June 20, 2022: Drex DeFord, Executive Healthcare Strategist at CrowdStrike joins Bill on Newsday to talk about the economy, cyber labor issues and cyber liability insurance. We explore options for how a health IT leader can prepare for a down economy. While we have to brace ourselves for a slowdown in healthcare, agility will be essential. The Federal Reserve raised its benchmark interest rates three-quarters of a percentage point, its most aggressive hike since 1994. New research suggests nearly a third of cybersecurity professionals are planning to quit the industry, at a time when companies are struggling to protect their networks from attacks. How can healthcare or any system with confidential documentation survive with an impending catastrophe? Sophos observed that as healthcare ransomware attacks increase, organizations are struggling to obtain coveted cyber insurance policies. How is this survivable? How can we protect our servers and patients? Is self-insurance the only answer?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
An interest rate hike is one of a hundred gas pedals and brake pedals that are used to try to manage the economy. And they're not usually immediate levers. Doing this doesn't immediately cause a change or cause an outcome that you necessarily want. And as with all things, there are always unintended consequences.
Thanks for joining us on This Week Health Keynote. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. Special thanks to our Keynote show sponsors Sirius Healthcare, VMware, Transcarent, Press Ganey, Semperis and Veritas for choosing to invest in our mission to develop the next generation of health 📍 leaders.
All right. It's Newsday and Drex DeFord from CrowdStrike is in the house. Drex. Welcome to the show.
Thank you. How are you?
I'm doing better than you. I'm not in a hotel room. So you are you're traveling. Where, where do we find you today?
I am in St. Louis, Missouri today, and I had obviously a lot of presentations and a lot of stuff going on yesterday and last night. So my voice is also a little funky today. That's OK.
Plus St. Louis is amiss a 12 day heat advisory, and it's unbelievable. And if I used to live in St. Louis and people are like, oh, and now I live in Southwest Florida. And they're like, oh man, Southern Florida, the heat must be horrible. I'm like not half as bad as it was in St. Louis St. Louis heat is, I mean, the thing people don't realize is St. Louis is surrounded by rivers. And so when it gets really hot, it just evaporates the water and makes it a complete sauna.
Super humid. Exactly. Definitely feels a little bit like a sauna.
Oh man. Well better you than me. And I don't wanna offend my, my friends in St. Louis. I like visiting, but I also, like, I like leaving before the summer hits
we're gonna talk about the economy. We're gonna talk about cyber labor issues, cyber liability insurance, because I did a today show and twice in the today show I. I'm gonna have to talk to Drex about that. So I think people are gonna expect me to talk to you about it, even though I, I did a today show on it.
I wanted to touch base with you on it. Right. I wanna talk about the economy.
Big news in the economy yesterday fed raised the interest rate and we're gonna tie this back to health. It, in fact, I think the opening question's gonna be, how does a bad economy impact healthcare? And then how does a bad economy impact health, it, health, it budgets and vendors and sales within health.
It, so that's where I think I want to go. Cause I think that's what will interest our listeners. But just to, just to set it up 75 basis points percentage point, point 75 percentage point increase in the benchmark interest rate. The new target by the end of the year is 3.4%. They see the rate rising in 2023 to 3.8%, by the way, they're, they're wrong, like 90% of the time, but I'll read.
I'll read essentially. What, what in this story I got from CNBC 20, 22 growth outlook. Cut officials are also significantly cut their outlook for 2022 economic growth. Now anticipating just 1.7% gain in GDP down from 2.8% from March, and they are strongly committed to a 2% inflation goal. This is why they're raising the rate and the rate does slow down the economy.
It's just, it's just what happens. The current I think the last report had interest or I'm sorry, had inflation rate at 8.6% in its multiple quarters of 8.6%. That's why the pretty significant move of points of five basis points. But this is not an economics lesson. It's just essentially.
To fight inflation. You have to reduce the amount of money flowing through the economy. And in order to do that, the best way to do that is to increase the cost of money, which is what an interest rate is, is the cost of money. And which means there's gonna be less borrowing. There's gonna be less buying of houses.
There's gonna be less buying of capital equipment. There's gonna be less expansion in the economy because the cost of the cost of things is gonna be. The cost of money to invest is going to be higher. Therefore the cost of goods ends up going lower because the demand for those goods goes down. So
I like that. I like that economic lesson. That's that's pretty good.
Well, thank you. If you could send a note to my dad, that would be great. Cuz I have my degree in economics and I use it. I use it so rarely actually I use it more sitting around with friends, talking about it. Than anything else.
Yeah. The, the one positive here is the job. The job market has been a point of strength in the economy through may 390,000 gains was the lowest since April 20, 21. Average hourly earnings have been rising as well. So and we're gonna talk about we still have labor shortages and we will always have labor shortage, even in a, in a strong or weak economy.
If there's, if there's high, unemployment or low unemployment, we still have. Gaps in some key roles. All right. Let's, let's talk about how the economy impacts healthcare. I I'll start with this. People are like, well healthcare is pretty immune to the overall economy and to a certain extent that's true.
I mean, if you need heart surgery, you, you go in for heart surgery, but if you need an elective procedure, As we learn through COVID when the elective procedures go away, the finances for health systems get hit pretty dramatically and not all elective procedures are elective per se. I mean, some of 'em are pretty critical and you do 'em and you do 'em no matter what, cuz they're but a bunch of 'em are.
Are just that they're elective. They're things that people put off. They also put off going to their primary care doctor. They put off going to their dentist. They put off those things. When you don't have money, you or when money gets tight, you tend to put those kinds of things off. We, as an industry run at.
In good years, we run at three and 4% margins and bad years we run at negative margins. Not everybody. I mean, the Mayos of the world are at 10% and the Cedars of the world are at 10, 15% margins, but those are the academic medical centers with a great degree of specialty and those kinds of procedures.
But the average hospital. Could see that 2% easily turn into a negative. And when that happens, then we start having those discussions. Don't. It's what are we gonna do to stem the tide? These, these downturns in the economy don't last forever, but while they are here, we have to make sure that we're not we're not losing money.
What, what do those conversations look like? And how does a health it professional? Let's start with the health it professional. How does the health it professional prepare for let's start with the leader. How does the leader prepare for a down economy?
I think the other thing to think about in all of this is that these things like a rate hike. An interest rate hike is one of a hundred gas pedals and brake pedals that are used to try to manage the economy. And they're not usually immediate levers doing this doesn't immediately cause a change or cause a, an outcome that you necessarily want. And as with all things, there are always unintended. Consequences with things like rate hikes, combined with lots of other things that are happening in the economy and in the world right now. So this isn't a one lever machine. It's a multi lever machine. And like you said, the, the idea that they. Get this a hundred percent right. Out of the gate and they know exactly what would happen, what's gonna happen.
Just isn't real. So we, we don't really know if it's gonna cause a slowdown in health system, acquisition, health system investment in digital health or in cybersecurity or annoying all the other things. So I, I think that what you do as. Leader in health system is put yourself in the best position possible to be as agile as possible.
That probably should be a rule all of the time. Sometimes you ease up a little bit when the economy is running well, and it looks like it's gonna continue to run well for a while. And that you've got a predictable income stream and that, you know what your your profit percentages are gonna be.
And that you have good relationships with your bank or your bond issuers. And so you can, you can manage the flow of cash. Pretty well. But you should always put yourself in the position of being really agile and that is be thoughtful about your commitments. Don't over commit.
Don't under commit though. There are things that you kind of have to do to continue to make sure that the plant works and I would go back to sort of cybersecurity and infrastructure and things like that. When you get behind on those. From a Maslow's hierarchy of needs perspective, those baseline lower level investments that make the machine run.
Once you get behind and you get into technical debt, it's really hard to get out of it. And it becomes a a real millstone around your neck when it comes to doing anything else that's innovative or creative. So I think it's. Mind your PS and QS and make sure that you have a good governance process and that you're being very thoughtful about the investments that you're making, but continue to make investments because you kinda have to do that to make a business run.
Yeah. It's I agree with you, agility is key going into these markets. I disagree with you that. This can go any direction. This is clearly gonna be a down economy. There's there's there's we're we're raising interest rates into a slowing economy. You raise interest rates into a roaring economy, not a slowing economy.
And when you raise interest rates going into a slowing economy, it will slow things down. We also have a regulatory environment where hospital acquisitions is harder, so we're not gonna see. Health systems struggle. They're gonna have to figure out a way to get through it because there's not gonna be like some white Knight coming in and buying it private equity may.
But I don't think we're gonna see large health system acquisitions. We'll see strategic acquisitions continue. Sure. With that's being said, and we could disagree on that because Hey, the people in CNBC are right and wrong, 50% of the time. And Warren, Buffet's a bajillionaire because he's right.
75% of the time. So. the economy can go in any direction, but agility is key. I would hesitate from long term commitments to capital at the, at this point. So the shorter term contract, this is why cloud contracts make sense, right? So shorter term contracts that have renewals that can scale up and down as the size of the organization.
Is is going up and down. This is one of the reasons I've fixed infrastructure is I, I think an old model. And more cloud, one of the things about cloud is it's, it's leasing the infrastructure. Sure. And, and so you can grow and you can come down with it. So I like that.
Well, it gives you, it gives you a very predictable Expense model too. Very often when you're doing capital investments, buying things, putting stuff in your data center, for example, that stuff lasts for five years and then you have to replace it. So there are these big bulk purchases that have to happen on a regular basis when you're doing cloud investments or subscriptions software as a service those kinds of things, it creates a very predictable outlay of cash that you know is happening on a very predictable basis, which CFOs and treasures are fund of predictability.
I loved your point though, on tech debt, one of the things you have to do is you have to protect that the refresh cycle on equipment and a lot of, a lot of health systems leaders, health, it leaders. Fail to do this and you fail to do it on the desktops. You fail to do it on the switches, the routers software, certain software agreements require upgrades and that kinda stuff. We definitely do it on the medical device side. And if you don't protect that tech debt is, is at some point, you gotta, you gotta pay the toll.
You're gonna go through that toll. And I remember when I came in as CIO and our toll was. I don't know, like it was a lot, it was, it was in the hundreds of millions. It was not, not a small amount over 80% of our equipment in our data center was end of life.
Yep. Exactly the same situation. And it creates a sign wave, right. It creates an expenses wave that is very hard ultimately to flatten out. So you have to spend a hundred million, this. And then you only get 10 million. I mean, just making these numbers up, you only get 10 million the next year and the next year. And then maybe you have a another hundred million year, and that is really tough for your finance people to figure out when are when and what are we gonna do?
Cuz they're pulling levers too. When are we gonna, when or what are we gonna do financially to see if we can get the money that we need in that year? And if we can't, then we have to push the sign, wave to the right, which tech debt just makes it worse. And and. Even when it's capital investments that you have to make, because you're in a building and you have to do some of these things. You still have to figure out how to flatten that sign wave to make it predictable for your finance folks.
I agree. It is hard to do, and it's something you need to do. Because that, that predictable expense maintenance expense of your, environment is something that the CFO crave. So you gotta work closely with the CFO and yeah.
Yeah. One of the things we did is we put everything on a on a life cycle. So you buy a, a router and we said seven years, no, we said five years. Access points were two or three years. And desktops were seven years cuz we went to thin clients. So we put everything, everything we bought.
We said seven years, five years, three years, that's the life cycle. Yep. And then we had the, then we had the replacement cost and then I went to the CFO and I said, all right, you want you, your desire is to have predictability. My desire is to make sure that we don't have tech debt. And so what she was able to do.
Every year we'd go in and we'd negotiate. And they'd say, man, it spends a lot of money. Boy, you guys spend a lot of money and I'm okay. Negotiating on, Hey we're not gonna do this. We're not gonna do this. And that's a topic for another day. But one of the things that she was able to do was get everyone to agree.
Because even the, the hospital presidents and everybody was like, Hey, this equipment, can't get this old. I have trouble with my staff and getting things done and outages and and employee satisfaction, whatever, when you do this. So we gave them the, the method is life cycle management. We're gonna take this part of the it budget.
We're gonna put it over here under building maintenance. Like it cannot be touched. Yeah. And now we can negotiate the rest of the it budget.
Yeah, totally agree. Did exactly the same thing. There is an infrastructure maintenance cost center. That is a, non-negotiable largely predictable because if what's in your environment and you can predict a life cycle, you can predict the cost to replace those things.
And that is a pretty solid piece of budgeting that you can do. For a pretty good period of time. I mean, you can know over the next three or four years with pretty good accuracy, what you're gonna have to spend on just replacing stuff that you have now at the same time, you're looking at a lot of other options, too, right?
When we were in the PC world and everything was about replacing PCs, that was our budget. But at some point we started messing around with BDI and we had a different set of expenses. We were able to take the PC expenses out largely because we were able to place those, replace those with zero clients and other technologies.
And so the technology changes over time, but that core piece of the set budget around tech debt avoidance is predictable. And you can do a pretty good job of protecting that because everybody understands it. It's just the rock that everything else is built on.
Yeah. And, going into a down economy, the other challenge is holding onto your best employee. Right. And so you, you always have to be, you have to be cognizant of your staff. the people that are required to keep the thing running and running effectively, and you have to, you're always taking care of your entire staff, but there's, there's certain people that you look at and you go what, if we lose that person, that's a significant workload that we're gonna lose significant knowledge base.
Maybe even history of the environment that's required. Yeah. And it's so important to keep your eye on the culture, keep your eye on the people and have those conversations. I realize that that's true at all times. It's more acute during a down economy.
there's a lot of empathy in this, right? I mean, for sure, all the things we're talking about that you have to deal with as a leader in your organization are the things that your employees, as the leaders of their family are also dealing with. They're dealing with their own versions of tech debt and house maintenance and car repairs, and cos on insurance and all the other things too.
And so you do, you have to be, you have to be very thoughtful about all of that, your stress as an organization, your team. Stressed on behalf of the organization doing that work, but they've also got their own things that are dealing with in their personal lives too.
📍 📍 All right. We'll get back to our show in just a minute. I want to tell you about the podcasts that I am the most excited about right now that I am listening to, as often as I possibly can under that is the town hall show that we launched on the community channel this week health community, and an Arizona Tuesdays and Thursdays. What I've done is I have essentially recruited these great. Hosts who are coming in and they're tapping people in their networks and having conversations with them about the things that are frontline kind of stuff. So it's, it's technical, deep dives, it's hot button issues. It's tactical challenges. it's all the stuff that is happening right there. Where you live on a daily basis. We have some braid hosts on this show. We have Charles Boise. Who's a, data scientist, Craig Richard, bill Lee, Milligan Reed, Stephan, who are all CEOs. We have Jake Lancaster Brett Oliver, who are CMIOs. We have mark Weisman who is a former CMIO and host of the CML podcast. And now a CIO. At title health and we also have the incomparable sushi shade who is fantastic. And I'm really excited about the fact that she's tapping into her network and having some great conversations as well. I'd love for you to tune into these episodes. I am learning a ton myself. You can subscribe on our community channel this week health community. You can do that on iTunes, on Spotify. On Google on Stitcher, you name it, we're out there and you can subscribe there and start having a listen to yourself. All right, let's get back to our show. 📍 📍
let's touch on one topic before we go. So partners and vendors who are out there selling solutions to healthcare can they expect smaller budgets, harder to get in there and talk will new projects be harder to have discussions around and those kinds of things to be honest, I wasn't a CIO during a down market.
I mean, I've been in down markets and other things, but in healthcare from 2011 until I left. It was, it was a roaring economy. So it's I'm not sure how it would impact the vendor partners and how they look at it. What are your thoughts?
Yeah, well, I wrote through the downturn in 2, 2, 9, the turn around happened after ARA, but it was a very different if there comparison to that down economy. It is just in the kind of goes back to that, have a good governance process and make sure that you're being very thoughtful about the investments that you're making. And I think it's just a lot of this is, it depends on the organization that you're talking to in this, in the situation that they're in.
Organizations that have done a good job managing their money and have a good ward chest tucked away may continue to make investments, maybe not at a super aggressive rate, but they'll continue to make investments for smaller organizations who may not have. Those war, chest belt built up.
I think there's a lot more conversation for them internally around every investment that they're gonna make. And they're gonna make some really hard decisions between investing in facilities or buying new capabilities for analytics or something like that. So I, I imagine that for the vendor partners, there will be a bit more of a challenge. For the next little while. We'll kind of see how it plays out.
I think they have to be more discerning. I think they have to be more discerning in terms of where they spend their time, where they spend their money if I were talking to partners today. But the other thing is I think that the message has to be honed to be closely aligned to the strategy.
Of the health system organization. And to understand that one health system's strategy is not the same as the next. It's the next. Yeah. You do wanna spend time with them talking to them, understanding what they're doing. If you can get that, that ability. The other thing is I, I interview CIOs all the time and from time to time, somebody will say, how do I know the CIO strategy?
If he won't gimme a meeting, I'm like before I interview most CIOs, I just go out there and. Google and find like 10 interviews they've given and yeah. Before and that's how I sort of prepare for an interview. And I thought if I'm the salesperson and I I've been given X account, if I've been given, well, I don't wanna take a large one, but if alright, if I've been given Providence, I can find 20 quotes or 20 interviews of BJ.
Sure. So if you wanna know, I just BJ Moore, but you can also see stuff from the CEO, from the digital health officer, from the chief nursing officer every health system. Files and annual kind of community benefits report. There's tons of great stuff in those reports that tell you about where the organization's going and what they believe in what they find to be the biggest challenges and the work that they're doing.
All of those things are great clues to, to help you understand is the thing that you are trying to sell a thing that helps them solve a problem. And you might have a much better chance if it's a stated problem that you see in two or three or four of these locations, even if you can't get the meeting to, to kind of have the in depth discussion at the executive level, you can definitely go into it. Talking about how you're solving problems that they're claiming they have.
All right. Let's hit, let's hit a couple of these things here. So bad news, the cybersecurity skills crisis is about to get even worse. Oh, thank you for this story, Dr. Here. This is, this is such a tough problem already. So nearly a third of cybersecurity workforce is planning to leave the industry in the near future.
New research suggests leaving organizations in a troubling position. All right, so let's take a look. Cybersecurity firm Trellix Reputable commissioned a survey thousand cybersecurity professionals globally, and found that 30% are planning to change professions. Now it's important to note that Trellix is multi-industry so they picked a thousand it's global.
It's not us, and this could be any, any number of industries, but they're essentially saying that a, a fair number are looking to leave as for cybersecurity workers themselves. Those who plan on leaving the profession are doing so because they feel underappreciated. And unable to grow in their roles, a lack of clear career path, 35%, a lack of social recognition.
I'm not sure what that is recognition in the role, or I guess, and limited support to develop their skills were cited as the top three frustrations pushing security workers to quit. Wow. Well, this is your area. You're you're with these. These are your people. You're with them all the time. Does that resonate with you?
And I think that one of the things that's kind of tied into all of that is especially in healthcare, we talk about clinician burnout and the under appreciation by the community, you know in the time of a pandemic community continues to go off and do things that causes surges in the hospital. And you hear nurses and doctors and others say you.
People just don't understand what they're doing to me. I think that same kind of feeling. Washes over the cybersecurity team. They feel like look, we're saving our organizations every day. We're blocking thousands of attacks. There are new zero days that feels like every day there's patches and exploits that have been created.
In software that we run, that we have to, and it's not just the security team. Right. But it bleeds over into the it team and desktop team and others who are, are going out and applying all these patches and making sure that all these updates are done guarding and monitoring the internet of things, stuff.
So I mean, they feel, I think in a lot of ways they feel underappreciated people people. don't Regard them as the heroes that I think a lot of them are because of the kind of work they're doing and the way that they do keep critical infrastructure up and running. And in that whole situation, you can imagine there's a lot of them that are frustrated or think about thinking about doing other things.
But we read the same kinds of stories about clinicians and nurses too, that are thinking about leaving the field and going to do something else because they're They're burned out and they're underappreciated. And I just think that's a lot of the kind of world that we live in right now in healthcare.
And back to the leadership conversation we had earlier, you have to be very thoughtful and careful and empathetic and spend time with your team and understand what's happening and try to figure out how do you help them through that? There's not one good answer. There's a good answer for every individual.
It takes a lot of time from the leader, which is also gonna lead them to have a little bit more burnout too.
So I'm gonna give credit here to David Baker. David Baker used to work for me. And he was the, we called him the VP of experience anywhere where we, where it intersected with a customer, he was in charge of that.
And in charge of that experience. And so that could have been internal clients could be external, and he did a lot of those things. He went on to be CIO he's CIO at Pacific dental. We've had 'em on the show a couple times. Brilliant guy loved the way he thinks. And one of the things he came to me with this plan at one point, and he said, bill, we've gotta tell the story.
Of how all the great things that it is doing to the rest of the organization. I said, work with marketing. He worked with marketing for a year and he came back to me and said, this is not working. I said, all right, what, what do you propose? He goes, I'm gonna hire two roles. I'm gonna give 'em titles. That don't reflect what they're doing, but here's what they're going to do.
This is the kind of stuff that goes on. I'm not a CIO anymore. People can't go. I can't believe you did this. So we hired two people who were essentially marketing communications people into, into it. They reported into his team and they came up with this framework. For not only engaging the organization really well with communication for every project.
And so his team was the front end for every project we did out into all the ministries hospitals, ministries, hospitals depends if you're in Catholic healthcare or not. So. So they were the front end, but the other thing they did is they started telling our story around the organization and they started highlighting the great work that the it staff was doing and whatnot.
And it's interesting because just that work that he was doing, we saw the survey results around it and around our support and stuff, we saw them all tick up a significant amount and I'm like, You know what a lot of it is just awareness. It's like, man, these people are working hard. They're doing, yeah. That's that, that new PC on my desk was didn't just happen. That new software, that new tap bad in badge out didn't just happen.
Nobody ever says when they pick up the phone and it makes that noise, man, those guys are doing a good job. Every time I pick this thing up, it makes that noise. Right. There's work that goes into that. And so I I'm totally with you, man.
Like the whole thing of like, you're it. And you're CIO and you're some kind of your own. Quarterly reporting or annual report to the organization. The other thing that I I have worked with a lot of great health systems too now and other organizations, we're all walking around with a TV studio in our hand, our phones and it's so easy to win.
Something is going well, or you're talking to someone and they're sort of evangelizing for. Break out that phone, record that one minute and put that on an internet page or something like that. All of those things are, even though you may be doing this stuff for the outside audience, from the department perspective for the outside audience and the organization, it's what your internal team will also get.
That feeling of appreciation that somebody is noticing all this hard work. They do understand what I do. And we are trying hard to explain that to everybody else. I'm not laboring over here, sort of in a, in a dark room and nobody knows how hard I'm working. It's it is a lot of it comes back to appreciation and helping others appreciate the work that you and your team are doing.
Yeah. And the good CIOs know this and some of whom I have to say, Hey, here's one of the benefits of coming on the, this I'll show is when we do a show, let's say we do a show for Cedars. All of a sudden our number of listens ticks up in Los Angeles. Or if we do one for Mount Sinai, all of a sudden our number of listens ticks up in New York.
You know what that is? That's the internal staff at Mount Sinai. Going in to see what the CIO's having to say. And I, I tell them, I'm like, this is another way to get your story to your staff. They're gonna see the clips out on social media. They're gonna, and, and they're gonna, and a bunch of 'em are going to download.
And some of that they think is self-serving and I'm like, some of it is self-serving clicks and listens do help this week health, but on the flip. It's self-serving for you too. Cuz you can get the message out of the good things you're doing
and you get to brag on your own team too. Yeah. I mean this is a team sport and if you, you love what you're doing and you're talking about the things that you're doing. I mean, always talk about it in the sort of construct of we, we are doing this, we are doing these kinds of things. My team is doing this and I know all the good ones do that.
But. Believe me, your team appreciates it when you talk in those terms, because they know you are talking about them. It is a great, it is a great opportunity to publicly recognize all the cool people, all the great teammates that you have that are helping you accomplish the.
Rex, we're out of time. I'm gonna do the cyber liability one. Cause I'm hearing this more and more. Okay. I only have you on the show once every six weeks. So SOFOS did the same kind of thing. Surveyed 5,600, it professionals including 381 in healthcare about cyber liability. The report found that 66% of surveyed healthcare organizations were hit by ransomware in 2021. That seemed like a big number to me up from just 34% in 2020, about 61% of those taxed resulted in data encryption.
So 61% of the 66% resulted in data encryption survey results also revealed that healthcare was the most likely sector to pay ransom just over 60% of respondents who experienced encryption admitted to paying the ransom are Are health systems. And I think the question I wanted to ask you here is are health systems getting in front of this and, and deciding we are going to pay the ransom ahead of time, or is this one of those it's getting locked and they sit around and go, we've gotta make this decision. What are we gonna pay it? Or are we not?
Yeah. I, I think that again, the answer is, it depends. Different organizations handle this in different ways, but I would definitely say to you have an incident response, retainer use some of those hours to do things like tabletop exercises, where you can work through a lot of these questions you don't want to have to make. Decisions about these things in the heat of the, in the moment.
That's, that's crazy to do that.
Think about it in advance. Think about what some of your options are, what you would do, how you would react, do it with a partner who sees tons of incidents like this happen every day. Every week so that they can give you really good scenarios and tell you what some of your options are.
And and what others do. I mean, all of that is good. Coming from the military background, we exercise exercise, exercise, and we did that because in the heat of the battle you want this. to Even though it's a completely abnormal thing you want to, to, you want it to feel as normal as possible so that you're not panicking in the heat of the battle.
And that's what a lot of incident response, retainer, incident, response exercises, outage exercises, those kinds of things, put you in a position that you're not panicking when they're happening. And a lot of the things that you can pre-decide and pre-build. LIKE How do you wanna talk to the press and all those kinds of things, you have, all of those things done ahead of time.
They're sort of a pull out of the box and execute that we're going with plan a and that's what you're gonna execute. So it's definitely a thing you wanna plan in advance. You don't wanna do it in the heat of the moment.
All right. It goes on to say, in addition to the challenge with obtaining coverage, 51% of the respondents said that the level of cybersecurity needed to qualify is now higher.
And 45% said that the policies are now more complex. That's almost the market. Yeah, definitely. Yeah. So the market's almost working here, right? So it's like, Hey, you know what? We've been ransomed a bunch of times the cost is going up and they're sitting there going. look We're not just gonna keep paying these things out over and over again.
Here's what we're gonna do. We're gonna make sure that you have some good procedures in place before we write this insurance policy. almost is working that you now have a big brother behind you as you go in, and if you need. Good pushing you to have
a better cybersecurity program. Yeah. I mean, bill, the, the reality is, and I don't have these numbers exactly. Right. I'm sort of pulling 'em out of my head, but in 2019 cyber liability insurance companies, for every dollar they collected, they paid out 47 cents in claims. And by 2020, for every dollar they collected, they paid out. 69 cents in claims.
Now that still sounds like a great profit margin to us in healthcare, but it's not a winnable game in the cyber liability insurance world. And as you can remember, like back in the beginning, basically you got a piece of paper, it said, do you have a cyber security program? And you said, yes. And they gave you insurance.
And as they continued to sort of pay and pay and pay and pay, I mean, in some ways I'm not blaming cyber liability insurance companies, but their willingness to pay has ultimately created a situation where now. They have to think very carefully about this. These are math people. They are looking at, what are the odds that we're gonna have to pay.
Some of them decide they're gonna completely get out of this business. And they don't offer cyber liability insurance at all for the ones who continue wanna do this rates have gone up, deductibles have gone up the limitations of the policy and what they will, and won't pay has been narrowed and the amount of questions that they ask clients.
To make sure that they are incurable has kind of gone through the roof, these addendums that they have now to their policies, the questionnaires can be pages and pages long. And basically you're also signing in a testing to all of the things that you are saying yes to on there. They may ask you to explain, they may ask you to provide proof.
And if you ever get into an incident, they're gonna wanna be very involved in that. The result of that has been that some organizations have not been able to get cyber liability insurance. And for those who have gotten cyber liability insurance, they probably reduce their coverage and increase their deductible.
And they realize they're gonna have to live with those limitations. So it's become a much more challenging world for he. I think in the past year, year and a half, I have heard way more health systems say they're gonna self-insure they're gonna create their own captives and they're gonna essentially create their own sort of insurance program to be able to cover them for cyber liability insurance.
But it's tough. It's, it's a lot harder than, than it's ever been. And it sort of drives you to, if you don't have a good cybersecurity program, you're gonna have a really hard time getting any kind of coverage. It's. It's not the good driver discounts are kind of gone in this. You have a great program and you can get insurance, but having a great program, doesn't give you like some super great discount anymore.
It's just sure you can get insurance now. So, so it's tough. And I think this'll be a pendulum thing where it'll swing really hard one way, and eventually, maybe it'll start to swing back, but we'll see, it's a weird world that we live in when it comes to cybersecurity. Adversaries and the way that they have been super innovative in attacking healthcare
Drex as always great to catch up with you and thanks for coming in after that late night, last night, I can only imagine how hard you guys were working.
Thank you so much, bill. I appreciate it.
What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to show just like this one. It's conference level value every week. They can subscribe on our website thisweekhealth.com. They can also subscribe wherever they listen to podcasts. Apple, Google, Overcast. You get the picture. We are everywhere. Go ahead. Subscribe today. We want to thank our news day sponsors who are investing in our mission to develop the next generation of health leaders. Those are CrowdStrike, Proofpoint, 📍 Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst. Thanks for listening. That's all for now.