August 29, 2022: Ryan Witt, Industries Solutions and Strategy Leader at Proofpoint, joins Bill for the news. IBM reports that cybersecurity attacks cost healthcare systems more than any other sector. At $10.1 million per breach, that’s a 42% increase from 2020. North Korean hackers are taking aim at health care with Maui ransomware. What do federal agencies know about these malicious attacks and what are the reasons behind them? The HIMSS 2022 Future of Healthcare Report shows that payers and providers look at Big Tech differently and half of physicians and nurses don’t think their orgs are headed in the right direction. And American Airlines announced that it’s buying 20 Overture aircraft from Boom, with the option to purchase an additional 40 planes if all goes well. That’s pretty amazing support for a startup that has yet to build a working passenger jet.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
Even though the attacks are still very, very prevalent and hugely problematic I'm probably more encouraged now than I ever have been in terms of healthcare bridging some of that gap. One is it appears to genuinely now be a board level issue. Secondly, we're seeing many more examples where there's a direct correlation towards a cyber event and an adverse sort of patient outcome. And almost nothing will focus the boards more than them seeing a need for cybersecurity as a core component of their overall mission.
It's Newsday. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. Special thanks to CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst who are our Newsday show sponsors for investing in our mission to develop the next generation of health leaders.
All right. It's Newsday. So you're with Proofpoint. We talked. Generally, I save up some cybersecurity stories to talk to you about, and we're gonna do that today.
And we have some other things that are going on. We're gonna end this with... I find that we are kindred spirits in some of this stuff. And we're gonna talk about this Engadget story that I saw this morning, that American Airlines has agreed to buy 20 supersonic jets. And we'll go there.
It sounds like you and I have a lot in common cuz we follow the SpaceX and this kind of stuff. So we'll close up with that. Okay. Let's start with cybersecurity attacks cost healthcare systems more than any other sector. This number's actually going up, which is kind of surprising to me because the number was already higher than any other industry. Why would it be going up?
I think there's a couple reasons it's going up, and this is an interesting story and not a good one for healthcare really, but Ponemon initially, now IBM, I think, has taken the mantle up on this one, where they kind of do a pretty deep dive analysis on the cost to recover from a breach in various industries.
And they've been measuring this out for the best part of 10 years. And as you kind of pointed out, healthcare has always been the top of that stack in terms of the most cost to recover from a breach, or highest amount of cost to recover from a breach. And at times it ebbs and flows, and at times it gets a little bit closer, healthcare in terms of their overall cost versus other industries. But right now, and as has always been the case, healthcare does lead that sort of category, and it's the kind of category you don't wanna be leading in, of course.
It's because we have ransomware attacks now that are actually shutting the place down, as opposed to just breaching data.
I don't know that that's wholly unique to healthcare, ransomware appearing all over the place, right? I think the couple things that are really different about healthcare: one is, and this is kind of like one of those inconvenient truths, healthcare's just behind in its adoption of technology to go stop the bad actors.
Right. There's a real reason why a bank can detect a suspicious charge on your credit card within moments, right? And they're immediately texting you saying, "Hey, did you make this charge?" It's not cuz the banks are more clever than hospitals, it's because they have the technology in place to go detect that sort of activity.
And then the automation sort of kicks in. Healthcare could do exactly the same and I'm sure will eventually do the same, but they just don't have that investment in place today. That's number one. Number two, there are some unique aspects to healthcare about the value of that data, the longevity of that data, the stickiness of that data that separates it from other industries and therefore makes that data far more attractive to threat actors than, say, credit card.
Yeah, well, I mean, one of the things they cite here is that hospitals typically have to pay $250,000 to $500,000 to recover access to their technology after a ransomware attack. And I'm wondering if there's an aspect that's the complexity, right? So 16 hospitals, when I say some of these numbers to people in other industries, they sort of just, they cringe, but 1900 applications.
It's not like... in 1900 applications, the number of integration points and that kind of thing that's there as well is pretty significant. And so if we do have to restore anything, rebuild anything and that kind of stuff, there's an awful lot that goes into that. Plus there's a testing aspect of it as well.
If our data center just had a power blip and the whole thing went down and we brought it back up, we had to do the better part of two to three hours of testing on the EHR before we could release it back into product. So there's a, I think there's a complexity aspect to it as.
I think there is, but I'm just not sure that's totally unique to healthcare. I mean, some of those banking apps, just if you wanna use banking as a comparison, there's the same level of sophistication in their technologies and their systems, the robustness of their testing, the safeguards they have in place. I don't know that it's too different. Although I think the banks are much more well funded, right? And from a technology standpoint, from an automation standpoint, from an AI standpoint, from a resource standpoint, I think that plays a huge,
All right. Let's assume your healthcare system had a $3 million budget and I'm gonna give you $1.5 million additional to spend. Where should we be spending it? I'll let you answer the question first. I'll come back and try to answer it for me.
I mean, I guess I'm a technologist. I mean, I am calling you from Silicon Valley. I was born in Silicon Valley. So I do kind of feel like technology is a big part of the solution for many parts of our lives. But with regards to cybersecurity, if I had extra incremental budget to go spend, and knowing what a traditional hospital or healthcare system looks like from their overall expenditure on technology, there's a lot more that can be invested just to play catch-up, to go put healthcare on par with other industries, to make sure they have that same level of layers of security in place. That goes a long way.
I mean, sure, we need people to go run systems. We need to make investments there. We need to make investments in security awareness training, but the more you can embrace technology and utilize technology to keep people away from that decision making process in terms of, like, what is a bad or malicious sort of email or link, the more secure you're going to be. That's the approach that other industries have taken and embraced, really.
I think I agree with you in that if I were given an additional 50% over my budget and said, "Hey, shore us up in some areas," first of all, I would make sure that we have a complete assessment of our environment. I would know, for... we had a one through five rating on each one of about 10 to 12 stacks. So I knew where we were at. So at any given time, if you gave me more money, I could say, all right, this one's going to really move the needle for us. So this is sort of offhanded. I mean, we don't have enough information to make this decision for your health system, but if I were... the area I would want to really shore up is, in the event of an attack, I wanna make sure it doesn't go lateral.
And I wanna make sure that I know quickly that something is happening. And so that whole detect aspect of it, so that we can actually respond very quickly. I would wanna know what's going on, and then I'd also wanna be able to set up the gates to make sure that I could isolate the blast radius, I guess, is the terminology we would use.
I mean, so that they can hit what they're gonna hit, cuz they got in. But they can't go outside of that radius. But like I said, normally at a health system, I would highly recommend having a comprehensive framework that you're looking at, so that at any given point: hey, we are strong in this area.
We're weak in this area. And if I got any additional, knowing exactly where that is to spend. In fact, if I were an auditor and came in and asked that question and you didn't have that, I'd probably scratch my head and say, yeah, that's a gap. Get that together as quickly as you possibly can.
And I wouldn't diminish the need for that level of knowledge, for sure. It was kinda the assumption that some of that would already be in place. At the same time, and again, I don't wanna diminish the need for this, I wouldn't wanna overengineer it, because you can look at a multiple, you can just look at the N sort of framework, do it, just do a quick eyeball examination compared to, like, where are you today versus what this says should be in place.
And you could pretty quickly make some determinations about what needs to happen, right? So yes, I would definitely embrace the community that can go help me build that sort of plan and then go layer in how do I sequence these investments and these sort of layers, these sort of controls.
But I would also make sure I put money towards things that were gonna be stopping lateral movement, reduce the blast area. And I would also be making sure that I'd be making some investments in things that categorically do help. I mean, if you're not using multifactor, for example, I don't need a report to tell me I need multifactor. Right, right. There are certain things that I know I need.
Yep, absolutely. One of the common statements from people is we can protect against most things, but if nation states come after us, that's a different category. Well, one of the stories we're looking at here is essentially that hackers from North Korea are taking aim at healthcare with Maui ransomware. I'm not sure it's a nation state per se, or just people within the confines of North Korea, but they're specifically targeting healthcare.
Some of it could be financially related. Some of it could just be disruption related. What do we know about Maui ransomware at this point? Do we know a lot about it?
Yeah. I mean, I think it's just one of the various malware that are out there. I mean, to a degree, from a cyber security standpoint, do I place a lot of emphasis on this exploit versus other exploits? Not necessarily. I mean, I'm concerned about all ransomware. Maui certainly has appeared and seems to be targeted towards healthcare. We don't necessarily always know why.
I mean, we don't talk to bad actors. We don't know what their motivations are. This one does appear to be nation state oriented. For the most part, when we see nation activities, yes, there's usually kind of two motivations. One is disruption, or two is some sort of exfiltration of IP. So in the early stages of the COVID.
Oh, so this may not be about medical records. This may be about going after IP from health systems.
Correct. Interesting. Interesting. Yeah. I mean, certainly in the early stages of COVID when vaccines were still being developed, we saw a lot of attempts to go pilfer or exfiltrate research data around COVID, around COVID sort of research. I mean, we saw that a lot and it almost always exclusively was coming from nation state actors.
Yeah. So "since May of 2021, the FBI has observed and responded to multiple Maui ransomware incidents at HPH Sector organizations," the federal alert reads. "North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services, including EHRs, diagnostic services, imaging services, intranet services. In some cases, these incidents disrupted the services provided by the targeted HPH Sector organizations for prolonged periods." All right. So we have nation state actors coming after healthcare as well. That's good. That'll help people to sleep at night, but this is what we've been living with for the better part of, I don't know, my gosh, it feels like for the last decade. I was gonna say the last couple years, but it feels like the last decade. Maybe it's ratcheted up some in the last couple of years, but I remember looking at our log files, or somebody giving me a report on our log files, the number of attacks coming into our health system on a minute by minute basis. It was staggering to me. It's like every minute of every day, there's someone trying to get.
Hundred percent. If you permit me a moment of provocation, sure, the more I think about this, the more I reflect about why is healthcare different and what are the challenges in healthcare that distinguish it from almost every other industry?
Yes. We could talk about the things we've already kind of referenced in terms of the value of the data compared to other sort of industry data. But more and more, I point back to the meaningful use era where there's a tremendous amount of grant money available. I think it got up to about 39 billion ultimately got given to US health institutions to go roll out EMR. It feels like way too much of that money went into compliance. I mean, there certainly were checkbox sort of exercises around; you had to demonstrate compliancy to kind of get that money. I mean, there's other things you had to do as well, but I think it was pretty clear that way too much investment went into being compliant with probably, in many cases, the understanding that they weren't gonna be secure.
And so we kind of feel like healthcare tackled the security issue with meaningful use to compliancy. And the reality was we did everything, but we just became us mitigating against our ability to reduce fines a little bit, but just there were gaps within the health system that has exploited ever since long sort of problem.
There's still a lot of work to do there. You and I are gonna continue to talk about this topic. Obviously it's top of mind. We still... I feel a little better based on the conversations I'm having. It feels like the money is coming into the space in healthcare. Hundred percent, 1%.
It feels like it has board level, not everywhere by the way, but it feels like it has board level visibility. But we're also entering a time where health systems are, I don't wanna say struggling financially. They have pretty deep pockets to fall back on, but operationally speaking, they are not experiencing their most flush times.
And one of the things that is common in those times is to push back investments in certain areas. And I just, at this point, acknowledge that there are some areas you can push back your spend on, and there's other areas where you can't. And this is one of those areas where the investment on the attacking side is not gonna go down. So you have to continue to push the needle on that side.
I think I could agree you more. I'm actually more, I mean, even though the attacks are still very, very prevalent and hugely problematic I'm probably more encouraged now than I ever have been in terms of healthcare, bridging some of that gap for a couple reasons.
One is it appears to genuinely now be a board level issue. So it has board level attention, is getting board level resources, budget, focus. Secondly, we're seeing much, much more, or many more examples where there's a direct correlation towards a cyber event and an adverse sort of patient outcome. And almost nothing will focus the boards more than them seeing cybersecurity, a need for cybersecurity, as a core component of their overall mission. So the fact that we're starting to make huge strides in that area really encourages me.
We'll get back to our show in just a moment. I wanted to take this opportunity to invite you to our next webinar, "Challenges and Solutions to Unmanaged Devices in Healthcare." This is where we're gonna take a look at the tools that are integral to keeping patients healthy and what we're doing to secure those tools and find them in some cases. Guests will be leaders from Children's Hospital of Los Angeles, Intermountain. And we're also gonna have representatives from Medigate by Claroty on the call as well. And they're gonna share their experiences in maintaining these devices. And just some of the success stories, some of the challenges that they've had as well.
We're gonna do all that on September 8th at 1:00 PM Eastern time. You could register on our website, thisweekhealth.com. Top right hand corner has our upcoming webinars. Just go ahead and click on that. Love to have you register for that. You could also give us your questions ahead of time.
I can give them to the guests and we can make sure that we talk about that on the webinar. So your topics get addressed. Before the webinar, we're going to be having a briefing campaign, five short episodes on the channel about this important topic of securing your unmanaged devices in the hospital setting. You wanna check those out as well. You can also check out those on thisweekhealth.com. So look forward to having that conversation. Love to have you join us. Now back to our show.
All right, we'll touch on two things in five minutes. Here we go. Payers and providers look at big tech differently. There was a HIMSS study released. We're just gonna look at a very small section of this.
Brian Eastwood wrote an article in Healthcare IT Today: HIMSS has released 2022 Future of Healthcare Report, and survey results suggest that payers and providers look at big tech companies differently. While 40% of health system leaders report high competition with companies such as Apple, Google, Microsoft, and Amazon, the majority of payers see these companies as drivers of innovation over the next five years.
However, the entities do tend to agree that personalized care and care coordination will have a positive outcome on both patient outcomes and clinician job satisfaction. It's interesting because that would resonate with me. Those numbers would resonate with me that healthcare providers look at these players as competitors.
Not Microsoft. I'm not sure Microsoft should fall into that category. Microsoft is an arms dealer. They'll sell to anybody. But Apple, Google and Amazon have each made plays into healthcare that position them either on the outskirts of healthcare or directly inside of healthcare. And a lot of times they're seen as competitors in that healthcare provider space. Whereas I think the tools for the payers, because the payers are getting that first dollar, the tools that they're providing, the tools that Apple provides give them efficiencies, right? If I can have everybody, as a payer, everybody have an Apple Watch and reporting information back to me.
That's gonna help me to be more efficient on their. Google provides a level of analytics, and I'm not sure how many payers are using them, but a level of analytics that I think a lot of, at least, health systems don't have. Payers may have that capability. But I think that the thing that we always have to remember about Google is that aspect of Dr. Google. Most healthcare starts, before they see their primary care physician, on Google. And a lot of it stays on Google. So to the extent that they can identify that stuff early and do early interventions, that's good. And then Amazon clearly seems to be positioning themselves as a competitor to providers and stepping into that space of being a provider. When you hear those stats, I mean, you're right there in the heart of Silicon Valley. What are your thoughts?
I mean, to me, healthcare is again a little bit behind other industries in terms of that whole digital transformation journey. Undoubtedly, whatever industry you wanna focus on, these organizations have kind of flirted with this whole idea of, do we play a role in that industry or do we enable and facilitate digital transformation for that industry?
And most frequently they have clear feet in both camps, right? They have a foot in both of those camps. If I was healthcare, I would do my best to embrace that technology because it's not gonna go away. These organizations are much too large, much too powerful to kind of like thwart them.
So I would try to embrace what they're doing and try to see how I can use that innovation to go give me a competitive advantage or to provide me net new services into the organization, knowing full well that I'm partnering with somebody who is quite likely going to be a competitor from time to time.
Yeah, but that's not too different than almost all walks of life. I mean, you know, that's very kind of common. So if I was healthcare, I would kind of embrace it in the same way that other industries ever have embraced it.
All right. Let's close out. I wanna talk to you about supersonic flight. So American Airlines is purchasing 20 of Boom Supersonic's Overture jets. Man, the picture of this thing is beautiful. I realize it doesn't exist, but the picture of it is really exceptional looking. They are looking to bring back supersonic flight, essentially four hour flight from Seattle to Tokyo.
Same kind of, if not shorter, timelines from the east coast to Europe. And they are looking to address all the challenges that faced supersonic flight. So you've been following this for a while. They not only have the American Airlines, I think they have an order from United as well. So
They order from United as well. Yes. Correct.
So it seems like we could see this coming back in our, I don't know if it's our near future. Actually, it is our near future. Next couple years, they're looking to get this back. What are your thoughts on this?
I guess part of it is, although I am a Silicon Valley, I grew up in Silicon Valley, I spent 20 years in Europe and 20 years really in London. So I watched very regularly the Concorde kind of coming in and out, and you always, Concorde was coming in and out because it was a Don Lee. It was this majestic sight, but had this incredible roar of the engines that alerted you to what was happening. So it's a sight to behold, but the reality is it's much.
What's really interesting of course is the ability to get from A to B in a timeline that is just almost mindboggling. And yes, we're embracing more and more the need for these sort of formats in terms of doing business. And the idea that being in our homes that we can evolve, that we can achieve, is super interesting.
But we're never gonna move away from the fact of wanting to have in person sort of interaction. And I think people more and more want to go live and/or work where they wanna go live and work. And if we could take away these sort of barriers from that, then I think that's gonna be a tremendous step forward, and I think there's enough of a marketplace, clearly United and American would agree with us, of people who want this level of convenience. Yeah. I think it's just, it's wonderful. And it's gonna be super exciting and I'd love to see this level of innovation happening generally.
So let me give you a couple things from the article. One is the CEO talks about the fact that greenfield is actually a benefit to them.
They don't have to figure out how to keep the 737-800 line running and keep all those sales going and that kind of stuff. So being greenfield, he's able to focus in and solve the problems for this specific thing. The, a hundred seats essentially is what this aircraft's gonna be.
And it's all business class. And so that's the market they're looking at. The numbers look pretty interesting, but the innovation side is interesting to me cuz they're looking to solve a couple of the problems that you had with the Concorde. So the Concorde had a nose that they used to have to maneuver down and up.
And the reason for that was visibility. They had very poor visibility when that cone was up, which you need for flying at supersonic. And so essentially what they're doing is they have a whole package of cameras going out the front here to solve that problem. And they actually have great visibility in and around the aircraft.
The second biggest problem, actually, probably the first biggest problem with the supersonic is it was a gas guzzler, and it just absolutely from that perspective was bad. And what they're looking at doing is using renewable fuels to power this jet. And so they've built what they're calling a baby.
It's the small jet that they try all these things out with, that should fly later this year. And once that's flown and they prove out some of these concepts, then they will start construction. And they're using some new alloys and new materials on the body as well to give it a little bit more longevity in terms of its life cycle in the air.
So, and reduce the weight. Yeah. Reduce the weight. I'm always hopeful whenever I read these stories. I get excited about the future and I also love the innovation solving the problems that plagued the last go round, taking us to the next level, cuz I just did a European trip and the trip back was eight hours in the air. And I don't wish eight hours in the air on anyone. And I know that's not the longest flight out there. I know there's longer flights. It's just an awful long time, so, well,
11 hours. So trust me.
Yeah. There's once you get through email, then you're like, I'm gonna be in this tube for another four hours. Depends on how much email you have. Ryan, always a pleasure to get together. Appreciate your time and sharing your insights with the community.
It's been great. I always enjoy, Bill. Thank.
What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to shows just like this one. It's conference level value every week. They can subscribe on our website thisweekhealth.com. They can also subscribe wherever they listen to podcasts. Apple, Google, Overcast. You get the picture. We are everywhere. Go ahead. Subscribe today. We want to thank our Newsday sponsors who are investing in our mission to develop the next generation of health leaders. Those are CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst. Thanks for listening. That's all for now.