This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack (the News): The Duplicate Delema and Merger Instability with Kevin Day

Revolutionize your approach to interoperability. Visit ThisWeekHealth. com slash Rhapsody today and unlock your full potential.

Today on Unhack the News. (Intro)

Kevin Day: primary attack vector is shifting from your end user clicking on a phishing link, that's still a big problem. But I think it's shifting toward unpatched, unremediated third party software that's in your ecosystem.

One of the articles I read in preparation for our discussion talked about that as the new soft underbelly of healthcare institutions.

. And now, this episode of Unhack the News. Hey everyone, I'm Drex and this is UnHack the news. Really excited today. Got Kevin Day from Rhapsody. We're gonna talk about a bunch of different stuff, M and A and data, and maybe even the HHS Wall of Shame.

Kevin, welcome to the show.

Kevin Day: Oh, thank you so much, Drex. It's a thrill to be here.

Drex DeFord: this isn't something I normally do, but it's the first time we've really had a conversation. First time Rhapsody's been on UnHack the news. Tell me a little bit about your background.

Tell me a little bit about what Rhapsody does.

Rhapsody, we have the opportunity to serve. Thousands of customers worldwide with our digital health enablement platform. That provides the data interoperability layer with our award-winning interoperability integration engines, but also the opportunity to protect identity information and matching identity so that our customers can know they always have the right person at the right time with the right data.

we also offer semantic terminology. It's a pleasure to be here and I'm really glad that we were able to get together today.

Drex DeFord: Yeah, me too. So I'm gonna hit a couple of stories and we talked a little bit about how we do this. We can dig into the stories. Mostly the stories are sort of like the opportunity for us to just riff on some of the issues that sort of come out of those stories.

I was involved in two of them. One of them was CIOs, one of them was CISOs. And a big part of the conversation in both of those rooms was around data figuring out what the source of truth is for data, the whole data governance conversation and then how to line that up for reporting and exchanging and everything else.

You must see a ton of this as you go across the country. Tell me some of those stories.

Kevin Day: It feels like the digital health mandate was well over a decade ago and yet there are still healthcare institutions especially those in the remote settings that are just struggling to get the right information. And when you think about health records in general, as soon as you run into a problem, is it this person or this person?

You end up just giving up and creating a third dispar, oh my

Kevin Day: It's incredible. Actually, just to share a quick personal story. My father, he is in his eighties and he is suffering from uh, kidney problems. Every time he goes to the specialist, they start all over and it's like they're wasting so much time and resources to get him the care that he needs.

What we're seeing and I think it's going to. Perhaps get even more acute not to overuse that word, but as these institutions have an opportunity to actually gain real benefits in AI, if they don't have the digital superhighway going they're gonna lose out on that opportunity.

So this is the right time. And, the real problem is you can't dictate what you're getting from upstream. So, EMRs, EHRs CRMs, workday, you can't dictate the formats that you're getting from those upstream sources and also your organization may be

Drex DeFord: it really kind of starts at the very beginning too, right? I'm going back to the duplication record issue training the people who are on the front lines, who may not be the highest in paid employees that we have to search in the right way to make sure that they find the patient that is actually standing in front of them instead of sort of like taking the easy route and saying, I'm just gonna create a new record for this patient. Because it really

affects the patient and their safety too. Right? Right. Like with your dad's background and experience, instead of asking all those questions again, which he may not remember all the things that he should say every single time. Right. That's what the record's really for.

we do specialize in not only data interoperability, but identity management. And the problem that we're trying to help solve for our customers is that. The opportunity to de-duplicate data and we really believe that AI can help with this problem, but there still has to be the organization's workflow and processes that are enforcing the system of record and what is your source of truth.

And then through tooling, like what we offer at Rhapsody, certainly, but through tooling, you can actually. Enforce the system of truth and make sure that the staff is well trained, but also that you are incorporating common sense automation to help that process. We have a lot of customers that come to us with hundreds of thousands of potential duplicates and with

no idea how to tackle that problem. Do you just push the reset button? Do you need to put an army of data stewards at the problem in order to, to actually make a difference?

But that's really kind of only part of it. And if you can use AI to help with that, obviously streamlines, intakes. Probably some degree of pain out of it. At least by the time it gets to the human to look at it. They have all the things that they need to make a reasonable decision pretty quickly instead of doing all that research on their own.

But then that data flows to other organizations, right? Other organizations where patients and families get their care mm-hmm. where they may get prescriptions or other tests that's incredibly important and that sometimes gets lost in the shuffle too.

And then we're gonna enable it to be part of these major workflows. And so that way you always have line of sight of where the data is. You have the assurance that it's protected and encrypted every step of the way. And you also, again you're enforcing the rules of the game.

So that way the provider can be efficient with that information.

And that M and A process is really difficult. And I know you see a lot of M and A what's your feeling about how this is going and how we can maybe do it better? Some stuff you see from the field?

Kevin Day: It does seem constant Our customers are coming to us at that point of, Hey we're, we're the gaining organization and we are acquiring and it is usually I would talk to the CIO or the CTO or their head of IT operations. Often they don't know that it's happening until it's happened. Right? So there's the, you know, one, one key suggestion is you, especially at the CIO level, make sure that your team members are part of that due diligence and discussion. And you have to have the trusted members of your team if not helping.

Drex DeFord: I'm a hundred percent with you. These are all experiences that I've had too, and it is I think you do yourself an injustice if you're a leadership team in a health system, you're doing an acquisition.

You don't have the CISO and the CIO at the table because those folks really are risk focused kinds of people and they'll also help you understand that maybe the deal you're making isn't as good as you think. Sure the deal is because of the underinvestment in the system being acquired or whatever the case may be.

Kevin Day: that moment in time when it's announced before everything is integrated, that's the soft underbelly of M and A activity and it's right for cyber attack. And that's exactly what cyber criminal professionals are looking for those windows of opportunity. When the SSO system, for example is in two different directions,

maybe you're not enforcing that. Every end user has antivirus, suddenly now you've spread out your attack vector to the number of employees in both organizations.

It's usually also an opportunity to look to see if the smaller organization that's being acquired are they SASS or in cloud? Is this an opportunity to migrate them up, but we all know it's this is the time when your organization, even the large

maybe highly secure gaining organization. They're absolutely also more vulnerable to cyber attack during that process.

Drex DeFord: Yeah, for sure. The other thing I was just thinking about, so I mean it's sort of interesting to hear you say you help them with their, application rationalization process.

Kevin Day: I think that's the best time. And it goes back to the, did you account for that in your budget? For the integration. And I have to admit, our Rhapsody is formed from a lot of great products and companies over time. And we're unified in our digital health enablement platform. But we're five companies over a period of five years came together to form what we have now.

And I'll be honest with you, we just reconciled like. Not having five different code repositories to do software. So if you don't fund it upfront, you're gonna pay for it until it really is a problem. We happen to have converged on code repository, so we can get real leverage of coding assistance now with AI.

Drex DeFord: Yeah. Don't let that automatically be a No we can't touch that. Like, exactly. There's other, I mean, sometimes both. Organizations are customers of that partner. They wanna keep the big one. They might be willing to make some kind of a deal on the small one to let them outta the contract or something in exchange for something.

I know you were out there poking around. What'd you find?

Kevin Day: So, I think we all know the rules. Like , if your breach impacts more than 500 people, you're legally obligated to report it. Now keep in mind these are under investigation, so they could turn out to be

So to me this means that the primary attack vector is shifting from. Your end user clicking on a phishing link, that's still a big problem. Sure. You know, you're, You absolutely need to protect against that. But I think it's shifting toward unpatched, unremediated third party software that's in your ecosystem.

One of the articles I read in preparation for our discussion talked about that as the new soft underbelly of healthcare institutions.

'cause the data's really interesting and I'm usually trying to figure out like, am I really seeing a trend or not? A regular trend too around third parties. So a lot of these breaches hacking incidents are actually tied to BAAs Business associates. Yeah. Who are breached their own security has some kind of a problem.

They're breached, but it turns out that they're the core system for something for 25 health systems or 500 health systems. And so all 500 of those health systems had data lost in that breach. Now, the BAA may have to report it, but all 500 of those health systems have to come back and report it too. So that can be

another angle on this.

Maybe I'm mistaken, but I believe that's way beyond their normal patient population. Must also include research records that were through a BAA granted to them. But the whole thing is they have to report that the whole thing was lost at, at this time anyway.

But the, we go back to the vendor management and at rhapsody we pride ourselves. We don't want be called that V word. We don't want to be your vendor. We want to be your partner. So. When you are going through a screening process, we wanna be upfront with you and go along in that journey with you.

We'll share all of the results from our cyber programs like ISO and SOC two and HIGH trust. But we'll also partner with you on your penetration tests and your game day events and disaster recovery and BCP. All of us in this space this protected information space

Drex DeFord: That is absolutely the key to the operation, getting back in business and taking care of patients and families. Yeah. Kevin, thanks for your time today.

I really appreciate it. Absolutely. I'm glad you were on and I'm looking forward to the next time our paths cross.

Kevin Day: me as well. Thank you so much for having me.

Drex DeFord: Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth. com slash news. I'm your host, Rex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.