This Week Health
UnHack (the News): User-Centric Guardrails & the $75 Million Cyber Gap with John Kirkman


March 17, 2025: John Kirkman, VP of Government, Healthcare, and Education from Island, joins Drex for the news. With organizations managing an average of 76 different security tools—up from 64 the previous year—what approaches to rationalization and accountability might create more sustainable security postures? As John introduces the concept of user-centric guardrails rather than purely data-focused defense strategies, the discussion illuminates potential paths forward for an industry where security breaches have become a weekly headline. 

Key Points:

  1. 03:07 Cybersecurity Governance Advancements
  2. 09:50 Rural Cybersecurity Challenges
  3. 13:25 Data Breach Updates

News Articles: 

  1. Cybersecurity's Future Is All About Governance, Not More Tools
  2. Up to $75M needed to fix up rural hospital cybersecurity as ransomware gangs keep scratching at the door
  3. 560,000 People Impacted Across Four Healthcare Data Breaches


Transcript

This episode is brought to you by Island.

Today's healthcare staff needs safe, convenient, and dependable access to patient data across various applications. Island, the Enterprise Browser, simplifies and secures healthcare data access. It's a new take on the most common application we use every day, the web browser, tailored for the unique demands of healthcare.

Clinicians can safely log in from any device to interact with health system applications and PHI. Built-in last-mile controls keep data where it belongs, so access is simple, data is safe, and patient care is smooth. Visit ThisWeekHealth.com/Island to see Island for yourself.

Today on Unhack the News.

(Intro) It's really about creating those guardrails at the user level that I think is an important vector that we finally have reached, whereas before we'd have to just look at the data and work from the data out instead of looking from the user in.

Hi, I'm Drex DeFord, a recovering healthcare CIO and longtime cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non-technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News. (Main) Hey, everyone. I'm Drex. This is Unhack the News. We talk about all kinds of cool stuff that's happening online, in magazines. We go all over the place.

My good friend John Kirkman's with me today from Island. Hey, John.

Hey, Drex. How are you?

Conference season is over. How'd conference season go?

It was good, but it was really compressed. And it also happened to fall in line with the beginning of our fiscal year, which also means we had our company's overall onsite for the whole company.

So inside of one month I was doing a lot of Las Vegas and Nashville, but very attended. And I enjoyed it. So good way to kick off the year, but it was a lot altogether.

I agree. We had stuff prior to the start of Vive, and then we had stuff in the gap, and we had HIMSS, and then, so it's been a whirlwind.

I'm glad to be home this week, but I'm back on the road next week. We do city tour dinners in Kansas City and Nashville, I think, next week. Probably when this airs, we'll be on the road again, but great. But it's good to see, and it's always good to see you on the road too and be able to hang out.

Yes. Yeah.

That's one of the great things about the community that is so tight. Even though healthcare is a huge industry, it really does seem small when you get together with the people that you know, and that's one of the great things about it. A lot of great sharing of information. It's not just that these things get really big and there's lots of giant displays and all of that, but I really think it's the small conversations that are really interesting. And even if you can get a few people involved in a conversation together, not just one company selling to another, but instead having these collaborative one-offs, I was able to do that with a couple of folks from your team and the folks at SHI, which was excellent.

So we did some cool stuff.

It was a great time. Okay, let's get to the news. Yeah, there's a story in Dark Reading: "Cybersecurity's Future Is All About Governance, Not More Tools." The assertion there being, we continue, and maybe it's more of a maturity conversation.

We continue to go through this process where there's new framework. So there's new stuff that comes out in the frameworks. And we love to buy tools. And so there are a lot of tools and we don't retire the old tools and that whole challenge. The argument in this article, in this commentary is really more about moving to more governance and more prioritization.

What do you see as you travel around the country and talk to folks? What's your kind of input on commentary like this?

Yeah, I think it's the age-old shelfware conversation. If we're trying to be efficient with the money that we have a finite amount of, especially in health care, it's just not really acceptable to have anything that you've invested in that you're not getting value from.

And I think sometimes it's hard to keep either your partner community or vendor community honest with: have you provided what it is we discussed? Sort of everybody's problem. It's not one person's problem. But it's something

I think with some of the more modern capabilities, then the importance of deployments and actually using the software to get its desired effect is being held accountable by things like SaaS. SaaS is a little bit easier to change out who you're working with than it was in the old days, where you had a big lift to replace things.

That drives this accountability, which I think is actually helping the industry at large.

The accountability comment: do you mean the accountability of the vendor partner? Or do you mean the accountability to the organization, the decision that was made, and getting the ROI out of it?

What's your angle on that?

And the answer is yes, because it's both. There's these simple things that you see people try to have a standard practice around. Let's call it a quarterly business review, whatever term you want to use, to try to accomplish these things.

So it's not as if it doesn't go on, but I don't think it goes on with the regularity that it needs to. It should really be a standard practice for everybody that deals with health care to take a look, first define what we think we're trying to accomplish, and then revisit it in an organized way.

That's what I tasked my team to do. We're really not happy until people are getting the value. And there's two reasons for that. One is it's just good business to do what you said you're going to do. That's just the way you should operate. But secondly, if you're trying to build a sustainable business that relies on an annual recurring revenue basis, you better make sure that your customers want to stick with you.

And that's a critical component to the growth strategy for many software companies. So I think it's, about making sure the utilization happens, making sure that the value is derived and revisiting it. And if it's not, what can we do to tweak things to make that better.

I think that flows through not just to the company that you're working with. But as a CISO or as a CIO or a chief digital officer, you have to then turn the chair to the board and say, I'm bringing you value. You start to play the role as the partner, right? In the delivery of great healthcare to patients and families.

And you have to be, able to show that you're giving good ROI, that you're getting everything out of the products that you've asked them to give you money to go buy. And I'm looking at this report an average of 76 different security tools up from 64 tools that were used the year before.

So more and more tools thinking about all this stuff like consolidation and app rationalization. And, we struggle with that even today in a lot of healthcare organizations.

Yeah. It was exacerbated by COVID in some ways too. It was like,

Okay. Now we have to serve the community outside of our network. So now we have to either add on to something that maybe wasn't the greatest, but we got to do it now, or gosh, we got to make a quick decision. So they threw some quick tools at the problem. This is the perfect time to go back and start looking at rationalization.

And the fact is, there's been a lot of sprawl, and it continues. You're seeing the statistic you just mentioned. It really should be starting to get more consolidated, because if you look at the standardization, like things like Chromium as a background for the browser, now things should be portable and

the code should work across those platforms. With that in mind, it shouldn't be so specialized. It should actually start to be more normalized. And there are more suite approaches to doing things. That's always been a challenge. Do you go with somebody for more of your things and rely on their integrations and their ability to be a partner?

Or do you have a bunch of different pieces? And that gets pretty unwieldy pretty fast. So what we're finding out there is it's resonating quite a bit, particularly at the CIO level, but also CTOs, really from an architectural standpoint, trying to figure out how is it that we are going to get the dexterity that we can get out of these modern architectures, right?

How are we going to look at some of the existing technologies for application access? There's very heavyweight technologies being used there today. Still things like the VPN or even the VDI type of technologies that we can now really collapse into something much more harmonious and easier to use, therefore driving a better ROI.

So it goes hand in glove. Simpler architecture, modernizing and lowering cost is the name of the game, if you can pull it off.

It's interesting to me too, the reality I think that I see with some health system executives who made really great decisions, maybe during the pandemic, to be able to solve problems that they needed to solve at the time, and they really have fallen in love with those decisions and that technology. And sometimes it's really hard, like you're trying to pry those glasses off their face and say, like, the world changed. The bad guys are different. Technology has evolved. There's so many new and interesting things to look at. That can be a big part of the challenge too, is just getting them to take a step back and look at the world in a whole new way.

Yeah, absolutely. That's a really good point. It's a time to relook right now, I think is really the message and you should be able to find people to partner with you in that fashion. It shouldn't be a challenge. I think when it is a challenge is when everybody's just looking at their one little slice.

We have to work in a more holistic fashion across the ecosystem. There's lots of technologies that have built-in integrations, and there's lots of vendors that are teaming up, which is awesome. That's the idea. Make it better for the client by teaming up as an industry. So I'm a big proponent of that.

Hey, I want to switch to another story before we run our clock out here. There's a story in The Register that says, from Microsoft, that up to $75 million is needed to fix up rural hospital cybersecurity as ransomware gangs keep scratching at the door.

And I'm doing the math. Microsoft said it will take 30 to 40 thousand per rural hospital to raise the security posture to a basic standard. And my gut tells me, like, that number is low. That doesn't feel like even enough. So I think that big number must be low. What do you think?

Yeah, absolutely.

When I read the 75, I was like, oh yeah, that's for one system. Being facetious, if there were one rural hospital. But these are not inexpensive or trivial problems to solve. What I think is important is if you can find a way, when you have these programs that we see out in the healthcare business where they're doing Community Connect in the EHR space, things like that. I applaud some of those things, where what you're doing is helping the larger, call it more mature, more staffed organization help more of the locals.

And so what we need to do is think about more ways for the entire software industry ecosystem to support those models. I think that's going to be a more effective way to help one another, is if we can either do things where we do a collective and we say, hey, if you're able to work with us,

we can help more than one system at a time and just blueprint it for them so it's easy, so it doesn't cost them too much money. Really, the resources and skill to do it is the other big shortage that I think needs to be addressed, right? I think it's about business models and looking at new ways.

In our case, we did want to create something that can be done even down to a very small organization, and we do that quite a bit. So we scale up to some of the largest in the world down to something simple and small, and have a support model that's designed for that, so that these rural, let's call it, maybe they just don't have as much resource or maturity in their IT model, we can just take that over for them, provide it as a service.

That's the idea. Make it a utility, right? The best we possibly can, so that everybody can participate.

I think that you're absolutely right. Because I look at this too: the $75 million is a one-time expense. When you look at a lot of those smaller health systems, we have a lot of them here in Washington,

but you sit down with these folks and they have one person in the information services department, or they point at each other and say things like, how do you get three people in your IT department? That seems unfair. So they're really struggling at that level of manning and support, figuring out how to not only get them up to a good standard, but keep them at a good standard over time.

I think the number's a lot higher, and that whole idea of how do you create a cybersecurity utility for them seems like a really strong idea.

Yeah, I think the other piece, just to tie off on that cost component, is it goes back to the earlier comment we were discussing with rationalization. So if you could have somebody that can help you to understand what you have, maybe there's some newer architectures or newer suite-type offerings that consolidate those things and create a positive ROI. We will see that actually it can be a smart business decision, not just a pure expense. Maybe they're baking that into the 30-40K number. I don't think so. But it can be done with thought. But you have to be willing to change.

If you are, there are options out there.

Yeah. And as we know, change is hard.

Yes.

There's another story today. We'll just touch on this one briefly. It says 560,000 people impacted across four healthcare data breaches. This came out yesterday. It mentions the health systems here.

A lot of the health systems, these events happened last year and were just reported today, but it feels like I could almost write this story every week if I just went to the HHS breach portal on any given Friday and just looked at what was reported this week. There's always a big number like this.

I want to ask you why. And I want to ask you, oh, what can we do about it? But it almost feels like it's unfair of me to ask, but I'm going to ask anyway. Why do you think this is just like a chronic drumbeat for us in healthcare?

Yeah. What it really came down to is, several years ago, it went from one person attacking one organization to get somewhere, and they started getting smart and saying, what if we just monetize the access? So now all of a sudden, this thing just mushrooms out. There's so many threat actors spanning the globe that could be from nation state all the way down to somebody in their basement, right? And so now you've got so many attacks coming from so many different types of groups.

And so you have to start to think about what is it that we can start to do a little bit differently, instead of trying to necessarily comb through and see where our potential problems are and try to name all those things. What if we thought more about, in real time, in the experience of the end user, doing more to guide their activities and put up guardrails to save them from themselves, so that you, in effect, reduce the probability of clicking somewhere bad, or cutting and pasting data somewhere you shouldn't, or downloading data somewhere that shouldn't land on your machine, right? So it's really about creating those guardrails at the user level, that I think is an important vector that we finally have reached, that we can do that now, whereas before we'd have to just look at the data and work from the data out instead of looking from the user in. So I think that's just a different mentality that I'm excited that this is the space we're in now, and this is where we can help.

It's interesting to think about that mentality about the user experience. It used to be really focused on one system at a time that we were deploying.

How do we make it really easy for the user to do the right thing and very difficult for the user to do the wrong thing? And over time it's expanded into all the UX, like everything that you do, no matter what you're getting to. If you're getting to it through a browser, for example, you try to figure out how to make it really easy for them to do the right thing and really hard for them to do the wrong thing.

And that's a really interesting expansion of that UX.

Yeah, I just think, I look at it, I think of it like guardrails is probably the best way to go. We're going down a pretty dangerous highway and there's ice patches and we don't know what's coming our way. But if we have the guardrails in place, at least we're going to keep the thing on the road.

So I think that, let's be realistic about it, but the future is here when it comes to that. That is a possibility, that is something that can be done today, given the current technology landscape. I would just challenge folks to think about maybe rethinking things, looking at it from, again, from the user into the environment versus this big sprawl of all this data, and it gets super daunting, like just maybe simplify the thinking.

It can feel overwhelming. Hey, John, thanks for being on the show today. I really appreciate it. Always happy that you're on and I'm looking forward to seeing you on the road sometime soon.

For sure. I'm sure it's going to happen.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.


© Copyright 2024 Health Lyrics All rights reserved