March 31, 2025: Sarah Richardson and Drex DeFord of This Week Health explore the most impactful events in healthcare today. As cybersecurity regulations continue to advance, how do struggling systems keep up? They discuss the recent Johnson & Johnson investment of $55 billion in healthcare and what the current financial landscape means for innovation. Lastly, governance continues to be a complex issue for system leaders, but the solution could be as simple as saying “no”.
Key Points:
News Articles:
Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[:Part of our challenge has always been we have a cool technology.
Can we find some way to use it? Versus we have a problem, can we find some way to solve it? My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health. where we are dedicated to transforming healthcare, one connection at a time. Newstay discusses the breaking news in healthcare with industry experts
Now, let's jump right in.
(Main) Welcome to Newsday. I'm Sarah Richardson, and I have Drex DeFord joining me today as well. We're gonna cover a few topics that we think you might wanna know about, and also make sure we get a good mix of what's happening out there in the HIT universe. Thanks for joining me, Drex.
Hey,
it's always good to be here.
Hey, let's jump right into it. Let's talk about cyber attacks that are sparking credit downgrades at a couple of health systems.
a while when you have a big [:During the breach. Cleaning up, taking care of tech debt, all that requires a bunch of additional expenses. And all of that has impacted their bond ratings.
So when I think about what this means for healthcare systems in general, there's a piece, specifically, the whole financial vulnerability piece to me feels like these lead to immediate operational disruptions, but also they have some long-term financial consequences, which, correct me if I'm wrong, increased costs for remediation and even revenue losses from delayed services.
What are you seeing out there?
Yeah, absolutely. When you [:depending on how long you have to file a claim. With a particular insurance company, a particular carrier, you may lose the window, which means you may lose the money. And so it's all those kinds of things. I think now more than ever, probably people think through this and understand what their impacts are, but I think until you've been through one of these things or two of these things that you don't really understand all the little gotchas that are there that are built into the system to cause you even more pain than you imagined you would be able to suffer through a cyber attack.
ironment is that some of the [:It still feels like our CISOs are inundated with keeping up with regulations and all these best practices. So is adding more regulation going to make us that much safer?
I think there's, opinions vary, right? We're from the government and we're here to help sometimes is not actually very helpful.
Having been somebody who was in the government for a long part of my career I think that you put these. Regulatory requirements into place, but you don't create any funding to support the adherence or the compliance with those regulations. You create pressure on a system that is already under a huge amount of strain.
rofit companies and all that [:But man, how you get there, how you create the funding to get there. Especially in rural hospitals and inner city hospitals, other organizations that are under a tremendous amount of strain, what are they not gonna do if they do cybersecurity? Does it mean that they're going to have to close the emergency department?
Does it mean that they're not going to repair the leak over the supply chain, storage, building what are they not gonna do? And these are all the, things that we wrestle with as we go through this. Kind of process of do we need more regulations, do regulations help? I think they help guide what good practice looks like.
It's the funding part that is probably the place where this is most likely to break down.
e prioritizing cybersecurity [:What else do you do besides proactively making the right investments, training the team, collaborating with like peers, government agencies? What are some other proven things that work well? For CISOs when, to your point, you may be deciding if you're buying a patient bed, fixing a leak, or strengthening your security profile.
absolutely. The, other things that kind of work, I think are the things that are just. Good practices from an operational perspective. Do we have 160 security applications? Is there some way to consolidate those down to a more limited number? Do we have folks trained in all those things that we've bought?
them or we don't use them at [:Look at what you have, understand all of the tools that you have and how are you using them? And then in the spirit of everything's connected to everything else, it's not just about the applications that you use in security, but it's about all the other applications and the tech debt and the tech debt that isn't only tied to applications, but it's tied to infrastructure and tied to everything else that you have in the building, including building control systems and all these iot devices and medical devices too, can be.
Vectors for a cybersecurity problem and you need to understand what you have in that inventory, how you're managing it, how you're protecting it, and can you consolidate that? Can you simplify that environment? because simpler is always easier to secure. And that's just a good practice in general, I think for everyone.
Not just the CISO
ation at the CISO level is a [:They're gonna open their first facility in North Carolina. That's gonna over 500 jobs. That's gonna focus on oncology, robotic surgery, next gen therapeutics. These things all eventually show up in your hospital, have to be protected, have to have infrastructure. Have to have sort of the automation and AI components.
They do create jobs. But what I find really interesting about all of this is that it's going to expand. It needs how you integrate with the EHR, how you think about your cloud and how you think about data-driven research and tools. But if we layer in that cyber and data perspective, what else is that gonna mean for healthcare IT leaders?
look at the, that kind of an [:Humans respond well to this drug or poorly to this drug, or they respond well to this drug and it has these side effects. I think the investment they're trying to do here is to do things that are much more personalized, which means a couple of different things. One is you're gonna need more information from those patients to find out.
fic data on that patient and [:Which means there's a lot of intellectual property stuff that needs to be protected there, but there's also a lot of personal, private, data that needs to be protected there. I think it's gonna be fascinating to see as we go through the next few years with ai, with a lot of the work that's happening on the pharma side, how we're going to create a situation where we protect the patient, we protect the data, and we protect that intellectual property, which is gonna be incredibly valuable.
So it's almost like a whole separate aspect of a job. You start to learn about, to your point. How do you protect intellectual property theft? How are you looking for vulnerabilities within AI models and thinking about zero trust architecture from the get go? Continuous monitoring of these different systems and blockchain coming back around as a.
s, and then it went away for [:I think it's such a broad statement. You'd have to have a particular, what would the use case be? Yes, it absolutely has some application. I think there's probably some effort that goes into figuring out exactly what that is. Part of our challenge has always been we have a cool technology.
Can we find some way to use it? Versus we have a problem, can we find some way to solve it? There's other things that have propped up in the past that were really cool ideas, but for whatever reason, they didn't apply at the time. And I, so I think about things like personal health records, right?
nd a lot of other data about [:We've progressed and with Ag agentic, ai, and maybe we're getting to the point we talk about personalized medicine, all the things you need to know about that individual, where they live, the food they eat, the exercise that they get, the travel that they do, and all the stuff that happens to them in a medical facility.
In reality is probably just a small portion of any medical information that you would have on an individual. Honestly, if you looked at them holistically, all of that could go into a PHR and maybe the patient could even have some kind of authority. Should have some kind of authority to manage that data, to use it in any other kind of research or, maybe I could sell that data, make money because I'm a really special, interesting.
d maybe will come back. It's [:We've come all the way back around to that
If you have all that personalized medicine, let's just say that, we're mapping all of our own genomic data, all of our own drug therapies. You may even need what quantum computing to handle some of that. And I think of just the amount of clinician training and even IT training on how to handle all those different parameters.
Yes, we're gonna get into more and more advanced medicine that comes with the cost as well, both from a human capital perspective as much as having the capital to do it in the first place.
Who's gonna ultimately pay for that? Who's gonna pay for all the tech? The folks, Johnson making a $55 billion investment.
s that create even more of a [:billion in:AI is really becoming a key differentiator and either having proprietary driven data, having integration into workflows, or even thinking about the efficiency and ROI for health systems. we put our CIO hats back on, and if we're thinking about our ability for a startup, especially to focus on ai.
out where to put it. That's [:Otherwise, you have to figure out a way to make this thing scale, how to make it secure, and how to make it integrate with your systems. But I'm gonna throw it back to you again and say, from a cyber and risk perspective, what does this mean for us? And is automation as well. It's gonna have the impact on the workforce that allows us to have the humans to do the extra work to a degree that's being created by some of the problems we're actually solving.
That is a very good and very complicated question. I think that ultimately if we get down to solving the problem, that's probably the most important thing. What's the problem you own? We talk about that with our partners and a lot of our friends all the time. What's the problem you own in healthcare?
spective and a cybersecurity [:That means we're really gonna rely on those third parties to also have their act together. When it comes to cybersecurity
[Mic bleed]
the way things are structured today, we're gonna have to look at their cybersecurity with them. We're gonna have to audit them. We're gonna have to document that we've taken a look and that we're comfortable with where they're at from a cybersecurity perspective, because if they have a breach.
Odds are still really good that we were on the hook for the breach because they were one of our partners and we gave them access to our data. So that's a big part of the challenge. I wanna say something about this pilot thing too. So you and I talk, you and I have talked about this a lot. If you're a partner and you're going into a healthcare organization, you wanna do a pilot.
A lot of organizations still [:That's not really a pilot. That's really. That's something else. Yeah that's, we are making a commitment to this. Pilots really have the beginning and end, and then we make a decision about, eh, are we really gonna do this? Are we not gonna do this? What did we learn from it?
How would we do it differently? It's supposed to help you get to the next step. And a lot of organizations don't do that, and when they do it, they don't do it well. From a cybersecurity perspective, either
That's the whole thing about governance really still being one of the biggest barriers. We hear AI adoption has challenges with data privacy, security, interoperability, skepticism. Half the time in our conversations at city tour dinners and summits, it comes back down to the governance aspect of what decisions to make, whether it's pilot or otherwise, but really the technologies to be considering.
And so why doesn't [:You just like to hear me lecture people about governance don't you
I interviewed you like seven years ago for my HIMSS podcast about governance, relentless prioritization, and it's still one of the most listened to episodes from that era
it is funny as we go around the country, we do city tour dinners all over the place, and I don't know how many we have done, but we're gonna do 40 this year across the country, plus all the summits where it also comes up all the time, and it is the built in weakness in healthcare, our inability to say no to things.
of these projects done? And [:you can't really do all of them. And I use this analogy about water in a bucket and and beautiful flowers.
Those projects are flowers that your end d users, your leaders want you to plant. They want the beautiful flowers. They think they look amazing and smell amazing. The problem is everyone wants their own flower and you only have so much water in the bucket. You can only water so many of those flowers to keep them alive and keep them beautiful.
And if you try to water all the flowers, they're all gonna die. You're gonna die because there's gonna be no water left in the bucket. So I've stretched the analogy probably too far, but it's about resource allocation and prioritization and saying yes to some things and actively saying no to other things so that you ultimately have the resources you need to get the things done that are most important to the organization.
deprioritize also seem like [:[Mic bleed]
Which we pause for because we all know that you don't go into healthcare to become the millionaire of the idea, per se.
I say that completely tongue in cheek.
Here's the thing though, and I appreciate Stanford and others who have put together essentially a checklist by which, even before a partner, a vendor solution can come in the door. I mean, Get to their governance process. For an example, you have to meet NIST
just go back to the million [:How sustainable is AI in our healthcare systems and how much of a bubble do we risk facing ourselves with? Similar to what happened with dotcoms and even telecom in the earlier two thousands.
[Mic bleed]
I think we have, so this is where you look at health systems across a spectrum here.
There are some health systems who are going to, deploy their own AI and build their own LLMs and run those and customize those and do all kinds of, amazing things with them. The vast majority of healthcare is gonna do what the vast majority of healthcare has probably always done, and that is they're going to buy commercial off the shelf products, whatever those ais are, or AI that's built into products that they already own.
onna allow that AI button to [:Can they afford it? And then really figure out what do you do with the data. It can't just be there to be cool. It has to be there because it either. Brings additional revenue or it helps you cut cost.
So if we were to sum up most of our conversation today, it would be that you don't chase the trend that needs a problem to be solved.
Really look for some of those problems that already potentially have some. Partners or opportunities around them. Make sure you have cyber, make sure you have funding. Make sure you have some efficiencies and goodness sake, have governance in place from a data, ai and even project perspective. And if you're mature enough in your system, those are actually all happening, those governance models in one place.
That would be great. I think that's an ideal state to reach for sure.
e two committees now have to [:And actually sometimes in those scenarios, you get to a point by the time you get to Yes, you don't even wanna do it anymore.
Yeah. You're already over it. Or you've found some other solution. These are the kinds of things that kind of immovable bureaucracy also creates its own unintended consequences of people figuring out how to work around it.
This is why we have probably not the right term 'cause people hate it, but that's why we have IT hobby shops. It's why we're going to have AI hobby shops. If you can't find the right way to get something approved through your organization, most people who are in healthcare, who are here in the interest of helping patients and families, will find ways to get their jobs done That may not be an approved way, and that may put you and the organization and your data at risk if something bad happens.
hing else we cover. We don't [:It's true. There's a lot of market insights I think that come from us touring around the country and talking to health systems and other organizations large and small at city tour dinners.
So it's always a lot of fun. It's great to see folks and
man. We're loaded with a lot of brainpower too. Those folks are amazing,
it is. I love the things that we hear and the things we're able to help them solve. Always so much fun that would hang out with you. It's not in person virtually.
Certainly works too though. Thank you for joining me today.
Of course. I'll see you on the road next week.
Absolutely remember to share this podcast with a friend or a colleague. Use it as a foundation for daily or weekly discussions on the topics that are relevant to you and the industry. They can subscribe wherever you listen to podcasts.
Thanks for listening. That's all for now.
x. Sign up at thisweekealth. [:Thanks for listening. That's all for now