Telehealth Funding, Apple Silicon, and 5G This Week in Health IT
July 7, 2020


July 7, 2020: Welcome to another episode of Tuesday Newsday. Joining us is Drex DeFord to discuss a gaggle of telehealth stories, cybersecurity, 5G and more. What kinds of human errors cause cyber attacks? What is the Wall of Shame? And what did Apple just announce? We also cover security issues of the cloud, intelligent design architecture and creating a secure national patient identifier. A show not to be missed.

Key Points:

  • Drex’s Top 50 Over 50 [00:03:05]
  • The future of telehealth reimbursement [00:10:30] 
  • Apple announces Mac transition to Apple silicon [00:18:00]
  • Is 5G really the answer for everything? [00:24:27]
  • The complication of making findings on Cyber attacks public [00:28:25]
  • What is the Wall of Shame? [00:32:40]
  • Intelligent design architecture can save us from hackers  [00:35:25]

News Day – Telehealth, 5G, National Patient ID


© Copyright 2021 Health Lyrics All rights reserved

Tuesday News Day: Telehealth, 5G, National Patient ID

Episode 275: Transcript – July 7, 2020

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:00] Bill Russell: Welcome to This Week In Health IT. It’s Tuesday News Day, where we look at the news, which will impact health IT. Today we’re going to talk about a lot of stories. We’re going to do a gaggle of telehealth stories. We’re going to take a look at what’s going on with cybersecurity. Since we have my friend Drex DeFord in the house, we always talk a little cybersecurity.

1.2 million paid out by a UCF should be an interesting story. My name is Bill Russell, [00:00:30] healthcare CIO coach. This Week in Health IT is a series of podcasts, videos, and collaboration events dedicated to developing the next generation of health leaders. We’re working on something called Clip Notes, which I am still not allowed to talk to you about, but we are excited about it.

The first one will be this Friday and it’s designed for you to make it easier for you to consume and share this content. This episode, every episode, since we started the COVID-19 series has been sponsored by Sirius Healthcare. We closed out the COVID series on July 1st, and we are excited to announce that [00:01:00] Sirius will be a weekly sponsor of This Week in Health IT through the end of the year. Special thanks to Sirius for supporting the development of the next generation of health IT leaders. If you haven’t signed up yet for 3xDrex, you are missing out. Text DREX, that’s D R E X, to 484848 and receive free texts every week with the stories that you need to know to help you stay current.

This is a service of Drex DeFord, our guest host for today’s show. Good morning, Drex. Welcome to the show.

Drex DeFord: Thanks. I appreciate [00:01:30] it. 

Bill Russell: Good to be here. It’s always good to be here with you. 

Yeah, well, I’m looking forward to the conversation. It’s you know, the last couple of times was really at the, well, I’m not sure we ended our COVID series, but I want to make it clear to people.

It’s not that we believe that COVID is beyond us or past us, we just, we buttoned up that series and put it in the archive. There’s a lot of great stuff for people as they’re scaling up and preparing and those kinds of things. But you know, we feel like we collected enough of that information for what health IT should do and be prepared to do.

And now we’re gonna [00:02:00] sort of go on to really exploring some of the other things that, you know, some of the other topics that we didn’t explore as much during the COVID series, like, I don’t know, infrastructure and operations, interoperability, 21st Century Cures. I mean, there’s so much to talk about in healthcare.

It doesn’t all stand still. It all still progresses forward. But it’s great to have you back on the show. What did you, what have you been up to?

Drex DeFord: Man, I’m just working on a bunch of different stuff. Obviously I have a, I don’t know, can I say their name? CI Security. I just did. I have a client. [00:02:30] I have a client that I’m doing a bunch of work with and we’re actually working right now on what I think is going to be a pretty interesting and kind of maybe a little bit of a head-scratching report on the data in the Wall of Shame over the last 18 months and the trends that, that have been kind of going on there.

So I’m working on that right now. And I think we’ll probably have that out in the next couple of weeks and happy to share it as soon as I get it done. You know, one of the other weird things that I’ve been working on, that I’ve kind of just not been spending a lot of time on, but, you know, I sort of bounced [00:03:00] back and forth between regular work and this.

So we have the, like, you know, the top 30 under 30, you see those lists all the time, that kind of stuff. So I’m working on, I don’t know exactly what it’ll turn into, but the top 50 over 50. So I’m thinking about, you know, and the beauty of it is, you know, since it’s mine, you don’t necessarily have to totally be over 50.

There might be a couple of squeakers that [00:03:30] get in there and there may be more than 50, but it’s a good little kind of a way to think about it anyway. So, if you’ve got suggestions about somebody over 50 who’s in health IT who you think has been like a real leader in the business, feel free to drop me a note, [email protected] I’m happy to take nominations.

Bill Russell: [email protected] You know, I’ll give that a, I’ll give that a thought. I, there might be some people who don’t want to disclose that they’re over 50, [00:04:00] just, you know, for clarity.

Drex DeFord: That’s true. That’s right. I know. That’s true. 

Bill Russell: Alright, so there’s, you know, there’s a lot of, a lot of news.

I’m going to kick us off. There’s a gaggle of telehealth stories as has been the case. So we’re going to continue to parse these for everybody and see where it takes us. So there’s a Healthcare Finance News story, 340 organizations tell Congress to make telehealth permanent, providers to Congress.

Patients will lose access to care without permanent expansion of telehealth, [00:04:30] that’s Fierce Healthcare, hundreds of industry groups call on Congress to advance permanent telehealth reform, Healthcare IT News, and senators call for CMS to provide a plan for telehealth changes. And by the way, that’s all just one category.

I’m going to, there’s two more stories I’m going to hit on with this as well. Let me give you a little context here. So a bipartisan group of 38 senators released an open letter on Friday asking Secretary Azar, Alex Azar from HHS, and CMS Administrator [00:05:00] Seema Verma to provide a written plan for permanent changes to Medicare, Medicaid and Children’s Health Insurance Program rules around telehealth.

We’re hearing from patients and providers who are concerned about when Medicare temporary changes to telehealth rules will be rolled back and whether they will receive any advanced notice, wrote the senators, led by Senators Tina Smith, Democrat from Minnesota, and Bill Cassidy, Republican from Louisiana.

So patients are anxious about when private payers will change the [00:05:30] rates for telehealth services, and if they decide to rescind telehealth coverage altogether, they said. So generally what you’re hearing here is bipartisan support for extending the, the provisions around telehealth that were afforded to CMS as a result of the president’s declaration of a national emergency and CMS using their authority to grant allowances. I think allowances or [00:06:00] provisions of some kind, to really expand the use of telehealth. And there was some rumors going around that essentially those were going to be pulled in some way, shape or form. And so it caused people to get all angsty. And the reality is that there’s a three month window, that the president has to restate the national emergency every three months.

So he can’t just do it categorically and, hey, we’ll end it when we [00:06:30] end it. Every three months, he has to reinstate that as per the law. And so that’s coming up in the middle of July. And so there was some concern that he was going to pull that. So if he pulls that, HHS and CMS lose their ability to just, just grant those allowances.

So that’s the big one, that the president has to keep that national emergency. And I don’t think, with the, with two things, I think with COVID going back up, and that being the minor one, but I don’t think in an election [00:07:00] that you’re going to see this president or any president for that matter pull something that has this kind of favorability rating amongst the electorate.

And so I think people are getting worried about. This thing being pulled. Now, granted there isn’t a lot of information around it because it’s, it’s, it’s a mishmash of laws coming together that have allowed CMS to do this, these provisions. And if you know, it’s like a Jenga, right? So if somebody pulls out one of the blocks, then the whole thing sort [00:07:30] of falls down.

But I don’t think there’s a, you know, I think this, this, what you’re seeing is Secretary Azar has been consistent. Seema Verma, Administrator Verma, has been extremely consistent around telehealth. And what she’s saying, you know, the president is really on the periphery of the, but what, what you would say about the president is that he’s a, he would like to see healthcare disrupted by business and nothing is more disruptive to the business of healthcare than [00:08:00] telehealth.

So I’m not sure even from a, from a direction standpoint, I see this president pulling this. And so I see people getting worked up about this potentially going away and, and I’m not sure I see any signs that it’s going away. I mean, what, what’s your read on this right now? 

Drex DeFord: Yeah, I, you know, and I want to say, I can’t remember if it was Verma or Azar or somebody else at HHS had tweeted something maybe a week ago, giving an indication that they were absolutely gonna extend this [00:08:30] for another 90 days so now I have to go back and look in Twitter to find it. 

Bill Russell: Yeah, it was, it was somebody underneath Seema Verma. I believe Tweeted out and where the rumor came from cause I ended up, I called a.  about those and just wanted to talk it through and say, okay, help me understand the laws and how they all fit together.

So we talked through, we had a great conversation, but evidently when Trump was doing the rally, President Trump was the rally in Tulsa, he made some [00:09:00] overture on, on Twitter about maybe not extending the, the national emergency. I didn’t see the overt tweet, but that’s essentially where people start to, you know, one of those Trump tweets that people were all sitting there going, does this mean this?

Or does it mean this? Or does it mean this? And they try not to read his tweets. 

Drex DeFord: It’s so conflicting sometimes. 

Bill Russell: So essentially people are like, well, that’s what he’s saying. And so they came back in and said, no, we have no intention. So that’s the, that’s the direction this is, it seems to be [00:09:30] heading. What I’ve told people on the show.

If you’re a regular listener, you know that what I’ve been saying is, if you’re in a health system right now, plan for this to be in place for at least another six months. This will be in place through the end of the year, at least the election cycle, for sure. If not further than so, especially with the, with Azar and Seema Verma being so adamantly behind it, they’ve already made provisions through Medicare Advantage to take that bulk of people in, right?

And make sure these [00:10:00] things are permanent under a provision from 2018 law that was passed. I think it was 2018. So they’ve, they’ve actually taken it a quarter of those Medicare patients and made sure that the provisions will continue. So you could see directionally that’s where they’re going.

Drex DeFord: I think you’re right on the, you know, Jenga part, right?

And that there’s a lot, a lot of stuff in here. A reciprocity of licenses across state lines. There’s, you know, are, are you going to pay for a telemedicine visit [00:10:30] the same amount that you would pay for a visit when the physician actually touches the patient, a lot of those things are the things that are in this national emergency extension that lets all of this stuff happen.

So the best way to do this, I mean, in the spirit of never waste a good crisis is that you seem, so you do have bipartisan support for telehealth right now, maybe this is a good time to go in and, you know, sculpt something under really tight conditions that allow us to continue into the future. [00:11:00] I mean, you and I both saw, you know, health systems go from a few telehealth visits a week to thousands a day.

And you know, almost overnight at the beginning of the COVID crisis, it’s clear that that’s something that patients and families want, something that they like from a consumerization perspective. I think from the, from the healthcare system’s perspective, whenever they went into the mode of having to shut down and not do elective surgeries, it was [00:11:30] one way they could still see patients and still get payments that they might not have been able to otherwise, or might not have been willing to lean into it otherwise.

So I hope, you know, hope Congress does something. I think it would be, you know, this sort of legislation by extending extension of a national emergency every 90 days or a presidential executive order or whatever it turns out to be is not a great way to put a solid foundation under telehealth. So, I [00:12:00] think, I think we legislate it.

That’s the best way to go. 

Bill Russell: Yeah, no, absolutely. I mean, Congress is in control of the funding and they, they need to take care of that. But yeah, you know, here’s, if I were the CEO and you were my CIO, what I would say is, hey, you know, stop, stop worrying about this. Focus on what matters: how are we going to use telehealth?

What areas, where does it make the most sense to expand it, to use? Do we have a mandate within our health system at this point? Have the physicians, are they, are they really [00:12:30] buying into this? Do we need to build a story? Do we have the data? Do we have a new group of champions around telehealth? I’d be, I’d be looking at the CIO saying, hey, you know, figure these things out.

And then, you know, for the most part, don’t come to me and say, hey, I’m not sure if there’s going to be funded. Let, let Mari and her team do their job, you know, and you do yours. You know, get the data, build the story. And then in fact, if you want to support CHIME, the best way to do that is to give them some data for the stories.

Drex DeFord: For sure. [00:13:00] And I, you know, you look at this, you know, from a long-term perspective, and this is part of the transition from fee for service to value based care, right? I mean, we’re, we’re worried about this and telemedicine and isn’t going to survive under this national emergency because we’re all using it as fee for service.

But realistically looking down the line as we continue to make the transition to value based care and take more and more risks. Doing telemedicine makes great sense. [00:13:30] It’s a much less expensive, much less time consuming way to see patients and make sure they’re healthy and that they’re staying healthy and staying out of the sick side of the system that costs a lot of money.

You use telehealth, it’s a digital health program. You really should be, should be pushing for, regardless of what the reimbursement model is now, because that model is going to change in the future. 

Bill Russell: Yeah. So let me, let me hit on a couple of the other stories right now. So the successes and pitfalls of using telehealth for home based [00:14:00] primary care, this is a story out of Healthcare IT News, and it talked about a Northwell Health piloted program in 2018, 19, with some funding that they had available. And so Northwell serves a significantly large geography in New York, around the city, Manhattan, Queens, Nassau, Suffolk counties, you get, get the picture. You know, they had the situation where they’re trying to provide home-based care.

People could see roughly six patients a day cause they were doing tons of driving. So they did telehealth. And [00:14:30] what they did is that for that first visit, somebody went out, set it up, help them to do that, that first visit. And, you know, what they found is, quite frankly, the results were subpar and it was mostly due to technical difficulties. That was 2018, 2019. Overall, the video success rate was about 49%.

The patients expressed a high degree of satisfaction, but the social workers and the care managers did not, about 23% were not happy with how it went. So they, they modified it a little bit. [00:15:00] And they started, for each of these visits, they sent out, the EMS, the, EMS agency sent somebody out to the home who could actually troubleshoot and those kinds of things.

And so they were able to get a much higher success rate that second time around. I know that people in Silicon Valley are listening to this going, what? You’re actually sending people out to the home to do a digital encounter? You know, these, the average age for these people was 88, 89 years old.

I can understand why [00:15:30] they chose this model. But you know, the sec, the second round, they said, you know, one of the physicians said, I like that I can touch 10 patients instead of five in one day. And I can see them on my own rather than relying on somebody else’s assessment.

Drex DeFord: And in their home too. Right. In their natural setting, which reveals a lot of stuff.

Bill Russell: Yeah. Yeah, absolutely. So, I mean, there, there are some areas where it works and where it doesn’t. That’s the first story. And the second, the Commonwealth Fund did a, Healthcare IT News again, [00:16:00] after initial spike, telehealth visits are on the decline, but that’s not the concerning thing. We knew that it was going to come back as offices started opening up.

But the reality is, you know, telehealth never went up to fill the void of all the in person visits and coming back. The two aren’t meshing. So essentially what they’re saying is people are still deferring care. They’re still not, they’re not doing telehealth nor are they doing in person. And people are deferring some, some care that is going to have some [00:16:30] significant ramifications, long-term.

So, you know, it’s, it’s interesting. There’s a lot of promise here. And there’s a lot of opportunity, but we have to look back beyond the basic visit to visit. We have to start looking at all the different options that are going to be available to us. You know, we are going to have IoT devices. We’re going to have just a bunch of different ways to do this, and it’s going to create better models than just this one to one as well.

We’re going to have a care team [00:17:00] be able to visit with a patient through telemedicine and it will be not only much more efficient, but much more comprehensive of a type of care I believe moving forward.

Drex DeFord: Yeah. I think too, you know, that we have sort of wrapped our head around this idea of telemedicine being me using a Zoom-like function to talk to, and, and have discussions with patients [00:17:30] and see what’s wrong with them and, you know, treat them that way. There’s actually probably a whole broad range of things that fall into the telehealth category. And so, it’s not just video.

It may be, you know, remote monitoring. It could be a lot of other technology that ultimately helps move us down this digital health path.

Bill Russell: Yep. Absolutely. So I have a story here from a friend of yours. So you interviewed him for the show. It’s “Arm Yourself,” a Healthcare CIO’s Introductory Guide to Apple’s [00:18:00] silicon, in Healthcare IT Today, Mitch Parker, who you interviewed for the show.

And so, you know, for the first time in 15 years, Apple has announced a major architecture change in the Macintosh platform. They used to be, you know, on those Motorola chips. And then they went to Intel-based chips. Now they’re going to Arm-based Apple silicon. So essentially they’re going to be building their own processors to power the iPhones that also power iPhones, iPads, and now they’re going to power their computers.

[00:18:30] And, you know, one of the biggest changes I think is with Apple and the iPhone iPad apps will be able to run natively on the Mac. macOS Big Sur also has a control center just like iOS. This convergence of the app support and similar configurations means that the skills you use to manage iPhones will transfer over these new devices.

So Mitch lays out sort of, you know, this whole thing of don’t panic. We’ve gone through these things before. It’s the same, you know, same model. We use MDM, we [00:19:00] deprecate the legacy apps. We use virtual desktops and, you know, we learn a new set of skills and a new set of tools to secure the environment. Have you kept track of this Apple silicon story at all?

Drex DeFord: I, you know, so I’ve, I read about it initially and I think my, and I, and I certainly read Rich’s article about it and it’s, you know, good solid advice from a really good solid CIO. So the reality is I think that as we see this transition happen, [00:19:30] there’s always going to be a bunch of things that nobody thought about until you’re in the middle of it. And then you have that, you know, “oh, shoot” moment where you have a security issue or, or, or maybe you have an operations improvement thing that happens that you just, you didn’t know until you got out into the middle of that river.

So, hopefully there’s been a lot of thinking that’s gone into this, a lot of strong considerations. I’m an Apple ecosystem person. So I think it’s really [00:20:00] interesting to kind of watch how this is gonna unfold. And I, you know, I think the important part of this is just being agile and keeping your eyes open and thinking, thinking about your own organization and how you use Apples and how you’re going to manage this transition and the work associated with monitoring and managing and securing those devices.

Bill Russell: Yeah. This is a classic simplification move, right? I mean, essentially what you’re going to end up with is a [00:20:30] single OS across all the Apple.

Drex DeFord: Everything’s an iPad. 

I mean, everything’s an iPhone, you know, at some point.

Bill Russell: Yeah, I never thought I’d be a fan of that, but you know, I can’t tell you how many, many times I’m now picking up my phone to do my banking, as opposed to using my computer because the interface is so much better thought out on the, on the phone.

Drex DeFord: Yeah. There’s definitely the situation too today where you have things that you can do on your computer [00:21:00] that you can’t do on your phone or vice versa.

And that can be really aggravating. I have a couple of, a couple of products that I use to help manage my home, that there are things that I can do on the computer that I can’t do on the handheld. And it’s frustrating sometimes. And it’s, it’s not just that, I know there are a lot of apps that sort of have that problem.

Bill Russell: This is what I’d like from Epic and Cerner and Meditech and Athena, if they would just sit [00:21:30] back and think through, you know, I don’t want them to rewrite the entire EHR for the phone. I don’t expect that nor do I want that. I do want them to start to layer interfaces. It’s not like it’s not like JP Morgan and Schwab sat back and rewrote every backend financial system that they had to make the apps work on the phone, but they thought through certain workflows that were consistent, that happened over and over again.

And then they made an interface to get to those things. I [00:22:00] think if they just took a small team, and I wouldn’t do anything more than that, a small team over to the side, work off the APIs that they’re already providing and say, look, we’re, we, we would like interfaces for these five things that clinicians do every day or these 10 things and just keep building it out and building it out and building it out.

I think that eventually they could rewrite the entire experience on top of the existing data structure, the existing set of [00:22:30] APIs, or at least they should, they should be able to increase the user experience.

Drex DeFord: I think, you know, when you think about how we should do thinking about these things, this goes back to our telemedicine conversation too.

It’s don’t, you’re not trying to solve world hunger here. Right? So, so telemedicine isn’t going to replace all medicine and all treatment that we do, just like this device isn’t going to replace all the stuff we do with electronic health records. There will always be things that we’ll say, look, it just makes more [00:23:00] sense to do that on a computer.

It’s too complicated. It’s too hard to do on a phone. But if you take the things that you think would work on a mobile device and you have a mobile first attitude about your product and then you prioritize the work that you should do. This is where we get the biggest advantage. First, if we do these things on mobile, then yeah, you should, you should certainly have a mobile first development flight plan. If you’re an electronic health record, it says, these are the things we’re going to put on the phone first. And these are the things we’re [00:23:30] going to put on the phone later and, and work through that process. I think you’re totally right. I want as many things on my phone as I can cause I have it with me all the time and that’s what I use 90% of the time.

But, but there are still things that are just easier to do on my, on my computer. So those should probably stay there. 

Bill Russell: Yep. I mean, the, I think the “so what” on this is his, his statement of don’t panic. I mean, we, we know, we know how to secure things in the environment. Just follow [00:24:00] sound hygiene procedures.

You can be fine. All right, next story, 5G. So I know 5G, there’s a next iteration of the spec. Additional power savings. It is kind of a power hog at this point as all technologies are when they first come out. So there’s some power savings stuff in it. A use of unlicensed spectrum, which if you don’t know, most, most cell phones use unlicensed spectrum all the time.

It’s just part of how they get additional bandwidth and speed. There’s some things around positioning for [00:24:30] cars and stuff to get more exact and precise positioning, which you will want if your car’s being driven by 5G. And there’s some new deployment models, but let’s talk about healthcare for a minute because here’s what I’ve been saying.

I want to bounce this off of somebody else. I’ve been saying, hey, these specs, these things take time and they evolve over time. And there’s really, no, I mean, if I were a CIO, I’d be reading these stories. I’d be staying up on the spec. I’d be, I’d be looking for that point, that inflection point that [00:25:00] says, okay, we’re ready.

We’re ready to start thinking about what the deployment model might be and those kinds of things. Okay. But I still feel like, and this story even goes on, it says, you know, these, these changes won’t be happening overnight, or even within a year. It’s been almost three years since the 5G spec was approved.

And though we’re starting to see networks and devices, they called the protocol as far from widespread. It’s likely we’re years away from seeing the power saving and bandwidth benefits in the real world. So they talk about, even the specs we’re talking about, [00:25:30] that just came out, we’re not even going to see proliferate for another couple of years.

And that’s what I’m saying. I’m saying, look, this is probably not something be aware of it, but it’s not something you’re working on for another two to three years, even though I know some health systems are, you know, diving into this deep. I think there’s some challenges with diving in deep, unless you have a big budget and lots of people.

Drex DeFord: I think this is a, you have a small group of people who are looking over the curvature of the earth at things that are coming [00:26:00] as part of your digital health technology, you know, planning program. That’s a good thing, and 5G should be something that’s in their window. Like everything else that we’ve talked about today, back to your don’t panic kind of strategy on this stuff.

I think this is another one of those where you go, it’s coming. We don’t know exactly what it’s gonna look like yet. It’s getting clearer every day. Fog is being sucked out of the room. We’re starting to understand a little bit more about what it will and won’t be able to do, [00:26:30] and think about, if you’re going to consider deploying it, where do you deploy it first?

Right. So if you think it’s an unproven untested technology and you want to try it out on some things, don’t put it in mission critical systems first, right? Find some non-critical stuff that you can try it out on first and see how it works and learn how to use it and make your adjustments, and then deploy it to, you know, to the next level of the organization or to the next level of devices or apps or replacing [00:27:00] wired infrastructure, whatever it is that you’re going to do. So, I mean, I’m, I’m with you. This is like a lot of things. There’s a lot of cool stuff that’s coming and, I mean, you know, don’t, don’t get wrapped up around the axle. Don’t bet the farm on some of these things. They’re just, they’re not solid enough yet to say I’m not going to make investments in wired infrastructure anymore because we’re going to 5G. Well, that just isn’t a good plan, I don’t think.

Bill Russell: Yeah, [00:27:30] well, I will. Well, this is going to be one we’re going to have to keep an eye on. I’m going to let you. So I’m going to hastily go through the last four stories here that I want to hit. And this one’s in your wheelhouse. So UCSF pays 1.14 million to decrypt files after ransomware attack.

And essentially the medical school was hit by an opportunistic malware attack on June 1st. And the encrypted data was important to some of the academic work that they pursue as a university serving the public good, official said. [00:28:00] So essentially they got in, they put malware, and they then, they, they saw the attack coming, but before they could cut off the attack, they actually, you know, triggered the malware to, to lock up some of these files, some of the servers, entire servers.

Drex DeFord: Yeah. The sad thing is we never really hear the post game on this. Right. So we don’t really know. We never really get the full information on, you know, what happened. Did they not have backups? Were they not patching? What weren’t they [00:28:30] patching? You know, what, what was there? Was there a situation with user accounts?

Did they have tons of stuff? 

Bill Russell: Does anyone hear the backstory eventually? I mean, yeah. Who outside of, you know, the, the people obviously in the IT department at UCSF, is there an agency that would hear the full story? Is there, how would we get the full story? Yeah, I mean, I don’t want, I don’t want it out in the public.

We’re not going to share it on this, on the show. I mean, there should be forums [00:29:00] where these people are sharing these, this kind of information, like, Hey, here’s how they got in. Here’s how they attack. Here’s the mistakes we made and that, you know, those best practices sort of proliferate as a result of that.

Drex DeFord: Yeah. I think you see some of that work now happening through the healthcare I-SAC, but a lot of it’s still, I mean, and you know, maybe rightly so. Right. As a cyber security interested guy, you know, I’m really sorry, careful about any client that I work with, actually, even talking [00:29:30] to the client, you know, talking about who the client is or anything else, because sometimes that just paints a target on the, on the individual client. Likewise, publicly in detail, what has happened to that individual breach might make them more vulnerable in a, in a, you know, in another, another attack scenario. So I think the best you can do probably is take that stuff, gather it centrally. Talk about the challenges and issues that are, you know, that are kind of [00:30:00] anonymous for a larger group of, of organizations that have been hacked so that you can take steps toward protecting yourself.

Some of it is, and I don’t know that HI-SAC or any of the I-SACs sort of keep a tally of, if you only do one thing, it should be patch your computers, right. That’s probably where the biggest problem is. And you know, you hear people talk about that, but I don’t know if there’s any sort of underlying metrics around that and that, you know, good general cyber hygiene [00:30:30] lists exist all over the place.

It’s, it’s likely that one of those or more of those was the problem that you see.

Bill Russell: Yeah. Alright. So the next story, I’m just going to do the headline and ask you what you think. So the headline from Healthcare IT News is hasty rush to cloud hosting during COVID-19 crisis could set the stage for a cyber pandemic.

In other words, we’ve all gone to the cloud and now if they take out a cloud, you know, they could take [00:31:00] down several hospitals. I mean, how real of a problem is this?

Drex DeFord: Generally speaking, I would say that if you use a reputable cloud provider, there’s probably, a significant amount of redundancy there that you in the grand scheme of things compared to hosting it yourself on your own servers, in your own data center, you’re probably in, in a, in a better place. The challenge with that is in the military. We always talked about a center of gravity. So the center of gravity now has moved, right? So if [00:31:30] somebody can successfully take down a cloud provider, they could take down lots of different organizations, not just one. If I was running into my data center, would I be better protected or less protected? And if they attacked me and took me down, I would be an N of one instead of a cloud provider, which might be an N of a thousand. So it could be, it could be a much bigger deal.

I mean, I think there are a lot of things that have happened as we went through this. You know, as we are still going through this first wave of COVID, we bought [00:32:00] medical equipment and put it on the network, maybe about all of the stuff that we were supposed to do to, to make that happen. I think we connected the new suppliers because we were desperate for, you know, PPE and other things.

And maybe we did that without hitting all of our gates. Hopefully what happened in healthcare is that, and I have a high level list of those, but hopefully what happened in healthcare is that they, they kept good track of it, any place that they made exceptions and they’ve gone back in and, you know, resolved those [00:32:30] exceptions to the rule, but I, I, I wonder about that because of some of the data that I’m starting to see in the Wall of Shame report I referred to earlier.

Bill Russell: Wall of shame. So for our listeners, the wall of shame is? 

Drex DeFord: So HHS asks healthcare providers to report to them if they have a breach of more than 500 patient IDs, patient information, and that data goes on to, [00:33:00] it has an official name and I can’t think of it right now. I just refer to it as the wall of shame. If you Google HHS wall of shame, you’ll find it. And it basically lists out all the organizations. It talks about the number of, you know, what, what the breach was about, how many records were compromised, whether it was a hacking incident or a loss of data or something, you know, stolen data or something like that. And it’s a, it’s really interesting because then those are, those are the kinds of things that [00:33:30] trigger those inspections that you definitely don’t want, those visits from the government that you definitely don’t want. So, you know, stay off the wall of shame, but there are plenty of people up there, are plenty of organizations out there.

Bill Russell: Okay. You said a majority of these are human error. 

Drex DeFord: You know, the, so the answer is, it depends on how you define that. So you could even say hacking, it’s that, it’s a lot of those probably were human error or somebody fat fingered something and, you know, left a [00:34:00] port open that an organization got attacked through, or they opened an email that, you know, they got phished, which then allowed ransomware in. That’s human error. And some of these are literally the kinds of things, exactly what I think you’re thinking of, which is, Oh, we put that spreadsheet with a thousand, you know, patients in our research project on what we thought was a common drive, but it turned out that that drive was exposed to the internet and Google trawled that drive, and now that [00:34:30] information is available on the internet. So all of those things ultimately kind of come back.

Bill Russell: Do you know what I put in the category of human error, human error? The, the reality is those ports being open, you know, it’s, it’s interesting. Because I have somebody on the show who I have on the show, Nebraska Medicine, and we were talking about architecture.

Cause I’m horrible with names. I apologize. The, we were talking about architecture and how they were, they were, looking at, [00:35:00] utilizing VMware on, in front of Epic and the reason they were doing that was because it closed down like a couple of hundred ports that were open by funneling it through there. And they’re like, and I just looked at it like, Hey, you know, those couple of hundred ports all represent an opportunity for somebody to come in that door. And I think that’s one of the things we,  intelligent design architecture, architecture is a thing we need good architects who [00:35:30] are looking at things like, Hey, How many ports do we really need to have open?

A lot of times what happens is people install the server and just assume, Hey, these ports are open because this application needs it. And in reality, that’s not the case at all. Yeah. Yeah. You can just shut those things down. So yeah. 

Drex DeFord: A lot of organizations don’t have standards designed for, you know, when you build a server, these are all the things you turn off, and then you only turn on the things that are needed and I mean, you, you know, we could go into a whole cybersecurity [00:36:00] diatribe here but …

Bill Russell: That’s one of the reasons I love having you on here. So, you know, I’ll just jump to the last story. We’re getting close to the end here. Major health orgs create national patient identifier coalition.

You know, it’s, it’s interesting. And I, and I’ve, I’ve gone off on rants on this before. So if you’ve got a patient ID, and I think the site says it all because when you go there, it’s [00:36:30] not an SSL site. So on Chrome, it says not secure patient ID now. And I think that is starting right there. Starting right there.

Just sort of says it all. And you know, at the bottom of it, founding members, AHIMA, CHIME, HIMSS, Intermountain, Premier, they all should know better. There should not be a site like this that says not yet secure patient ID. Now with any, if my brand were on there, I would be embarrassed. Yeah. And you know what it leads to the [00:37:00] problem.

And the problem on this is not that patient, that, that, that a national patient identifier is bad in its intention, but we haven’t shown our ability to secure the patient record. We haven’t shown our ability to share the patient record effectively. I haven’t, you know, we, we really need to rethink our approach to this and I still can.

I will still. I will have this debate with anyone who wants to come on the show, the patient should be the carrier of the entire health record by law. They’re the only [00:37:30] constant at the point of care. They should be given the entire record electronically and you know what else? If the health system doesn’t provide the entire patient record, I think there should be a little bit, button on the app that they push. And it’s a direct link to ONC that says, I just visited this health system. They gave me my data. It didn’t go into my app correctly. It puts stuff in the wrong places, it, whatever. And you know, and then they should get fined. You know, we’ve had about 20 years to get this right.

And we haven’t done it. And I don’t think we deserve another two decades and there’s just too [00:38:00] much at risk. And we have proven that the, the patient. Or an individual can be a good carrier of information from point to point to point. It’s very possible to do. And it’s, it’s probably the, I, in my mind, it is the best method to make sure that their health record gets from one location to the next.  That’s their natural patient ID. I’m curious. I’ll let you have the last word on this. Since I went on a  rant.

Drex DeFord: You clearly have an opinion about [00:38:30] this, you know, I, and I don’t necessarily think it’s wrong. Right? I, I’ve been kind of yelling from the rooftops since I was an Air Force second lieutenant that we need a single patient ID.

We spend way much time, way too much time reconciling patient records and our own EHR, not having all the information that we need because we don’t get data from other electronic health records or from other health systems or from other sort of, you know, odd, casual visits that a patient may do to a minute clinic or something like that.

So, you [00:39:00] know, the, the, the, the data doesn’t flow, and I don’t know that that’s solved with a single patient ID, but I’ve always felt like having some kind of an ID that you can attach everything to. Gives you the opportunity to make that happen? I’m with you. I think, you  know, Google and Microsoft and others just may have been too early on a personal health record to make it work.

It was super complicated. The technology was complicated. How do you get data out from an electronic health record and into a personal [00:39:30] health record was too complicated, but I think we’re maybe at a point. Where a personal health record could be the right way to go. And not only could you take information from lots of different health systems into your own personal health record, you then have the opportunity as an individual to be able to make decisions about what studies you may want to participate in.

And perhaps you could even make a little money on the side by sharing your information with those studies and participating in those studies. It puts control of your [00:40:00] data. Where it belongs, which is with the patient. And, I think that this whole idea requires like walking to the other side of the room and looking at the electronic health record, with a completely different view of the world.

Bill Russell: Yeah, well, that’s going to be all for this week, Drex. Thanks again for coming on the show. 3xDrex. If you haven’t signed up ourr eight four eight four eight text DREX to four eight, four eight frame, get signed up. Special thanks to our sponsors VMware, Starbridge Advisors, Galen Healthcare, Health Lyrics, [00:40:30] Sirius Healthcare and Pro Talent Advisors for choosing to invest in developing the next generation of health leaders. This show is a production of This Week in Health IT. For more great content, check out the website or the YouTube channel. If you want to support the show, share it with a peer. Please step back. We’re going to continue dropping three shows a week, Tuesday, Wednesday, and Friday. Thanks for listening. That’s all for now.
