This Week Health

November 29, 2021: Rick McElroy, Principal Cyber Security Strategist for VMware and Bill look at cybersecurity from the year behind us and the year forward. A subcommittee has sounded the alarm on the VA’s EHR modernization citing patient safety concerns, cybersecurity issues and the cost of the program. Bloomberg reports that the pandemic blew up old business habits and opened the path to a boom. Companies are finding new ways to match staff, tech and customer demands and U.S. productivity and profits have hit record highs. Plus the Mayo Clinic’s strategic partnership with Google will “transform healthcare”. 

Key Points:

00:00:00 - Intro

00:19:20 - The pandemic drove businesses to remote work. Productivity shot through the roof. And profits shot through the roof. 

00:24:30 - The battle for labor is going to continue and cause us to be incredibly creative going into 2022

00:27:30 - There's been so many missteps with Big Tech in healthcare. They don't understand healthcare but they do understand data

Transcript

Newsday - Labor shortages, Pandemic-driven innovation, and a Reflection on Cybersecurity

Episode 466: Transcript - November 29, 2021

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Bill Russell: [00:00:00] Today on This Week in Health IT.

Rick McElroy: One of the interesting trends that shook out this year from an attacker perspective is ransomware as a service, generally operated as a distributed model. You had a bunch of different groups trying to innovate, do their own things. That has started to centralize. There's some really savvy cyber criminals out there that are running a good business from their perspective, right? They have metrics, they have uptime, they have affiliate programs where they actually pay and have a local trust, so I think looking towards the future, you're now going to see a much more [00:00:30] centralized business model takeover, these as a service models that you've seen in previous years on the dark web.

Bill Russell: It's Newsday. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.

Special thanks to Sirius Healthcare, Health Lyrics and World Wide Technology who are our Newsday show sponsors for investing in our mission to develop the next generation of [00:01:00] health IT leaders.

Before we begin, I want to share an exciting announcement for This Week in Health IT. Starting in 2022, we're going to have four channels to bring our community more specialized content for your specific needs. The four channels are News, Community, Conference and The Academy. The News channel will have our Today and Newsday shows where we explore the news that is going to impact health IT. The Community channel is just that. A place where we come together [00:01:30] and collaborate. One of the distinctions of this channel is that we will have guest hosts from the industry and people that they invite to talk about the topics that we wrestle with every day. Things like clinical informatics, data security and the like.

We're excited about where the community will take this channel. The Academy is about training. It's about training the next generation of health leaders. Here's where we're going to be launching our new show. It's called Insights and the show will [00:02:00] actually take highlights from our last five years and break them into 10 minute episodes for your team and perhaps people who are new to health IT to come up to speed.

Finally, this channel, the one you're listening to right now will become our Conference channel. The same great content you travel across the country to receive. We're going to be bringing to you right on this channel. This show will become Keynote, where we do our long form 50 minute interviews with industry leaders.

And we will be augmenting that with Solution [00:02:30] Showcases and briefing campaigns that introduce exciting solutions in more detail. For more information on our other channels and where you can subscribe visit us at thisweekhealth.com/shows - S H O W S. Now onto the show. All right. It's Newsday. And today we have Rick McElroy, Principal Cybersecurity Strategist for VMware Carbon Black, who is joining us for the first time. Rick, welcome to the.

Rick McElroy: Yeah, thanks for having me.

Bill Russell: This, this [00:03:00] will be fun. This is the first time we've ever met. And it's the first time the audience is hearing from you. So give us a little background and we'll go from there.

Rick McElroy: Yeah. I've been doing information security for about almost 25 years now. So I started off in the nineties after I transitioned out of the Marine Corps. Predominantly focused on offensive testing. So did that for a bunch of commercial companies, went over to Booz Allen, did that for the Department of Defense and, and what I figured out on that journey is it's way too easy. We get in a hundred percent of the time and there weren't enough resources dedicated to the defensive side of the [00:03:30] problem. So from there, I started building security programs. Leading those, worked up to become a CISO. And I'm now focused on healthcare as a sector with security at VMware.

Bill Russell: They really do get in a hundred percent of the, this is the unspoken thing that goes on the, you know, every time we had an internal audit and they said, all right, we're gonna do some kind of penetration testing or we're going to do some sort of attack, simulated attacks come in onto your system.

They always got in. And we were spending millions every [00:04:00] year on cybersecurity and they, they always got in. Are they just smarter or are we just not putting money in the right spot?

Rick McElroy: I think it's a combination of both, right? So, so I mean, on the innovation and smartness scale, of course you have, you know, cyber warfare, which is occurring, which is really driving innovation in spaces and blind spots.

Right? So, you know, they're developing tools that current technologies can't see. That's going to continue to escalate, which, you know, which fuels some of the problem. And then I do think by and large, it's very hard for us, especially inside of healthcare, to be [00:04:30] tactical about how we use and deploy technology.

And so largely buying technology takes a little bit longer implementing technology takes a little bit longer and then of course doing the maintenance phase does as well. All with the right purpose in mind, by the way, which is patient safety and you know, driving those better outcomes. But that's the reality of what folks who are defending, you know, healthcare entities have to deal with.

Bill Russell: I'm going to ask you to give you a little picture of, we're going to look at the year behind us and look at the year forward from a cybersecurity [00:05:00] standpoint. And we're going to get off cybersecurity pretty quick here. We're going to look at the VA. Their EHR implementation. What the legislature's asking questions. We're going to talk about the nature of work and how that's changed. And we're also going to look at the Google partnership at Mayo. Are the three stories I think we're going to cover, but I want to look back on the year that was cybersecurity.

We had the Scripps breach, but that wasn't the only one. We had several breaches. I don't know if it was SolarWinds in this calendar year or was that the previous calendar?

Rick McElroy: Technically started in the previous year. It was about six months prior to actually launching [00:05:30] the attack.

Bill Russell: We had that. We had an Azure vulnerability. I mean, there's a, there's a fair number of vulnerabilities this year. As you look back on 2021, what's your assessment of 2021? And what do you think we're going to take from it?

Rick McElroy: Yeah, I think, you know, if I was going to put everything in a nutshell that the attackers were doing, they're attempting to skate upstream of our supply system, right?

So, so they're going after the manufacturers of technology, the binaries that are produced, that all of us use, whether that's on a mobile device or inside of an environment to [00:06:00] drive those patient outcomes. So I think the big takeaway is we have to really start to look at how we're securing our entire digital supply chain. I think the pandemic has highlighted some of those issues in the physical world. And these two attacks in particular, SolarWinds, Kaseya, I think highlight the same need for better than just a supplier evaluation, which is typically what we're all doing.

Bill Russell: You mean the 25 page document that I had to fill out?

Rick McElroy: Yeah, just to do a podcast with us. Right. And look, there is [00:06:30] some good news, right? So, so also cause I I like to track the good news as well. A lot of movements out of nation states. Right. I think finally we're starting to take this serious, at least speaking about the United States, we're taking some significant efforts.

There's a lot of funding coming around to modernize what we're doing from a cyber perspective. And I think all of that will be helpful. All that being said it's gonna be a long road and it's going to take us a while to get there. And so I think looking towards next year, look, one of the interesting trends that, that shook out this year from an attacker [00:07:00] perspective is ransomware as a service, generally operated as a distributed model. You had a bunch of different groups trying to innovate, do their own things. That has started to centralize.

There's some really savvy cyber criminals out there that are running a good business from their perspective, right? They have metrics, they have uptime, they have affiliate programs where they actually pay and have a local trust, so I think looking towards the future, you're now going to see a much more centralized business model takeover, you know, these as a service models that you've seen in [00:07:30] previous years on the dark web.

Bill Russell: Wow. So we're looking at some challenging times even into next year. This is one of those things that it is vigilance. It is continuing increased sophistication over time.

And we're just gonna have to get sophisticated on the other side as well. Is there any way we could work better together? It seems like the cyber criminals are starting to work together or can we work better together?

Rick McElroy: Yeah, absolutely. I mean, look, I talked to Earl over at, you know, Health ISAC all the time.

In fact we'll be issuing our annual health care survey. You know, the [00:08:00] ISAC has participated in that, but I think one of the areas that we could really stand to modernize is around how we're doing threat intelligence and that real-time sharing, especially inside of healthcare. Right? A lot of these same actors are targeting, you know, other healthcare entities that are using a lot of the same techniques, tactics, and procedures. And so I do think as you look at some of the ramifications coming out of the new executive order, the direction that DHS and CISA has taken on critical infrastructure, I think health care generally people are considering you know, part of that [00:08:30] as well.

Yeah, so, so lots of movement. I think there, there is some good news. But we're going to have to look on the back end of all of that, about how we're doing this exchange in real time. And and ensuring that you know, patient information isn't being transmitted as part of those workflows and that type of thing. But I think I'm looking forward to what comes out of that cause I think it'll benefit everybody in this sector.

Bill Russell: All right. Let's take a look at these three stories. I will be honest with you the first one sorta it gives me some flashbacks to the EHR implementation than I did, and it also gives me flashbacks to some of the conversations I had with [00:09:00] various constituents as we were doing the implementation.

But, we'll go ahead and wade into it. So representatives from the VA faced concerns from legislators this past week around patient safety issues associated with the agency's Cerner electronic health record modernization initiative. At the end of the day, the whole undertaking is about improving patient care, said Representative Debbie Wasserman Schultz, Democrat from Florida, in a House Appropriations Military Construction, Veterans Affairs [00:09:30] and Related Agencies subcommittee. Wow, man, they can name a subcommittee, can't they? So there, there was a hearing. So Wasserman Schultz noted that the VA's first rollout of its new EHR took place one year ago this month at the Mann-Grandstaff VA Medical Center, which we've talked about on the show, in Spokane, Washington. The VA had initially planned to go live at 11 sites by the end of 2021.

At this point, the VA is more than one year behind its initial schedule, said Wasserman Schultz. She cited [00:10:00] complaints from staff and local legislatures. Particularly those about patient safety issues. While there've been no reports of patient harm, thank God, at Mann-Grandstaff, this is not a concern to be taken lightly, she said. Let's see, she goes on. She, she goes on a little bit of a rant here. So Wasserman Schultz also flagged issues around funding, including findings that the office of inspector general OIG, that the estimates of the project costs had fallen short by billions. She called a revised [00:10:30] estimate timeline problematic.

Let's see, VA Deputy Secretary Donald Remy took a determined stance, assuring legislators that he was taking responsibility for the progress. The success or failure of the program boils down to a partnership, he said. Our handling of EHRM to date has failed to live up to the program's promise for our veterans and our providers.

He continued regardless of what happened before, and regardless of how long I've been here. I'm here [00:11:00] now. And I promise I'll be accountable to you and collaborate. He said, the VA is learning and they're growing. And then Wasserman Schultz comes back with a pretty snide answer. I appreciate your enthusiasm but we really need to go beyond enthusiasm.

And you know, and you get the picture, it just goes back and forth. And they talk about, you know, Remy explained that the agency has organized patient safety concerns in several domains, such as order management, administration of medicine, pharmacy, suicide, risk tracking, and documentation, identity referrals, [00:11:30] and consults roles, positions, privileges in ambulatory care.

When concerns arise, Remy said the agency categorizes them, examines them and makes sure that they don't reoccur. And then Wasserman Schultz goes on to say, well, okay, but really how did this happen? Wasserman Schultz said, what specifically are you doing to prevent this in the future? You know, I'm going to let you go first. Cause I mean, I'm afraid I could go on a rant for 10 minutes, so I'll let you go first.

Rick McElroy: Well, look you know, I'm a customer of the VA [00:12:00] sometimes you know, so in full transparency I'm a former marine. I care a lot about veteran services. I'm a huge advocate all of that stuff. Look, the first thing I'll start with is what year is this? I mean it's, it's 2021 and essentially almost every other entity on the planet has gone through this conversion. For some reason at the VA we can't seem to figure this out and it's continuing to linger. Right. So I think I have two concerns. Yes. I'm concerned about patient care. I'm concerned about speeding that up.

I think, look, this issue has been highlighted for the last 20 years in the, [00:12:30] in the veterans administration. And really what we know is if we can get to electronic records, if we can start to service people faster cause they can't even find a lot of our paperwork as it's sitting in boxes still. Right. So step one, let's start to address that issue.

Now, as we're doing this, of course, we have to think about cyber. Of course, we have to think about the risk. Of course we have to think about protecting patient data, but the one thing that VA should be able to benefit from this is the last 30 years of innovation in healthcare, specifically around how to do this in a [00:13:00] secure fashion.

And yes, to your point, we still have things that occur inside of healthcare. You know, lots of times records are mishandled. We're making a lot of mistakes in how we're doing that. We're sending data to the wrong entities. But encryption is in use, right? Defense in depth is in use at a minimum. Zero trust, you know, it's become de rigueur.

Right. And so I do think there's a number of different ways that they can look at architectures, look at other people's implementations and speed that up a little bit. I think secondarily look, it is good that legislators are thinking about cyber. That they're asking those [00:13:30] questions. Now, what I will say about that is a lot of times, what I see is it's a little bit of grandstanding and I'm not going to pick on any one particular group. Right. But it's top of mind for consumers, especially in healthcare as we're approaching things like, you know, exchanging digital passports for vaccinations and all of those things. So I think while we've made them aware we have to lean in as cyber professionals and really educate them and I think that's a piece that we're missing. There's still some naivety, I think, a little bit and a little bit of ignorance and it's not their fault. So I think we've got to spend time to move from the [00:14:00] awareness phase. They're aware of the risks to the education phase, where they can actually do something about the problem.

Bill Russell: Yeah, I'll tell you EHR implementation is a massive change management effort and you are moving everybody's cheese. It's not, you're not just moving the clinician's cheese and the patient's cheese. You're moving the administrators and HIM and you're, you're moving everybody's cheese, including the check-in, you name it, everybody's getting.

And so when you're going down this process to say, [00:14:30] Hey, we're hearing reports that people aren't happy. It's like, no kidding. If we came into the Capitol tomorrow and moved everyone's office and then did a poll that afternoon and said, Hey, Debbie, how do you feel about the Capitol and how it's being run?

She'd be like, are you kidding me? They moved my office. They didn't tell me where it was going. You know, I don't know where the copier. That's what happens when you do an EMR implementation. That's one aspect of it. The other aspect of it is you have a thousand people that want [00:15:00] input into this process.

And so you sit down with one doctor and you say, okay, How would you like this to go? And they say, we want it to go this way, this way, this is what's in best interest of the patient. And then you go to another doctor and he essentially says the exact opposite, maybe not the exact opposite, but the opposite.

And now your job is to bring these two together. And by the way, there's a thousand doctors. There's 5,000 doctors in the VA. All right. So if you're not going to define standards across the entire VA [00:15:30] for standards of care, standards of practice, standards of approach all those things, then you're sort of, you're at the mercy of who's going to win these battles.

And sometimes you make concessions in your build to try to accommodate both. And you end up with junk because you really just need to pick one and do that. But if you do that, then the person who's getting interviewed for the new story is the physician who's like yeah, they listened to the physician and [00:16:00] graduated from that school.

Like they know anything about medicine. They should've listened to me cause I went to this school, which is much more prestigious than we know about med. I mean, yeah. I mean, this is, this is what, this is what is sort of at play here. So at the end of the day, the other reason they're behind the legislature slowed them down.

They stopped them. They said, look, we've got to get to the bottom of every one of these issues before you move on. So they stopped them for six months and now they're like, Hey, you're behind. Well, yeah, [00:16:30] cause we stopped. So anyway I'm sorry. That was sort of, sort of my rant. I'm not, again, I'm not coming down on anybody.

I've seen this from both sides. You know, you want to be seen representing your constituents and you want to be seen representing the veterans who are receiving care here. So you're obviously going to ask questions and you should ask questions. But at the end of the day it's hard to ask educated questions until you've actually really dug into what it takes to run a [00:17:00] hospital effectively.

And it's the interdependency of a thousand different processes and people and technology all going together. And to think you can just ask the question to go, well, why don't you fix that? Well, that's the intention. We intend to fix it. And I like his process, you know, breaking it down into those categories is exactly what almost every EMR implementation I've seen that goes well. You do an implementation. You expect some breakage, some failure, you [00:17:30] categorize those failures. Are they critical things we need to get to almost immediately, if not yesterday. Build failures or whatever that are potentially causing. But then, then the risks go way down to like, you know what, it's not going to harm anybody, but it's a nuisance for the physician, for the nurse, for the, and so he's doing the right thing and categorizing the problems and then addressing them and then making sure that you solve them in a way that they don't happen again.

So that wasn't as much of a rant as I thought I was going to do because these questions did [00:18:00] remind me of our EMR implementation. And I had to go in front of several groups of physicians who just grilled me for the better part of three, four hours.

I don't really have a question. That was it. That's just my, the end of my rant.

Rick McElroy: That was a good one.

Bill Russell: Thanks. Thanks. I appreciate it. Let's see, what do we, what do you want to do next? We can do the future of work or we can do the Mayo Clinic Google partnership. Which direction? I'll let you choose.

Rick McElroy: The future of work.

Bill Russell: Future of work. Well, let me ask you this. How have you worked over the [00:18:30] last, I mean, are you pretty much a remote worker and have been for a while?

Rick McElroy: Yeah, I've been remote for seven years, but really in airports for five of those and then at home for two yeah, so largely I Zoom away and, and do those things.

Recently got started getting back together with people in person, which is my preferred method of comms. Yeah. So I think from a family perspective I've really enjoyed the time home. I think from a professional's perspective we all seem a little burned out on Zoom. So I think people are looking, looking forward to getting back together.

Bill Russell: Do they still maintain an office for [00:19:00] you somewhere? Like, do you have an office that never has a desk that no one ever sits at?

Rick McElroy: We have hotel officing, like in different cities. And then in Palo Alto, they have hotel offices for us if we need them.

Bill Russell: Yeah. So in this article, they talk about the fact that some of these businesses were preparing to do remote work. The pandemic sort of drove them to remote work, and then they have a picture of an office that's completely empty. And they said, you know, we moved the entire staff to the home. Productivity shot through the roof. And [00:19:30] profits shot through the roof. Of course, I don't know where this building is, but if you put this building in, obviously if you put it in Omaha, Nebraska it's not that big a deal, but you put that in Silicon Valley that that office space, which is a hundred thousand square foot is extremely expensive. And they just talk about the fact that profits have gone up significantly. Productivity is wavering a little bit, but for the most part has been up through the pandemic.

We're being more productive. One of the things I have heard from people [00:20:00] is that the connection to the company, that the cultural connection to the company is not as strong as you would have in working in an office. And what they're finding is they're losing employees after like two phone calls from a recruiter.

Cause they're like, oh, so let me get this straight, you're just going to ship me a different computer. I'm going to sit in front of this machine and I'm just going to do the same job for somebody else. And you're going to give me a 10% pay increase. Yeah. [00:20:30] All right. Yeah. Let's go ahead and do this. I mean, I don't know anybody I work for anyway, so, so that's starting to happen and that's a concern.

You know, it's very difficult to build a culture. I mean, have you seen people build culture remotely well?

Rick McElroy: That's an interesting question. I mean, I've certainly had a lot of conversations around teams that have pivoted and tried to keep that culture. Right. Who felt like they had a strong culture.

I think speaking of VMware as a company, right. And then our own experience with that. So we were an external entity. We happened to be aligned on [00:21:00] a lot of cultural values with VMware when we were acquired. We got acquired four months before the pandemic hit. Four or five months. Right. So couple of big changes to who we are to the market. Big changes to all of those things.

And then of course the world changes around us. And, and so I think we've put some some stuff in place to try to keep the culture, right? Like, you know, whether it's painting sessions. You know, different sessions that are non-work related, right. And that type of stuff. So, so I think a strong culture can maintain it. Building and instilling that remotely is interesting.

I think you, you [00:21:30] do have to take some active measures to do that. But certainly I think the disconnection from other humans has partially led to some of the resignations that have occurred. And certainly I think some of the stress and burnout that we're seeing inside of security as well.

Bill Russell: They go on to talk about the labor shortage. I assume in the space that you're in you're seeing the labor shortage?

Rick McElroy: Oh, yeah, globally. And again, it depends on the market, but you know, looking at ourselves, we we've put programs in place. We have university educations looking across the globe, you know, folks like [00:22:00] Australia, they have a small population anyway.

So they're importing a lot of their cyber talent. The UK the same way. So, so I think there's a lot of initiatives globally to grow you know our own cyber professionals and get those in. And then certainly I think the US government has recognized that as well. You see grant money coming to underserved communities to try to get them into cyber lots of programs that transitioned veterans who were maybe in some other roles inside of the military and, and bring those folks in.

And then of course I think wider campaigns to look everywhere for [00:22:30] anybody that's interested in learning some stuff and contributing to the problem because you know, recruiting is still taking too long. And then of course retaining our people is very hard right now because the pay scales have gone through the roof.

So to your point, very easy if I'm just switching a four by four square on a laptop to another four by four square at another company with a, with another logo. And so I think all of that stuff has created a little bit of soup of why some of the employees are leaving. And then why retention numbers are down too.

Bill Russell: I just heard of a, a company. [00:23:00] They just had a call with their employees and they essentially said, look this is not a pay increase. We are doing a cost adjustment based on inflation numbers. And I think they're giving everybody like a 5 to 7% pay increase just for inflation. It's like, look, we, we understand that gas costs more, that homes have gone through the roof and those kinds of things we're going to give you, you know, it's just, it was almost like an unsolicited it's actually out of cycle.

You know, normally they do every year they do a cycle and I guess the [00:23:30] uptick in inflation has been so great. And the concern of losing people has been so great that they're saying, look, we want to stay ahead of this thing. And oh, by the way, we will come back in six months when we normally in cycle and we will evaluate pay.

But for right now, we just want it to, you know, we, we recognize that there's a significant inflation going on for salaries and inflation in the market. There really is, this battle for labor is pretty interesting. [00:24:00] The numbers I keep citing: 5 million people left the workforce during the pandemic. 3 million women left the workforce during the pandemic. We have, we have baby boomers retiring at a record number and people are like, Hey, where did this labor shortage come from?

Well, we just took you know, we just took 5 million people out, including 3 million women. And I don't know the exact number of, of baby boomers that are retiring, but I, I have heard of doctors essentially saying look I mean, I'll come back after the pandemic, I'm going to hang up, hang it up for the next [00:24:30] two years pandemics done. I'll come back to practicing after that. I know that that's just some of our clinical listeners. They're like, oh, that's awful. But to others, they're like, man, I wish I could do that. Because this has been a ridiculously hard time to practice medicine over the last two years. So this battle for labor I think, is going to continue and cause us to be incredibly creative going into definitely going into next year.

Talk to me a little bit about, about [00:25:00] cybersecurity. It's interesting the number of cybersecurity professionals that I run into that are former military. Is that because they were ahead of the game here or the colleges and universities don't really pump out that many cybersecurity professionals just yet?

Rick McElroy: A little bit, right. So, I kind of pre-date cyber. I don't want to say I predate cyber because information assurance. Yeah. Like, yeah, there just wasn't a lot of us going into the field, but, but I think a couple of things if you look at the talent that the department of defense has brought to bear on the problem through things [00:25:30] like Cybercom, the NSA, and of course the intelligence agencies. They were at the forefront of things like threat hunt.

All right. So, now a common practice amongst security teams. And if you rewind the tape 10 years ago, no one even knew what that was. You know, gathering data and then actively looking for an adversary inside of your environment. And so I think a lot of that talent, for a number of different reasons, whether it was pay scales those are a lot of times a high burnout as well as you can imagine when national security is on the line, came over to the commercial sector and sort of provided, I think [00:26:00] a lot of the thought leadership that you now see and a lot of a lot of the stratagems that, that you now see as well, you know, even moving towards something like zero trust, you know, I, I would point to that coming out of you know, the NSA and other folks like that as well.

And so I think secondarily, I would say in some ways, the transition and the cyber is a lot easier because the language remains the same. If I say to someone in the military red team, they know exactly, but that's the adversary. Word adversary and emulation, and me just say, blue team. They, they know what that means.

So, [00:26:30] so even if they're not in a cyber field at least in the Marine Corps, you know, we speak a lot of those same languages. And so I think it was easier to transition over. And then of course, you know, we're gluttons for punishment. Right. And so I think I think a lot of the same mentality and mindset you know, the adaptability data, the ability to learn on the fly to, to have a lot of different data sources coming at you and then have to make a coherent decision.

Those types of things, I think people just get practiced in the military. And so that's why you see so many of us, I think.

Bill Russell: All right. Well, let's head over to our last [00:27:00] story. Our last story is Mayo Clinic CIO. So they talked to Chris Ross who's been a guest on the show about the Google partnership and he talks about how the Google partnership will transform healthcare. Just on the, on the surface there doesn't that make sense to you? That one of the best companies with handling and managing data in the world with developing machine learning and AI and algorithms would benefit healthcare?

Rick McElroy: Yes. Yes. Simpler. Yeah.

Bill Russell: But it's interesting because [00:27:30] there's been so many missteps with big tech in healthcare that a lot of times it's, well, they don't understand healthcare, but they do understand data. And so the question is why can't we get them to do more with data? And so Mayo Clinic has partnered with them and, you know, he, he talks about why did they choose that? And he said, you know, we're essentially looking for a partner who believed in their vision for how to cure, connect and transform healthcare.

So people get the care they expect and deserve. And after detailed process, the [00:28:00] team chose Google based on its talent and technology, as well as our shared vision for the future of healthcare. Google focuses on innovation and commitment to excellence. And so, all right, so now you have these two, I mean world renowned companies coming together. One seemingly with a phenomenal history and dataset and clinical processes and practices that are extremely well ahead of the curve with regard to the practice of medicine. And you [00:28:30] have the company with their data and their skills to back it up. So he asked them if you could just skill Mayo Clinic's partnership with Google down to one main goal, what would it be? This partnership will change how care is delivered and will help us grow as a healthcare organization.

So they ask them for examples. He says the first stage of our partnership is to build Mayo Clinic Cloud, the Google cloud on the Google Cloud Platform. In partnership with them, we have begun to populate Mayo Clinic Cloud with the data and have constructed an AI. [00:29:00] Which will bring, which is being used by nearly 200 teams to advance scientific discoveries with AI tools.

We expect that we will see many new algorithms to improve care coming from the AI factory. So they're thinking about this as a platform, which makes sense to me, right? So they're, they're saying, okay, we've got this data that we're taking from this transactional system, which is the EHR, and Google's going to give us this, this cloud platform. And then we're going to build a [00:29:30] set of AI tools that are accessible by, I mean, at this point, the hundred people that have been given access within the Mayo team. But I imagine they're thinking about it from a security standpoint as well, and a privacy standpoint as well. How are we going to open these AI tools up to the broader community and that, thinking through the architecture really matters here doesn't it? I mean, from a privacy and a security standpoint, this, this becomes critical for the future.[00:30:00]

Rick McElroy: It's brutal and look you know, my technologist hat says, this is really cool and I bet you, there's a bunch of things we don't even know. We're going to be able to see from those datasets and bring an AI to bear on it.

My security hacker hat goes, oof, this is pretty risky. However, that being said, right, you know, who, who pioneered a zero trust from a commercial perspective and published those first metrics? Well, Google did, right. You know, who, who brought a Chronicle and Backstory to market, right? The ability to look at [00:30:30] disparate security events and actually make sense of them. Right. So look. Well, I think we, we all have challenges in that area. It's like, as long as it's being discussed as part of the outcomes, right. Privacy and security, as long as that's built in, you know, from the design phase, I think it'll be in good hands. And certainly I think that model is better than shipping that data all over the place to a bunch of different clouds to try to secure and use you know, different control frameworks for all of it and expect that that's going to work as well. And so I know, you know, [00:31:00] decentralized versus centralized security. All of those things, but it's like if I can actually secure that ecosystem from a ground up perspective, and I think there's a good chance of doing that today. I'm going to take that risk as a CIO on the, on the Mayo side. And I'm going to back Google.

Bill Russell: Yeah. So here's another Chris Ross quote here. So Mayo Clinic Cloud includes a repository of de-identified longitudinal patient records, which have been constructed with Google and our partner nference. Mayo Clinic Platform Discover product [00:31:30] line provides access to these high quality, comprehensive longitudinal de-identified patient data that few in the industry can offer. Mayo Clinic Platform's principal partner, nference, is already using the data with life science companies and drug discovery. I heard John Halamka talk about this platform. It was really interesting. He said they can actually, he could have a third party provide them an algorithm and what'll happen is the algorithm, and think of it as in a container, the algorithm will be able to run [00:32:00] against the information in the container. But essentially there's a point of abstraction here where they never actually get access to the data. It's. So, although they're going to get is the results back.

They never actually access the data, even though it's de-identified data, they've taken another step to say, you know what? There's, there's no just going in there and doing a, you know, find all and looking at the data and trying to figure things out. It [00:32:30] literally is the algorithms go into this container run and give the data back.

And this is, I'm wondering if, I know that a lot of the cyber security issues for us are manmade. So it's human error ends up being a significant portion of them. You know, phishing attacks, those kinds of things. Misconfigurations and whatnot. But I'm wondering how much of it is, is architectural related.

Cause I, I'm not surprised that ransomware attacks are happening. I'm surprised how they can go longitudinally across the entire [00:33:00] network and shut things down. Because you know, good architecture contains that, or am I being sort of Pollyanna here? That, that, that's how we can contain this?

Rick McElroy: Oh, absolutely. I mean, look, look, the technology exists to do it. Process exists to do it. Companies for ransomware attacks on a, on a daily basis and don't get hit. Some do. So it's so to your point are there a fundamental architecture? Yeah, absolutely. I mean, and I would comment and I hope no one in the audience takes offense to this.

It's just the way I speak. I think [00:33:30] also some lazy engineers and some lazy administrators out there, they take the path of least resistance. Maybe it's your dev team that developed a new application and for some reason it won't work because the network's not opening up. So instead of taking a pinhole approach we sorta take a you know, magnifying and open the whole thing up.

Right. And I look, I've done it. When I, when I ran network devices, as part of, you know, the pressure from other teams to do it you know, a Mo shops that experienced in that. Right. And, and so I do think to get back to the human component, I think, look you know, [00:34:00] architecting it by design so that the humans can't actually access it.

Like that's a much better model, right? Because even if an attacker subverts the human that has access to the trans mutated data, that's non-production anyway, or somehow got access to the results of that data analysis. Well, they still don't have access to the data themselves because the humans don't, that's a much better way to architect a solution for misuse in mind, which I think is something that we missed during the application design phase.

We designed for use cases. But we don't bring somebody in to really [00:34:30] think about, you know, what happens when an attacker hits that button 50 times? What happens when they do something that's not intended to do? So I think planning for those misuse cases are a good way to build security into whatever you're developing.

Bill Russell: Rick, I appreciate your time. Appreciate you sharing your expertise with us. It's always a pleasure to sit down. I love the black background, black shirt, black coat. It makes me happy that you're on the good guy side and not the bad guy side. Yeah, because you sort of have a matrix feel to you when I'm looking at you. I'm, I'm a [00:35:00] little afraid actually.

Rick McElroy: That's perfect. Just a little, just a little, and then I smile and make jokes that.

Bill Russell: Yeah, I'll tell you it's not an exaggeration. Every time I was CIO and I had a conversation with somebody, they said, we're bringing in our experts.

This is a former NSA person. And then they like put me in the room, they closed the door and then they tell me stories and then they'd walk out. I'd be crying with my hands in my and you know I'd just be like, I don't know what to do. I, I think it's, I think it's why they brought that person from the NSA was just make me [00:35:30] realize it's like, okay, I need you.

What can we do because of the story. I mean, there's stories that we hear and then there's stories that we don't hear and you're just, you just sort of shake your head like, wow. There are so many ways into our network and we have to, and I remember the day that they looked at me and said your thought process is wrong.

Your thought process needs to be they're already on your network. So once you start thinking they're already on your network, you'll [00:36:00] start designing correctly instead of trying to keep them off your network. Okay. Now that they're on your network, what do you need to know? I'm like, I need to know what they're doing.

I need to know if they're moving data. I need to know, you know, they're like, yeah, now you're asking the right questions because this whole idea of we're going to build a castle, keep them out is that's kind of archaic at this point. They're going to find a way in.

Rick McElroy: Yep. Well, I think you've got some good advice.

Bill Russell: Yeah. Well, Hey, thank you. Thank you again for your time. Really appreciate it. And look forward to catching up again next year.

What a great [00:36:30] discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It's conference level value every week. They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts, Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. We're out there. They can find us. Go ahead. Subscribe today. Send a note to [00:37:00] someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisers, Aruba and McAfee. Thanks for listening. That's all for now.
