This Week Health


July 19, 2021: It’s Newsday with Drex DeFord and Bill. Rather than making a multimillion-dollar investment to deploy a new EHR, Woman's Hospital in Louisiana is seeking potential partners that would instead let the hospital connect to their Epic system. Dollar General hires a Chief Medical Officer. Jeff Costlow, deputy CISO at ExtraHop offers a comprehensive tip sheet to help ease the daunting task of talking cybersecurity with health system leadership. And what started as a surge in criminal activity during the early days of the pandemic has now developed into a full-blown crisis. Why does healthcare keep falling prey to ransomware and other cyberattacks?

OPEN NOW! HRSA Announces New Loan Repayment Program for Behavioral Health Providers - Apply to the Substance Use Disorder Treatment and Recovery Loan Repayment Program

Every day you’re using skills to help end substance use disorders (SUD) within your community. The Health Resources and Services Administration is here to help you with the new STAR LRP (Substance Use Disorder Treatment and Recovery Loan Repayment Program). 

Pay off your school loans with up to $250,000 from the STAR LRP in exchange for six years of full-time service at an approved facility. Behavioral health clinicians, paraprofessionals, clinical support staff and many others trained in substance use disorder treatment are encouraged to apply. Applications are open until Thursday, July 22, 2021 at 7:30 p.m. ET. 

Key Points:

  • If Dollar General does it right, they could ultimately impact long-term health for rural communities [00:16:35]
  • One of the mistakes people make when they go to a board is to take a posture of telling, but the board is really a collaborative group. They're on your side. They're inside. And they will help you to think through things. [00:25:10]
  • The electronic health record is a part of the expanding attack surface [00:31:45]
  • You need money to take care of unpatched systems and legacy devices [00:36:50]
  • Double extortion is real [00:44:20]



This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Welcome to This Week in Health IT, it's Newsday. My name is Bill Russell, former Healthcare CIO for a 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping Health IT staff current and engaged. Special thanks to Sirius Healthcare, Health Lyrics and Worldwide Technology, who are our Newsday show sponsors, for investing in our mission to develop the next generation of health IT leaders.

We set a goal for our show and one of those goals for this year is to grow our YouTube followers. Uh, we have about 600 plus followers today on our YouTube channel. Why, you might ask? Because not only do we produce this show in video format, but we also produce four short video clips from each show that we do.

If you subscribe, you'll be notified when they go live. We produce those clips just for you, the busy health IT professionals. So go ahead and check that out. A common question I get is how do we determine who comes on This Week in Health IT. To be honest, it started organically, it was just me inviting my peer network and after each show I'd ask them, is there anyone else I should talk to?

The network grew larger and larger, and it helped us to expand our community of thought leaders and practitioners who could just share their wisdom and expertise with the community. But another way is that we receive emails from you saying, Hey, cover this topic, have this person on the show.

And we really appreciate those submissions as well. You can go ahead and shoot an email to, hello at this week, health We'll take a look at it and uh, see if there's a good fit to bring their knowledge and wisdom to the community as well. It is Newsday and we have a lot of stuff on tap for you today.

We've got investments that are going through the roof. We've got some cybersecurity stories. We've got Dollar General hiring a CMO, an Epic implementation affiliate. There's just so much going on and I. Dr.

News. So much stuff. So much stuff going on, man, I, I, I always look forward to the days we get to do Newsweek together and it always seems like the world conspires to give us lots of good stuff to talk about when we both get on. You know, I, I have an ongoing dream. You, you're gonna analyze my dream. My ongoing dream here is that I wake up one morning and there's no news story.

That I can do a a Today show for. And I, I, I always wake up and I'm wondering, is there gonna be something relevant to talk about in Health It? Because I, I'm, I'm now up to like 140 shows on the Today Show and I'm thinking, oh my gosh, every day I have to do one of these. Is there, is there gonna be a day where I get up and like, there's nothing to talk about.

Right? And that doesn't, I haven't had that problem yet. I think we aspire to that day. the day when everything is quiet and then you can get on and say. Everything was quiet today. It's a short show. Yeah, it's a short show. I don't, I don't think that's coming anytime soon, buddy. Yeah, I don't, I don't think it is either.

Well, let's get to the news. Well, before we get to the news, let's get to a major announcement in the industry. Frank Nydam moves over to Tausight. Frank has been a, he's been on the show. He's been a huge proponent of the show and I really appreciate him moving to Tausight. That's a big deal. I mean, he was Frank from VMware for all those years.

He's a great friend. We spent a lot of time together at CHIME. Through CHIME, but you know, other than that too, yeah, it's really interesting when somebody has been at a place that long that their personal branding winds up really being intertwined with the company branding. Because when you think of VMware, you think of Frank and vice versa.

So I mean, congratulations to him. I think it's an awesome transition and I'm sure he will do amazing stuff because that's just how Frank is. Yeah, and if people are listening to this, they probably have the same question in the back of their head, which is what is Tausight. And don't worry, Frank and I have already been talking about the organization.

Really interesting. We'll have their founder on the show. We'll talk about the technology and give everybody an update on it. But, uh, again, congratulations to Frank on making that move. Where, gosh, where do you wanna start? Do you wanna start with cybersecurity or is that too, uh, too easy for you?

I mean, you've done, I dunno if it's easy for me. How many calls today have you done where all you've done is talk about cybersecurity? For sure. So I did a, let's see, I've done a, uh, customer call, a client site presentation. I did an in-house presentation to our team. I did a, uh, webinar with, I don't know if I can say who.

I'll say who. I did a webinar with Netskope and Sirius. And then I did a webinar with Citrix and now I'm here with you. So I'm surprised my voice is holding out. But it's really been one of those days and it's just, I mean, it's the reality of the world we live in right now. There's a lot to be talked about and worked on when it comes to cybersecurity.

There, there is. So here's what we're gonna do. We're not gonna start with cybersecurity. Okay. We're gonna get to it because there's, there's a couple stories in here, but let's, let's start with the one that I'm, I'm really curious about Louisiana. Million Epic EHR implementation by seeking affiliation. The organization looked at it and said, million to implement Epic.

We can't do it. It's a 65 bed hospital. It's Woman's Hospital out of Baton Rouge, Louisiana. And they had the same kind of conversations I think that happen in a lot of these smaller health systems, which is like, look, $200 million is just way too much money. We've gotta do something. So they're gonna do an affiliation.

My guess is it's gonna be Community Connect, but I dunno. But you know, as I see this, I'm surprised this doesn't happen more often at this point. I mean, do you think this is gonna be a trend moving forward? I don't know that it's not a trend kind of already. I think there are a lot of organizations who have gone through the process of the due diligence of deciding on a new electronic health record and decide that the functionality that they might want, for example, is

Epic. And then they start to look at the, okay, am I gonna host it? Am I gonna remote host it, or am I going to try to take advantage of somebody else's Epic installation? And then there are a lot of big organizations across the country now who have big Community Connect installations, and they have, but they have a lot of happy customers.

I think the hard part for those organizations is the conversion from, I'm running my own Epic EHR, and my effort as a help desk organization is best effort, to signing up Community Connect sites and then realizing that they put themselves in a position to be a vendor and they have to have SLAs and they have to be able to do all the things like, you know,

manage order sets and a lot of other governance things that go with these Community Connect arrangements. So I don't know that it's a, I mean, it's definitely not a new thing, but I think more and more organizations are going to add that to their list of things that they consider when they're looking at new EHRs.

Well, let's talk about what can go wrong here, specifically around this Epic EHR because, uh, there are very high profile ones that have failed. The, uh, Hoag Hospital out of Newport Beach had an Epic implementation, a Community Connect implementation, with Providence. And that one has failed in the headlines.

And, uh, Hoag is now essentially walking away and doing, now you're talking a hospital that's actually a system, a three hospital system. Mm-hmm, yeah. With a lot of partners in that marketplace. It's also one of the wealthiest places in the country. I mean, people from all over, uh, Southern California go to Hoag to have their babies because all the rooms have a view of the Pacific Ocean.

Yes, and no better place to have a baby than Hoag Hospital is what I've heard, having lived there. So they have phenomenal payer mix, phenomenal philanthropy as well. They went in that direction because they were on a, I have to remember what they were on. My gosh. But it was a half implemented system and they decided, you know what, we're gonna go in the Epic direction.

And because the partnership with, uh, St. Joe's in Southern California had gone through, they decided to have a conversation with Providence, and they said, yeah, we're gonna go in this direction. But the things that can go wrong are that conversation, that word you just used, which is governance.

Because you're a renter in that situation. There's a landlord and you're not the landlord, and there's this whole governance aspect that goes into this that sometimes doesn't work out the way you think it should. Like, we should have more say in the order sets, or we don't like the way you practice medicine.

I mean, those kinds of conversations happen when you do an internal implementation. We have doctors sitting across from each other saying, where'd you get your degree? Right. But now you're having those across systems and it becomes really hard to keep those together, doesn't it? Yeah.

It's, I mean, there's a, certainly, it is logically easier to go down the Community Connect path. There's a lot of gotchas in the Community Connect path. And I would definitely encourage, there are plenty of consulting firms who do really good work now around helping, uh, organizations who are going down the Community Connect path think through and negotiate

all these kinds of terms and conditions around how this is gonna work and what the SLAs are gonna be and what the governance processes are, and how they get to participate. So I would say you can certainly go it on your own and try to do that, but sometimes a lot of things get left out of the contract that way.

When you find somebody who's done it, uh, dozens of times, they're gonna light you up on a bunch of stuff that you may not think of on your own. Yeah. So get some help. It's just the right thing to do. But on the flip side, if you're the smaller system, you're just looking at it going, look, this is a bridge too far, $200 million for this.

We need a new ERP system as well. We need cybersecurity, which has all of a sudden jumped up in cost of what we're gonna need. And they're just looking at it going, uh, look, 200 bed hospital, we don't generate enough revenue to pay for the IT infrastructure anymore. Yeah. And make no mistake, an Epic implementation and some of the other things we're talking about, these are expensive upgrades.

And my guess is if we walked into Woman's Hospital today, we would look at the EHR system and it would be pretty antiquated for them to be considering the 200 million. So there is a benefit. You just have to walk through it correctly and eyes wide open, negotiate correctly, make sure that your voice is gonna be heard at the table, and all those kinds of things.

Yeah, I mean, make sure that you're covered. This sort of changes everything, right? Instead of a bunch of capital investments to buy infrastructure to be able to run this stuff on your own, you're making a conversion, even if it's not in actual dollars. If this is the first time you're doing it, you're making a conversion to opex, you're probably gonna pay, you're gonna start paying

subscription kinds of fees for Epic Community Connect. You may pay for, ultimately, Lawson if you're buying other, I mean, this is the way of the world right now. It feels like where we're headed is a lot of as-a-service kinds of things, especially for smaller and mid-size organizations who wanna plug in and have EHR electricity come out or have cybersecurity electricity come out.

They just wanna pay for it. They wanna know they're covered. They want to know they have good service, and they realize that it's really hard in small town Louisiana to buy that stuff, install it, hire a team, train them, keep them there, not lose them, always have open positions in all of these areas. So we see a big move, uh, for those organizations toward as-a-service

kinds of capabilities. Yeah. And we used to always talk about it as a utility to our organization, and they got it. They're like, every time you plug into an outlet, you expect power to come through that outlet. And I don't run my own watermill or my own wind turbine. I'm buying it from a utility. And that's what they're looking for.

Yeah. At another time, we could have the conversation around moving from capital to, because.

I was at, and we have a lot of conversations because at the point you're making that transition, you have to reorient the CFO around that.

It has a multi-year impact too, right? So things like when and how do we float bonds and what do we say in those bond issuances, right? It changes a lot of the CFO's world. And so you really have to, in the spirit of collaboration, you gotta get everybody on board, or maybe it doesn't work the way that you think.

We'll get back to our show in just one moment. Every day you're using your skills to help end substance use disorders within your community. The Health Resources and Services Administration is here to help you with the new STAR LRP program, which is the Substance Use Disorder Treatment and Recovery Loan Repayment Program.

Pay off your school loan with up to $250,000 from the STAR LRP in exchange for six years of full-time service at an approved facility. Behavioral health clinicians, paraprofessionals, clinical support staff, and many others trained in substance use disorder treatment are encouraged to apply. Applications are open until Thursday, July 22nd, 2021 at 7:30 PM Eastern Time, which is right around the corner.

To learn more and apply to join the STAR LRP, you can use the link in our show notes or visit b To learn more. That's BHW as in behavioral health Now back to our show. Yeah, so lemme give you the next story. So Lee Milligan sent this to me early last week, I think. He said this is huge.

I looked at the title and I thought, I can't believe he thinks this is huge. And then I read the story and I thought, this is huge. Dollar General hires a Chief Medical Officer to boost healthcare items in the stores. It's as simple as it sounds. They hired a CMO and the CMO came from McKinsey, I believe.

Yeah. Came.

Is they're, you know, taking out some things in the aisles and they are actually putting in refrigerators, some local produce, some better produce, and those kinds of things. They're just selling healthier options to that community. But I think the thing that makes this powerful, much more so than a Walmart or CVS announcement, is the location of these stores, right?

There's 400 stores around Orlando. 30 of them. Sure. And they are, you're driving, you see a combine or an orange field to the left, and then all of a sudden you come across small town America. Right. And there's the Dollar General right in the middle there. And it really is, Hey, do I get my groceries from the gas station or do I get it from Dollar General?

Sure. I mean, it's almost that kind of trade-off. Sure. I mean, especially, you know, there are places that are in food deserts like that where there isn't a grocery store and literally driving to a grocery store is a multi-hour trip in many of those communities. It takes me two hours to get to the city that has a

grocery store with fresh food. And so people don't do that. They make the other decision, which is go to a fast food restaurant, buy processed food, and all of those things lead to heart disease and obesity and all of that stuff. So I mean, I'm with Lee. This is a big deal. This is a big announcement, and I think that if they do it right, it could really change.

It could change eating options, which also ultimately impacts long-term health for those communities. So they also did some stuff during the pandemic. They did COVID testing at the Dollar General stores. One of the things we know is that vaccination rates are low in the population that would be around these locations.

Let's say, uh, a large, let's say you're Orlando Health, right? You're surrounded by a rural population. I know people might not understand the geography, but, uh, around Orlando, on either side is just rural for about an hour or two in every direction, north, south, east, and west. Uh, until you get to Tampa, until you get to the Space Coast, and until you really get to Lauderdale, Miami, literally have two hours surrounded by.

Are you thinking, Hey, this is a good potential partnership, and now I finally have somebody to

talk to. Yeah, I think that's a great, I mean, that's definitely how I would be thinking, having outposts in these areas, maybe set up, talking to that CMO about what are our telemedicine options or something that we could do so that we could see people with really minor things, write prescriptions, do this stuff to sort of take care of them, but if there's something more complicated, we want 'em referred to our hospital.

So the devil's in the details there. There's a lot of stuff that could come from this, but I would definitely be looking at those Dollar General stores as potential outposts to expand the reach of my health system. 17,000, 17,400 stores. It's amazing. When I saw the number and then you start to see them, there's some things online you can go look at too, and it shows you like where they are.

And it is pretty incredible. You don't really think about how they cover that rural segment of our population, but they really do cover a lot of rural territory. Yeah, so the fresh produce is in 1300 stores that will expand this year to 10,000 of those stores. So obviously they've negotiated the supply chain and they've got that all worked out.

It's really, really interesting to me. And they're growing their number of stores as well. This is, by the way, a very profitable organization in and of itself, selling what they sell at a Dollar General store because, you know, rates that are, I think I saw it in this story and the numbers sort of took me aback.

They had their discounts versus like a CVS or other, but it was like 20% lower. Dollar General is stealing market share. Dollar General prices tend to be 40% cheaper than drug stores, 20% cheaper than grocery stores and in line with mass market retailers. Wow. Right. That's impressive. And look, I'll tell you, like your Dollar General store, and you don't think much about that.

I mean, because it's in rural communities, you might think, oh, well it's a Dollar General store. It's not that sophisticated. But look, if you're pulling that off, there's got to be some pretty sophisticated analytics behind, uh, what you're buying, how much you can buy, how do you move it to all of those locations and get it on shelves so that you can buy it at a price that you can sell it at a lower price.

I mean, there's a lot of math here, right? There's a lot of abacus work going into figuring out how to make this work. Yeah, I mean, to get those kinds of margins, to get that kind of discount or whatnot, let's not underestimate that. I mean, you're talking, uh, these stores are negotiating on pennies and the volumes they're talking about.

They're competing with stores that have really big volumes as well. So their buyers, their supply chain is really well thought out. It's also about figuring out the stuff that actually will sell in those stores and not accidentally blowing a bunch of cash buying stuff that nobody wants to buy in those stores.

So, yeah. Right, right. You ready to talk about cybersecurity again? Sure. Let's do it. I know you did all day. Let's see. So there are two stories here and I thought both were interesting and I wanted to talk to you about 'em. One was a deputy CISO for ExtraHop in Seattle. Jeff Costlow gives some things to consider if you're gonna go talk to your board, if a CISO's gonna talk to their board about cybersecurity.

The other is why healthcare keeps falling prey to ransomware and other cyber attacks. Which one do you wanna tackle first? Um, let's start with Jeff Costlow. ExtraHop is a company based here in Seattle. I may have been the first healthcare customer for ExtraHop back in, I don't know, 2008 or 2009 when they rode in and saved my bacon with their network detection and response, uh, capabilities.

And, uh, they were a customer when I was an independent consultant, and I really liked them. And I don't know Jeff, but I mean, I'm reading this article, like all those things ring true. He did a really good job. Yeah. And so he's speaking at HIMSS. This is from Healthcare IT News, which right now is just the HIMSS megaphone.

Exactly. So he's speaking at HIMSS. So they're setting it up. This is the topic of the conversation he's going to be talking about. If you're a CISO getting ready to go in and talk to the board, what are some things that you're going to do? He prefaces this. I'm gonna go straight to the, what do you do in the conversation, but he does have some interesting things in terms of setting up your framework and whatnot.

Alright, so you're getting ready to go in and talk to your board and you're the CISO. He says, number one, know your audience. That's absolutely true. Not all boards are made the same. Uh, I know our board really only had one technology person per se on it. And that technology person was incredibly savvy and was like the spokesperson for the entire board.

But it didn't mean that we didn't have to really be very clear and very basic about some of the things we were doing. We couldn't just speak to that one person on the board because

security, we had to bring everyone along. We couldn't just speak to that one person. And actually he was phenomenal because he helped to bring the rest of the board along as well. So you'd have to know that audience. Have you seen, I assume most boards today have somebody who understands cybersecurity? I think so. If they don't have somebody on the board, they probably have somebody on one of the subcommittees of the board, like audit and compliance.

And so somewhere in there, there is an external resource, uh, that understands cybersecurity. And you're right. I mean, I think cybersecurity for so many years led with fear, uncertainty, and doubt, scaring people into buying stuff for cybersecurity because, oh my gosh, what will happen to us if we don't? And I think the transition that has occurred, he talks about leading with resilience and managing fear, is that, yeah, of course you're gonna be afraid of what might happen.

Nobody wants to be in the newspaper. Nobody wants to be the person with a microphone shoved in their face. But really the story has to be now, I think. And based on what he's saying, I think he thinks that we've created the situation in healthcare now where you can't provide modern healthcare without digital health, without the tools that we have.

EHRs and ERPs and the thousand other applications that many of us run, which run on, have to run on relatively modern networks and are connected to the internet because we're doing a bunch of this stuff, as we talked about earlier, as a service. And when you get all of that put together, you have to be really thoughtful about what happens if we go down, what happens if we go offline?

And so you have to talk about it and think about it from the perspective of resilience. If we're down for one day, what does it cost us? If we're down for 30 days, what does it cost us? And what are the things we can do to make sure that if something happens that we go offline, we can come back as quickly as possible to deliver great care to our patients and families, because that's what they're all about.

I think the only thing this article doesn't address from where I sit is, I found that one of the mistakes people make when they go to a board is they take a posture of telling. And the board is really a collaborative group. They're on your side, they're inside, and they will help you to think through things.

So we talked about risk. We educated them on risk, we educated them on the gaps, and he has both of those things in here. You talked about the risks, you talked about the gaps, and then we talked to them about the cost of filling those gaps. We talked about the complexity of filling those. Through the conversation, they helped us to really determine what's the most important risk to the organization.

And they would a lot of times help us to understand, oh, okay, we thought this was the biggest risk. And they would say, no, no, this is much more of a risk for us because of this, this, and this. Because they, quite frankly, even as the CIO and CISO, the organization sometimes. Because they're sitting in the entire board meeting and they're going, oh look, no.

Our next five year strategy is based on this being right, and you have to make sure that this gets protected because that's the future of the organization. And we're focused on the, you know, a hundred year old hospital and making sure that all that runs fine and they're going no gap.

If I were coaching somebody, and I have coached CIOs on this, you have to understand there's a certain presentation you give to the board where you are telling, and then there are other presentations to the board where they're a collaborative partner and you walk in there with, Hey, here's, let's.

I'm gonna tee these things up and I wanna have a conversation with you around it. Oh, I like that. I mean, I think that's great advice and guidance, right? Like you said, they're worried about the hospital and they're on the board and they wanna make sure that that hospital that's been around for a hundred years survives.

But they also sit out in the community, and so they have a different perspective on what kind of a cornerstone that organization is for the community. So they think about the hospital in a different way. And it really is a great opportunity to get that perspective from people who don't work in the organization.

'cause we have a tendency to think a lot about compliance and are we gonna meet all the rules and all those things. They just have a different view of the world and it's a very valuable view. So Drex, one of the things is advocate for resources. And I call that closing the sale, asking for the sale.

And there are times where you're there and you're just like, look, we need money. We need this. But I'm often reminded of my data team, my data interoperability team. Every year they'd come to me and say, I need 15 more people. And it got to be a joke in my head. I'm like, I know they're gonna submit their budget.

They're gonna ask for 15 more people. And cybersecurity can almost get the same rep, right? Every time you go into the board, you're like, we need another 5 million. We need another 3 million. We need another 2 million. What's the best way to sort of tee this up and to ask for resources or to ask for the sale of, Hey, we need to fund this.

We need more money around this. Yeah. Well, I mean, I think your coaching earlier to CIOs and to boards makes a lot of sense here and has a great tie-in. And that is, what is the risk tolerance of the organization and what are they willing to accept and what are they not willing to accept? And then mapping your requirements to that and making sure that you have a good tie.

You said you wanted to do this. This is what you were really clear were the priorities then this is what we think. We need to be able to do that. And we know that because, and this is the other part of the job that we all have as healthcare executives, and that is making sure that we're doing the best we can and showing every day that we're doing the best we can to be good stewards of the dollars that were given.

So if you can find different ways to allocate dollars that we've been given for one thing, but we found a less expensive way to do that thing with another vendor or with another product, that we do that and we talk about it, and then we show how we've transitioned those unspent dollars to fill other gaps that the board has set, is important.

So this mapping to gaps is incredibly important. And then just showing that you're a good steward every day builds a lot of trust for those healthcare executives that do that. Uh, his last item here is build a roadmap to success. Do you find it's important to have, I don't know, is it a three-year roadmap?

Because one of the things I'm saying to my clients right now is cybersecurity is front and center. You could probably get more money this year than you're gonna be able to get in future years just because of what has happened in some of the health systems that have been pretty public. And because of the nature, right?

It takes 'em down for 30 days or more, right? And they're in a state of loss, so you're probably gonna be able to get money. And that's one aspect. And then the second aspect I'm talking to 'em about is that you already had probably two or three years of cybersecurity plans that you probably need to shrink up because you have an opportunity here to fill some gaps.

Threat is really high.

What's happened? We'll get into the story some.

Do you find that having that roadmap to filling those is important and having a timeline on it?

I think timelines are important from the perspective that they actually cause you to do work in a particular period of time, but when you don't know if you're gonna get money, what you need to create is a strong program, a strong priority list, right? And prove again and again and again that you can execute on it.

And then it's actually closing gaps, and it's actually removing risk and making the organization more secure. And if you can do that again and again and again, then they start to build trust in this roadmap that you create. And whatever the dollars are that you're gonna get this year, you can go through that list and draw a line and say, we're gonna do all the things above the line really, really well.

And here's the gaps that remain for the things on the roadmap that are below the line. And we're all clear here: you're accepting that risk, right? And then you execute the daylights outta the stuff above the line. And when it comes to the next thing on the list, you ask for more money, you ask for more resources, you prove that you've been a good steward, and you're likely to be able to continue with that program development.

So, all right, let's hit the next story. So, why healthcare keeps falling prey to ransomware and other cyberattacks. And what is it? 1, 2, 3... six, six items really? First one being electronic health records attacks and the expanding attack surface. I would say the electronic health record is a part of the expanding attack surface, right? We've talked about this before. The attack surface is pretty significant at this point. I mean, you have biomed devices, you have digital health strategies, you have hospital-at-home strategies.

Now coming into play, you have patient-generated data. The attack surface has gotten pretty broad at this point. Sure, and you have third-party risk management programs, all this as-a-service work that's going on. We went through the pandemic and we did a lot of other things too, right? On Tuesday, nobody could work from home, and on Thursday we sent 6,000 people to work from home.

Right? Telehealth blew up. We added medical equipment, and maybe didn't close all the processes that we usually have for adding medical equipment during the pandemic. We brought in a ton of travelers, and maybe we didn't train them as well as we should have trained them. So the threat surface definitely has grown and continued to grow.

And I think part of the work now is going back and fixing the things that maybe we took a little bit of a shortcut on during the pandemic. And I think there's ways to do that, if you do it well, to actually get back to a place where you're better than you were before the start of the pandemic.

So early on there was an easing of restrictions from the regulatory bodies around certain aspects of the technology, really around telehealth, right? They were saying, hey, we're gonna relax some of these guidelines and whatnot. Have we gotten to the point now, from a safety standpoint, that those things really should fall back, or have they already fallen back? That it's, hey, look, all these guidelines are back in place and we need to shore up.

Cybersecurity has now become more of a priority. Sure, with telehealth.

Around COVID-19, I would assume all those security things are now front and center. A lot of the security relaxation, it's not really security relaxation, it was really a lot of privacy relaxation around using things like Zoom or other tools to do telehealth, right? And a lot of that was just the realization at the time.

Again, everybody was: we gotta take care of patients and families. Yes. And we can't bring them all to the building, safety first. So how are we gonna do that? And they relaxed a bunch of rules to let organizations be able to do that. Now, I think what happened in the meantime is that organizations may have opened up and used a bunch of those tools for telehealth, but as they got to the point of sort of realizing, like.

We're gonna do more telehealth than we ever did before, and this looks like a thing that's probably gonna stick around. Maybe not at the level that it was at the height of the pandemic, but this is a new way for us to deliver care, and that's just how it's gonna be. That, I think, they on their own have continued to sort of say, we're gonna stop using this.

We're gonna start using this. We're gonna consolidate tools, because they turned a whole bunch of stuff on, just like they did in all the other areas during the pandemic, and now they're starting to go back and reconcile their decisions, and that's some of what's going on now. One of the things that really still torques me off a little bit is being able to practice medicine across state lines.

And there are states now who are pulling those rules back, but for a while there they kind of said, we're not gonna enforce those rules if you're doing telehealth visits. There were some exceptions that were created in the regulations that would allow doctors to practice medicine across state lines.

Some of those are being pulled back now, and there's a big movement that has been going on for a while that just says, why can't, if they're doing telehealth visits, why can't doctors just have a 50-state license to be able to do that kind of care? I'm with you. I asked the question of Dr. Joseph Kvedar?

Yeah. Who's with the American Telemedicine Association, and he said he supports the states' limitations on practicing.

I figured it would've been him saying this needs to go, this is from a day gone by, and he didn't. And so, I've since talked to some doctors and they do support it. They support it for, and I'm not sure I fully understand it, except there are some risks that came up prior to having those things in place. And you and I are both not physicians, so I'll save that for another conversation. Thanks.

Sounds good. I mean, Dr. Joe, I've heard him speak in many different forums, and he's a logical guy. I'm sure that he has reasons for that. Logical guy, head of the ATA and Harvard professor. I'm thinking he's thought through it a little bit, so I'm thinking he spent some time thinking about this.

But let me ask you this, this is right in your wheelhouse. Unpatched systems and legacy devices. Devices, it's hard to do anything about. You need money to take care of that. I mean, you can section 'em off and whatnot. Unpatched systems, though, I wanna talk about. This just feels to me like it's laziness around process.

Everything that has an IP address needs to be patched at some interval, some given time. And so anytime we put a new device in, we had a process that was added to our normal IT operations to make sure that we were checking and patching all those systems. That was like blocking and tackling 101.

And I felt like we did that pretty well. And that was back in, you know, 20.

Why we're not ahead of this yet. I know. Yeah. I mean, how many times have you seen me say or post when a new vulnerability is issued? Patch your junk. Patch your junk. Patch your junk. But realistically, I also understand that sometimes, even if you have a really good process, there are reasons that you can't patch things, and there's reasons that you can't patch things really quickly, and that is because you need to take it through some kind of a testing process, right?

So you get the patch on, you know, Tuesday, and it might take you, depending on how many people you have working in the QA section, it might take you a week or more to get through some sort of a testing process to make sure that you don't break some clinical workflow because you decided to patch a system.

And I don't mean medical equipment. I just mean something that is in the clinic that is a PC that runs a particular application that's unique to that clinic, which ties to the legacy conversation, right? Right. Because the application that runs on that PC in that clinic might also be some really old thing that doesn't like security patches on the operating system, that you really have to consider. Do we upgrade that? Do we replace it? Do we, you know, do something else? And so when you can't patch systems, you have to think of something else, which is your compensating control. You're gonna firewall that thing off and protect it in some other way.

But it's complicated. I mean, I know it sounds easy. I say patch your junk, but it's not as easy as you think. Well, there's also an architecture conversation to have here. We all know dev, test, prod is the way to go, but when you get into the practical conversations around, all right, we're buying a new EHR system, we need a test environment and a production environment, that costs money.

It takes time to set that up. It takes time to keep that synced up so that you have essentially the same environment in test as what's going on in the production environment. And so there's a whole workflow that needs to go around that in order to do that effectively. And that's where I sit back and I go, yeah, there's a cost of doing it right.

I was at a large health system. We had a fairly sizable budget. We still couldn't do everything right. We rarely had a dev environment. We had test and prod, but not with all of our systems. Not with all of your systems, only certain systems. I was gonna say only key systems, but that wasn't true either.

I definitely can relate. Yeah. You would love to say that it was the top 10 key systems that you had test environments for that were mirrored up with your operating systems. We did not have a test system for our PACS system. Yeah. It was just too costly. But we did for our EHR system.

Anyway. Hey, next thing on here. I laugh. Flat networks, we've talked about this. I used to be a zealot for flat networks, 'cause it simplified everything. It's simple. And then you security people came in and said, what are you doing? And I'm like, oh yeah, this is bad. Flat networks are bad.

Why are flat networks bad? Well, flat networks are bad. I mean, look, flat networks are good and bad, right? Flat networks are great if what you're trying to do is keep the environment really, really simple. It makes sure that everything can connect to everything else on that network without trying to traverse some kind of a firewall or doing something weird.

Makes it really easy to troubleshoot, does all kinds of other good stuff. But all the good stuff that it does is also really good stuff for bad guys. So once I've compromised, once I have credentials and I've compromised an account, or I'm in your AD or I'm somewhere else, then once I move laterally, I realize pretty quickly as a bad guy, like, oh yeah, it's a flat network.

I can get to everything. And those keys, those accounts are really valuable on the black market, because if you can tell others, I can sell you access to a network that has this many nodes on the network and it's flat, and you don't have to fight, and you don't have to go around worrying about ringing alarm bells, those become really, really valuable.

So there's also the opposite end of this too. Of course you wanna segment your network, you wanna do some of that kind of work, but you can overdo it, right? It makes everybody crazy trying to run things on that network. So it's about finding balance and not just having a big flat network.

Yeah. Yeah. So, third-party security risk. You touched on that earlier. Uptime concerns and prioritizing security. I would think that every health system in the country is prioritizing security. If you're having trouble with that, I've done, I don't know, about 12 shows in the last two months. Just take any one. Carl West and I talking about the Sky Lakes Medical Center is one. I just talked to Vic Naji last week. He did great.

Yeah, he's doing some interesting stuff on helping organizations to think through the recovery, and he brought some stuff up that I had not thought about: the time on your network. Sometimes these people have been on your network for a month or two months. And so your backup systems, they'll just infiltrate until your backup systems are essentially compromised.

And so when you go to restore, they're right back in. Yeah. And I'm like, they're really smart. I mean, this idea of, we think about this, I think, in a very linear way, right? The hacker who somehow compromises credentials and gets into my network, then immediately fires off ransomware and causes chaos.

But realistically, there's a whole economy built around this. So there's a bunch of bad guys, to simplify it, kind of. There's a bunch of bad guys who really specialize in compromising the credentials to be able to get into the network, and once they have that, they go to the black market and they auction that piece off.

The buyer of that comes to that network, and they are really, really good at very carefully scoping out your network and not setting off any alarms, figuring out where all the crown jewels are, and then they back out and they sell those credentials with all of that intel on the black market to another group of bad guys who come in and go, okay, now that we have all this, let's exfiltrate some data.

From those crown jewels, so that we know that we've got them, because the double extortion thing is real, right? We're gonna ask you for ransomware. If you don't pay it, we're gonna release a bunch of data and you're gonna pay for it in a different way. So the double extortion thing is real, and then they may actually take some of that information and sell it again on the black market to people who specialize in blowing up ransomware and doing the negotiation.

And so you think of this as kind of like one bad guy who has all these skills, but it really is sort of like a conglomeration of, a mafia of cybersecurity criminals who kind of figure out how they divide and conquer, how they've specialized their skills so that the thing they do really well benefits everybody who's involved in the process.

Wow. You're starting to, I remember that when my internal auditor used to bring their cybersecurity people in, I used to go home and I'd look over my shoulder and I'd be worried. I'd hug my dog and cry, oh my gosh, this is so hard. I mean, everybody and their brother wants all the stuff that's behind my firewall.

And it just felt like they're really well funded. They're really smart. And you think, well, these are people in a garage. They might be people in a garage, but they're really well educated and they really understand how these systems work. And now what you're telling me is essentially they're connected.

There's a whole connected, I mean, they're connected economically, but they're also connected by specialty. It's, I'm gonna do my specialty and hand it off to you. You're gonna do your specialty and hand it off to the next person, right? And in the end, I mean, there may be no money that's exchanged for these deals, for selling credentials, selling crown jewel information, all of that.

That may all be, we all wanna make sure that we're connected to the guy or the lady who is really good at setting off ransomware and then collecting, right? Because we may not get paid until we get a cut of that final deal. That may be the relationship that you've built. So it's crazy, man. It's amazing and scary and, not to scare folks.

I mean, that's the reality of the world. That's the world we live in. I mean, you could bury your head in the sand, and that used to be a strategy. I remember talking to somebody and they're like, look, my... No, anonymity is not a strategy and head in the sand is not a strategy. I don't think it's a thing you can do anymore, because look, healthcare is critical infrastructure, and just like pipelines and just like meat packing plants, and you go right down the line.

Healthcare is critical infrastructure, and if we're indeed, perhaps, collateral damage in some kind of proxy war that's going on right now, it's not about you. It's about a lot of organizations like us and how taking us down could affect the critical infrastructure of the country. So don't think about this so personally or so organization-centric, right? You may be one in the domino chain of the thing that the bad guys are really trying to create, a cause, or get to. Yeah. The story I tell people, do not take it personally, is the same exact email that went to Sky Lakes went to St. Lawrence Health System in New York.

It's like they didn't distinguish by state. It's not red state, blue state. It's not large health systems, small systems. They just shot that email out to a bunch of health systems. The ones who clicked on it, they said, all right, these are the ones we're gonna go to work on. That's why they call it phishing.

Yep. Yeah, just throw your nets out there. Well, Drex, I always love talking to you. I mean, I'm a little scared. I'm gonna go hug my kids and my wife when I leave here. But I really appreciate you coming on the show, and again, another great conversation. Thanks a lot. It's my pleasure.

I always enjoy being on, and take care, everyone. I'll catch you all again soon. What a great discussion. If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note. Perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show.

It's conference-level value every week. They can subscribe on our website, This Week Health, or they can go wherever you listen to podcasts: Apple, Google, Overcast, which is what I use, Spotify, Stitcher, you name it. We're out there. They can find us. Go ahead, subscribe today. Send a note to someone and have them subscribe as well.

We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hillrom, Starbridge Advisors, Aruba and McAfee. Thanks for listening. That's all for now.



© Copyright 2024 Health Lyrics All rights reserved