March 28, 2022: Ryan Witt, Industries Solutions and Strategy Leader at Proofpoint, joins Bill for the news. There was a lot of AI and ML hype at this year's ViVE and HIMSS. Hacking group Lapsus$ claims it had access to Okta, an authentication and identity management software company that is used by more than 15,000 organizations. The specter of Russian hackers and an overreliance on voluntary cooperation from the private sector means officials are finally prepared to get tough and fix America’s never-ending cybersecurity failures. Teladoc launches a telehealth model for employers. And the healthcare sector is asking, will the digital health bubble burst?
00:00:00 - Intro
00:13:30 - You need to train your users to look for anything that's out of the ordinary
00:29:15 - All of a sudden, Walmart's part of healthcare. Amazon's part of healthcare. CVS is much more substantially part of healthcare. And Apple is trying.
00:32:50 - At some stage we’re going to have an EMR 2.0 sort of event
Today on This Week Health.
At a more macro level, it's very clear that whether you're a security organization, whether you are a large critical infrastructure organization, you are perpetually in the crosshairs these days of these bad actors, these threat actors. So you need to always assume the worst in terms of their nefarious aims and trying to penetrate your systems.
It's Newsday. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. Special thanks to CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst who are our Newsday show sponsors for investing in our mission to develop the next generation of health leaders.
All right, here we are. It is Newsday. And today we are joined by Ryan Witt with Proofpoint. Ryan, welcome back to the show.
Great to be here. I always enjoy these conversations.
Yeah, this is the week following the HIMSS conference. And noticed Proofpoint had a, I'm not gonna call it a booth, but you, you hosted a rest area. Is that, is that what happened?
We had a lounge. We had to make a, a call during the height of Omicron about what are we, or were we not gonna be at HIMSS, we had already made some investment in HIMSS. So we decided not to go a full presence with sending large numbers of staff, couple, three dozen number of staff.
So we decided to create a little bit of a lounge sort of experience. Cause we had that, that basically that real estate to work with. So we were there in very minimal numbers, but yeah, I kind of wish upon reflection, given what I saw HIMSS, the given I saw the level of, of engagement and the number of people who were there. I kind of wished we, I understand the call that we made, but I wish we were there in, in a much more significant way because it was a good show. I thought.
It's hard to make those calls. You're sitting there, you're looking at these numbers. You're going, which way is it gonna go? Is there gonna be another strain? And we have no idea. So leadership has to make those calls. Sometimes they're the correct calls. Sometimes they're not as evidenced by last year's decision by HIMSS to go to Vegas at a time where it spiked and they got hammered. I mean, at the conferences were not well attended.
And so you, you have to make those bets, but it seems like let's see. The official number I saw was 28,000 were there, I don't know. I didn't really read it that closely, but what I was telling people is it felt like between 20 and 25,000 were there, so 28 would not be outside the realm.
Yeah. There was activity. There was noise. There was energy on the floor the entire time. I, I can't really speak to who was there. I mean, I have made some comments that the CIOs went to the ViVE conference cuz that's where their association is. That's where CHIME was. There were some CIOs at the HIMSS event.
We tracked a bunch of 'em down and had conversations. But I will say, and some of 'em were even around doing what I normally did, which was booth to booth meeting with strategic vendors while I was know, if I'm gonna go to the event, I could really hammer out four or five, maybe even 10 meetings in a very short period of time. So I saw that happening. I, I guess the question is, was it worth the, a lot of the booths were scaled down. The Epic booth was, I, I can't, I mean, my estimation was half the size of what it, it usually is.
Many booths were that like that. Yeah.
Yeah. And so it felt like everybody sort of scaled down a little bit, but it still was a very big floor. I mean, to get from one end to the other was not, was not a small task. I guess the question is, is it worth. One of the vendors said to me, we spent $400,000 all in for the HIMSS event. Is it worth $400,000 or is it just one of those events you have to be at?
I, I think from a Proofpoint standpoint and from vendors like Proofpoint who have a significant focus and attention on the healthcare industry, we have to be there. It's a tables stake sort of event. We're in the cybersecurity business. I would, I would've related it to RSA. I mean, those are 2 shows, and there are from an investment standpoint, there are two largest investment in terms of single events that we do year in, year out. So I kind of think you have to be there. Is it ever worth it? It's always hard to measure that ROI. But I feel like demise of the trade show, which has been
Greatly exaggerated. Right.
I think, I think there's definitely a lot of runway for, for these events. The intangibles that you kind of referenced in terms of the buzz the engagement on the floor, the traffic kind of the euphoria of just being back together and, and having something like a normal sort of business sort of relationship, a sort of business setting seemed to be strong. I mean, that's an intangible sort of statement. I can't quantify it really, but it kind of felt like people were really happy to be there. And I I think want to want to do more of that sort of stuff. I mean, it's always gonna be dependent upon business climate, and then what's the next variant gonna cut through at us, etc.
What's BA.2 gonna do you, but I feel like this will be a part of the, the healthcare health IT landscape for, for a long time coming. We see how ViVE, what happens with ViVE. I mean the CHIME brand is very valuable and we understand the importance of ViVE as well are certainly CHIME.
And so if they can use that sort of new platform to kind of grow, I'm sure many vendors like Proofpoint are, are watching that very closely with the idea that at some stage is something we also will be attending as well.
Yeah. It's interesting cause I've labeled both of these conferences, a success. ViVE was about 5,000 and HIMSS, I thought HIMSS my prediction going into it, I was completely off. I thought if they, if they peak 10,000, I would be surprised. And so I'm surprised.
Yeah, no like likewise, likewise.
I think both of 'em are considered a success. I think going into next year, marketing departments will have to figure out where to spend their money. It, it felt to me like influencers were at the second event. We're at the HIMSS event and the budget, the buyer was at the first event, but I don't know. I, I mean, that's maybe not fair. I'd have to, I'd have to really do some analysis before I get there.
My Periscope is much more narrow. I don't feel like the security buyers were so much at the first event ViVE. But I felt like they were more present at a HIMSS.
So who are the security buyers? This is a decent conversation actually. So CISOs used to report into CIOs and we've seen some split out and now go into compliance and legal, which is really interesting. I mean, who, who all are the security buyers at this point?
It's a good question. And I'll answer it maybe this way. Where we have seen the most success in terms of health systems or large IDNs, or just more broadly the healthcare industry making the sort of investments that are commensurate with their peers and other industries.
So they're know, similar size organization in other industries. It's those CISOs or those InfoSec teams. Those IT teams who have directly related the importance of a cybersecurity posture to healthcare's overall mission. So those who still think about it in terms of a compliancy requirement.
Sure that's important, but we find that they have a hard time translating the importance of making that investment back to the hospital board in a way that's meaningful in return. Those that purely see it as a as a just purely like a security play or privacy play again, have that, that difficulty.
But when you start referencing some of the big outages that we've seen, and I don't need to name, check all the organizations, cuz they've been name checked multiple times where they've basically have not been able to provide patient care for weeks on end. You having to recreate patient records on pieces of paper, they're having to send their oncology patients to neighboring health systems and a whole number of other examples, those hospital boards acutely get it.
They acutely understand that a cyber event essentially totally kneecaps them in terms of their ability to provide patient care, provide patient, meet their mission. And those ones who experience that understand the importance of the investment and those who are watching from the sidelines and the considered matter also understand that. And I think the InfoSec teams that can convey that story are the ones that are the most successful at securing the needed investment. So who is the security? Who is the security buyer? It probably still is centered on the CISO, but I think the CTO plays a significant role there. The CIO, depending on what function that CIO provides, whether he is more of an operational or this kind of like the digital transformation style CIO. Those roles play a role. And if the CFO course is always never far away from that consideration, considering the amount of money often needed to go make these things happen.
Yeah, whenever you say the word money, the CFO is not far away.
We'll get to our show in just a minute. As you've probably heard, we've launched a new show TownHall on our Community channel. This Week Health community. And it airs on Tuesdays and Thursdays. I'll be taking a back seat to some of these people who are on the front lines. TownHall is hosted by an array of talented healthcare leaders who are facing today's challenges head-on. We're going to hear from professionals and their networks on hot button issues, technical deep dives, and the tactical challenges that healthcare faces. We have some great hosts on this. We have Charles Boicey and Angelique Russell, Data Scientist, Craig Richardville, Lee Milligan, Reid Stephan, who are all CIOs. We have Jake Lancaster and Brett Oliver who are CMIOs and Matt Sickles, a Cybersecurity first responder. I'd love to have you listen to these episodes. You can subscribe on our Community channel. This Week Health Community, wherever you find and listen to podcasts. Now let's get to the show.
We're gonna do something a little different if you're watching on video. So I'm gonna, I'm gonna pull up the story that we're gonna be talking about right now. We're gonna start with one that you just brought to my attention. I said, Hey, let's talk about some security things.
And you said, did you see this? And I guess it's a story that's unfolding as we speak. Authentication firm Okta says it has found no evidence of new attack after hackers claim breach. So Okta is an authentication identity management software company that is used by more than 15,000 organizations, a bunch of those being healthcare. Hacking group Lapsus$, how do you pronounce that? Lapsus?
Lapsus. Yeah. Yeah. Who are generally considered to be. I hate to use the word credible, but I mean, when they make these statements, people take their statement seriously on the know, the whole, like Twitter audience that sort of to those who, who pay attention to what goes on, on Twitter. They tend to pay attention when, when this organization makes a, makes a claim like this. So it's, it's treated with some credence. So.
So they posted screenshots on its Telegram channel claiming it had access to a number of Okta systems. The company said it had detected an attempt to compromise the account of a third party customer support engineer working for one of its sub-processors in January, but have found no evidence of ongoing malicious activity. At this point we can assume if they're finding something, they're gonna report it. I mean the companies that try to hide this stuff, get just absolutely annihilated don't they?
They do, they get pilloried and I think it's just, no and it looks like Okta's being pretty, pretty transparent here, which is absolutely the right approach. So we'll, and this is as you can see from the date of this story, this is definitely kind of breaking style news. And so probably don't know much more about, than what's being posted here. But I think at a, at a more macro level, it's very clear that whether you're a security organization, whether you are a large sort of a critical infrastructure organization you are perpetually in the crosshairs these days of these bad actors, these, these threat actors. So you need to always assume the worst in terms of their, their nefarious aims and trying to penetrate these systems, your systems.
Yeah. How's healthcare experiencing that? If I'm an Okta customer today, I assume they contacted me pretty early on to say, Hey, we are researching a breach. So the thing is in a, Hey, we're researching a breach mode right now. How am I supposed to be thinking about this as a security person within a healthcare organization? Am I supposed to be saying all right, making contingency plans or I, I would assume a lot of those contingency plans are already in place.
Yeah. I, I, I think, I think, yes, you need to have the contingency plan as kind of an ongoing, ongoing sort of planning process. I mean, if you're not doing that, then you're, you have some exposure, right. If health system just didn't learn this to take from ransomware about what do you do if this, this sort of cataly event were to occur, whether it's a system being breached or the whole, your whole health system network being breached, you need to have those sort of plans in place.
I think in this particular instance, you need to train and educate your users to look for anything that's out of the ordinary. So this is a Okta focus on authentication. And so if you're getting your system's asking people to authenticate multiple times throughout the course of a day or whatever that should trigger an alarm.
Right. That should be a red flag. So, but instead of like going into each sort of what if statement, I think in this instance here, you need to train your users to look at for anything that's out of ordinary. So something is like, if it's the system it's asking you to do things, it doesn't normally do.
You need to slide that back up to your IT team or your security team and make them aware of that. Because that's gonna be, the users are such an important part of the defensive posture for any organization. Healthcare otherwise.
Yeah, absolutely. We'll go straight into, we have two cyber stories, so we'll go right into this one. This one's interesting. MIT Technology Review said inside the plan to fix America's never-ending cybersecurity failures. And really what this focuses in on is the public private interaction on these things, I guess the way to say it. And the story they start with is the 2021 hack of the Colonial Pipeline.
The biggest fuel pipeline in the United States ended with thousands of panicked Americans hoarding gas, and fuel shortages across the Eastern seaboard. A basic cybersecurity failure let the hackers in. Then the company made the unilateral decision to pay 5 million in ransom and shut down much of the east coast fuel supply without consulting the US government until it was time to clean up the mess. From across the Atlantic, Ciaran Martin looked on in baffled amazement.
The brutal assessment of the Colonial hack is that the company made decisions off a narrow commercial self-interest. Everything else is for the government to pick up, says Martin, previously the United Kingdom's top cybersecurity official. Now some of the US top cybersecurity officials, including the White House's current cyber director, say the time has come for stronger government role and regulation in cybersecurity, so that fiascos like Colonial don't happen again.
I think I'll stop there and just get your initial thoughts on the colonial pipeline, how it was handled. And actually I think some things have changed just as a result of that in terms of how we think about these things ahead of time. But what are your initial thoughts?
I mean, I think it's always hard to pass too much judgment on an organization who decides to take a stand and, and how they're gonna rectify their cyber event. You don't really know the pressures they're under. There used to Yeah there was a point in time in say for healthcare, for example, that were kind of being shamed if they paid the ransom demand.
I've heard a lot of systems push back and say, Hey, you don't know to what degree we had patient safety compromised. And we made a judgment that said we had to pay it right away otherwise there was legitimate concerns that people were at significant risk. And so I think it's always hard to understand unless you're really in their shoes. That being said and I think this is kind of the, the thrust of this article is it goes on and talks a lot about what is the US government's role meant to be going forward? And they used the UK example as a juxtaposition about how strong of a role the UK government plays in their overall cybersecurity posture across, across industries and across the the national health service.
There is a very significant compare and contrast, and we as a country have a lot more exposure as is exampled here by the Colonial Pipeline, because there isn't essentially overarching requirements put on us from the US government to go have certain levels of cybersecurity protection in place.
That article talked about like the importance of the Clean Water Act, the importance of FDA and other sort of similar are sort of organizations that we put meaningful regulation in place. And that meaningful regulation in place was definitely beneficial to us as a country, as a whole.
And if you look at some of the more recent initiatives the executive orders are from the Biden administration. Some of those things that are potentially going to be caught off into law sometime in the next few weeks, probably through some of omnibus Act through Congress it's not clear truly with the benefit of these initiatives or these laws are gonna be just because there's a lot of suggestions. There's a lot of recommendations around capability. There's water recommendations around improving reporting, embracing things like zero trust, but there's not a lot of teeth. There's not a lot of requirement to do these things.
It's interesting. I mean, there's a couple of statements in this article. One, this is Chris Inglis, the White House national cybersecurity director. Biden's top advisor for cybersecurity said when critical functions that serve the needs of society are at issue, some things are just not discretionary. And he's talking about health. I mean, he's talking about a lot of things here. He's talking about the pipeline, but he's also talking about healthcare, right? He's saying when healthcare is under attack, it's something that we as a country are impacted. We as a community are impacted.
And one of reasons we have a federal government is to protect us from foreign actors who are going to attack us. I'm on record as saying for years it felt like we had the equivalent of aircraft carriers parked off the Atlantic and Pacific coasts. And they were just launching cyber attack after cyber attack.
And it felt like in the case of a physical attack, we would absolutely scramble all resources and do something. Right. But in the case of a cyber attack, we were sort of sitting there going well, is this a, should the federal government do something or is the market going to take care of it?
And are we going to and we weren't really coalescing around this. It would seem, I'm trying to think why that would be. What's the bipartisan aspect of this to protect the country, to protect the citizens, to protect our infrastructure would seem to be bipartisan. Right? We all agree. Now we may not all agree on how. But we should all agree on we pay taxes. We, we don't want our hospitals shut down. But I'm not sure what, and I think this is what you're saying too. There's no teeth, but there's no adopt zero trust. Okay. I mean, every health system I'm talking to says adopt zero trust. And I think the maturity of that looks very different from one health system to another. Sure.
But you know, there, there is a playbook. We can gravitate towards and listeners of this podcast will be very familiar with the playbook I'm gonna reference. And that is when we decided as a country driven by the federal government that we are going to digitize the patient record.
Right. They have put significant and, and I, and I know there's a lot of there was a lot of challenges with how that worked. Okay. And if you did it all over again, you might do things differently, but we went from a point in time when essentially nothing, the patient record was broadly not digitized.
And then 5, 6, 7 years later most of the country had some sort of EMR EHR in place, and yes, we have interoperability challenges and all that, but we are looking to solve that as well, but there was very clear requirements about, there was very clear money available on the table to go help health systems achieved digitization of the patient record. There were very clear requirements you had to satisfy to get some of those funds. And there were timelines, the timeline would go from carrot to a stick at some sort of stage. And you went from piece of legislation that actually did essentially achieve what it was aiming to achieve.
And so I feel like we can learn some lessons from that about how to make, make that better. But in terms of how do you get the whole country to buy into legislation? There is a path here that we can follow. Now it won't be easy to get that, get bipartisan support for that, cuz it know, there's nothing is really particularly easy in a bipartisan fashion within the beltway these days.
But I like to see us put more effort on, on that sort of a program, which definitely would have teeth would have funding and something we would all understand and get. And for the most part, get behind it.
They do compare and contrast the UK's approach to this. And it's, it's, it's he uses some salty language to describe what, what they would've done in the UK, if the Colonial Pipeline had happened there. He essentially says we would've, we would've got them on the phone and said, what the heck are you guys doing?
And we would've torn them to pieces verbally in the media and whatnot. As I looked at this, this, this is interesting back and forth. Happens all the time in terms of we have events that shape how we think about things. And then we adjust. And we, we do this pendulum of we we want a significant amount of government oversight all the way back to you know what too much oversight on this side. We need to move back to more self-regulation and, and that kind of stuff. So it's an interesting balancing act, but I don't know, in his words in the article he still seems a little confused and yes there's, there are absolutely playbooks out there.
And for health systems, the NIST framework is phenomenal and that's what we followed and, and there's a whole bunch of frameworks to follow out there. It's not like, it's not like you have to go it alone. They are. They're helping us along the way.
And the, the 405D team that kind of public private partnership with Health and Human Services and some other organizations, private organizations, they're putting together this whole catalog, a cybersecurity preparedness sort of documentation, kind like of detailed playbook, etc.
For the most part mapped onto NIST controls. So there's, there's no shortage of material to go help a CISO or, or a healthcare organization go figure out what to do but there's not any sort of mandatory requirement to do it. And I think that's where the whole meaningful use initiative definitely helped solve some of that problem.
And I, and I get it. I mean, the whole challenge of the know, do we want more or less government control in these sort of, these sort of situations it's that pendulum will perpetually swing and we don't necessarily always know what the right answer's going to be. And that right answer might change from, from time and time.
But if we don't address this in a structural way, then we're gonna have more Colonial Pipelines. And so we can check our head, we can furrow our brow and accept it, or we have to do something different.
Yeah, absolutely. All right. So have two stories really to close with. One is from Modern Healthcare, will a digital health bubble burst. The other one is Teladoc launches telehealth model for employers. I think both of 'em are interesting. Let's start with the digital health bubble. We both went to HIMSS. Clearly digital was front and center. And people are talking about all sorts of new models.
We heard AI talked about. I actually saw some AI models that are, that are truly AI models and truly making a difference in terms of efficiency and quality of outcomes in certain spaces within healthcare. So I, I mean, I hear people saying what's the hype for this year and it's AI and ML, but I think we, we label it as hype to our own detriment because there's some areas where they're, they're making some progress. But when my gosh, we go to these conferences every year and you see the number of players and you see the numbers. I mean, the, the numbers that is the VC deals going into healthcare is just kind of staggering and continues to set records year after year. And it always brings up that question of do these valuations make sense? And will there be a digital health bubble burst over, over time? You probably talked to some companies, I mean the ViVE event had more startups and more VC there and that kinda stuff. Yeah. Because it was related to the HLTH conference.
And yeah, some of the numbers are pretty staggering that these Hey, we're, we're raising this much for our series series B or series a and you're like, okay, do you have any revenue? It's like, well we're not making a profit yet, but you know, they're look at the potential here and that kind of stuff. Being somebody in healthcare, a lot of times I'll look at them and I go I think I could do what you're doing with this, this and this. It would be nice to consolidate, but I already have those three things in place. So I'm probably not gonna be running down the, the hall to embrace what you're doing.
And I'm not sure, I wonder if VC and the, the money chasing this the digital health world is sophisticated enough to identify the buyers are really gonna pay for what these people are building.
I have the situation where I'm based in Silicon Valley, right. And as a result, I get access to a lot of, sort of these sort of conversations, basically. It's interesting to me cuz you, you see two principal or two main types of companies who tend to get in the digital phase. One is often somebody, a founder with a clinical sort of background who entered the better widget, a better way of doing something, right. Or you have the technologist who looks at healthcare and says, this thing is crazy. Like there's so many, there's so many inefficiencies here. My widget can go solve problems much more efficiently. And I think in both cases, they're probably a lot more right. Wrong. I mean, of course you always have this to what degree is the the, the founder or the, the inventor, the entrepreneur developing a solution for a problem doesn't truly exist.
You, you always have a little bit of that, but one of the things I see too frequently, though, is you might have this capability that the clinician in, or the clinical expert sees like that would be beneficial, or you might have the technology view about might work.
But too frequently, there is a lack of understanding about the business of healthcare. They understand the clinical side, they understand the technology side. They don't understand necessarily the business of healthcare. So and I think that's to the degree where the digital health bubble might burst is there could be a lot of money going in. Capability or technology to a solution, and it's never, it's not a reimbursable event, for example. So it's like, Hey, sounds great. I love to be able to use this capability, but I can't get reimbursed for it. So there's no way it's just not gonna be adopted right. Until you get that changed.
And as we know, that's a very significant challenge. Within healthcare, that being said, we have to also recognize that, just look at. Look at our healthcare ecosystem, look at the, and the names that we think about or talk about, or our friends or our family talk about and think about who those were yesteryear.
All of a sudden Walmart's part of healthcare. Amazon's part of healthcare. Walgreen's a much more substantially part of healthcare. CVS is much more substantially part of healthcare. Apple is trying, so the interlopers, the disrupters are on the sidelines and have in many cases, crept onto the field of play.
And the healthcare total addressable market from a know, from a financial sort of standpoint, hasn't really grown. It's essentially, it's it's largely the same, which means if you are a traditional healthcare provider your ability to service that, that addressable market does diminish because, cause there's other others who are eating that same pie. If you, if you wanna use an analogy. So it's a challenging one. I fear that healthcare needs to embrace digital health. The, the traditional players need to embrace it more because if you don't, we put ourselves at risk of being disrupted from organizations who maybe don't historically haven't known understood healthcare, but you saw evidence of HIMSS of how some booths have really evolved over the last 10 years about their messaging into healthcare and it's like, yeah, 10 years ago, you, you kind of dipped your toe in the water and 10 years later, you're, you're, you're kind of like waist deep now in your healthcare sort of knowledge and your, your capability and your relevancy. So, so I, I kind of feel like digital health is kind of one of the last sort of bastions of the transformation of industries have not gone through that transformation. So I don't think we could stop this wave.
It's interesting. Every time we, we have this conversation. I'm taking back to some of the other interviews that I've done and it's the equation. Payer, it has to benefit the payer, the provider or the patient. And in the payer world, I'll also put the employer. Right. So the employer, payer provider or patient in some way, the reality is the patient's unwilling to pay for anything. So those models where they say, Hey, we're going directly to the patient and they're gonna pay. I just, I just sort of shake my head and go, all right, well, you're, you're creating a new revenue stream because right now, if my insurance carrier doesn't pay for it, there's very little I pay for.
Then it comes down to where can you make in market? And when they, when they say we're gonna get the provider to pay for it. I'm reminded of being a CIO and sitting there going look, we have 900 applications. I'm not trying to add to that, unless there's a significant new capability that you're gonna give me or or or quality improvement or something I'm not looking to add to that number of, of applications.
And so I hear everybody talking about platforms. I want platforms that allow me to do multiple things that I couldn't, I, I don't want to add, again. I don't want to add 10 apps, do something. I'd rather add one platform that has the ability to leverage the data and security model and the architecture for one system to perform 10 things.
This is why you hear people say if Epic can do it, if Cerner can do it, that's how I'm gonna do it. I'm not gonna add another application. And then you go, well the, the Epic solution is only 70% as good as the state of the art solution. And then they just look at you like, yeah, but the cost, the complexity, the whatever. So anyone who's taking on Epic and I think more and more people have gotten outta that game. Anyone who's taking on Epic or one of the established players in there, it's, it's hard to get your foot in the door on the on the clinical application side for that reason.
On that topic question on that topic though. So at some stage I guess we're gonna have this EMR 2.0 sort of event. Maybe we're not far away from it, but is there, can you see a change on that landscape of who could disrupt that? I, I don't necessarily see one right now.
No, I, I think what you is, that's the system of record. And we're gonna, we're gonna layer things on top of it and put a set of APIs on top of it. Maybe even create a whole new a whole new UI UX experience, but underneath it, you're still gonna shove the information into Epic. So shove it into Cerner and maybe those two companies will create the new UX and UI around it. That's more efficient and more internet architecture, if you will, cuz today they're not internet, they're barely internet architecture. You can see it from there, but it's not it's just not, not how it was designed. So no, I, I don't see the 2.0 player and, and where it's, where it's gonna come from today. And the other reason is. You just, you just rattled off a 300 million project. Hey, let's replace the EHR. It's gotta be an incremental replacement that is not a $300 million lift, but a manageable lift. Depends on the size of the budget, obviously, but a manageable lift for a significant return. Otherwise, nobody's gonna be moving away. Like the, all of our devices are integrated into that EHR. Now all of our all of our data workflows are integrated into the EHR.
It's, it's hard to see that, that next move, to be honest with you. Other thing I always think about when I, I see this digital health revolution, and you talked about some of the players and I talked to Rob DeMichei, former CFO for UPMC. When we were talking about the demise of the provider, okay. So this is somebody who is CFO for a significant provider in that market space. And he said, Bill, it's not gonna be like all of a sudden, you wake up one day and somebody put a, a new form of healthcare down the road, and you're gonna start shutting down your hospital. What's gonna happen is death by a thousand cuts.
It's CVS took a little of this. The surgery center took a little of this and they took a little bit of this. And now all of a sudden, you're looking down at your balance sheet and you're looking at your, your operating revenue and your operating revenue dropped and your profit margin just went negative.
And you're like, oh, well, we've gotta do more of what makes us money that, that did in the past. But what you haven't taken into into account is you have a whole new set of competitors yeah. That have essentially created a, an ecosystem that's more efficient than you. Well, are we gonna let the hospital in a market die? Cause that's in a free market economy, that's what happens. It's they die and other things pop up in its place. But you know, nobody wants certain aspects of the low margin, high acuity care. They're only the hospitals are taking that. So if, if you just let the high margin low risk stuff, all go somewhere else you're you're gonna bleed the hospitals dry. It creates an interesting, again, we get back to this what, what's the community gonna say? And what's the regulation gonna say when our hospitals start losing money and they are gonna start losing money because these players when we talk about Amazon, somebody's like Amazon gonna buy a hospital or build a hospital. And the answer is never. Never in our lifetime are they gonna build a hospital. They'll do healthcare but they'll do it very different than how it's done today.
That'll contribute to those thousand cuts.
They will, and they will be, they will be deep cuts. I mean, they're, they're going after the pharmacy business. Well, the pharmacy business is fairly profitable. I'm looking at some of this, the imaging centers get popped up by what a former doctor who becomes entrepreneur sets up imaging centers. So they look at, they, they know it, they're looking at it going man. Every time we do an image, here's the profit margin. And every time somebody comes in, we redo the images. It's an interesting dilemma and I think healthcare is getting beaten up slowly by a, a thousand cuts and we see it more and more. To be honest with you though, you you've mentioned Apple. Apple to me is the exception and the reason they're the exception is they're not trying to make money in healthcare per se. They're still trying to sell devices. Right. They're trying to sell watches. They're trying to sell phones. They're trying to sell services data services and that kinda stuff. They're in no way right now, I think do I see Apple even remotely heading in the direction of providing care in any way. Would you say that's accurate?
I think it's a hundred percent accurate. I mean, Apple's business model is very pure and very clear. They're trying to sell, as you say, kind of small number of core devices and increasingly more services. Now, what one of those services become healthcare related over time? We'll see, and one of those healthcare services be one of those smaller, deeper cuts. We'll see.
I think Apple has a great opportunity to solve the interoperability problem. To be honest with you. They do. I mean, you.
They do. And they have the incredibly trusted brand as well. Right. So they have the very unique, unique space from a business context of being essentially the Rolls-Royce style market most highly valued brand, but also in many cases having the Toyota or Nissan or GM style of distribution. So it's like very rare you find somebody to be the high price leader and then the most dominant player from a, from an adoption standpoint, but they're, they're one of those brands and that, that talks about their prowess and business and the, the loyalty, which with customers hold that brand.
And so the moment they decide they want to get into some of these services. And if they get they're already dabbling in healthcare quite significantly. You can just look at the number of Apple Watches that were at that were at HIMSS and how those watch many cases are being used. It'll be interesting to see what they do.
The other one, I think that's big winner in healthcare right now that doesn't necessarily provide care is Microsoft. Right. So they just sit over there and say you want some SQL services. You want some AI, you want some I mean, we all, we all have contracts with Microsoft cuz you almost have to at this point, but they just provide services in and around healthcare and they'll provide 'em for CVS or Walgreens. They'll provide for Amazon, they'll provide 'em for providers. They'll provide 'em for payers. And so anybody who has a business model like that, that supports the entire ecosystem of healthcare. They're hitting the entire addressable 3 trillion market of players in that space.
I totally agree. And particularly in healthcare where cloud adoption's a little bit behind other industries and Microsoft has a a pretty significant and compelling cloud offering. So you can land a lot of your, your new apps, your new services, or use your existing app for services and land on their cloud. You can see that's they got, they got particularly strong message there.
Let me close with this one. And it's not one we've talked about, but so Meditech is, I think they're the third largest EHR provider. Yeah. They're one of the least expensive to operate. And so you'll see them in a lot of smaller facilities across the country. They now have Meditech Expanse, which is really good for ambulatory clinics and those kind of things. They announced a partnership with Google. And their partnership with Google is about bringing the Google interface to the EHR. Right? So the search capabilities of now, I'm sure there there's gonna be more to this partnership. But anytime somebody says. Hey, we're partnering with Google around healthcare. People get antsy and I saw a couple posts of how could they do this without consulting the patient and that kind of stuff.
And the reality is the, I read the announcement in its entirety. It has nothing to do with data. They're not sharing any data with, with them whatsoever. It literally is bringing their search capabilities to the breadth of medical data that's out there. So you could, again, single box, go in there and say pull up the labs from blah, blah, blah. And the labs pop up. Cause Google is extremely good at organizing mass amounts of data and it doesn't matter if it's structured or unstructured. They're really good at that. So that's what that announcement was about, but still Google struggles from this. Anytime they get anywhere near healthcare, people think they're going to use that data for evil. I remember they used to be do no evil was sort of their, their thing, but now they it's almost, they're assumed to be evil from the get go. It's kind of kind of a tough situation for them.
Well, I think the other factor that, that people think about too with Google and healthcare is they have this kind of fast fail mentality. That's kind of the ethos, ethos of the company, and they have fast failed in healthcare a few times. Right. They've they've done some pretty significant initiatives or kind of entered it and then, but they were didn't last very long. Right. So I think. It's easy to look at this one and get jaded and say, okay, here we go again. But I think you're right. This is a little bit different in that they're bringing the search engine, which the significant part of the world uses uses is comfort with understands and they're bringing it to bear within that Meditech environment. I think it's a great partnership and one that I mean, quite a coup for Meditech really given that they are the third player in this marketplace and generally does tend to work in a more kind of smaller to medium critical access style hospitals. I think it's a great capability that they're bringing to their customer base. And one that I think would do them a lot of favors. And I think the customers, customer base really like, and probably is not as vulnerable to sort of that cynicism, which we can understandably associate to Google in this space.
And, and I talked to some people from Meditech and they were talking about the agreement specifically and, and the protections that are in there in terms of the data. And they Google just doesn't have access to the data. I'm not sure how it works, but I guess they somehow embed their appliance within it, it scours all that stuff. And that, that information never goes up to the cloud up to Google. It's sort of, it's sort of built into the EHR somehow. So very interesting. Ryan, Hey, I want to thank you again for coming on the show.
It was great to get your feedback on HIMSS and the, my gosh, the, the events that are going on, even as we speak in the cybersecurity world. Fantastic to catch up with you.
I enjoyed it. Thanks a lot. Talk to you soon.
What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to show just like this one. It's conference level value every week. They can subscribe on our website thisweekhealth.com. They can also subscribe wherever they listen to podcasts. Apple, Google, Overcast. You get the picture. We are everywhere. Go ahead. Subscribe today. We want to thank our news day sponsors who are investing in our mission to develop the next generation of health leaders. Those are CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst. Thanks for listening. That's all for now.