that effect. And so that. Law has been interpreted or maybe misinterpreted as being the, you can't pay ransom. My understanding is that you still can, I think there's, again, you, this is why you have internal counsel, outside counsel breach coaches 📍 and other people involved.
📍 Don't you think it would be in the paper to seeing the CEO and CIO for Caesars, like handcuffed and taken out of the executive offices, that would have made the news by now.
Yeah, for sure. And I think, but it is important to sort of understand that the dark web and the things that are happening on the dark web are really, horrible. We think about it a lot as just being ransomware and they're making money and, they're stealing data and holding it hostage and you're paying to get the files deleted and all of that. And that's all true. But the reality is the deep and dark web goes much more broader than that, the funds that you pay to get your data back may be funds that are used for lots of other really horrible, terrible human trafficking, other things that happen in the deep and dark web.
So it's certainly worth considering the possibility that you're paying for something that you really do not want to have any involvement in. And that in many cases, this is the way that those other businesses are funded. If you think of it like that that's what I'm saying. These are extremely innovative and creative business people who run these sites and run these operations, and they don't run them in isolation.
They're often tied to. And,
And they're unscrupulous. If they had a mission statement, it would be the diametrically opposed to every healthcare's mission statement across
the country. . Absolutely. It would be the opposite end of the spectrum. Yeah.
We'll get back to our show in just a minute. Having a child with cancer is one of the most painful and difficult situations a family can face. In 2023, to celebrate five years of This Week Health, we have partnered with Alex's Lemonade Stand all year long with a goal of raising 50, 000 from our community.
We've already achieved that goal and we've exceeded that goal by 5, 000, so we're up over 55, 000 for the year. We want to blow through that number. We ask you to join us. Hit our website in the top right hand column. You're going to see a logo for the lemonade stand. Go ahead and click on that to give today.
We believe in the generosity of our community and we thank you in advance. Now back to our show.
I want to hit on this Kaufman Hall has a flash report that comes out every month.
The September flash report shows that margins, operating margins are actually, I mean, they're not back to historical levels. But they are positive and so you now have a trend from June, July and August, a trend right around 1 percent operating margins. And it doesn't make up for the last, two and a half, three years of negative margins, but it's heading in a positive direction.
Are you getting that same kind of feeling? I mean, obviously the numbers don't lie. But that there's a relief, there's a little bit of pressure being taken off of the health systems.
I'd love to say that, yeah, I hear that and I see that, but I really don't.
I don't know if the distance, the amount of time that trend has been occurring is enough to, have an effect. On the buying end of the... Yeah,
and the reality is they were making budgets based on bad months. So, that, the budget conversations are...
You may have to go through a fiscal year, refresh new budget cycle.
Look, CFOs are... Awesome, but once they learn a habit, that is the habit and the habit right now is to, I think a lot of them are sort of locked down tight and they're asking a lot of questions and they should they're looking for value and the things that they're buying, they're trying to understand, are we doing things like consolidating You know, packages, software packages, security packages, those kinds of things.
How are we figuring out how to make the place, in my case, make the place safer for what feels like a better value in the dollars that we're spending. And so, I don't see like floodgates opening by any stretch of the imagination, but. But things are still, I think, pretty tight for healthcare CIOs and CISOs.
One of the skills you have to have is managing that budget, managing it closely. Gartner had their conference, and I'm on a CIO dive. Ten trends Gartner expects to shape enterprise tech in 2024. And wouldn't you know it, AI will take an oversized role in enterprise technology strategies in the coming year, according to the analyst firm.
This goes into the category of... No kidding. But anyway, regardless let's take a look at the top 10. We have democratized generative AI. Democratized just means in the hands of tons of people. AI trust, risk, and security management. We'll see IT leaders. We'll need to erect AI security and privacy guardrails as adoption expands throughout the enterprise.
By the way, I mean, so the Gartner conference is not Gartner's healthcare conference, it's a Gartner just a Gartner conference. So this will not be healthcare specific. AI augmented development, which I'm doing a ton of these days. I am doing like 95 percent of my code. is coming out of ChatGPT, and I'm putting 5 percent in.
It is, it's a game changer. The productivity enhancements on my side have been have been pretty high. And then so I hit up some people who I know do hardcore development. I'm like, are you guys tapping into this? They're like, oh yeah, we've been tapping into this for the better part of a year. Yeah. It's, it takes the mundane work out and it lets you really focus in on the things that you need to do.
Intelligent app, intelligent applications. As part of the ongoing vendor push to infuse AI into services, more applications will become what Gartner defines as intelligent applications apps able to respond appropriately to autonomously. Thanks to Learned Adaptation. Applications becoming intelligent.
tell you, the one that gets talked about the most is Epic seems to be partnering a significant in a lot of ways that they haven't partnered before. And they seem to be bringing Gen AI into a lot of different areas in the EHR. Do you think we're going to see that across the board? Will we see that in ERP?
Will we see that? in our HR systems, our PAC systems, and everything else?
Yeah, I think so, and I mean, we definitely see it on the cybersecurity side of the house, too. And so, we've just released Charlotte AI, which is, exactly the same thing. There aren't enough people, they don't have enough skills, they can't do, all of the work that they're being asked to do.
And so the idea is that you use generative AI to create the situation where you can take eight hours worth of work and make it maybe eight minutes worth of work, right? The more that you can work on that, the more that you can create that situation where it makes a difference can compress, like you said, a lot of the boring, a lot of the, like, looking for needles in a haystack.
And that doesn't just apply to cybersecurity. It obviously applies to clinical analytics and the stuff that happens in ERP. So it's a lot of work If you can compress it and make it easier to do and make the work more interesting for the people that are involved. It's a huge deal. There's
a growing sense of concern from health IT leaders, CIOs specifically, around the budgeting around this.
There's a concern that we're going to check a box on an agreement, and we're going to have to true up at the end of the year and find out we've used AI significantly. And so people are sort of holding back, doing small pilots. They're like, look, I can imagine that Gen AI can respond to emails for every worker we have in the healthcare system.
But is that really a good investment? And how much is that going to cost? And it doesn't sound like much up front where you say like, oh, it's just two cents or three cents or whatever. But then you start multiplying that out. And. Essentially, you could be looking at an increase in costs of millions and millions of dollars.
Do you have that same concern? Like, we don't know what the usage pattern is going to be yet.
Yeah, I mean, I think when you talk about the, and I have a hard time saying this word, the Democratization of generative AI. That's what happens because people are super creative and really inventive. And so, when you think about it being a penny per whatever it sounds super cheap, as you said.
But as people get more and more creative and they start to realize, I mean, This is the big data analytics issue in many ways all over again. Once you figure out that you can ask this question and get an answer, then you're like, oh wow, maybe if I ask this, I can get an answer.
Maybe if I ask this, if I can get an answer. Maybe I can automate this process. Maybe I can automate this process. And you start to get A lot of use of these tools, if they're productive and they actually work the important part of this will be, I think, the probably metering and reporting and sort of understanding how people are going to use it, especially if it's a sort of paid by the use.
model because yeah, it's just like we see in cloud computing. If you're not monitoring that at the end of the month, you can get a giant bill that you didn't, Oh, no, I wasn't expecting that. What happened? You've got to have insight. So there has to be some really great reporting on those kinds of usage models.
Yeah, so my automation and AI budget at This Week Health is now 1 percent of our revenue. And I don't know if that's a good metric or not. But we, every staff member has access to ChatGPT. So that's the 20 a month right there out of the chute. Then we have some automation tools and some other. Things across the board and things we're doing, and it just ends up being about 1%.
I wonder if that's just gonna be a line item moving forward, where it's like, Hey, 1% or 2%, or whatever. At the end of the day, I look at it and go, oh my gosh, this is saving X number of hours. I'm not even close to the number of hours, like the number of FTEs we would have to hire. If we, tried to do these same things without it, so.
And there's the speed to value question too, right? You showed me some of the things that you were doing when we were together last. And so the idea that you can get things on the site. probably, you can get things out, 500 percent faster, which actually , it's great.
It's great for the people who consume the information on the site. It's great for folks who want to get the reader's digest of something that happened in one of the podcasts. It's it's super valuable. So for you, it does take. And for a lot of people who are using it now, if you figure out how to ask the question right, and you give it the right material, it can greatly reduce the amount of time that goes into the consolidation of tons of material into something that's really usable.
Or, like you said, building code. There are a lot of folks that are using it now to... to build code. And all the things that are happening on the good side of the fence, all those things are also happening on the dark side of the fence, right? From a cybersecurity perspective. Great, amazing emails, phishing emails are being written by the dark web version of ChatGPT, which You just tell it that you wanted to write this email and make it sound like it comes from somebody who has a 11th grade education and grew up in Indiana, and it will write an email in that kind of format, even if English is your second language, right?
So it sounds very legitimate. You can say things like, Write the email so that it sounds like it comes from Bill Russell. You have enough material out there that, it can look at your sort of writing style and make it sound like it comes from you. So, with all the good, there is the bad. And it's it's definitely something I think that we're watching and everyone's watching right now.
Yeah, the deepfakes is highly concerning to me. The, the software we use for the podcast, there's a correcting correction mechanism. which is now AI driven and essentially all I have to do is read a consent form and say approve and then if I make a mistake in the podcast, the team can just go in there and type the words in and it will be my voice corrected.
But it's almost that simple. I mean, if you could just type in a script and say, Indirects to Ford's voice, you can have a, a script that says, Hey honey, I'm not going to be home. Hey I can't find, my credit card, whatever. I just need the number. Can you whatever.
I mean, that kind of stuff is is scary as all get out. And it's amazing to me, the number of people who have. Safe words, code words now with their family members to make sure that they, and you have to think about it personally now as a family. You do. Cyber security. It's, just to finish out this article.
So continuous threat exposure management, Gartner says is one of the top 10 and you've already touched on that. And that's key. Machine customers. AI will boost the speed and efficiency of organizations next year and in the process, it will become a considerable economic actor as algorithms gain the ability to assess and execute purchases for organizations and individuals.
The rise of the machine customer is expected to lead to trillions of dollars in revenues by 2030. Sustainable tech, platform engineering, industry cloud platforms are the top 10 trends. So,
I think you think about things like, the B2B. Kind of work that occurs today turning that into AI machines, AI bots, talking to each other to take the boringness out of that work, but also the potential risk that's involved in that without the right kind of monitoring and throttling organizations could get themselves into trouble.
Buying a bunch of stuff that they didn't mean to buy, or transferring funds in a way that they didn't mean to transfer, right? And all you need is, so we talk about, this, where are the vulnerabilities, if a vulnerability like that's discovered and an adversary is able to insert themselves into the middle of that AI bot to bot conversation or transaction, there's a lot of damage that could be done very quickly if it's not, again, monitored and throttled properly.
Yeah, well, there's, everything good, you have to consider what are the opportunities for adversaries and that's one that definitely concerns
me. We're a little over time, but I wanted to ask you with the hostilities in the Middle East the war in the Middle East going on.
Are we seeing an increase in cyber activity at this point?
Yeah, we are I think there's you see it, a lot of it in the form of just hacktivism that kind of stuff, folks taking oversight. Spewing nasty messages. I just saw something come across my desk what might have been yesterday, where the Israelis had told their hospitals to disconnect from the Internet for a period of time because they thought there was a legitimate risk in in being connected to the internet.
So, there's a lot of things that are happening over there, and it's easy to sort of think about it, I think, as over there, but the reality is we're all connected to each other in a very real high speed way, and as we've seen in the past, it's really easy for something that happens over there to spill over into the rest of the internet and affect us all.
It's, it's a tragedy what's occurring over there now, and, I think our our thoughts, and if you're this person, prayers certainly go out to everyone involved, and, let's hope that somehow we find peace there pretty quickly it definitely, from a cyber perspective .
Definitely everyone should be on high alert for the things that could come out of the region. Yeah,
and we saw that in Ukraine as well and Russia. Anytime there's a there's a boiling point somewhere in the world. War has gone digital. And so, if you can take out the adversaries digital capabilities and those kind of things, so all of a sudden.
There are literally digital missiles going in multiple directions. Well, sometimes those could hit the target and sometimes they can bounce around the internet and end up hitting another target. So yeah,
collateral damage is a real thing, no matter what kind of warfare you're talking about. Yeah,
Drex, always great to catch up and look forward to doing it again.
Yeah, I'll see you soon.
And that is the news. If I were a CIO today, I think what I would do is I'd have every team member listening to a show just like this one, and trying to have conversations with them after the show about what they've learned.
and what we can apply to our health system. If you wanna support this week Health, one of the ways you can do that is you can recommend our channels to a peer or to one of your staff members. We have two channels this week, health Newsroom, and this week Health Conference. You can check them out anywhere you listen to podcasts, which is a lot of places apple, Google, , overcast, Spotify, you name it, you could find it there. You could also find us on. And of course you could go to our website this week, health.com, and we want to thank our new state partners again, a lot of 'em, and we appreciate their participation in this show.
Cedar Sinai Accelerator Clearsense, CrowdStrike, digital Scientists, optimum, Pure Storage, Suretest, tausight, Lumeon, and VMware who have 📍 invested in our mission to develop the next generation of health leaders. Thanks for listening. That's all for now.