August 27, 2021: The IT system is a living, breathing organism. It changes. It evolves. Things are added. Things are removed. Things are altered. It’s a living, breathing beast. And that’s how you have to look at it. David Ting, Chief Technology Officer and Founder, takes us through his journey from Imprivata to Tausight. Tausight is designed to help CIOs and CISOs ensure the confidentiality, integrity, and availability of PHI. It’s not a matter of IF you’ll have a cyber incident. It’s a matter of WHEN. And more importantly, how do you get back to business? How do you start the defense of your system? How do you gain visibility into the PHI? How it’s used, where it’s moving to, how it’s secured and who’s using it? How do you get statistical data from across your entire infrastructure to say how consistent can I make my infrastructure and how precise can that be?
From Imprivata to Tausight with David Ting CTO and Founder
Episode 438: Transcript – August 27, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: Today on This Week in Health IT.
[00:00:02] David Ting: It’s not a matter of if you’ll have a cyber incident, it’s a matter of when. And more importantly, how do you get back to business?
[00:00:13] Bill Russell: Thanks for joining us on This Week in Health IT influence. My name is Bill Russell. I’m a former CIO for a 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.
[00:00:25] Special thanks to our influence show sponsors Sirius Healthcare and Health Lyrics for choosing to invest [00:00:30] in our mission to develop the next generation of health IT leaders. If you want to be a part of our mission, you can become a show sponsor as well. The first step is to send an email to [email protected]
[00:00:40] Your response to Clip Notes has been incredible. And why wouldn’t it be? You helped create it. Clip Notes is an email we send out 24 hours after each episode airs and it has a summary of what we talked about, bullet points of the key moments in the show and four video clips. So you can just click on those and watch different segments that our team pulls out that we think really captures [00:01:00] the essence of the conversation. It’s simple to sign up. You just go to thisweekhealth.com. Click on subscribe. It’s a great way for you to stay current. It’s a great way for your team to stay current and a great foundation for you and your team to have conversations. So go ahead and get signed up.
[00:01:15] Today, we have a special treat. We have David Ting, the Chief Technology Officer and Founder of Tausight. Good morning, David. Welcome to the show.
[00:01:22] David Ting: Good morning Bill. And thank you for having me.
[00:01:25] Bill Russell: Well I’m looking forward to this conversation. This is actually the first time we’ve met, although I’m a [00:01:30] huge user of technology that you were a part of founding at St. Joe’s. You were the CTO and co-founder of Imprivata. We had Imprivata everywhere within our environment. It was pretty much central to our single tap in identity across the entire clinical enterprise. So I’m really looking forward to this. I’m actually kind of a fan because we love the Imprivata technology and I’m looking forward to learning about Tausight as well.
[00:01:57] David Ting: Well thank you. Always [00:02:00] flattered by people who say we put your system in and clinicians love it. I think that’s what gives me the joy is watching friends of mine that say, oh we put your system in and it saves me all this time. I have personal friends that are physicians that are using it.
[00:02:15] Bill Russell: Well, I’ll tell you what, I think we’re going to start with the current and work our way back to the past, because I think the number one question people want to know is Tausight. So let’s start there. What’s the challenge that you envision that [00:02:30] Tausight is going to address in healthcare?
[00:02:32] David Ting: All right. So I see healthcare IT systems as truly a mission critical infrastructure, and having worked in infrastructure for my entire life one of the things I really look for is how do IT managers, understand what goes on across their system?
[00:02:48] How do they get to know what’s happening on their infrastructure? How do they manage? How can they see what’s going on in real time and how can that help them create a better system? We [00:03:00] chose Tausight. Tau is the Greek letter that’s used in math for statistical correlation. How do you get statistical data from across your entire infrastructure to say how consistent can I make my infrastructure and how precise can that be?
[00:03:16] Because that’s to me having visibility, having insight, having the ability to compare both in, across all your end points, across all your users, across all your apps. That’s the [00:03:30] basis for how you build true reliable infrastructures. Infrastructures that are safe infrastructures that can deliver the kind of performance you want and the kind of security you want.
[00:03:40] Bill Russell: Wow. As you’re talking about that, I sort of have chills cause I remember being a CIO, we have what you just described. We have 15 to 20 tools that provided a snapshot into different pieces. What was going on across the network, what was going on with our PHI with our PII, with our EHR. So we created a [00:04:00] dashboard that pulled all that together, but it was from a lot of different systems. It didn’t really give us a comprehensive view and it wasn’t smart by any stretch of the imagination. It wasn’t a learning system at all. Is that the direction you’re heading with this?
[00:04:13] David Ting: Okay. You basically just said my story. What I recognized was in healthcare, the clinical workflow in digital health is all around patient records. You count on digital records, you make it available. You make sure that the [00:04:30] clinicians can get to it. How do you start the defense of your system? How do you gain the visibility into the PHI, the medical record environment?
[00:04:40] How it’s used, where it’s moving to, how it’s secured, who’s using it? What applications are you using it? How do you gain that visibility across, all your end points across time across your clinicians? So you focus on securing the workflow and then transcend that to what does the technical infrastructure [00:05:00] need to do to support that?
[00:05:02] So changing the perspective from one purely defending and managing your technical infrastructure to managing what’s critical in your operations and your business is the change that we believe.
[00:05:15] Bill Russell: What makes it so hard? What makes healthcare data so hard and what makes healthcare so hard to secure? I mean, we just had some very public challenges.
[00:05:26] David Ting: So one of the things. PHI is [00:05:30] everywhere. PHI is the basis by which healthcare runs. Healthcare is late to the digitalization game. Every other industry started digitizing decades earlier. I think digital information in healthcare came about primarily in the last 10 years, last 15 years, I’d say. A lot of the systems have grown-up. Have been added. The complexity is high, the interconnected needs are high. One of the [00:06:00] things I had the pleasure of being part of was the cybersecurity task force that was put together in 2015 and getting briefed by the government agencies. And one of the things that came out was healthcare unlike the other verticals is hyper-connected. It is basically an environment that’s extremely difficult to secure because there’s no physical barriers to the machines themselves. Your patients’ rooms have computers. You [00:06:30] have computers out in the hallway. You have machines everywhere. You have a higher endpoints-to-user ratio than any other industry.
[00:06:37] You have workers want to access that information from inside the organizational walls to their clinics, to their home. So you have information that’s going out everywhere in this decentralized healthcare delivery system. So the thing that you can’t secure is the information where it goes, how it’s being used and [00:07:00] PHI patient records are generated contemporaneously anytime a doctor or a nurse sits down or a business office puts together a note you have PHI. PHI is not just centralized in your large EMR or your lab systems or your imaging systems. It’s everywhere, it’s pervasive and it goes everywhere. So what you want to do is to start to look at what are the systems that deal with the PHI, how can I gain visibility into finding it, [00:07:30] locating how it’s being accessed, how it’s being secured, how it’s being encrypted. Where’s it moving to? What applications use it? What’s the integrity of the applications? Do I know every aspect of that application? Do I know the DLLs that this application’s loading? Do I know what the underlying drivers, system, network connections, physical devices that are connected to all my end points? Hey, can I correlate all that data using [00:08:00] AI? Can I use modern data science to correlate that data around how PHI is being used in that clinical workflow? So you can do this without having to have teams of people scouring multiple tools, trying to aggregate that view around how clinicians access their PHI. So it’s a much more integrated inside out view we call it. Start with the data, start with how the clinicians use it in their workflow, and then move [00:08:30] that down to the technical infrastructure. So I want to be able to tell a CIO, here’s what your PHI looks like.
[00:08:37] Here’s how it’s encrypted. Here’s how it’s being generated. Here’s all the unsecured data that you might have on some end point. Oh, by the way, those drives that you bet are supposed to be encrypted. We’ll verify that. So it’s a zero trust model as well. Oh, by the way, your machines might have deviations in terms of the patching level of certain apps or [00:09:00] certain operating systems or it might have different drivers. How do we help you the CIO understand the complexity without having a whole team of specialists look at multiple tools to try to correlate them back to what’s really happening on my system. So to me, it’s like watching, if this were a power system I would want to know where’s the voltage going? Where’s the juice? And in healthcare to me, the juice is your digital records.
[00:09:29] Bill Russell: It’s interesting [00:09:30] because as you’re talking, I just keep having flashbacks. I remember when one of the consultants came in and said your approach is wrong. You need to assume they’re already in your network. And I was like, I started pushing back and she looked at me and she said, all right, you draw me the edge of your network. And I was at a health system. I’m sitting there going well, it’s here. And she goes, okay, what about your partners that are handling all the data around supply chain and potentially some payers and those kinds of things.
[00:09:58] And I’m like, okay, we’ll extend [00:10:00] it around there. And she goes, okay, what about your physicians that work at home? I’m like, all right, we’ll send it there. Okay. What about your medical devices that are monitoring these home-based patients? And before long she’s like, you can’t even draw the edge of your network.
[00:10:14] How are you going to tell me that you’re going to secure that edge? You almost have to assume they’re going to be in. She goes, now you have to look at exactly what you’re talking about, but we didn’t have great tools around that we had to look at. How is the data being used? Who is accessing what device? Does that device [00:10:30] have the rights to actually access a biomed device? Or would it make absolutely no sense for that device to access a biomed device and that kind of stuff?
[00:10:40] David Ting: Visibility at that level, because the question you raise is what makes healthcare so difficult, is because first of all, that edge is totally diffuse. There is no hard edge. It is at every point where a clinician accesses the information. Look at review or history, make a procedure change, make a [00:11:00] treatment change anytime, or create a note to hand off to somebody else. New PHI is being generated. New security risks are created. What you really need to know is how can we see that kind of movement?
[00:11:14] How can we see that level of activity and all the edge points? And then convey them back into a central place where you can aggregate that data and put it into one pane of glass that focuses on what are the real issues that you need to worry about, which is, [00:11:30] and you go back to the HPE the guidelines that they have to say figure out how you’re protecting your data. Figure out how you’re protecting your systems. Figure out how you’re protecting your workflow. And if there’s one thing that the cyber security task force worried about, it was, gee it’s not a matter of if you’ll have a cyber incident, it’s a matter of when and more importantly, how do you get back to business? How do you continue operations knowing that everything that the cyber blast radius has been contained, that you [00:12:00] know, that your system is back to an operational status. Recovery in this modern world
[00:12:06] is as important as detection. It is as important as protecting. And so we want to make our tools have the ability to give you visibility, help you understand what’s going on, help you figure out where are my assets that I need to defend. Figure out what’s changing on my system. Help you respond and recover.
[00:12:27] Bill Russell: Yeah. What about the business associates? That was always one of those things [00:12:30] that was in the back of my mind. We have all these business associates, we’re doing transactions with there. They’re taking some of the data to do the work that they’re doing. Is it possible to extend this kind of framework across even the business associates?
[00:12:43] David Ting: So what you brought up is the fact that your security, your edge extends outside of your firewall is that what you need to do is to leverage the cloud in the cloud hosted solutions that you can allow your partners to deploy. So why would I send or work with you if I can’t [00:13:00] verify that the endpoint that you’re using to connect to me to handle my data is securable. How can I allow permission to work at her clinic if I can’t verify that her machines in our clinic that is her property that this connecting to my system is securable or has the integrity I need to handle my PHI or my records. And how do I extend that model?
[00:13:25] So we built our solution to be a SaaS-deployed product [00:13:30] where the technology can be the service that we drop in on the end points are managed out of the cloud. And so the data can be aggregated from any place where you mandate gee, you should, you’d need to have this Tausight service running on your end point before I will allow you to exchange data with me.
[00:13:49] So business associates, we would expect them to conform so you know what they’re doing. You know how well they’ve been secured. How much PHI going [00:14:00] out there is secured or whether they have very lax policies or protection.
[00:14:07] Bill Russell: You’re presenting at HIMSS, coming up with Aaron Miri who’s been on the show a couple of times is one of the most articulate CIOs that I’ve come across. He’s one of the few people I don’t send any questions ahead of time or whatever and he just looks at me. He goes, okay, ask me anything. And he’s ready to answer those things. I’m curious, you guys are going to talk about it using a holistic framework and why is a [00:14:30] holistic framework important for a CIO, for a health system?
[00:14:34] David Ting: Because I think the complexity of the system have gotten to the point where you require so many specialists, you require so many different disparate tools. My goal is to say, how can we help build you in healthcare a specific tool built just for healthcare? It’s not designed to be manned by multiple user specialists. And it’s focusing on what you really need to worry about which is [00:15:00] how can I secure my workflow, starting with my patient records, my systems that allow the clinicians to access that data. And so you work from the data out, manage the security of the data, understand where it is on all your end points, understand the environment that have applications that use it, understand the privileges and use by the clinicians to say and understand the sessions that they connect to. So I [00:15:30] always tell people, unlike the rest of the other industries, clinicians don’t have just one machine. They have every machine. They have access on every machine. You and I have a handful of machines that we work on. This is typical of all knowledge workers.
[00:15:45] Healthcare is totally different. They use every machine. So what you really need to do is to figure out how do I track what that clinician actually does across multiple end points, flip the equation around. So you’re looking at, give me the [00:16:00] perspective from the clinician’s perspective. What does she do from the moment she leaves her clinic to come to my hospital? What are the machines that she uses? What are the machines she uses when she goes home? What’s the total aggregate view? And today I challenge you to find a machine, a system that can do that for you. Be that clinician centric, be data centric. And then work from that point out to say, what’s the security level, as opposed to gee, I’ve got [00:16:30] tools that monitor the endpoints on all these machines. I have no idea how to correlate them to the user.
[00:16:36] Bill Russell: I’m going to go to the question, that you’ve done this before you were co-founder of Imprivata and CTO as well I’m going to ask you the question I asked before we started the interview which is why not retire? I mean Co-Founder of Imprivata. Imprivata did quite well, so why not retire?
[00:16:52] David Ting: So one of the enjoyable things I had was talking to a lot of CIOs and I recognize the complexities of the healthcare [00:17:00] system. I recognize the line that when you’ve seen one healthcare system, you’ve seen one healthcare system. I recognize that it is not an easy environment to secure, and it’s not one where conventional tools can do the job. It’s one where you need multiple tools. And Aaron and I have had many conversations about this. What we wanted to do in starting Tausight was how do we build a focus tool just for healthcare that worries about securing your clinical workflow, but taking into [00:17:30] consideration all the other things that you’d need to do?
[00:17:33] Our goal is not replace all your tools. Our goal is to give you a better perspective of managing how you secure clinical workflow, starting with understanding where your PHI data is. How it’s secured, how it’s being used, where it’s moving to and the ecosystem around that PHI. How do I defend all your applications?
[00:17:54] Frankly, I tell people if my Amazon music applications is compromised on my system by [00:18:00] rogue software, I really don’t care in a healthcare setting. If there’s a piece of software, that’s supposed to be touching PHI and it’s compromised. I want to know about it. And immediately, if there’s a system that can be compromised, that will affect the availability that machine.
[00:18:17] Because PHI is being used and the clinicians using it, I want to be think I want to be alerted and I want to be able to deal with it from that perspective. So when I saw the needs, we talked a little bit about the fact that I was on the [00:18:30] cybersecurity task force and we saw the complexity. And just as we’re about to publish the findings WannaCry hits in May of 2016. And all of a sudden the HHS focuses completely on how does US healthcare systems protect against WannaCry? And I had also European customers who got hit by WannaCry. We said, we are helpless. We watched our screens turn red and we didn’t even know what happened. And we went on the overhead pager and [00:19:00] told the staff to unplug.
[00:19:02] Just power off the computers as fast as they could. To me, that was a new indication that as an infrastructure, we didn’t have the right tools. We didn’t have situational awareness that will give somebody alert that says machines are running. There are processes running on our machines that you guys don’t know about.
[00:19:21] There are things that are coming the availability of the environment. We also saw tons of breaches applications that were exfiltrating PHI data. [00:19:30] Well why couldn’t you see those? How does the 80 million records slide out of a healthcare system sight unseen? If they were in paper records, I calculated that if every patient records weighed a good four ounces in a jacket, you would be a couple hundred thousand pounds of paper that you have to exfiltrate.
[00:19:49] And yet people steal them. Electronic. There’s no mass. I wanted to say, how do we do this better? How do we create a better tool [00:20:00] for healthcare? And the team that we recruited are all people from the healthcare industry. They all have the same passion. And when you get a bunch of people like Aaron and then other folks telling you, Hey, this is the right thing to do.
[00:20:13] You go, yeah, this is newer technologies available, things that weren’t available even five years ago. We talk about the advanced uses of machine learning. We talk about the power of the cloud. We talk about the analytics capabilities. We talk about IoT [00:20:30] technology and the ability to transfer information compactly.
[00:20:33] Mostly we talk about the increase in computing power that we have on the end point and the ability now to deploy AI right to the edge. So the ability to run AI right at the end point to do things that you couldn’t do in five years ago. TensorFlow all the technologies that we have today are just far more advanced than what we had certainly five, [00:21:00] six years ago. And so the culmination of all that basically said you can’t retire. Besides I basically sat around and my wife says you got to do something.
[00:21:13] Bill Russell: That’s the most common story, by the way, for serial entrepreneurs. It’s like they’re sitting there and their family’s going okay. Are you ready to start the next? Even if it’s a lemonade stand, just go out front and start something.
[00:21:24] David Ting: We did, we did the four month break and it’s dead of winter and reading and catching up on [00:21:30] new technologies and going, wow, this is really cool. The advances in machine learning, which years ago, when I was in grad school, I did a lot of machine vision and now the technology and the computing power is so much more advanced. And you say, how do we deal with the shortage of cybersecurity experts? How do we imbue a lot of their Intel into the machine learning algorithms? How do we apply that so that we can [00:22:00] do better? We can help sift out the unknown and hence the name Tausight.
[00:22:05] Bill Russell: Yeah. Is there a metric that scares you the most? I mean, the metrics I recently heard that scares me the most about healthcare is the average time that somebody is on your network before it’s recognized is something like 60 days or something to that effect.
[00:22:20] David Ting: Actually longer than that. In the Verizon breach report will tell you that the majority of the people, CIOs who are asked, do you know if you have an advanced persistent threat will [00:22:30] say I have no idea because I don’t know what’s running across all my end points. And so the fact that you can have something sitting there lurking, without your knowledge running in a privileged mode, those are things that you need to worry about. Those are the things that’ll take you down. And that’s the things that, so computer systems are incredibly complex and every end point has thousands of settings that can affect its performance. Has hundreds and hundreds of processes that [00:23:00] run and you cannot track that in any way, shape or form by hand. Just keeping up with what happens on one machine as a baser applied as you, new software’s installed. There’s just no way you can sift through that 24/7 at every activity across all your end points. Thousands of endpoints, you multiply that and all of a sudden you’re into the millions and millions of data points.
[00:23:27] And so the only way and skilled [00:23:30] teams will sift through a handful. You want to have the ability of AI at the end points, as well as AI, the cloud, to help you digest that data. And so sifting through changes is what you really want to focus on. So it comes back to how do I keep a consistent system? How do I make sure my system doesn’t deviate from what I believe it should have?
[00:23:55] Bill Russell: I’ll tell you the most common thing, we have these cyber professionals come in and they scare [00:24:00] the bejabbers out of you as a CIO. And then they walk out and I think the question they ask is, did we get their attention? What I wanted to say is you had my attention before you walked in here. I’m already scared. What I want is a solution to this and not. It’s kind of crazy. So you’ve done the co-founders thing before now. You’re the founder of Tausight, what makes it easier to do the second one? Is it easier to do the second one? I would assume you have some learnings that make it easier to do a second startup.
[00:24:29] David Ting: [00:24:30] You have all the, I think it starts out with you have all the contacts. You have all of the prior knowledge. You have all the credibility that you didn’t have before. So the North American Venture Association basically actually has some statistics that reflect that the ability for an entrepreneur to succeed, where I think the exit is over a hundred million dollars is like 18% if you start out the first time. If you fail the first time and you come back [00:25:00] to do a second time, your probability goes up, your percentage of success goes up to like 21%. If you succeeded on your first attempt, your second one probability, something like 35%. Your chance of success which is substantially higher, right than 18 or 20%.
[00:25:19] And the reasons they give for that is due to the fact that other people are more willing to help you because you had that glow. You have the aura. And I have to tell you, [00:25:30] the people we’ve met in healthcare have been tremendous. They’ve been very supportive. They’ve been willing to contribute their expertise, their time.
[00:25:38] Just listening to your ideas and basically pointing out the gaps. That I found really helpful. When we came in with Imprivata, when we went into healthcare, there were a handful of people who really helped me. Basically took me by the hand and said, you don’t know much about healthcare. You might know things about security, but let me teach you what goes on really in [00:26:00] healthcare.
[00:26:00] And that experience has been really helpful. I mean Imprivata has been in healthcare probably 15, 16 years at this point. And I was there for at least 12 years of that, where we understand what goes on in healthcare. We understand also the technology that’s in healthcare. So when you combine all those two things together, you have a lot more credibility with the investors. It’s much easier to get started. It’s much easier to recruit the team [00:26:30] that will help.
[00:26:31] Bill Russell: Yeah, the money, the teams, the conversations with clients, but just from the outside, listening to that one of the things that you had is a willingness to listen and to be humble. Some technologists come into healthcare, I mean, not to call anybody out, but IBM Watson sort of comes to mind as I think about this, but they come into healthcare loud and proud. Like we’re going to solve all your problems and it’s the exact opposite path to success. Healthcare is willing to help you [00:27:00] as long as you come in there and say, okay, help me to understand the worlds you live in and we’re going to bring our expertise to bear around that.
[00:27:08] David Ting: The partnership, I think I would never go into an environment where I say I have the perfect solution for you. I’m willing to go in and say, I have a lot to learn from it. But I also can show you what technology can do because of our focus. The fact that we put together a team that has very specialized skills in [00:27:30] cybersecurity, machine learning, ancient IOT designs, using user interface designs, we want to help build the thing together. And I always talk about collaborative design. Our goal is to help healthcare build the tool that they need. I don’t operate a hospital system. People like you do. So I’m looking for your help with your input and your help to help drive what we do. Where on the technology side, we’re deep [00:28:00] into the nuts and bolts but we want it to be applicable to healthcare.
[00:28:04] So what you look at as humility is our willingness to learn. Our willingness to try. And our willingness to ask for help.
[00:28:13] Bill Russell: You’re focused on healthcare but it sounds like your tool could be applied across other industries if you really just tweaked it a little bit.
[00:28:21] David Ting: Correct. We have a really cool set of investors who are focused both in healthcare. Healthcare tech, as well [00:28:30] as cybersecurity and healthcare tech. And they’re basically saying it’s the common mistake for startups to say, I could boil the ocean. Take that straw and have that narrow perspective and win in one focused market and then branch out. Succeed first, then branch out.
[00:28:50] Don’t try to boil the ocean and say, I can succeed in pharma in legal, in business, like all week. That’s a recipe we don’t want to follow. [00:29:00]
[00:29:00] Bill Russell: So you served as an appointee to HHS cybersecurity task force. So that’s another lens at which we look at healthcare through that regulatory government lens. What did you learn from looking at healthcare through that lens of that task?
[00:29:19] David Ting: It was interesting. We got briefed by all the specialists in the various verticals. The attempt at first was why can’t healthcare as an [00:29:30] information-based business, just adopt financial services best practices? And so that was the obvious one. Why isn’t it the same as energy, which has similar value or manufacturing, precision manufacturing.
[00:29:43] Why can’t it be like pharma and what you end up with is a conclusion that healthcare is totally different than any of the other ones. Has facets of what financial services. You have value in the information. You have facets of manufacturing. You [00:30:00] had facets of other critical sectors. The differences are the things that we pointed out. Higher ratio of endpoints to users higher than any other industry.
[00:30:11] The lack of physical protection because your systems are all out in the open, in a hospital. You can walk up to it, practically, a computer connected to the network in any patient’s room these days. You can find them in the hallways. The fact that your clinicians work everywhere, they’re not confined [00:30:30] to the perimeter of your hospital.
[00:30:31] And then finally the interconnected, the number of physical devices that are connected to your end points and the number of special devices that are hooked into your network makes it an extremely challenging environment. And so all of a sudden it was the awareness. None of the needs are being met because this is a complex problem that’s not being solved using technologies and approaches that are used in other [00:31:00] verticals. And so while there are commonalities from your firewalls and point detects and point detect and respond AB what’s different.
[00:31:08] Bill Russell: You know what, David, I go one step further and say, we talk about healthcare like it’s one homogenous. But the reality is I just interviewed a health system that has 150 beds. I interviewed health systems that have a hundred hospitals. And so the A, you have critical access, you have rural versus urban, you have access to cyber resources. The budgets are [00:31:30] different. The talent’s different, the just implementing a framework is so different. I would think from the governance standpoint, you’re just looking at can we just get an agreement on a framework to approach this and get adoption across healthcare.
[00:31:45] David Ting: That was the conclusion of the first cyber security task force, which is adopt the NIST cybersecurity framework as a model for how to approach securing your system. And that starts out with inventorying all the assets that you believe are critical to your workflow. [00:32:00] Well if I had inventory then it would be the patient records, the applications, the end points that you need to deliver your workflow. The second piece is figuring out how they’re protected.
[00:32:11] How do you secure the data? Is it encrypted? Does it have proper access control or your application secured? Who has owner and access rights to modify those? The third aspect is track or detect and risk of changes in your system. Well, how are you going to do that? You don’t even know if there’s a [00:32:30] piece of rogue software sitting on your end point and it will take you 60 days to find it.
[00:32:34] Is that going to be sufficient or do you need something that’s closer to real time. If you don’t have that how do you even begin to respond to the challenges of software that gets exfiltrated? Applications that get compromised? Rogue software that, that worms its way across multiple end points.
[00:32:51] You need to have visibility into what’s going on across your system, in order for you to respond. And then when you do [00:33:00] get compromised and you do have an incident, how do you know you close down all the secondary potentials for secondary attacks? How do you know that first one wasn’t a ploy to deploy deeper other agents?
[00:33:13] So why does it take so long to recover after an incident is because you have to scrub every system to say, are there things that I didn’t know about that were planted by that first wave of the attack that implanted deeper agents. Modified more software on my [00:33:30] system that I didn’t know about. How do I know that wasn’t something lingering?
[00:33:33] So the whole model for the framework that you talk about is how do you approach it in a systematic way? And I think that the guidelines that are used are rigorous and it requires a whole rethinking of how we do this, as opposed to just try to secure the perimeter, just try and secure networks, which is to me, a good technological approach for securing the hardware and the systems, but you really need to do as a [00:34:00] secure and have visibility to what’s changing on your system.
[00:34:04] Where’s the data? And what are the things that impact my work flow? So it goes all the way back in healthcare to the clinician. What did they touch? What did they interact with? Where did they do this? Across all the end points. And do I have visibility from that perspective? And can I do this across time and across all the end points and do it in an integrated fashion?
[00:34:25] Not trying to pull logs from multiple machines and try to do [00:34:30] this ginormous blend and do this, frankly, in pseudo real time. None of this, gee, I have an incident, let me go pull the logs and see if I can sift them together.
[00:34:41] Bill Russell: I wish you were around back when I was CIO, that’s all this gray hair and this receding hairline is somewhat from cybersecurity. I remember asking for you, you started with get an inventory of all your systems. And I started with that and I ended up four different reports and they were all different and I’m like, oh, okay, what’s the single point of truth then? They’re [00:35:00] like, that’s a great question. I’m like, well, which one of these do I believe?
[00:35:03] I’m not really sure. And the numbers in fairness to the team, the numbers do change. We close down wings. We open up wings. There’s new devices being brought online. There’s devices that are in closets that get brought online from time to time. Then you have physicians who are going to their homes doing reach from homes and those kinds of things. And it is a dynamic environment. I mean, just knowing your inventory is, is not easy.
[00:35:27] David Ting: Exactly. So I always tell people [00:35:30] the IT system is a living, breathing organism. It changes. It evolves. Things are added. Things are removed. Things are altered. It’s a living, breathing beast. And that’s how you have to look at it.
[00:35:43] But you have to have visibility into what goes on across all of these nodes across all your end points. And you have to have it in an integrated fashion where you’re not trying to sift through the data yourself. You’re getting the insight and what I want to do is to leverage the [00:36:00] best of ML, not in the big data kind of way, but in a very targeted manner where we take the best of cybersecurity knowledge and apply it and say, how do we take the know-how of people, it with cybersecurity healthcare expertise and apply it so that the things can apply to the small, critical care hospitals, as much as they can apply to a large IDN.
[00:36:27] Bill Russell: I would think your, I would know your [00:36:30] strategy doesn’t depend on timing, but your timing would appear to be really good with the Scripps, Sky Lakes, St. Lawrence, some of those recent attacks. I would imagine that the conversation has moved to the executive level.
[00:36:44] So there’s a lot of exposure there. There used to be a time where having a cybersecurity conversation with a CEO was not an easy thing. They would just push you down in the organization. And even some CIOs would say, just talk to the CISO. But at this point it seems like all the way up to the board, [00:37:00] everybody’s interested.
[00:37:00] It’s a really good time to be bringing a solution like yours to the market.
[00:37:05] David Ting: Well, it’s all about timing. We basically approached the problem, not from a gee, these bad things are gonna happen. We approached it from the perspective that this industry needs a better set of tools to help manage the concerns that we talked about.
[00:37:20] The technologies are right. The know-how is there. The need is there. So how do we bring together a tool a team that can build. [00:37:30] COVID in some ways has helped sharpen our focus. It also changed the perspective in the sense that decentralized healthcare, we’ve had people working at home all of a sudden. We’ve had people getting, I always tell the story, my two doc dental practice during COVID gets compromised. Gets ransomware. I go back for my dental cleaning after he opens up and he’s there cleaning my teeth. He said do you know anything about ransomware, by any chance? I’m going, I’ll talk to you while they’re there doing some [00:38:00] procedure in your mouth.
[00:38:00] I go, yes, I do. And then he said we got compromised. We’re a two doc practice. Why would they attack us and ask for for dollars? And I said, they’re doing the same thing we’re doing, they’re working from home and they’re finding every target they can find. I said, things didn’t change. And so during this interval, we’re a virtual company.
[00:38:20] So we basically went back to saying, okay, let’s close down our office and focus working at home. And live on Zoom like we do today. The [00:38:30] focus and the change in perspective from our CIOs has been, boy, we need this even more now, as our docs are working in multiple places at their homes and their multiple offices that they might have.
[00:38:45] This is a changed world. And as decentralized healthcare pushes care and clinical access further and further from centralized provider organizations, how did the purview of your CIO [00:39:00] manages the place of manage the inside the firewall? We’re seeing this as a problem. That’s going to be even larger over time.
[00:39:09] Bill Russell: Do they scale the demands based on a two doc dental practice? I would imagine how much Bitcoin are you asking for?
[00:39:18] David Ting: He said, I had to look up what the Bitcoin was. I had to go in and sign up and buy a Bitcoin with my credit card to pay these people off. And so I said, this [00:39:30] is awful.
[00:39:30] I said what happened? And he said, we have one XP machine that was used to hook up to our dental film scanner, which phone home to get updates. I said, XP machines. He said, no, the application phone home. Left the tunnel open. And they came back into it and compromise my entire set of machines. I said, well, at least you figured it out.
[00:39:52] And he said, yeah, after I paid somebody to come in to clean it up, I found out how they got in. But he says, this is just like two, [00:40:00] he said, we’re just a tiny little suburban dental. So I use that as a gauge to say, how many other potential targets are out there? How do we help them secure the fact that you left the port open?
[00:40:16] Do you have an application that left that leaves the port listening for outside traffic? I mean, he said I had no clue these applications were even running on this machine, looking for updates. [00:40:30] I said, that’s the problem you guys were dealing with.
[00:40:32] Bill Russell: No visibility. So I’m going to get, I’m going to go off the beaten path towards the end of this interview and someone with your experience, I want to tap into, we must fair amount of students who follow the podcast. And I just thought, I’d throw this question in for them. When I was going to school, they used to say, learn computers, learn a programming language, that kind of stuff. Back in the day, what would you say to those who are really [00:41:00] getting ready to go into school, maybe undergraduate or looking for a focus now that they’re in school to take them into their career if they’re looking at technology at this point?
[00:41:11] David Ting: Wow. That’s a, that’s a good question. I mentor a lot of entrepreneurs both in school, as well as startup companies. And it’s the same characteristics you look for you want to get into a field where you can leverage your entrepreneurial skills.
[00:41:26] And so to me, it is about understanding [00:41:30] does your school have an entrepreneurial program you can, you can get in to? Are there things that lead up to it could be in anything from farming. To biotech, to ML data science, to computers. I mean, I think we’re at the beginning of a huge wave of change because of data science.
[00:41:50] I think anything has relevance in how you analyze large amount of data. So the benefit of what happened in the past 30 years is we [00:42:00] digitize the world. Everything now is available. Everything from you know your, your ancestry.com, a record of your grandparents, immigration to some countries now digital and available.
[00:42:13] But we now have is an explosion of data and the availability of the data. We don’t have the manpower to review all that data. So data science now has all of a sudden taken a huge leap forward. And I think the ability to leverage and understanding the [00:42:30] math, the science behind data analysis is going to drive what we do next.
[00:42:36] The AI model. I hate to use the word AI because it’s really an extension of just better data science and being able to see the insight from the noise of the data. So to me, if I were going to school, I would basically tee that up. I would make sure I have a good background in understanding how to analyze large amounts of data and also couple it with the [00:43:00] practicality of whatever other field you, you choose whether it’s engineering, science or medicine, or even arts and literature. I mean, I have a friend who is using AI to analyze pictures, to see if their paintings are fraudulent or have been repainted. So there’s all kinds of ways that data science is changing. How technology can apply to different fields.
[00:43:26] Bill Russell: So, do you see yourself as an entrepreneur first and a [00:43:30] technologist second? One of the ways you started the answer to that question is study entrepreneurship and obviously data science was a big part of that answer as well, because just the future of the next 30 plus years, we digitize everything. The amount of data is growing so rapidly that there’s just huge opportunity there, but you would actually study entrepreneurship?
[00:43:50] David Ting: I would.
[00:43:51] I started out as a technologist. I started out working in research labs. So technology is always in my DNA. I look for new technologies. I underst I [00:44:00] try to understand how they can be applied and what’s their applicability to specific problems.
[00:44:06] But if it just stops there and my fascination with technology, with what it can do. It doesn’t apply to you solving real world problems. I think the era of the large research labs it’s gone. I think the whole model for how technology gets ingrained into our everyday lives is through entrepreneurs that take the risk to take [00:44:30] technology, to try to solve a problem, to solve it and make sure that there’s a business model behind it.
[00:44:36] To me that’s how technology gets curated and pushed into the world. It’s no longer going to come out of the large, large corporations that have the traditional R and D groups. I think those are the groups are going to leverage the output of these smaller entrepreneurs that can take advantage of new science, new approaches.
[00:44:56] Take the risk. I always tell them. Take a [00:45:00] risk life’s too short, right? I mean, you, you know it, I look for people who basically can say, I understand the science. I understand what can be done. Now I need to figure out how do I succeed as an entrepreneur to take that, curate it, cultivate it and make it into something that can succeed on its own.
[00:45:20] Otherwise it sits on me. I wrote papers and I did research and they were great as papers and articles that you can stick into a journal. It was only when I started [00:45:30] building products for people that I go, this is what I want to do. This is seeing the results of cool technology being put into the hands of people.
[00:45:38] We built display systems for the first generation of CAD system. We saw digital technology applied it in photography. In everything from photography to law enforcement. It was only in healthcare that I said, okay, the problem here is the workflow. How do we streamline authentication workflows? Again, it’s curating the [00:46:00] technologies to solve a problem.
[00:46:01] And the end result of streamlining that clinical workflows, which you saw at St. Joe’s, the doctors loved it. So my theme here is go out and take the risk. You know understand how entrepreneurs work. How does that model apply? How do you take an idea? How do you formulate it? How do you test it?
[00:46:20] How do you go out and seek the funding that you need? How do you organically or inorganically grow this so that you can basically take that little idea, [00:46:30] blow oxygen on it and watch it glow and turn it into a fire and hopefully turn it into a raging field where it’s burning and you’re conquering the market that you want. That is how I believe innovation occurs. It’s going to occur in the next 30 years.
[00:46:46] Bill Russell: Wow. I’m going to close the interview with this question and it’s one of those little. Give me your report on the world and all that is within it. But I’ve been asking leaders in healthcare this question and it is what do you think the lasting [00:47:00] impact of the pandemic on healthcare from a technology perspective will be?
[00:47:05] David Ting: I think it’s the adoption and acceptance of televisits. It’s the adoption of use of technology to do non in-person care of patients. I think within the first week of the lockdown in Massachusetts, I had a physical scheduled where the doctor calls up and says, we could cancel this, or I can do this on a virtual.
[00:47:25] I said, why don’t we do this virtually? And we were trying to set up, he said, our [00:47:30] organization isn’t set up yet for any kind of televisit. I said, I can give you a Google Meet and I’m comfortable disclosing anything over the Google Meet if you want. He said, I’ve never done this before. So I called them on my phone to walk him through how to set up Google Meet on his end.
[00:47:46] I sent him an invite and we did the physical. He said, if IT found out, they’ll say, oh, you’re not allowed to use Google meet. I said, I will sign whatever you need to validate that I’m comfortable with this technology because you’re not sharing [00:48:00] anything. I’m not sharing anything that’s persistent. To me that was the first of many. The second time I had a physical, he had it all set up on his system. And I said, that’s the evolution that over the first one year of COVID we went through. It’s our adoption or acceptance. He said, oh, I’m really comfortable. I’m doing all these visits now from home.
[00:48:22] And all these are quote wellness visits anyway. So we can wait for the in-person physical until [00:48:30] after you know vaccination or whatever, but to me there’s a general acceptance of use of technology in taking care of patients. Everybody I know has adopted the same model and two years ago, pre COVID, I would have gone, oh my God, am I going to have to do this remotely?
[00:48:50] I mean, I would never do that, but now we’re forced to.
[00:48:54] Bill Russell: Well, I’ll tell you back in 2010 and 2011, we were looking at [00:49:00] telehealth solutions and we had a bunch of them implemented at our health system, which is the nature of health systems right. You don’t implement one, you implement several.
[00:49:09] But the reality is we could do this in 2010 and 2011. It wasn’t like it was foreign. American Well existed. And I mean, Teladoc and others existed back then. It just was such slow adoption. I mean, my gosh from March until June of last year, the adoption [00:49:30] curve was just really steep.
[00:49:32] It was unbelievable how many health systems did things like you’re talking about with the easing restrictions. I had one CIO tell me there was a group of doctors who said we’re never going to do telehealth no matter what. And then COVID hit. They asked them for the technology game, the technology, next thing you knew, they were quoted in an article in the local newspaper as what a great thing telehealth was and how they appreciated how they connected. Because that would have never happened in my lifetime [00:50:00] if it weren’t for the pandemic.
[00:50:01] David Ting: Yeah. And I think a lot of clinicians who had reservations about it were forced into it. I think their adoption was basically okay I have no other means except to adopt this. Let me make the best of it. Thinking that it would only be three, six months maybe. And it turned out to be what a year and a half, two years. And a lot of them still do this.
[00:50:23] Bill Russell: It’s pretty exciting. David, thank you for the interview, by the way, I’m really excited with the stuff that you’re doing. Hopefully you’ll keep more [00:50:30] CIOs from receding hairlines, and gray hair by giving them that visibility across the entire enterprise. I think this is, this is exciting.
[00:50:37] David Ting: We’re very happy with our approach and we’d love to share more with you later on, but thank you for your time.
[00:50:45] Bill Russell: What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It’s conference level [00:51:00] value every week. They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts, Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. We’re out there. They can find us. Go ahead. Subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisers, Aruba and McAfee. Thanks for listening. That’s all [00:51:30] for now.