This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

I have a architectural diagram to understand these are the systems. that Could house data, and this is where the data should be going the problem is looking for anything that's outside that norm. You may think, oh, it's this database transacting to this application, which goes out to. this It's actually hundreds, if not thousands of spider webs of connection hopefully encrypted. But how do you check for all of that? How do you know for sure

Welcome to This Week Health Community. This is TownHall a show hosted by leaders on the front lines with interviews of people making things happen in healthcare with technology. My name is Bill Russell, the creator of This Week Health, a set of channels designed to amplify great thinking to propel healthcare forward. We want to thank our show sponsors Olive, Rubrik, Trellix, Medigate and F5 in partnership with Sirius Healthcare for investing in our mission to develop the next generation of health leaders. Now 📍 onto our show.

Welcome everybody. My name is Frank N I'm CEO of to site. And with me today is Aaron me. I'll let him introduce himself.

Hey, how's it going? Everybody. Aaron, me senior vice president, chief digital officer here at Baptist health in beautiful sunny, Florida. Good to talk to you. It's good. Seeing again, Frank Long time.

No. See you.

It is. I'm looking forward to seeing you at one of these conferences coming up.

Absolutely. As well, come down to Florida. It's always sunny here. It's beautiful beaches. Gotta love.

Come up to Boston, the humidity is great.

I will, I will absolutely come to Boston, not in a winner, but yes, absolutely.

listen, we're gonna have a quick conversation today. So what's top of mind, what are big initiatives you're working on and question over the top. How do you prioritize all these priority initiatives?

Yeah, no great question. So obviously right now we are, hopefully knock on wood on the tail end of the COVID surge.

So it's now back to healthcare as normal. However, we learned a bunch of things these past couple of years that we are trying to transact one, obviously the way we did business and the past, particularly managing risk and managing E P H I assurance has to change right? When folks left the hospital and started working from home.

You really started sharing data really across, outside the four walls, we realized just how healthcare has not been systems been designed to transact EPH. I, so we are laser focused on third party risk assurance, knowing where our data is, where those crown jewels are and understanding truly how to manage risk appropriately and manage it the way that's transparent and easy to underst.

What I appreciate also is the knowledge of our board of directors and boards of directors across hospitals everywhere have realized the importance of cybersecurity assurance. You saw this with the university of Vermont attack that occurred, right around the presidential election time. You see what happened to Boston children's a few months ago, and they were attacked by the, that Iranian malware.

You keep seeing this over and over again with state based threat actors. So the awareness factor is now definitely there at board of directors. And unfortunately, Insurance companies are saying, Hey man, we can't cover your cyber insurance liability coverage anymore. Those umbrella coverages you got in the past those days are gone.

So hospitals have to get real. So that's where we're starting to look at. When we look at cybersecurity is really up in the Annie, but we don't have the margins that say a for-profit development company does. So we have to get smarter about using automated machine learning and intelligence that we maybe not have historically.

Fair enough. And it's amazing to hear that projects are prioritized at the board level these days. Amazing.

They are. And what's also, I appreciate is a transparency aspect that it's no longer that it can be the iron box that just keeps things running. It's what is my return on value?

I keep hearing that word over and over again, which I'm so glad to hear it in healthcare that has not been here traditionally, it's always been a return on investment. What's your, IRR, what is your break even what's that, performer look like all those things are important, but now it's about answering the why.

And particularly shifting back into the cybersecurity space, boards of directors, wanna understand where our investments what's going on? How are you managing risk thoughtfully, proactively, and being transparent about it? I will say, I remiss that CIOs historically and CDOs, maybe haven't had that relationship with boards of directors in the past, and that's been an encumbrance nowaday.

That's absolutely requirement. Can you talk to a board and show them in plain English? Just exactly what's going on. That has to be front and for in your Arsen.

Fair enough. So here's something conflicting ideas, information, sharing, data, blocking compliance, sharing Phi, not sharing it. All these terms are in block with each other, they seem to conflict with each other.

So you're speaking with your board. You have to share information, you need to secure information. How do you rationalize those both ends of the spectrum?

Great question. So you're exactly right. You have the 21st century cures act, which is signed into law that basically gave assurances to the public, to a patient that your information as a patient is accessible to you on demand where you want it, how you want it, where you want it.

Then you have HIPAA, which says, all right, covered entity, AKA hospital, or healthcare delivery organization. You're accountable. If you inadvertently disclose patient Aaron's information. So then you're looking as a hospital going wait a. minute I'm doomed. If I don't share all the information, I'm doomed. If I don't.

So how do I do this? So what we've begun to do is crosswalk and look at exactly what the criteria is for how you share appropriately in the information, sharing regulations. You are allowed to delay sending information. If you can prove reasonable harm and also for other security concerns, but you have to work with your patient.

That's asking for, it to teach them, Hey, man. You don't wanna put this data in this app. That's guess what hosted in, China because of potential concerns, but the problem is we've never had real visibility to where EPHI is going. So now think about I'm patient Aaron presenting to Baptist health saying, Hey, I want my data sent to this app.

How do I know as a CIO, right? That the data made it to that app or should not be going to that app. And more importantly, where all of patient Aarons information is today, you think about it. You're like, oh, it's an electronic health record. Actually. It's not, it's in hundreds, if not thousands of other systems that surround the EHR while the the EHR is important, it is not the end all be all.

So this October information blocking actually antes up the. rules On October 8th of 22 this year, there's now a full definition for, EHI electronic health information that is HIPAA plus the designated record set, which is all the other information contained about Aaron plus. Anything else that is contained in that.

And so when you look at the total spectrum of data, that is a tremendous amount of data. points It's not just what's confined in HIPAA. It's everything. Now you really raise the stakes because the penalties are a certification of completion. And it's a certification of accreditation that could be at jeopardy.

And making sure that as part of the process, when you attest the CMS, is that I am actually following this. You know, It's only a matter of time before there's regulation out there. It's already being composed and it's going through rule making of just what that's gonna be. Is it the OIG that shows up and knocks the door going, Hey.

man We wanna know what Baptist health does or what's gonna happen. We will find out soon. But right now we are trying to get our act together, preparing for that because of a condition of participation issue that could happen. If you do not comply with information blocking. And then of course, we all know what the penalties are for.

Not complying with HIPAA.

So, ] , where do you start? Speaking with CIOs, chief privacy officers, we don't have trained staff. We're short staff, where do you start? And what's your notion of this basic cyber hygiene? Like 4 or 5 D. Is that a good,

start

yeah, the typical way it goes as CIOs.

First thing you do is you weep. You know And you sob uncontrollably for a little while, realizing that it's a pretty, pretty deep hole, but no, I'm kidding. The reality is the first point you start is identifying where your crown jewels are. Right. Do you know your systems that transact your data here at Baptist?

I have a giant think about architectural diagram that connects all of my applications, servers, databases, infrastructure, to understand these are the systems. that Could house data, and this is where the data should be going to. The problem is looking for anything that's outside that norm. Right? How do you figure out, because we all know how apps work.

There's open up this port, open up this port, send this FTP out, send this via HL7 here. So even though on a map on an architecture map, you may think, oh, it's this database transacting to this application, which goes out to. this It's actually hundreds, if not thousands of spider webs of connection going across most of the time, over port 80 or port 443 right over the internet, hopefully encrypted.

But how do you check for all of that? How do you know for sure that's the gap right now is we think the level set is this, but the actual set is this. And looking at that Delta. Today, that's a manual process where you have armies of people often tremendously understaffed, right? There's nobody that can afford it, including myself, trying to figure out what is the reality of it.

So we're trying to get smarter with automation and looking at things, but that's where you start is looking at the crown jewels, transacting that, and then honestly, QAing that right? Is that really happening or not happening today in a very manual process? Tomorrow has to be.

automated 📍 📍 We'll get back to our show in just a bit. I'd love to have you join us next Thursday for our webinar, don't pay the ransom. Cyber threats are mounting everywhere, especially in healthcare leaders. Thomas Jefferson university health, as well as St. Luke's university health system and rubric are gonna join us to discuss solutions around protecting all healthcare data, even epic in operations on Azure. This webinar will be on Thursday, August 18th at 1:00 PM. Eastern time. You can register now at this week, health.com or by clicking on the registration link in the description below. Now back to our. 📍 📍

So it sounds like you have situational awareness up to a point, but let's bring up this term, but we we're starting to talk about situational awareness of your protected health information.

If we were to pull the industry, what percentage of folks, friends, family, industry CalWORKs out there would have situational awareness of their Phi, where it is, where it's going. Who's touching.

Such a great question, Frank. So I'll tell you, what's interesting is that N has published a new bulletin, really diving deep into E Phi situational awareness.

There's a recognition that the industry simply doesn't have it as part of the standards. Most of us mapped the NIST cybersecurity framework, however, N cybersecurity framework. Really didn't reconcile with the necessity for specificity around E Phi detection and logistics. Basically, as I call it, where's it going?

Who has it? Who's touching it. And so there's actually now a reg that's running through the process that really starts to put some teeth around this and truly in plain English. Transact and tell the CIOs, this is what you need to be doing with E Phi. It's always been about protection of data confidentiality, the, the CIA, right.

Confidentiality, integrity, and availability. But now it takes a new level by specifying around E Phi, the crown jewels. So to the degree of it, that's the root of your question, which is how do we get there? It's those adoptions of those standards likeness, which enable us to hold our vendors accountable to a standard.

Benchmark ourselves towards something. And I would say today it would be maybe 10%, if not less, which is why N right. Which is funded by the federal government has a bunch of smart people, brilliant people working on it, going, we gotta be really, really clear because guess what? The attacks are not stopping.

They're increasing. And it seems like every single day I'm getting a flash bulletin from the FBI. From HHS in general saying, Hey, watch out for this new threat, this new malware, this new attack. And I mean, it's overwhelming at times.

Fair enough. I'm gonna hold you this one. What percentage though, of folks out there really have an idea of their situational awareness over their PHS?

Yeah, so like I was saying less than 10% in my opinion, and I'm probably being very generous cause I know a lot of the CSOs across the country and they're phenomenal people doing heroic job, understaffed and overworked, but I would say 10% or less. And the other 90. Honestly, probably don't want to know, because once you have an accountability to do something, however, the federal government is mandating it.

So we will do it because what drives a healthcare industry better than compliance regulations. So that absolutely over the next 24 months, I predict will become the number one issue that folks wanna know is truly in reality. Where are we from a situational awareness perspective around EPH? I,

well, listen, Aaron, thank you for your time.

It's always so great speaking with you. I always learn something and I'm sure everybody that's gonna listen to this are gonna learn a lot as well. And thanks for bringing your passion, your big heart to healthcare.

Thanks Frank. And thanks for all outsides doing and everything you're doing for the industry as well.

My friend. Good seeing you.

You as well. Take care. Have a safe trip.

Cheers.

Bye.

I really love this show. I love hearing from people on the front lines. I love hearing from these leaders and we want to thank our hosts who continue to support the community by developing this great content. We also want to thank our show sponsors, olive rubric trellis. Mitigate and F five in partnership with serious healthcare for investing in our mission to develop the next generation of health leaders.

If you wanna support the show, let someone know about our shows. They all start with this week health and you can find them wherever you listen to podcasts. There's keynote town hall and newsroom. Check them out today. And thanks for listening. That's all for now.