This Week Health

Hopefully as a CIO you understand that the Change Healthcare issue is partly owned by you. But if not, today I discuss.

Transcript

Today in Health IT: "My name is Chuck. I'm a healthcare CIO and I'm part of the problem." Great post from Chuck Podesta in response to the cyber attack on Change Healthcare, and today we're going to talk about it a little bit. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels and events dedicated to transform healthcare, one connection at a time. We want to thank our show sponsors who are investing in developing the next generation of health leaders: Notable, ServiceNow, Enterprise Health, Parlance, Certified Health and Panda Health.

Check them out at thisweekhealth.com/today. If you're wondering, every year we sign on new sponsors and they change what they sponsor. And so this is the big shuffle. So this is the new set of Today show sponsors. So there you go. They're great companies. Check them out. All right. Let's see. One last thing. Mentor someone. Figure out who it is.

Hopefully it's somebody who's pursuing you. If somebody is pursuing you, give them some time. Share this podcast with a friend or colleague. Use it as a foundation for daily or weekly discussions on topics that are relevant to you and the industry. They can subscribe wherever you listen to podcasts. All right, let's get to this. The Change Healthcare thing has caused a lot of questions and introspection. I posted "After Change Healthcare, more effort needed to avoid cyber attack chain reactions." I posted that story out on LinkedIn. And my comment was: what other IT systems are vulnerable to these chain-reaction-style attacks? I would think the question is being asked at every health system, physician practice and pharmacy across the country, but just in case, here it is for your consideration.

I hope the question's being asked. One of the more interesting responses, though, was Chuck Podesta, who is the CIO at Renown Health. And Chuck has been at a bunch of places. I think he was in, gosh, he was in New York. He was at UCI. Do you work? I think at Stony Brook UCI. He's now at Renown.

I know there's a couple others. I'm not going to hit his post, or his profile, 'cause that'll take me away from what I want to read. But here's what Chuck had to say about this. My name is Chuck. I'm a CIO and part of the problem. Wake-up call. Back in the day, everything was on prem. You only had to worry about your own house. As CIOs, we thought that was risky since a compromise or system outage would impact the entire organization. We thought moving to third-party cloud solutions would spread the risk and mitigate a complete outage. Third parties had deeper pockets and could do it better. Yay, saving money.

Unfortunately, besides a BAA, we don't have much visibility into third-party vendor security programs. Should we now have two clearinghouses? Costly. Oops. Only one vendor providing the service due to market consolidation. As Kevin indicates, ugh. You would think we could work together, client and vendor, to come up with a more secure platform and built-in business continuity.

Sadly, no. Now the federal government will get involved to pass some rules to tell us to do what we should have been doing all along. As an industry, could you imagine if we took care of our patients like we take care of, if we took care of our patients like we take care of their information? Can we please stop chasing shiny bright objects and fix this? You don't spend money renovating the kitchen when your basement is full of water. My name is Chuck. I'm a CIO and part of the problem. I love that post.

I love the honesty of that post. Clearly I'm going to pick it apart as I always do with these things, but Chuck Podesta, I really enjoy my time with Chuck. He is a very experienced CIO and a person who causes me to think. And by the way, this has 12 likes to it, so I'm not the only one who thinks this is a really good post, or a good comment. So let's talk about the CIO's role in this.

He says: wake-up call. Back in the day, everything was on prem. You only had to worry about your own house. And as CIOs, we thought that was risky since a compromise or a system outage would impact the entire organization. We thought moving to third-party cloud solutions would spread the risk and mitigate a complete outage. All right.

So let's start with the move to the cloud and everything being on prem. The move to the cloud. Somewhat.

And by the way, the move to the cloud is never a cost savings endeavor. I've yet to see an ROI model that shows a move to the cloud saving money. It moves money around. So we're not moving there to save money. So why are we moving there? A couple of reasons. One. We.

Agility. I think the number one reason we moved there is agility. It gives us the ability to move faster. Why can we move faster in the cloud than we can on prem? Because we are able to say no to the organization. Not because we're saying no to the organization, but because someone else is saying no to the organization. This is one of the areas where we've fallen down as CIOs again and again. We have to stand in that gap.

It is our role as CIOs to stand in that gap and educate the organization on the challenge of expanding systems, the challenge of expanding scope of projects, the challenge of adding more applications, increasing the complexity of our environment, increasing the attack vectors on our environment, creating more points of integration, brittle points of integration, between these systems. And so if we're honest, we moved to cloud and our EHR provider, and we say Epic first or EHR provider first, because they're able to say no to the organization where we are not able to say no to the organization.

We are not able to educate and stand in that gap. So that is one of the failings of us as CIOs. Are we able to articulate the problem with adding application after application to our environment, so that people understand it and take it into consideration as we are evaluating new systems and new functionality? So that's the first thing. Agility.

Second is our ability to control the architecture. The third is just modernizing the architecture. We've been unable to articulate the problem with tech debt to our organization for decades. Tech debt kills an environment. And one of the problems with on-prem was not, potentially was not, that the architecture was bad.

Although I can make that argument that the architecture at most health systems is bad for their on-prem systems. But with that being said, we haven't been able to control tech debt. We haven't been able to make the case: hey, these systems have been bought. This data center has been bought. Money has to be invested in these things. One of the things we had to do at St. Joe's when I got there, because we, I was the recipient of a massive amount of tech debt when I got there.

I always forget the number, but it was over 80%. Over 80% of our data center was end of life. Not old. Not coming up on end of life. End of life. Like it was so old that the organization said we will no longer support it. Okay. So that's the environment. We had a 25-year-old PBX from Nortel, which didn't exist as a company anymore.

All right. So this is the kind of thing that I inherited. And I had to create a narrative to the CFO, starting with the CFO. And I sat down with the CFO. I said, hey, here's what I inherited. Here's the problem. Here's why the data center's going out. Here's why the outages will continue until we address these things. And we did address those things, but we addressed them in such a way where we extended life cycles.

We went to thin clients so that we could go from four-year life cycle to seven-year life cycle on equipment. So in the process of upgrading, we actually extended the ability for that environment. We went to software-defined networking because it is more agile and it has a longer life than hardware-based environments. And again, we adopted cloud and cloud architectures because we understood that there are some workloads that we have to ramp up and ramp back down. Cloud has a significant place to play in your environment. Now I'm not talking about, so I'm talking about infrastructure as a service.

Now we're going to talk about applications as a service or software as a service. We sign contracts with these vendors all the time. All the time. And some are big. Some are small. And it is our responsibility to ensure the security of those environments. This is where we get into trouble. And actually it's not the big, it's not like the Workdays and the ServiceNows.

These are not our problems. They can be someday. They could be, but clearly we've seen it with Kronos going out. Now we've seen it with Change Healthcare going out. Third-party risk is a significant problem in healthcare. I'm tired of people saying it's a problem without putting viable approaches to addressing it within their health system. I hear it over and over again.

It's almost like a refrain. Oh, it's almost like me talking about putting on weight. Oh, I'm putting on weight. What are you doing about it? Last year I did a little thing and I lost a little weight and it was good, but now I'm putting some of it back on. That's unacceptable with third-party risk. That kind of mindset, that kind of approach is unacceptable with third-party risk.

With third-party risk, we have to have a plan. If I were on your board and I were sitting across from the CEO, I would ask them, what's your plan to address third-party risk? And when they looked at me dumbfounded and without an answer, I would say, that's a problem. As a CEO, you should understand that third-party risk is one of the biggest exposures you have, not only for your patient information, but for your operation. And you need to get in front of it. As a board member, I'd be saying that. You know what, as a CIO, I'd be saying it too. I'd be sitting across from the CEO, who I had a good relationship with, and saying, look, third-party risk is a significant problem for us. And I would like some money to address this.

I would like to put together a program to address this. I would like to work with other health systems to identify a solid program to move this forward. I may need to make some investments. I definitely will need some people to address this. We need to audit the security of our third parties. We need to audit the business continuity of our third parties.

We need to identify all of our third parties. So my problem on the CIO side is, are we having these conversations, or am I going to hear for the next two years, third-party risk is one of our biggest challenges? If it's one of our biggest challenges, let's get ahead of it. It's not like it's not solvable.

It is solvable. So let's get ahead of it. Let's identify an architecture that works. Let's jettison those third parties that are unwilling to work with us on these things. Let's identify a failover. And by the way, he goes on to say, oh, we have to pay for two, ugh. Like that's not going to save us money. There are ways to have a primary and a backup where the backup doesn't cost you much, but you can spin it up very rapidly in the case of an outage of the primary. You could have RelayHealth sitting there as a secondary, and all the integration and all that stuff done. And yes, there is a little bit of cost associated with that, but you're not utilizing it as your primary tool.

That's your fallback tool. And then Change Healthcare is your primary tool, or vice versa. So just something to consider. And I understand that it changes workflows and whatnot, but that's the kind of thing from an architecture standpoint that we get in front of. I love the fact that he ends with this: as an industry, could you imagine if we took care of our patients like we take care of their information? The problem is we, as patients, have no recourse. And it's really sad that we have no recourse. I'm going to go to the hospital down the street, regardless of how good or bad their IT infrastructure is. And we have these conversations all the time. I was talking to a CIO who's caring for their sister at a health system. It was not to be named. And they were telling me all the challenges and all the problems at that health system. And I'm like, we can do better. We can get ahead of it. Now, a lot of those problems and challenges are not IT related, as you would imagine. But part of it is, inasmuch as it depends on us, for our part.

How do we make this better? And we want to make it better so that people can focus on the things like caring for patients that are so important, and give people that time and the capacity, the mental capacity and the focus, to focus on the things that are important in the delivery of care. Anyway. Thank you, Chuck Podesta. Appreciate you and agree that there is a part of this that is CIOs' culpability. And we have to think through this, take responsibility for the things that are ours to take responsibility for, own them, make them better, and come out the other side as better organizations for it. All right. That's all for today.

Don't forget to share this podcast with a friend or colleague. Mentor someone. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: Notable, ServiceNow, Enterprise Health, Parlance, Certified Health and Panda Health. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.


© Copyright 2023 Health Lyrics All rights reserved