May 16, 2022: Ryan Witt, Industries Solutions and Strategy Leader at Proofpoint joins Bill for the news. It’s not as obvious as it once was, who the next round of CIOs will be. Has the role changed? Is it becoming more operational? Is it still desirable? How can we develop the next generation? Mental health apps have worse privacy policies for users than most other app categories, according to a Mozilla report. In a rare show of alliance, Apple, Google and Microsoft have joined forces to expand support for passwordless logins across mobile, desktop and browsers. And Apple has spent decades building its walled garden. Is it starting to crack?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
Healthcare is a laggard when it comes to digital transformation but they're definitely going through that journey right now. So there's a significant investment in how do we reshape our care models? How do we embrace digital from online or home health or telemedicine? However you want to frame that up in terms of enhancing and augmenting our care provision.
It's Newsday. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. Special thanks to CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst who are our Newsday show sponsors for investing in our mission to develop the next generation of health leaders.
All right. It's Newsday and we are joined by Ryan Witt with Proofpoint, the man behind the healthcare strategy for Proofpoint. Ryan, welcome.
Bill, good to be here. I always enjoy these conversations.
We're going to look at three stories, one concept. And we're going to look at the CIO roles that are open. And some of the talk about that. We're going to look at privacy specifically around mental health apps. We have two Apple stories, one that's specifically about Apple and the other Apple happens to be related to, and it happens to be in the security area, which I always love talking to you about. Let's start with CIO roles.
Okay. This isn't a story per se, because outside of the TMZ of healthcare, which is HIStalk, I'm not sure where you would find this, find that story, but you have the Ascension CIO, it's been confirmed to me, has stepped down. So that's a significant role that's open. The CommonSpirit CIO role is open. I've talked to some people who have confirmed that the recruiters are looking on that one.
We have Nebraska Medicine just announced this week. Brian Lancaster has taken another role to get closer to family. And that job is open, University of Nebraska academic medical center. So that's an interesting role. And then we have the CIO is stepping down as well, another academic medical center out of North Carolina.
And I'm sure that's not an exhaustive list. I'm just, these are the ones that are top of mind that my network has been talking about recently. And a lot of times I get the call, hey, do you know of anybody that might be interested? And it's interesting, because it got me thinking about the role and it got me thinking about our work over here to train the next generation of health leaders.
And I wanted to have a discussion with somebody. You happen to be here. So you and I are going to have this discussion. It's not as obvious as it once was, like, who the next round of CIOs are, who are going to step into these roles. Has the role changed? Are we not developing the next generation? Or are there other things I'm not looking at here that doesn't make it, the reason that it's not obvious who the next generation are, that's going to step into those roles?
I think it's a combination of factors. Certainly in much of my time for healthcare, particularly when you engage with health IT staff executives, the CIO was deemed to be the pinnacle role. That was the one that everyone's aspiring to at some stage in their career.
It's not the pinnacle anymore. Is that where you're going to say?
Sure. It is I'm not sure people see it, that.
I think I agree with, well, there's a lot of other roles now. Right?
There's a lot of other roles that I think have a lot of appeal. If you just look at kinda around the IT executive suite, I mean, some would argue the CISO role and the importance that cybersecurity and the posture brings to an overall health system, that has graduated into becoming a board-level role, or certainly a role that reports to the board very frequently.
They're being asked to consult very regularly on like what's going on on the current cyber security landscape and tell us how we're impacted if at all. I mean, I just can't tell you from my standpoint, how frequently I've spoken to the industry about what we know about Ukraine and Russia from a standpoint and that's just like broad briefing update.
So the CISO role has elevated. It's now board-level conversations. It's the CISO's actually there, because in our case, a lot of times it used to be the CIO giving the CISO's report to the board. And that's not the case anymore.
Not the case anymore. Healthcare is a laggard when it comes to digital transformation, but they're definitely going through that journey right now. So there's a significant investment in how do we reshape our care models? How do we embrace digital from online or home health or telemedicine? However you want to frame that up in terms of enhancing and augmenting our care provision. And a lot of times those initiatives are being led by chief digital officers, chief innovation officers roles.
But I think now are dedicated to these activities, but I think used to, or historically were, kind of housed under the CIO role previously. And I think those are, for the lack of a better way of putting it, that's probably the more interesting, innovative part of that CIO role, and all of a sudden that part potentially has moved away, or has moved away.
And I think lastly, when the role is really exciting is when we went through our last phase of transformation, or the whole meaningful use digitalization and the patient record of the EHR, and that CIO played this pinnacle role, driving the health system from essentially a paper-based system to a digital system.
And had this kingpin position, made a lot of strategic moves and investments and helping the health system embrace this new way of recording the patient record. But I think now that that role has moved into an operational role, or we're moving into a 2.0 EHR role, which again is an operational sort of transformation role.
So I just wondered to what degree the role has the appeal that it used to, even though it's still, in title, in many cases in reality, the pinnacle of the IT organization within a health system, but there are also probably other roles that I think are equally interesting or maybe have greater importance.
It's interesting because the Ascension role, Eduardo Conrado is the chief digital officer, came in from Motorola. But he's on that executive team. When we go to JP Morgan every year, when I go to JP Morgan every year and listen, he's up there on that board. He's one of the few, if I thought about it, he's the only technology and digital person who I've seen at that outside of John Halamka. John Halamka went there for Mayo as well.
And those are the only two I can think of. Everybody else is the CEO and the CFO. Right. You can get to that group. And so he's very much a part of the strategy that Ascension is moving forward, and the CIO reports into that role. And I think they actually, and I'm not even sure what that role or title is for Eduardo, but I think they've actually gone out and hired a digital person,
somebody, again, from outside the industry. And so that sort of speaks to, I think, what you're saying here, which is, is the CIO role becoming more operational? It's, hey, keep the data centers running operationally, keep them secure. The CISO is becoming more strategic, but there's still an operational team within the IT organization that has to implement a lot of these things across the board.
So it becomes more of an operational role. With that being said, I was in a room with 13 CEOs who have all sorts of consonants and vowels that have been added to their title. It's CIO and CTO and CIO and chief innovation officer and those kinds of things. So it's interesting. I think we're seeing this thing go in a lot of different directions, but the large, large, large organizations have split up innovation, digital, and the operational role of the CIO.
It will be interesting to see if anybody wants to step into those roles. There's not a lot of love in those roles. I mean, you just, keep the data center up and running, keep the EMR running, keep all the points of integration functioning, and make sure that you support the digital, the new digital foundation with the right data and the right APIs and all that stuff.
I mean, it's just essentially what you're saying is we want you to be the plumber and the electrician of healthcare, like just stay, stay here. But somebody else is going to be the architect. Somebody else is going to be the designer and the painter of that building. And you're just going to keep everything running. I hate to say it that way, but
It's a good, it's a bit depiction though. And I think it explained why those roles maybe don't quite hold the appeal they used to.
Yeah. It's interesting.
We'll get to our show in just a minute. As you've probably heard, we've launched a new show TownHall on our Community channel. This Week Health community. And it airs on Tuesdays and Thursdays. I'll be taking a back seat to some of these people who are on the front lines. TownHall is hosted by an array of talented healthcare leaders who are facing today's challenges head-on. We're going to hear from professionals and their networks on hot button issues, technical deep dives, and the tactical challenges that healthcare faces. We have some great hosts on this. We have Charles Boicey and Angelique Russell, Data Scientist, Craig Richardville, Lee Milligan, Reid Stephan, who are all CIOs. We have Jake Lancaster and Brett Oliver who are CMIOs and Matt Sickles, a Cybersecurity first responder. I'd love to have you listen to these episodes. You can subscribe on our Community channel. This Week Health Community, wherever you find and listen to podcasts. Now let's get to the show.
Hey, let's talk about privacy a little bit. So privacy is one of those things we don't really end up talking about a lot. We talk about security when you and I get together, but this privacy aspect really has caught my interest lately. The Verge wrote an article. And what Becker's does is they essentially summarize articles for us so that we can digest them really quickly. This one is "Most mental health apps have exceptionally creepy privacy practices, report finds," and Mozilla went out and they looked at 32 players, 32 mental health and prayer apps.
Interesting category. They found 29 required a "Privacy Not Included" warning, indicating concerns about how user data is managed and shared. They talked about the fact that it's just creepy, how they're collecting this data and sharing it. Things like intimate, personal thoughts and feelings, moods, mental states, biometric data.
The team found that they collected large amounts of highly sensitive personal data under vague privacy policies. They also found most of the apps have subpar cybersecurity protocols, including allowing users to create accounts using weak passwords. And they close with this. Most of the reports said Talkspace, BetterHelp, Better Stop Suicide, Pray.com, and Woebot are the apps with the worst privacy policies. For example, Woebot collects data about its users from third parties and shares user data for advertising purposes, and Talkspace collects its user chat transcripts and uses that information. Mozilla said it reached out to these players after they did this report.
And the answer to that is very few of us. And I guess the question I have is if it was obvious, if the app actually said, hey, we're going to take this information you're going to give us, and we're going to monetize this information through advertising. Would you like to continue? I think that would change the behavior of a significant amount of people, but it's opaque.
We don't really know what they're doing. And to a certain extent, it feels to me like the user community has gotten complacent and essentially, almost expects you to use our data in ways that we just sort of blindly trust because there's nothing you can do about it anyway.
I did a couple of things here. One is a course of the old adage. If your app map.
If you haven't given them money,
then you are the product. Then you are the product. You are the product and your data is funding their business model. And I think a lot of people understand that and, frankly, are okay with it. I'm calling you from Silicon Valley. I live in Silicon Valley. I talked to a lot of these organizations in a business context, in a social context, very regularly, and someone from a privacy standpoint at a very large tech firm, a name that we would all know, did a great way of explaining to me their viewpoint of how you look at privacy. And the reality is if you deliver value, the perception is from the Valley, if you deliver value, people are okay with the privacy exposure. So let me give you an example. If you're searching for, say, a new car, right? You want to buy a new car the next time you log on.
You see these banner ads for new cars. You're like, eh, that's not a great extent now. Clearly somebody who's been eavesdropping on what I'm doing. That isn't a great experience. So I'm like, I'm not entirely happy with that. Fast forward two days later, and you log onto your, your email account and you get a little pop up that says, oh, you're on Southwest tomorrow morning at 9:00 AM.
Time to check. Oh, well, I want to be on the list. That's pretty cool. Thank you for that, Mr. App. I'm going to check in now. And both examples are privacy violations, or not violations, but they're examples where your privacy has been impacted. One delivered not a very valuable experience, so you didn't like it.
One delivered you a valuable experience. You thought that was pretty cool. I want more of that. And I think the more we do that, the more we log, we've walked into our car and we put our phone down and the car recognizes the map navigation. Oh, I think you're going to work now or you're going to Starbucks.
Are you going to, so I'm going to load that into your map. You're like, oh, that's pretty cool. I like that. So it feels like privacy is one of those things that has different viewpoints from different people. And I think for the most part, if you were to look at people's viewpoints about privacy anonymously on, let's say, a document or whatever, or a survey, you could almost, you could almost bet pretty confident that, based on guessing the age of the person who responded to the survey, because those who are a little bit older have a much dimmer view about some of these privacy violations. Those who are younger, like, it's okay. It's just the world we live in now, right?
Yeah. I have a friend who says Google is not a search engine. And I, so what do you mean it's not a search engine? It's like, that's the facade, but Google is an information tracking engine that then monetizes that money in any number of different ways. And I said, what's your premise? And then they'd lay out some of the business models that Google has.
And I'm like, well, and he said, all right, so here's the other thing, the difference between an Apple iPhone and a Google Android, he said, is based on the information that it tracks and stores and shares. And he began to show me, if you shut everything off for that Android phone to talk back to the mothership, it stores all that info.
And the minute it gets back on, it starts broadcasting all that information back out, where you've been, what you've been, just all sorts of, what you searched for, what you looked at, any button you touch on that phone, they're essentially tracking. And again, it's all in the purview of we're going to make your life better.
Right. Do no harm, do no evil. We're going to make your life better. And I don't, I think if people saw the profile, and actually the example of this is Facebook back in the day took all the information, who your friends were and all that other stuff. And they would say likely voting profile or something like that.
Sure. And you sit there and. Well, that's interesting. I mean, I guess if we all thought about it, it's like, of course they can make that generalization, the people you're hanging out with are probably similar to you. This person posted this kind of stuff, therefore you are probably of that ilk or think that way based on this data. They build out some pretty detailed profiles of who you and I are.
If you look at just those two companies side by side, and if you look at their business models, you get a pretty clear indication about their motivations for data collection. Company A, Apple, like they essentially want to sell you more things. They want you to have the new iPhone, the new iPad, the new AirPods. They want you to have their arcade services, their music services, TV Plus. Their collection of data on you, it's about selling you more products. Very clear. Google essentially can't sell you anything. There's very few things from Google
you can buy as a consumer. So their data profile and mission is about collecting data on you so they can use that data to resell on the open marketplace. As you go back to the news story here, there is a, this event here happened a few years ago, but it was pretty well-documented.
So there was a website similar to the mental health websites you referenced called PatientsLikeMe. Right? And I think we remember this website or not, but the idea was if you had an ailment, you're able to go onto this website anonymously and share your experiences and get consultation and find a kindred spirit, somebody who's going through what you're going through. It's a very useful service, my understanding.
Yep. But what happened was they had a breach and there was no real way, my understanding, for the bad actor or for a hacker to understand who that patient or that person was from the data they collected from PatientsLikeMe. But when they aggregated that data across multiple platforms and started building that jigsaw puzzle together, they were able to identify.
Oh, that's based on that puzzle, that puzzle piece from here and this from Facebook and this from Instagram and this from Google, it's like, ah, we now know who that person is. And there were some patients who were exposed. And so moving from privacy to security, there is a, there should be a great concern about, about the security vulnerability of all this.
Even if you, from a privacy standpoint, maybe have a more laissez-faire attitude, depending on your age, towards these things, that security aspect is still.
Let's bring it back to healthcare. And I don't want to hit on this too hard, but a bunch of my data's being used by health systems and they are essentially monetizing that data there for the good of mankind. They're selling my data to research, to pharma, to others. And they're creating a new billion dollar organization from that data that they've collected about me. I guess my question on the warning label would be the same thing. If they have said, hey, we're going to collect this data from you. Are you okay with us selling it at a later date for a profit?
I'm wondering, first of all, that would, that would make the job of the nurse really hard because some people would just say, no, I'm not giving you that data. And they go, well, we can't care for you effectively. If you don't give us the data and then go well, okay, then don't sound like.
All right. Well then you have to go through this special entry point in order to make sure that your data doesn't get sold somewhere, somewhere down the road. And with this, this specter of de-identification in place. I, I worry that there's part of me that wants to log into my chart and see a little warning there that says, Hey, we noticed that one of your systems participates in the selling of data. Would you like us to, to give you the option to opt out of that information being used in that entity, but they never asked.
And so from a healthcare standpoint, it feels to me like we should be held to a higher standard than big tech with regard to the use of that data, because it was given at a point of vulnerability for me, I was vulnerable. I needed your help. I gave you the information and now you're going to use that information to make money. I may agree with it, by the way, you're going to do research for the good of mankind. I might say by all means, go for it. But I at least want to be given the option.
Yeah. I mean, I, you know, I hear about the sort of, kind of like tangentially go, but to answer the question about these applications or these startups who want to go spin up their paid-for versions of Gmail or Google Maps, and the idea being you pay for that service on a subscription basis.
And what you get out of it is the same, same experience, but there's no data collection capacity. And would the, is there a business model for that? And right now I don't see it. I think people want the free service. And so that kind of makes you think if, if until we see some traction on those sort of services being consumed, maybe in healthcare people are just not going to tolerate or people could come and go with check the box. Yes. She's selling my data. I know that I don't like it. I'm not going to really argue about.
Well, let me ask you this one, this one's really close to your wheelhouse here. Apple, Google, Microsoft team up on passwordless logins. Do you see a day where passwords are gone where we don't need passwords. I think that's one of the biggest vulnerabilities, by the way. I mean, the easiest way for people to hack a health system is to just ask somebody for the password they get in. And then they just escalate permissions along the way. That's been the traditional path. And do you think there's a way that someday my nurses will not even know what their log their password is and still we will have a secure way for them to access the system.
I mean, yes and no. Yes. Do I see that day? Absolutely. Should it happen? Absolutely. Is the functionality capability there to make it happen? Absolutely. But we are talking about an industry that still has pagers and still has fax machines and still has Windows 95.
I knew you'd throw the fax machine at me. Those fax machines are awesome these days. I mean, they.
They are. It would be a very useful and vital next step, but like everything else, I feel like healthcare has so many things on the to-do list. And I really, I'm a champion for healthcare. I really want to see healthcare make all the strides it needs to, to better safeguard the industry, because the industry is continued to be under assault, and things like this are important for helping the industry cross the chasm. But I just feel like there's just so many things that industry has to do, and I just want to see them keep making that investment. So I guess I'm sounding a little bit skeptical.
And it's warranted. Let me give you the example. So it's interesting to me. We were always pushed in both directions. Hey, keep the things secure but make it easier for them to use. And so we did Imprivata across the board and I remember the Imprivata system, that badge. Just touch your badge, you get logged in. And there was really two types of log-ins. There was the first log-in of the. Where we would use dual factor authentication and you'd get in.
And that login took about a minute. From the point we turn on the machine until the point you were in a little over a minute or a little under a minute, actually it's 50 something seconds. It was a little more cumbersome and whatnot, but it got you into like 16 different systems with just that touch of the badge and the second form of authentication from that point for the next six hours.
Authenticated, you could then badge in and badge out of machines throughout the ED or throughout your clinical rounds or whatever you're going to do. And those were sub-ten-second logins the second and third time. And I think the timeout was either four or six hours on that before you had to dual factor authenticate again. There's this balance we have to be cognizant of, because if I did, hey, look, we're taking away the sub-ten-second.
And every time you log in, it's going to be a 55 second ordeal. I think they would have, I would have to hide or change my identity before I walked through the hospital. I think they would've taken me out. So there's that balance of things. Passwordless access to systems seems to me something that would be advantageous, that the system would want to adopt.
I agree with you because there's a lot of It's a couple of, first of all, it's one that we could all identify with to the benefit we could all say, okay, I can see where that impact my life in a positive way. So I think it's an easier sell compared to other technologies or other sort of take cards that need to be put in places. This should be one to be easier to convince the health system and the clinical teams in particular about why you would do that. So I think there can be some more attraction here and we shouldn't be focusing on this.
Yeah, eventually. Hey, the last story, we're not going to get to talk about it, but I'll give you the last word on "Apple has spent decades building a walled garden and it may be starting to crack," and they talk about the EU's going after Apple Pay right now. US lawmakers are looking at similar laws and the walled garden is being seen as anti-competitive.
And it's not letting people in, it's not creating a free marketplace of different apps and those kinds of things. And they feel like once Apple Pay is set up, there's no other pay you can really use within there, and they want it to be open and accessible to others. Is this the beginning of the end for the walled garden, or is the ease of use and the functionality that they build in because it is a walled garden, and the security for that matter, going to win the day?
I'm talking to a guy who's got at least two Apple photos in the background.
Yeah. I made the move a long time. In fact, that's the original Apple
Look. I mean, I think Elon Musk tweeted about this just yesterday, saying that the Apple ecosystem is essentially equivalent to a 30% tax on the internet. The point being is that if you need to utilize iOS to get to your app or whatever, you pay, these other app vendors pay this premium to be on that environment, to be in their metaverse, if you want to call it that. Is it a problem? I understand why it's a problem.
I understand why the walled garden could be crashing down. But the other thing I think here, it's like the Apple user, I think you're kind of showing here as well, they're very loyal. They like the experience. They trust Apple. For the most part, they see Apple as kind of like one of their most primary go-to vendors, a vendor
they'd probably admire amongst the most. And so I think the user base is very happy with the experience and, like you, I find myself giving more and more of my business to Apple. And I don't necessarily want to do that, but I do trust them in a way that I don't trust my other IT vendors.
I don't have the same sort of affinity with lag T vendors. So from a user standpoint, I'm kind of more and more saying, I want to embrace it. Although I think regulators might have something to say about that and it is anti-competitive potentially, but it feels like more and more the way companies like Apple try to get around these competitive feelings or sentiment is they broaden the ecosystem in a way it's hard to identify them as being anti-competitive. So they got into the Apple Fitness app. Well, I mean, there are a lot of other bigger fitness players out there. They're going to probably bring out a car at some stage, or so it appears. I mean, there are other larger, much more damaged car vendors out there.
So they kind of broaden in a way that they don't double down and, like, build out their ecosystem. I mean, Apple TV Plus has made great strides in a couple of years, but it's hardly on the scale of, sorry, a Netflix or even Amazon Prime for that matter. So is it truly anticompetitive? I don't know. The regulators have something to say about that, but I don't know. We'll see how that works out.
Okay. Yep. Again, you get the last word on that. I am looking around, looking at all the Apple devices that are within a stone's throw of where I'm sitting right now. And I don't know if I can be objective here. One of the things I do like is the fact that they have really advocated for privacy. And to be able to do some of the things on that phone and know that I'm going to talk about trampolines and I'm not going to see an ad on my computer when I get back to my computer on trampolines and go, how, all I did was say that in a conversation, how did that end up in this search?
I think Facebook, they acknowledged in one of their quarterly reports that they lost about $10 billion of revenue when Apple made it aware that you, they could opt out of the tracking on Facebook. Right? So, I don't, that's kind of a good thing. As a user of Apple products, I think it's a good thing. I liked the ability to be able to opt out of these tracking. And I do it all the time.
Too, as well. As always, it is always fun to talk to you and I want to thank you for your time and look forward to our next conversation.
Been great, but I'll talk to you soon.
What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to a show just like this one. It's conference level value every week. They can subscribe on our website thisweekhealth.com. They can also subscribe wherever they listen to podcasts. Apple, Google, Overcast. You get the picture. We are everywhere. Go ahead. Subscribe today. We want to thank our Newsday sponsors who are investing in our mission to develop the next generation of health leaders. Those are CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst. Thanks for listening. That's all for now.