This Week Health


December 4, 2024: George Pappas, CEO at Intraprise Health joins Drex for the news. What must the healthcare industry do to finally turn its patchwork of tools into a unified, human-centric defense system? Can the recent legislative pushes in New York and the Senate, aimed at strengthening HIPAA and improving cybersecurity funding, truly protect patients and ensure compliance across diverse organizations? Join to explore the complex realities, untapped collaborations, and critical questions facing healthcare leaders today.

Key Points:

  • 03:22 Healthcare Cyber Legislation
  • 10:18 University of Utah and Common Spirit Alliance
  • 14:55 Professional Liability Insurance for CISOs


Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.


Make cyber security a priority, not a headache. Cyber attacks put patients at risk and cost healthcare organizations millions. But with convoluted software systems and risk and vulnerability data lost in silos, leaders know their organizations are vulnerable and they feel little control over the safety of their patients, resources, and healthcare.

Reputations are bottom line. intraprise Health brings together cybersecurity experts with over 100 years of combined experience in healthcare to offer a comprehensive suite of innovative software and services. It helps leaders finally unlock a unified, human-centric cybersecurity approach. With intraprise Health, you can improve your cybersecurity posture, protect your patients, and simplify your employees' lives.

Visit thisweekhealth.com slash intraprise health to find out more.

Today on Unhack the News.

(Intro) At the end of the day, the person who is trying to do their job needs a level of protection.


Hi, I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain-English, mostly non-technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News.

Welcome to Unhack the News. I'm Drex DeFord, a long time recovering healthcare CIO and now massively focused on cybersecurity. And my guest today is George Pappas.

CEO of intraprise Health, a Health Catalyst company.

Yes.

Welcome to the program. Tell me more about what's going on with you guys.

clients, they have a lot of

But they can't really do risk management the way it needs to be done because of the manual effort involved. So we've been very busy in that. And we're very pleased to have met Health Catalyst a little while ago. They saw what we were doing and wanted to help us take it on a bigger stage. They became our corporate parent early in November, and we're thrilled to be a part of their organization. We've got a larger customer base, a larger stage to accelerate our innovation, because the market doesn't stand still. We just released our latest Blueprint Protect product with GenAI for more automated third-party risk management. It's a real step function in how our clients can manage this portfolio of tasks that are almost so challenging sometimes they just don't do it. So yeah, we're really pleased with where we are and look forward to the future.

h companies can solve. I was

I think about the same time it broke publicly. I'm very happy for you guys. I'm glad you're in. Thank you.

Yeah, they're a great company, great people, really pleased to be a part of the organization. Look forward to finding the right synergistic points, as we're in the middle of doing that now. But I think we have a lot of good things to come.

Good, great. Thanks for talking about that. I appreciate you taking a minute to do that. There's a lot of stories that we're going to cover today, a bunch of good stuff. The healthcare cyber legislation in the Senate, that looks like a lot of good stuff, even though we're in a lame duck session now for the new administration to come on board, new senators, new congressmen to rotate in and out. My head, the curmudgeon in me, says I don't know that anything's going to get done. Are my assumptions wrong? When

attacks this year, the irony

First of all, even though it's coming out of the HELP Committee, which is Health, Education, Labor, and Pensions, it was introduced by Senator Warner, who's chairman of the Senate Intelligence Committee. And he's been the instigator for a lot of this stuff.

He's been a long-time person calling out the problems of cybersecurity, patient safety, the vulnerability of infrastructure. He's been really lighting it up the last couple of days over this telecom hack, which looks very deep and very wide.

Yeah.

Very embarrassing.

Yep.

And he was the original investor and founder of Nextel.

ning HIPAA. Because HIPAA is

Yeah, I love the HIPAA security rule update that's coming, but like you said, HSCC, Health Sector Coordinating Council, we just had an all-hands meeting last week, and we talked a lot about that too. That whole question of how do you get people to continue, over time, to turn the volume up on their cybersecurity game?

first one in healthcare since

How, what is good? What is bad? What is level 2 or level 3.6, right? What does that really mean? What are the missing areas? And then, validation. What I've always appreciated about the HITRUST method is that it requires validation of procedural execution, right?

Yeah, that ongoing checking and making sure you're still doing what you said you were going to do, and how you're going to do it a little bit better this week.

But HIPAA has no such requirement, nor does NIST. What does a CISO of a 50-bed hospital do, who doesn't have a lot of resource but has 100 third parties? It costs a little more money. That's why we're trying to scale our risk management capabilities through automation and talent. But ultimately, what all these entities are saying in the New York law, which I thought was the most pragmatic version of that, is you've got to report incidents within 72 hours.

gs and you have to validate.

And in the New York state law, there's grant money and not just one time, but over time money to get the program up and running and stable. Yeah.

By 500 mil. And in the regulation text, I thought it was very interesting.

Now they have to do this for state regulatory requirements. Anyway,

they had an analysis by hospital size of how much they would need to spend within a range, right? That was factored into their grant, the startup costs versus the ongoing costs. So overall, I thought that was really powerful legislation that was needed.

250 general hospitals in New York. Now, interestingly enough, it did not cover medical practices, skilled nursing facilities, post-acute care. So that's the first kind of anchor. It's going to broaden out as we have an aging population and PHI all over the place in all these different pre- and post-acute settings. It's going to happen.

s been given cyber insurance

right? So things are all cover, have also gotten much more well documented. Exactly. Exactly. So I think it's healthy. The bill was the latest version of that.

It did have grant support.

Hey, Harry, come on now, buddy. He's helping me answer the question. I see him back there.

It had the best practices, of course, coordination with CISA. I think we talked about this maybe a couple of sessions ago. Third party is not an isolated solution. It's a very broad solution.

So the whole notion of software bill of materials, software quality standards, software companies basically notifying of breaches in a timely fashion, that's all going to converge and make doing this a little less daunting than it is now.

It's interesting, all of these things as they come up, there is a lot of overlap.

ink, perfect is the enemy of

how do you figure out how to do the assessment and make sure that you're actually in the place that you think you are? Maybe that can become one standard, but in the meantime, if you're in any other state besides New York or Massachusetts, or there's a lot of those kinds of things that are going on right now, you should expect that the government's going to help you

And the other dynamic here is that what we've been really trying to drive to, as we do our work and build our platforms, is this: these frameworks have different nuances, but there's a common set of things that they all try to do.

m a board level perspective,

And, they want to know that in a centralized way of good practice, good liability management their organization is doing those things.

I'm going to switch to the next story because we could talk about this all day. I know how we are. I know you're also excited about this story on the University of Utah and CommonSpirit building a clinical alliance to better support the patient base in the mountain region.

should we read anything between the lines and all of this?

I thought so. Here's what I really liked about it, though. There's some ironies in here too, right? But when I saw in that, and if you combine that with what we're doing with interoperability, when people do disaster recovery or business impact analysis or other drills, like we've talked about, they're talking about within their organization.

them competitors or regional call it the hot backup of the

Because it's a way to let your patients still be served. Now, it's so interesting, you think about the healthcare business model and the economic structure we work within. Most healthcare entities want to have the entire patient life cycle within their kind of four walls, or within their four network walls, I should say.

And I think this is a good area where that's not true. Network, you mean healthcare system? Yes.

Correct.


Right.

And because they were, in the combination of CHS and Dignity, 300 hospitals, how many different EHRs and EMRs, how many different systems?

Oh my gosh, a lot of legacy stuff coming together.

So that's where the little Swiss cheese holes are everywhere. Exactly. And essentially, they bought a set of hospitals in Utah that allowed them to have this resilient setup with University of Utah. That's what made it possible. But I think it's a model that, if HHS could do something about that, provide some incentive maybe or some liability management, because across the entire country you have areas where you have multiple health systems within a certain geographical distance of a large population.

And yes, you're going to be, I'll use the word competing, at the same time you've got to collaborate when your patients need help. And so I think it could be a really good way to do something here.


Yeah. Cybersecurity is not one of the things we compete on. Everybody needs to be. Exactly. There's also a study, maybe came out a year ago, I think out of UCSD, and it was talking about San Diego specifically, the challenges of when a hospital has a breach in any given market. The result is that healthcare quality at those that are not attacked goes down.

Because of the rush of patients that come from those other facilities. So that attack on a single organization in a market has a cascade effect on everyone else in that market. Even when they're doing their best, these wind up being overcrowded and emergency care jammed up. Yeah, another reason to build this in and plan for that flexibility should something bad happen to one of the hospitals in the region.

the continuity, the patient

I think that with a little bit of thoughtfulness, a little bit of bigger-picture planning, a little assistance from some governmental agencies, you could make the system more resilient in a more meaningful way. Maybe this will be part of new legislation

in the next, somebody will call you and ask you to help.

I'm in Virginia, I'll go to Capitol Hill

and have a chat. Senator Warner's staffers will call you and say, hey. The next story, this is one of those things that keeps coming up, especially for for-profit and publicly traded companies, that sort of space. But I hear a lot of folks talking about it now in healthcare too.

ch of it is real, but that's

Yeah, and actually, let's start with the problem first because, over the last year and a half, there have been two or three CISOs who we've had conversations with, some of whom are clients, who are, you know, rationally concerned because they're not officers of the corporation. They're not covered by D&O, Directors and Officers professional liability insurance.

And as we already have covered on many of these episodes, they have very challenging circumstances. They have technology that is brittle and very vulnerable. Lack of resources, lack of help. They're making recommendations to the board and getting half what they asked for. Their cybersecurity posture is not very good, right?

roving a little bit, but how

as we know, and we've seen documented evidence of this year, what happens if you have an attack and someone dies or someone doesn't get access to care? Now they want to go find someone to go launch a legal action against. That person is vulnerable, right?

And the other irony I saw in that article, because there's another article that was out, I think just a couple months ago, that talked about CISO pay going up because it's a tough job. Very challenging circumstances. Even if you had full resource and you had a great cybersecurity posture, if I could tell you you would never be hacked again, that'd be a 10 million request, right?

If I could really do it. Maybe a 50 million request, that you can't. Yeah. At the end of the day, the person who is trying to do their job needs a level of protection. And there are a couple of ways to do this. We talked about this, I think, on our last episode. If that CISO reported to the CEO, they could be made an officer of the corporation, right?

't need this. But if they're

Yeah, I wouldn't take a CISO job in a hospital if I didn't have it. Because you've got to think about your family. You're trying to do the right thing here. So Crum & Forster, who's been out there with a lot of different coverage types, is the first carrier to do this. But I think it's a trend.

I foresee riders to D&O policies you can get, right? So it's the beginning of a needed change, and your earlier thought there about for-profit: the SEC has had a lot to say about that. Already, it's Sarbanes-Oxley for CISOs in a sense, right?

And then you have a lot of private organizations where their investors are requiring a level of cyber disclosure, but do they have the resource?

Where's their security maturity?

Yeah.

Are you

When it really matters, and these are times it really matters. It's a challenging, challenging place to be.

There's one other thing in the article that I think is probably worth mentioning, and that is a lot of CISOs may have a side hustle, too. Oh, yeah, that's right. You want to have professional liability insurance if you're doing that, if you're advising someone else, if you're coaching someone else.

Make sure that you have that liability insurance on your LLC, and have an LLC. That might be another thing, right? If you don't have a limited liability company that you're actually doing that work through, you absolutely should do that. Those things are designed and built to protect your personal financials.

I feel

by the way, limited liability company. Man, there's a little bit of this that is just a little heartbreaking, I think, to see this.

I, again, I'm with you. I talk to these guys all the time. So do you. I know how hard the job is. I know how much they struggle. Yeah. With what they would like to do compared to what they actually can do. And when you talk to them about, not what literally keeps them up at night, but what are the things that they really worry about?

One of the things they really worry about is this thing is going to happen and I'm going to feel bad, because I asked about that but I couldn't get the resources for it at the time. Money flows freely once the event happens. It doesn't flow freely prior to the boom.

Keep good documentation. Yes. Make memos for the record for yourself about conversations. I'm not saying this is a bunch of CYA. Look, this is the world we live in right now.

ure that you're keeping good

Yeah.

It's a feature of where we are. Doctors have malpractice insurance, right? Hospitals have insurance. And for one of the most important threats to the healthcare system over the last couple of years, the leader in that organization does not have a formal way to be covered for liability, professional liability.

It's a little ironic, especially in today's environment. Yeah. Hey, thanks so much for being on the show today. I really appreciate it, George Pappas, the CEO of intraprise Health, a Health Catalyst company. Really glad you were on the program. Always have a great time when you're here. And by the way, I want to thank you.


2025 is going to be amazing. I will see you on the other side of the calendar page. Yes. All right. Take care. Bye.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com slash news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.


© Copyright 2024 Health Lyrics All rights reserved