Indiana University Health This Week in Health IT
April 13, 2020

 – Episode #

Guest Information

Share this clip:

Share on linkedin
Share on twitter
Share on facebook
Share on email

April 13, 2020 Today on This Week in Health IT, we hear from Mitch Parker, the Executive Director and CISO at Indiana University Health. The host for this show is Drex DeFord, and he catches up with Mitch about the current state of their health IT team and the obstacles they come up against in the fight against the coronavirus pandemic. Mitch shares what the most common IT threats are at present – including PPE scams — and how they are striking the balance between being responsive to the overwhelming needs of the healthcare system while keeping all the security processes intact. He also talks about the security challenges of telemedicine, how the compliance regulations for third-party applications might be adjusted, and describes how the crisis has accelerated the trend toward a heavier focus on outpatient care and home monitoring — a much more cost-effective model.   

Key Points From This Episode:

  • The most common health IT threats that are currently emerging from the COVID-19 crisis. 
  • Striking the balance between remaining responsive while keeping track of security and risk.
  • How Mitch and his team have been able to evaluate solutions in a much shorter timeframe.  
  • The security challenges experienced with telemedicine. 
  • A prediction about the compliance regulations that will be implemented for third-party apps. 
  • The difficulty of getting a large workforce working from home in two weeks. 
  • How the crisis has accelerated the trend of monitoring more patients from home.
  • Finding ways to reduce the need to rent expensive office space.   

Field Report: Indiana University Health

Want to tune in on your favorite listening platform? Don't forget to subscribe!

Thank You to Our Show Sponsors

Related Content

Amplify great thinking to propel healthcare forward and raise up the next generation of health leaders.

© Copyright 2021 Health Lyrics All rights reserved

Field Report: Indiana University Health with CISO Mitch Parker

Episode 224: Transcript – April 13, 2020

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[0:00:04.5] DD: Welcome to This Week in Health IT news where we look at the news which will impact health IT. This is another field report where we talk to leaders in health systems on the front lines. My name is Bill Russell, healthcare CIO, coach, and creator of This Week in Health IT, a set of podcast, videos and collaboration events dedicated to developing the next generation of health leaders.

As you know, we stepped up production over the last three weeks and Sirius Healthcare has stepped up to sponsor and support This Week in Health IT and I want to thank them for sharing our passion and to capture and share the experience, stories and wisdom of the industry during this crisis. Today, Drex DeFord conducts the field report for This Week in Health IT.

Special thanks to Drex for helping us to cover more ground during this time. If your system would like to participate in the field report, please shoot me a note and easiest way to do that is by email, [email protected] Now, on to today’s report.


[0:00:57.7] DD: Hey everyone and welcome to This Week in Health IT. I’m Drex DeFord, CI Security chief health strategist and president at Drexio Innovation Network. Today, we’re with Mitch Parker. Mitch is the executive director and CISO at Indiana University Health. Welcome to This Week in Health IT and thanks for being with us Mitch, I know that you guys are crazy busy.


[0:01:20.5] MP: Thank you very much for having me.


[0:01:21.8] DD: For sure. I’m just going to hit a few questions, we’re going to try to keep it short because I know you got to get right back in the ballgame but let me start with what are you seeing with regard to threat activity during the pandemic?


[0:01:36.2] MP: I’ll be very clear about this is that we’ve seen an up tick like everyone else in spear fishing attacks. That has been the major focus that we’ve observed. Huge amount of domains being registered to look like COVID-19, also we’re seeing a number of attacks about fake donations and a lot of donation scammers.


I’ve even personally been contacted by someone offering me surgical masks. I’m sure pretty high markup.


[0:02:04.0] DD: Two or three times I’ve gotten emails like that too. I mean, are you getting emails from folks on the staff who are kind of saying you know, what is this? Is this real or not real or you just kind of blanketing everybody regularly with some updates?


[0:02:21.8] MP: Well, we blanked everyone regularly. I mean, that’s just what we do, obviously we’ve had to up our game a little bit with what’s going on and also with a huge amount of people working from home but in general, I mean, just in the industry, everyone’s been getting these emails , talking about how much they’ve been, I was getting these emails and talking about how much they’re just doing slammed with scam emails.


[0:02:45.8] DD: Yeah, for sure. Any other specific threats they’re keeping an eye on, any other things you were thinking about or worried about?


[0:02:53.1] MP: Like everyone else, I’m just worried about criminals using this – as an opportunity to take advantage of organizations to make their mark.


[0:03:02.9] DD: Yeah. There’s a lot of activity right now, a lot of stuff happening in health IT. How have you been able to keep security integrated into the process. You know, how do you balance the – we have to be responsive versus we have to be secure and manage the risk. What’s your approach to that?


[0:03:26.1] MP: Truth is, we got a lot of work in prequalifying the number solutions that we already had. Went to the point and I had this discussion earlier today about being able to pull solutions off of the shelf that we could use to say okay, need a solution, we have something here this is what we recommend this is what works.


We’ve had to be very flexible and cut down our time to evaluate solutions, it doesn’t mean we don’t evaluate them, it means that we do it on a much shorter timeframe that we need to do.


[0:04:03.9] DD: Are there things you leave out of the process to cut down the timeframe or you’re really just brute forcing it?


[0:04:09.0] MP: Pretty much brute forcing it. Because I can tell you, a lot of our vendors have been very good about providing good security documentation and adding stations online. Been utilizing a number of those. Giving you an example, I did a contract for someone last week and we’re able to cut through it because it turns out this platforms they were using were already got certified.


[0:04:34.4] DD: You were able to just pull that data, pull those documents down and use those for all the reference questions that you probably would have legend them with otherwise?


[0:04:43.7] MP: yes, the other part of it is they needed to have a line in their contract about support and I was able to use the ISO certification, craft some language and got it past our lawyers in theirs.


[0:04:55.7] DD: Great.


[0:04:57.6] MP: Usually that takes about a week or two to do because well, lawyers, and it took us 48 hour to get that turned around.


[0:05:03.9] DD: That’s awesome, that’s terrific to hear. There’s a lot of new stuff that’s been rolling out and it sounds like you’re mostly trying to focus on stuff that you already have contracts with, stuff you already have in house. 


But Zoom, more personal devices, your undoubtedly have pushed a bunch of people to go work at home. How are you dealing with that?  How are you dealing with all that sort of new world order of what’s happening right now?


[0:05:32.4] MP: The big challenge when with telemedicine. Because we have to give good guidance to people that are using these new solutions because OCRs relaxed their enforcements. 


We had to reiterate to people, this isn’t saying hey, you can go use free Zoom, this is – you’ve got to enter into these relationships as if you were going to be getting a BAA with them,  we’re just going to not enforcing if you don’t have one, not enforcing you haven’t done a third party vendor risk assessment and but we want you to anticipate getting that BAA and doing the ground work.


Just get it out on the ground now. We’ve had to provide that level of guidance, I did some work with John Lin. Put up an article in Healthcare IT today, specifically referencing what providers needed to do because the first thing that happened is, infosec Twitter lit up saying, hey look, CR says you don’t need security in telemedicine.


[0:06:32.2] DD: Yeah.


[0:06:33.6] MP: Which was not the case and then we were a little bit unconventional about talking about what applications can be used because realistically, there are some vendors out there that are never going to enter in with BAA. Anticipate signal and bring into the BA to use their app in telemedicine.


However, I feel a lot better about using signal for telemedicine that I do some of the other apps out there.


[0:06:59.3] DD: Yeah, it is going to be interesting to see what happens as we get into this a little bit further, will they continue to extend, I will ask you what do you think? Will they continue to extend these sort of wavers or at some point will they start to set dates about now you have to come back into compliance and how will all of that work? 


[0:07:18.4] MP: I think they are going to set dates for coming back into compliance. They been good at setting dates lately. Take a look for example at the 21st century cures act final rule. They are going to set dates when this is over to say this is a date by which you’re going BAA for Telemedicine solution, however what I think is going to happen is that they are going to expand that list of applications you can use to be more than just CC and certified. I think you are going to start seeing more common platforms approved for Telemedicine.


[0:07:47.4] DD: Yeah. 


[0:07:48.3] MP: Because there’s one out there that are pretty simple that you can use that happen to have things like high trust certification such as Microsoft Teams. So I think that is where we’re going. 


[0:08:02.1] DD: How about the work from home stuff, is that keeping you up at night? Have you had to do anything different or interesting to support more folks at home? 


[0:08:12.3] MP: I think the issues are not with technology as much as they are with the logistics of taking a huge workforce that has never worked from home and getting them to work from home in two weeks. 


[0:08:24.6] DD: Yeah, what a challenge huh? 


[0:08:27.7] MP: Because if you think about it the biggest challenge that we have in work from home for doctors was the second we roll that EMRs because every doctor had the chart at home at night because I remember my big challenge to remote access was at my last job when I was at Temple Health, they rolled out the EMR that shall not be named were outpatient and the next thing you know, I had 250 doctors going to me going, “Hey Mitch how did I get Citrix set up. I need the chart at night.” 


[0:08:58.4] DD: Yeah. 


[0:08:59.2] MP: And so I think for doctors we already had it pretty well nailed down because of EM’s but is the rest of the workforce that isn’t IS that isn’t the medical staff that has to adapt and that is where we need a lot more handholding, however it is out of the bag now and I think when you take a look at cost in healthcare, if I tell any CFO out there I can save you 20% because if I have half the staff work from home I don’t have to build real estate. 


Or I can take real estate that people are in now and repurpose it for patient care, any CFO is going to look at you and go, “Are you crazy? You’re going to work from home.” 


[0:09:44.4] DD: Yeah, I think it’s funny I was talking to someone the other day and they were saying, “I don’t know how we are going to get everybody to come back, how are we going to get everybody to come back from a telemedicine world and from a work from home world?” and then that was quickly followed by, “And I don’t know if we want to bring them all back” you know so thoughts about that? 


[0:10:04.2] MP: And so that’s the truth. You take a look at where things are going in healthcare, the curve is going between inpatient and outpatient where in a few years, we are going to have more outpatient than inpatient and so therefore, you are going to have less of a demand for inpatient space and more of the emphasis on getting people back in a community and monitoring them at home. I think this current crisis what it’s done is it’s moved that time period up significantly. 


I’d say at least two to three years and I think also when you take a look at what hospitals are spending on new facilities, I mean it’s a lot of money. 


[0:10:45.1] DD: It is some of the most expensive property in the world, right? I mean inpatient facilities per square foot is massively expensive. So maybe we’ve come up with another way to solve that problem. 


[0:10:57.5] MP: I think realistically you have to think of it as something I learned from a CISO at another institution a few years ago, you reserve the hospitals for the sickest of the sick. There are other ways to care for those who don’t need it. They’ll need that full inpatient stay and I think what is going to end up happening is that we are going to be able to diverge IOT and we’re going to leverage the hospital command center model that Hopkins pioneered. 


And we are going to use that to take care of patients and it will take care of a lot of them and at the command center model is going to expand to outpatients. We are going to do a lot more moderate for compliance at home. In inpatients that is never going to go away but it is going to change. We are going to have less of it and anyone, I have read the reports from some of the big four firms, everyone’s forecast less inpatient beds. 


That is going to happen also with medical offices, office space is expensive. I want to use every single solitary inch of that building for patient care to maximize those costs but if someone is working remotely and use that space for patient care, my revenue per square foot goes up. Well I don’t have to put in for a cube farm or other office space because again some of the office space out there, some of my peers at academic health systems on the east coast that is the most expensive office space in the world you’re talking about. 


[0:12:22.2] DD: Definitely. 


[0:12:24.0] MP: An off system doesn’t have the revenue, the management consulting company that’s leasing space in the same building. 


[0:12:29.6] DD: Right. Hey – I’m sorry go ahead. 


[0:12:34.9] MP: Go ahead, I’m sorry about that Drex. 


[0:12:36.0] DD: That’s all right, I was just going to ask you real quickly about any best practices to other stuff that you have come up with that you have implemented from a cyber-perspective over the last few weeks that you like to share with folks that are listening? 


[0:12:51.2] MP: I think the biggest thing you can think of is to get in place a program to do thread intel and my advice to every organization, HISAC has free memberships, please take advantage of those. 


[0:13:10.0] DD: I saw you post that on Twitter the other night. 


[0:13:12.0] MP: Yes. 


[0:13:12.8] DD: Yeah thanks for doing that. Anything I didn’t ask you about that you want to add? 


[0:13:18.0] MP: No, I am good. Thank you very much. 


[0:13:20.2] DD: Okay, hey I really appreciate you being here. Again I know you are super busy, crazy busy, thanks for being on and we’ll catch up with you again soon. 


[0:13:29.1] MP: Absolutely. Thanks so much Drex, have yourself a great day. 


[0:13:32.3] DD: You too. 




[0:13:32.8] BR: That is all for this show. Special thanks to our sponsors, VMware, StarBridge Advisors, Galen Healthcare, Health Lyrics and Pro-Talent Advisrs for choosing to invest in developing the next generation of health leaders. If you want to support the fastest growing podcast in the health IT space, the best way to do that is to share with a peer. Send an email, DM whatever you do. You could also follow us on social media, subscribe to our YouTube channel. 


There is a lot of different ways you can support us but sharing it with a peer is the best. Please check back often as we would be dropping many more shows until we’ve flatten the curve across the country. Thanks for listening. That is all for now.




Play Video