October 17, 2022: Ryan Witt, Industries Solutions and Strategy Leader at Proofpoint, joins Bill for the news. The CommonSpirit ransomware attack has delayed patient care at hospitals across the US. What does this kind of outage mean for patient safety? And what does it show about the risks of mergers and acquisitions in healthcare? For an acquisition to work, the executives and board need to understand the technical debt, security and operational risks. It’s time to modernize the healthcare C-suite. For organizations to succeed in the future, their leaders must have roles in strategy, experience, wellness, diversity and more. Health equity is a business and moral imperative. How can we use this to drive ‘health’ care instead of just ‘sick’ care?
Sign up for our webinar: Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care - Thursday November 3 2022: 1pm ET / 10am PT.
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today on This Week Health.
If you go back to the core mission of what is healthcare here for? What is the mission? And essentially it's about patient care, about patient safety. If that's not happening, then undoubtedly, you're impacting the patient in an adverse way.
It's Newsday. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. Special thanks to CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst who are our Newsday show sponsors for investing in our mission to develop the next generation of health leaders.
All right. It's Newsday and we are joined by Ryan Witt, Industries Solutions and Strategy Leader for Proofpoint. Ryan, welcome back to the show.
Always good to do these ones. I love these Newsday segments.
Yeah, this is fun. We've got a lot to talk about. I've saved, I mean, obviously there's the most pressing is the CommonSpirit outage.
I wanna talk through that one with you a little bit. And then we have some other stories. Modernizing the healthcare C-Suite I think is a good one. There's an article on Amazon dominating the smart home market. Health equity is a business and moral imperative. That's a great Oliver Wyman post, but we're gonna start where I think a lot of people's minds are at right now, which is the outage at CommonSpirit, which continues as we speak.
And we're gonna go to an NBC News story, give you a little excerpt here. Ransomware attack delays patient care at hospitals across the US. It's important to note that it says, while CommonSpirit declined to share specifics, a person familiar with the remediation effort has confirmed to NBC News that it had sustained a ransomware attack.
And all the, all the markings of this are ransomware. Right? For sure. There are, let's see, They give you some names of the hospitals or the areas. CHI Memorial Hospital in Tennessee. Some St. Luke's hospitals in Texas and Virginia Mason, Franciscan Health in Seattle all have announced that they were affected.
And I've heard recently that they are deferring patients. So they are moving patients to other systems. So that would indicate that there's a significant outage. And when I saw this article is actually linked to a topic we're gonna talk about on a, webinar you and I are gonna talk about, which is, does this impact patients and patient safety?
And the article talks about some people that were turned away and they're not coming in. And it also, I don't know if it was this article specifically, cuz I've read so many on this topic. Yeah. but you know, there are instances in the United States, I think that the one that's most noted, I think was outta Louisiana, where there was a ransomware event that a baby was born and ended up dying.
The mother has alleged is a result of negligence on that part of the hospital. So these Alabama, but yeah, you're right that that's, Oh, Alabama. Okay, So these, these events, are now being linked to patient safety issues. This is a, this is a serious outage
it really is. And I know it's an uncomfortable conversation for US health systems, and I get that. I also think it's probably really good that we start addressing this as a community, as an industry, as a nation. Because the reality is anecdotally we can see through articles like this that very clearly when you have a cyber event, in this case it appears to be a ransomware attack that has such an impact that has taking down systems and is causing patient procedures to be delayed or patients to be diverted to other, other health facilities.
Treatments being stopped, kind of mid cycle. Patients having to stay in the hospital longer. There's untold level of impact here. That is driving an adverse impact to patient outcomes and the patient experience. And if you go back to. The core mission of what is healthcare here for?
What is the mission? And essentially it's about patient care, about patient safety. It kind of hearkens back to the hippocratic oath of Do no harm and how do you adhere to that? that really lofty sort of value of do no harm if you can't have access to all the systems modalities. Other sort of medical procedures that help drive patient care.
If that's, that's not happening, then undoubtedly, you're impacting the patient in an adverse way.
Yeah. there, there are treatments and there are regimens that require access to. Right. So if you're, if you're on a periodic chemotherapy, cancer treatment and those kind of things, if they can't access the ehr, if they can't access their systems, those people have to go elsewhere.
And plus that record may or may not be available depending on how they're set up for sharing. I mean, there's, there's so many implications here. When I wanna sort of, Get to I, I'm gonna put out a premise here, and I've put this premise out on social media and I don't know anything. I just wanna be real clear with people I don't know anything, right?
But my premise is you took two very large health systems, CommonSpirit and CHI, they're both very large health systems and you bring 'em together and it creates a certain level of complexity when you're bringing those kinds of organizations together. Now, if they're two really healthy, strong organizations, and I guess the assumption here is that they were, but if you're, if they're two very strong, great foundational technology, great foundational security models, you can bring those together without much of a hitch.
But if there's a gap in either of them, right? If there's a gap in either of them, you've increased the potential impact of a cyber event because they can come in through CommonSpirit or they can come in through CHI and they can impact others depending on how the network is sort of situated.
And so I put this poll out there on LinkedIn and the poll was essentially, should the FTC, which really doesn't have the authority to do this, or state regulators require health systems to provide a security and operational risk assessment prior to M&A activity. And I gave really three answers.
Absolutely no. And who cares? Or it just wouldn't matter. Right? And as you would imagine, there's, 5% of the people. Who cares, It's not gonna matter. You could do that operational risk assessment, but there's so much money involved here and there's so much so much politics involved here.
It's hard to stand in the way of these things. Do you think we'll ever see technology or security posture be a reason for a merger or acquisition not moving forward in healthcare?the American Recovery Act of:
That those health systems, by and large, adhered to the compliancy requirements. Like they, they got the required checks in the boxes knowing full well that they probably weren't secure. And so we cleared the compliance bar. Great, I guess. But we really didn't clear the security bar.
And I think that's one of the reasons why. Healthcare has a problem and has today is we kind of put our head in sand there a little bit. And I am being provocative for a reason because I think it's about time that we stop and we reassess about what we require from our health systems going forward.
These are really important institutions doing incredibly noble work. And if you're not able to do that work, because you don't have the basic sort of fundamental building blocks of a security sort of program, meaning that amongst not being compliant or having financial risk, reputational risk, but it really gets down to you can't actually provide the patient care that you're supposed to be doing. That's, that's a big problem. A big problem that requires solving.
Yeah, it's, the reason I put the poll out is not, by the way, I don't think you wanna talk about an overregulated area. It is healthcare. So it's not, I'm not asking for more regulation. And it's interesting cuz I think 80% of the people are saying Yes, go ahead and regulate it.
Because I would fall down on the other side and say don't regulate it, but I want visibility. I want, I want some sort of, We did the security and operational risk assessment. We identified these things. The board saw it. The executive team saw it and were aware and we moved forward with the merger or acquisition.
And then there's some accountability. It's like, and people are like, Well, who would do that audit? Well, I'll tell you what. My gosh. Deloitte did phenomenal audits for us. I mean, they were exhaustive. They were, there's plenty that could do them,
but shouldn't we, Getting to the point that these large health systems or any, these entities who are, who want to come together do that because it's the right due diligence. It makes business sense. Not because there's some sort of overlord, in this case, a regulator. Regulator saying thou must do.
The obvious answer to your question is yes, . And then the question is, does it happen? So I, I will just share my own personal story. St. Joe's in Southern California, I think was a phenomenally well run healthcare organization.
Our margins were about seven to 8% on good years and on bad years, quite frankly, it was still in the positive range. So we were well, We operated very well. We tried not to make money just on price increases. We did a lot of things from a cost standpoint. Our cost as measured from an IT standpoint against other systems was below what other systems were spending on it.
So we were very cost conscious. We were very good. Okay. I say all that to say I am very proud of the work we did at St. Joe's. However, in the area of M&A, twice they came to me and said, Hey, we made this acquisition. Can you take a look at it from an IT and security standpoint and technology standpoint and tell us what we bought? Twice that happened. After the first time,
I said, don't do that. Like, let us go in. And, and we did it again. And to be honest with you, I think there was a time, and it still might be pervasive where it's like, look, this is the right business decision, you IT guys will figure it out. Right. I don't know if that happened in this case.
yeah, and I'll come back to the m and a thing for a second here, but I think we may have mentioned this on a previous sort of news day call. But who requires your bank? My bank, everyone's listening to text you when they suspect there's a fraudulent transaction on your credit card.
Well, they're now taking responsibility for it. So, I mean, quite frankly, I don't know about your card, but my card, they're like, Hey, don't worry about it. So they, they identify those things immediately.
Right. But they're not required to. They do have, cuz it makes good business sense. Right. And they build the systems in place to go do the detection, to allow them to make an evaluation saying, Hey, this may or may, this does not feel like a legitimate transaction.
So they make the investments cause it makes good business sense and. I think healthcare has to pivot to that sort of ethos. I know it's hard when you're operating on seven, 8% margins on a good year. It's hard to do that at the same time. What choice do you have? Cuz if you want to maybe broaden it into a different sort of discussion with other sort of news stories that are coming, Healthcare under attack through all these interlopers who are used to be on the sidelines and now entering the field of play about saying, Hey, we can offer a different sort of experience. We're not a traditional healthcare entity. But we think we have something to say in this area. And they start with easy things like prescriptions and urgent care delivery.
That kind of the more basic sort of patient services. But that's, they're not going to stop there. . As long as healthcare keeps that door open, they're gonna keep walking through that door. So kind of like healthcare has got really a lot of strong motivation just from a self preservation sort of stand to try to solve some of these problems.
We'll return to our show in just a moment. I wanted to take a second to share our upcoming webinar, Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care. Cyber criminals have shut down clinical trials and treatment studies, cut off hospitals' access to patient records, demanding multimillion dollar ransoms for their return. Our webinar will discuss IT budgeting, project priority, and in distress communication amongst other things. To serve our patients affected by cyber criminals. Join us on November 3rd for this critical conversation. You can register on our website thisweekhealth.com. Click on the upcoming webinar section in the top right hand corner. I look forward to seeing you there.
Yeah. I'm gonna try to stay in our swim lane here cuz there's a case to be made that this was a bad acquisition by CommonSpirit to buy CHI. CHI was a lot of disparate systems and it, it wasn't a well thought out, right, right, set of, of acquisitions. They had like one hospital in Houston and everybody's acquisition strategy is scale and essentially within a market.
And they sort of didn't do that. They bought something in Kentucky, something in Houston, something over here. And so it, a case could be made that that thing should have been broken up and sold to. Five different systems and it would've been healthier but I'm not sure.
That's a really good point. That's, that's a really good point.
Alright, so, but I do wanna come back to staffing. So It's interesting. So when we do mergers and acquisitions, staffing becomes real key cuz you have to communicate real well to make sure that you retain your best staff. Becker's notes, and I'm, I'm gonna give them the benefit of the doubt here.
They just make an observation and the observation is absolutely true, and their observation is, Hey, five key executives left Common Spirit just prior to this incident or in the months leading up to this incident, you had the CIO. leave You had the Senior Vice President of Digital and Human Experiences leave, you had the Vice President of Digital Healthcare Platform Strategies leave let's see, Vice President of Digital Products and Analytics and let's see, Vice President of Clinical Applications also left.
So you had five key roles left. Now I'm on record is saying there's no correlation here, no causation, correlation, whatever. It just doesn't exist. It's I'm not sure these people leaving caused the incident, and I'm not sure that's what Becker's is saying. They're just saying, Hey, here's an observation.
about this when a team leaves like that, should we anticipate security incidents or, really not i, I would, I would guess we shouldn't expect the thing to fall apart within the next three to five months.
Yeah. I, I really don't think so. And I'm on record of saying that we should never underestimate the cyber criminals' desire to really use social engineering to go launch their sort of exploits. And so an example of that would be them being aware of this level of activity. But I think that probably takes it almost a bit too far. In this instance they're, they're more around following what the news cycle is of the day and, and tailoring their exploits accordingly.
So this probably is a little bit too deep into the weeds without, at this stage of the game to kind like, make that sort of pivot.
Yeah, it's it is hard to speculate at this point. We're gonna come back to this story probably several times over the next couple of months. I hope this is a. quick incident that they recover from.
My experience would tell me that it will take a long time for them to come back from this because generally speaking, the investments prior to an incident will determine the longevity of the incident and the ability to. And the impact, quite frankly, the ability to come back from it. And I'm not sure the, I'm not sure all the investments were made that needed to be made to ensure a quick comeback from this event.
And if there's kind of one, I agree with that. And if there's one key takeaway, maybe for people listening to this, this podcast is if it could happen to one of the largest health systems on the planet. Could happen to anybody.
Yes it can. All right. I'm gonna skip one and go to modernizing the healthcare C-Suite. This was an interesting conversation and I'll come back to the other one. And this was the CEO for UC Davis Health System, David Lubarsky, and he took over and he had this conversation around what are the roles,
what are the future roles within healthcare? And I found this really interesting and the reason I found it interesting. Is I think it, if we talk about it in terms of roles, not exactly individuals in these roles I, I think each one of these needs to be represented at any health system, no matter how small.
And that's strategy and transformation as a, as an entity, as a role. Digital health or innovation needs to be represented. Experience needs to be represented. Wellness. So as we transition from a sick care system to a WellCare system, a wellness officer, not only externally, but internally, wellness of our caregivers marketing officer, becoming much more important in this digital world.
Diversity, equity and inclusion, DE&I officer I think is pretty interesting as well. To have somebody who's coming in every day and really focused on that. And then sustainability. In talking about sustainability. So those are the, those are the roles he's putting out there. As you hear all those roles, it sounds like an awful lot of money to me if you put a VP title in front of each one of those.
But what's the reality of having those respond not responsibilities? What, what's the word I'm looking for? Just those and requirements is too strong. I don't know. Just, I,
I think I know your question, does healthcare have a choice? And by that I mean, Digital transformation has impacted just about every industry that we all know of. And the one laggard here, and there's maybe more than one, but the one obvious laggard is, is healthcare. Where we really still haven't seen that take hold in the way we've seen other industries It has in other industries. It's going to come. It is coming. We were already seeing the Walmart, the Amazons, and the Apples, and the Googles starting to eat some of that healthcare pie.
And I don't think that's going to stop. And so either traditional healthcare entities respond and try to transform how they can provide care provision and care delivery, try to upgrade their overall patient experience, or they continually run the risk of others encroaching on their space and probably mopping.
up Are focusing on the higher revenue oriented sort of procedures and patient services leaving the more difficult and more challenging, and the ones that are very costly for traditional healthcare providers to kind of fulfill. And that's a recipe for financial disaster, for patient disaster in terms of getting access to care.
So let me ask you other industries. So outside of healthcare, do they. Strategy officer, Transformation Officer Innovation. Digital officer, experience officer. Do we see those in banking, finance retail? I mean are those roles that we see?
I think we do. But maybe less so in so much that they've already kind of went through that metamorphosis. Right. So those roles, I think were much like those kind of like roles in these very kind of very branded. Existed 10, 10 years ago, but now they become kind of rolled into people's overall sort of job functions, yeah. So I think we did see those, and we still do see 'em occasionally, but I think it also, it's those industries already been transformed, so they've kind of gone through that process.
That's very fascinating actually. I'm just
think about how you buy food, how you go to a restaurant, how you access, how you buy things from Amazon even exist, but how you buy things online, how you book a plane. Fair travel, I mean, Those also used to be very service oriented industries.
Bricks and mortar type institutions, service-oriented industries kind of sound a lot like healthcare. And almost all those experiences have been gone 180 degrees, completely opposite way it used to be Not always. Not always in a good way. , right. There's some downside to all that, but they've been transformed nonetheless.
And I, and I don't see how healthcare can avoid it much longer. So if you don't, if they don't make these roles, they don't have that appetite to consider, how do they transform their patient experience? Are you basically on this comic conveyor belt to. Running out of business at some stage if you don't start, make that I know, I know with critical access hospitals and community based hospitals, there always will be a safety net there for some, but it's going to be continually challenging.
And the seven, 8% margins on a well run health system will feel like halcyon days compared to maybe what's coming. If imagine if you lost back in your day your, your better revenue generating sort of procedures to an, or an Amazon or a Walgreens, or That, that wouldn't feel good.
No, definitely not. All right, so I do want to hit this. This is such a great article. And if people wanna see it, it's on the Oliver Wyman site, oliverwyman.com, and I love their stuff. It's, it's exceptional. And this one is health equity is a business and moral imperative. Now, we're not gonna spend a ton of time on this not because of the topic, but because it's really talking about insurance carriers.
Healthcare providers per se. But I think some of the things carry over and they say insurers should start with these no regret moves. And I think they, they do carry over as they build out their capabilities, collect data, analyze outcomes, and access across different groups, reflect the members you serve, and create communications that meet members where they are.
I think that's great advice for the equity programs at healthcare providers, right?
A hundred percent. Yeah. It's is isn't that, I mean, one of the real main benefits of digitizing your patient record , is then you can run these deep analytics. in trying to understand exactly what are the makeup of your patients across your health system, What services are looking for trends, all that sort of stuff. Is that really kind of like one of the main beneficiaries of all this?
Yep. It's it's interesting Moving beyond the basics building member initiatives. Again, this is, is carriers, but number one, are you solving fundamental needs? And this is something when we talk about the health of our population, the health of our communities we are a sick care system, but at some point we need to make this transition.
And part of that is taking responsibility for what's going on in the communities that we're serving. Do you want to improve access to care? And I, And finally do you want to create a support system? But that second one, do you want to improve access to care? It's interesting. I, I've now been in this industry for 10 years and. We've been talking about access to care since the day I got in here and we're still talking about access to care and I think it's a great a poignant question, which. is Do you want to solve this problem? there's a parable in the Bible where Jesus says, Do you want to be made well?
And people are like, Why would he ask the person who's paralyzed if they wanna be made? Well but it's a good question because do you want to improve access to care is probably a valid question to ask a lot of health systems that have been struggling with the problem for 20 years and haven't been able to improve access to care to say, Are we really trying to solve this problem? And I would think we are trying to solve this.
This is where maybe the going back to your earlier theme, this is maybe where we're, we're overregulated Cause the regulation means that we can't, we haven't always been able to, I know it changed during covid, but we haven't always been able to offer things like telehealth and the way we wanted to.
We haven't been able always leverage expertise across the country, across date lines to go help out. That access to, to to care services in the way that I think we've always thought we could do if we wouldn't have the regulatory sort of curtain kind of stopping all of that,
all right. Can we end with this, cuz I want to ask, we're gonna go over a couple minutes and I apologize for that, but Amazon dominates 113 billion smart home market. Here's how it uses the data it collects and it has a whole bunch of information. About this smart home market and the competitors and number of devices.million devices. Yeah, by, by:
They now have cameras on them as well. We have listening devices. I wanna talk to you about privacy a little bit here. Especially in the home. there's at least two devices within earshot of where I'm at three, now that I'm looking at it, that if I said magic words, they would actually respond to me.
And I would imagine if I go into every one of my rooms at my house, Speaker connected to my tv, my tv, the Echo I do have in my other room. I mean, there's, there's three devices in almost every room we have in this house that can hear me or see me, and there's a doorbell on the front that knows when I come and go from the house.
I don't have a Roomba per se, that's going to map out the, the thing at my house. How concerned about privacy should, should I be? It seems like I've thrown it out and I'm somebody who understands the information they're collect.
You know, I, I'm calling you from Silicon Valley. It's where I live. It's where I grew up and the prevailing opinion I get from around here. I know Silicon Valley is not necessarily representative of the whole country, but they're talking about the people who build all these things that you're talking about. So I, they understand their opinion maybe, maybe is helpful here.
The sense I get from the leaders of those companies or executives in those companies is, Provided they give you a good experience. Most people are happy with the invasion of privacy. And the way that was explained to me was if you wanna buy a car, whatever, and you're surfing for, I dunno, wanna buy an EV or whatever, so you're looking at Tesla and then the next time you log online, you get a lot of popup ads for other EVs.
That's clearly somebody. It's been snooping about your activity, serving you these ads. It doesn't feel like a great experience. You fast forward two days later and you're like, ah, I need to fly to San Diego. I'm gonna book a flight on, on Southwest, and it is easy and I'm gonna fly next week. 24 hours before your flight,
You're like, Ah, I want the A, I want the a, I want the A boarding group. And a little popup window pops up on your, on your email that says, Time and check in. You're like, Oh, that's cool. I want that a, I want that a group. So I'm checking in now. Yeah, the same sort of privacy intrusion happen to both examples, but one offers a much better sort of experience.
So you accept it. You're like, That's cool. Or if you get into your car and your car says to you, Oh, I think you're going to this location. Let me, let me load that map into your car for you. You're like, That's pretty cool. I like that. But it's, it's all a privacy intrusion, right?
So let me ask you this. For some reason, you are taken to jail. Now it's pure. I mean, we're hypothetical at this point, right? You're taken to jail and now all of a sudden they start pulling all this stuff in and go, Hey, here's what we saw on your camera. Here's what we heard in your living room. Here's what I mean. At that point, are you concerned? I mean, because there are, One of the things they talk about is some of the cases where information has been turned over to the authorities.
And around some of the information that's been collected, especially with the ring doorbells and stuff, that they happen to have cameras outside and they, they see certain things.
I think we should have to probably all accept that we're, that we are living now or soon we'll be living in this sort of environment.
Yeah, incapable I, I recall a
as long as you're comfortable with it,
I'm not entirely sure I am. You, There was actually quite a it's been a well reported story, but you remember the website, PatientsLikeMe?
Yeah. So that was offered a really unique service. To patients who had an ailment or an illness and offer them to go find people who had something similar and enabled kind of to share stories and all that stuff.
And they were big into anonymizing de-identifying their data and they did that very successfully. However, and unfortunately, and this has, this has been publicized The aggregators who buy all these data, so they buy data from these various, various sources, can build that jigsaw puzzle over time and start unintended consequence, but start identifying people.
And this is where it can get sticky. Cuz if you talked about all this aggregation of like looking your ring doorbell, what did your iRobot say? What'd your Roomba say? What did your all of a sudden you're like, ah, I think I can figure out who this thing is. Now that's not easy of course, but it's not impossible either to go assemble jigsaw puzzle in a way that's, Gonna be probably concerning for us going forward.
So, am I comfortable with it? No. Do I recognize it's a, it's a reality unless I wanna just live, leave the grid entire entirely. Yes. That's what's gonna happen.
Yeah, knowing what I, and marketing automation systems are incredibly powerful, and this is why Apple's whole. Model of blocking some of these things is really causing an uproar in the marketing world, because I, in the marketing world, they, if you're on a standard browser and not blocking anything and whatever, just going to your Google search and whatever they pretty much know.
I mean, your digital exhaust that you're, you're leaving, they, they can create a pretty good profile of who you are. They used to be able to do that on the phone, on all the phones. They can still do that on Android. They can't really do it as well on the iPhone. But I'll tell you, there's so much money in, in marketing.
They're trying to figure it out right now, how to still get that information. So I think it is safe to assume that privacy we don't have it anymore and we should act accordingly and be cautious. Not like I'm gonna go off the grid and whatever. I did talk to people who were like, I'm never gonna bank online.
I'm never gonna, I'm like, I'm not sure that's the response. But not why nor am I, but, but, just be buyer beware. Just be aware that that's going on. Ryan, always fun to have these conversations with you and I really appreciate your time.
Likewise. It's been great. Thanks.
What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to a show just like this one. It's conference level value every week. They can subscribe on our website thisweekhealth.com. They can also subscribe wherever they listen to podcasts. Apple, Google, Overcast. You get the picture. We are everywhere. Go ahead. Subscribe today. We want to thank our Newsday sponsors who are investing in our mission to develop the next generation of health leaders. Those are CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst. Thanks for listening. That's all for now.