July 19, 2021: It’s Newsday with Drex DeFord and Bill. Rather than making a multimillion-dollar investment to deploy a new EHR, Woman’s Hospital in Louisiana is seeking potential partners that would instead let the hospital connect to their Epic system. Dollar General hires a Chief Medical Officer. Jeff Costlow, deputy CISO at ExtraHop offers a comprehensive tip sheet to help ease the daunting task of talking cybersecurity with health system leadership. And what started as a surge in criminal activity during the early days of the pandemic has now developed into a full-blown crisis. Why does healthcare keep falling prey to ransomware and other cyberattacks?
Newsday – Navigating EHR Affiliation, Rural Health, and CISO Board Topics
Episode 426: Transcript – July 19, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: [00:00:00] Welcome to This Week in Health IT. It’s Newsday. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.
[00:00:18] Special thanks to Sirius Healthcare, Health Lyrics and World Wide Technology, who are Newsday show sponsors, for investing in our mission to develop the next generation of health IT leaders. We set a goal for our show. And one of those [00:00:30] goals for this year is to grow our YouTube followers. We have about 600 plus followers today on our YouTube channel. Why, you might ask? Because not only do we produce this show in video format, but we also produce four short video clips from each show that we do. If you subscribe, you’ll be notified when they go live. We produce those clips just for you, the busy health IT professionals. So go ahead and check that out. A common question I get is how do we determine who comes on This Week in Health IT? To be honest, it started [00:01:00] organically. It was just me inviting my peer network. And after each show I’d ask them, is there anyone else I should talk to? The network grew larger and larger and it helped us to expand our community of thought leaders and practitioners who could just share their wisdom and expertise with the community. But another way is that we receive emails from you saying hey, cover this topic, have this person on the show. And we really appreciate those submissions as well. You can go ahead and shoot an email to [email protected]. We’ll take a look at it and see if there’s a good fit to [00:01:30] bring their knowledge and wisdom to the community as well.
[00:01:32] It is Newsday and we have a lot of stuff on tap for you today. We’ve got investments going through the roof. We’ve got some cybersecurity stories. We’ve got Dollar General hiring a COO, Epic implementation affiliate. There’s just so much going on and I am glad to have Drex DeFord in here to make sense of it all. The man who’s going to help me make sense of all of this. This is, this is a big, big Newsweek for us.
[00:01:59] Drex DeFord: [00:01:59] So much [00:02:00] stuff, so much stuff going on, man. I always look forward to the days we get to do Newsweek together. And it always seems like the world conspires to give us a lot of good stuff to talk about when we both get on.
[00:02:12] Bill Russell: [00:02:12] You know, I, I have an ongoing dream. You’re going to analyze my dream. My ongoing dream here is that I wake up one morning and there’s no new story that I can do a Today show for. And I always wake up and I’m wondering, is there going to be something relevant to talk about in health IT, ’cause [00:02:30] I’m, I’m now up to like 140 shows on the Today show and I’m thinking, oh my gosh, every day I have to do one of these. Is there going to be a day where I get up and like, there’s nothing to talk about, right? That doesn’t, I haven’t had that problem yet.
[00:02:42] Drex DeFord: [00:02:42] I think we aspire to that day. The day when everything is quiet and then you can get on and say, everything was quiet today. It’s a short show.
[00:02:52] Bill Russell: [00:02:52] Yeah it’s a short show.
[00:02:53] Drex DeFord: [00:02:53] I don’t think that’s coming anytime soon.
[00:02:55] Bill Russell: [00:02:55] Yeah, I don’t, I don’t think it is either. Well, let’s, let’s get to the news. Well, before we get to the news, let’s get [00:03:00] to a major announcement in the industry. Frank Nydam moves over to Tausight. Frank has been a, he’s been on the show and he’s been a huge proponent of the show and I really appreciate him. Moving to Tausight. That’s a big deal. I mean, he was Frank from VMware for all those years.
[00:03:19] Drex DeFord: [00:03:19] He’s a great friend. We spent a lot of time together at CHIME through CHIME, but you know, other than that too. Yeah, it’s it’s really [00:03:30] interesting when somebody has been at a place that long that their personal branding winds up really being intertwined with the company branding.
[00:03:37] Because when you think of VMware you think of Frank and vice versa. So I mean, congratulations to him. I think it’s an awesome transition. And I’m sure he will do amazing stuff because that’s just how Frank is.
[00:03:52] Yeah. And
[00:03:54] Bill Russell: [00:03:54] And if people are probably listening to this, having the same question in the back of their head, which is what is Tausight?
[00:04:00] [00:03:59] And don’t worry, Frank and I have already been talking, we’re going to have the founder of the organization and the technology is really, really interesting. We’ll have their founder on the show. We’ll talk about the technology and give everybody an update on it. But again, same congratulations to Frank on making that move.
[00:04:17] Where, gosh, where do you want to start? Do you want to start cybersecurity, or is that too easy for you? I mean, you’ve done...
[00:04:26] Drex DeFord: [00:04:26] I don’t know if it’s easy for me.
[00:04:27] Bill Russell: [00:04:27] How many calls today have you done where all you’ve done [00:04:30] is talk about cybersecurity?
[00:04:31] Drex DeFord: [00:04:31] I did a, let’s see, I’ve done a customer call, a client site presentation. I did an in-house presentation to our team. I did a webinar with, I don’t know if I can say who, I’ll say I did a webinar with Netskope and Sirius. And then I did a webinar with Citrix, and now I’m here with you. So I’m surprised my voice is holding out, but it’s really been one of those days.
[00:04:59] And [00:05:00] it’s just, I mean, it’s the reality of the world we live in right now. There’s a lot to be talked about and worked on when it comes to cybersecurity.
[00:05:08] Bill Russell: [00:05:08] There is. So here’s what we’re going to do. We’re not going to start with cybersecurity. We’re going to get to it, ’cause there’s, there’s a couple of good stories in here, but let’s, let’s start with the one that I’m really curious about. Louisiana hospital: $200 million Epic EHR implementation, by seeking affiliation. The organization looked at it and said $200 million to implement Epic. We can’t do it. It’s [00:05:30] a 165-bed hospital. It’s Woman’s Hospital out of Baton Rouge, Louisiana. And they had the same kind of conversations, I think, that happen in a lot of these smaller health systems, which is like $200 million. It’s just way too much money. And we got to do something. So they’re going to do an affiliation. My guess is it’s going to be Community Connect, but I don’t know. But you know, as I see this, I’m surprised this doesn’t happen more [00:06:00] often at this point. I mean, do you think this is going to be a trend moving forward?
[00:06:05] Drex DeFord: [00:06:05] I, I don’t know that it’s not a trend kind of already. There are a lot of organizations that have gone through the process of the due diligence of deciding on a new electronic health record and decided that the functionality that they might want, for example, is Epic.
[00:06:20] And then they start to look at the, okay, am I going to host it? Am I going to remote host it? Or am I going to try to take advantage of somebody else’s Epic [00:06:30] installation? And then there are a lot of big organizations across the country now who have big Community Connect installations.
[00:06:35] And they have, they have a lot of happy customers. I think the hard part for those organizations is the conversion from I’m running my own Epic EHR and my effort as a help desk organization is best effort, to signing up Community Connect sites and then realizing that they put themselves in a position to be a vendor and they have to have SLAs and they have to be able to do all the things like [00:07:00] manage order sets and a lot of other governance things that go with these Community Connect arrangements.
[00:07:07] So I don’t know that it’s a, I mean, it’s definitely not a new thing, but I think more and more organizations are going to add that to their list of things that they consider when they’re looking at new EHR.
[00:07:18] Bill Russell: [00:07:18] It’s about what can go wrong here, specifically around Epic EHR, because there are very high-profile ones that have failed. Hoag Hospital out of Newport Beach had [00:07:30] an Epic implementation, a Community Connect implementation with Providence. And that one has failed in the headlines, and Hoag is now essentially walking away and doing it. Now you’re talking a hospital that’s actually a system, a three-hospital system with a lot of partners in that, in that marketplace.
[00:07:51] It’s also one of the wealthiest places in the country. I mean, people from all over Southern California go to Hoag to have their babies because all the rooms [00:08:00] have a view of the Pacific Ocean, and no better place to have a baby than Hoag Hospital is what I’ve heard, having, having lived there.
[00:08:10] So they have phenomenal payer mix, phenomenal philanthropy as well. They’ve got a ton of money. So the reason they went in that direction was because they were on a, I have to remember what they were on, my gosh, but it was, it was a half-implemented system and they decided, you know what, we’re [00:08:30] going to go in the Epic direction.
[00:08:32] And because the partnership with St Joe’s in Southern California has gone through, they decided to have a conversation with Providence. And they said, yeah, we’re going to go in this direction. But the things that can go wrong are that conversation, that, that word you just used, which is governance. Right. ’Cause you don’t, you’re a renter in that situation. There’s a landlord and you’re not the landlord. And there’s this whole governance aspect that goes into this that [00:09:00] sometimes, sometimes doesn’t work out the way you think it should. Like, we should have more say in the order sets, we don’t like the way you practice medicine.
[00:09:08] I mean, those kinds of conversations. When you do an internal implementation, we don’t have doctors sitting across from each other saying, where’d you get your degree? But now you’re having those across systems and it becomes really hard to keep those, keep those together. Doesn’t it?
[00:09:26] Drex DeFord: [00:09:26] Yeah. It’s, I mean, this [00:09:30] there’s certainly, it is logically easier to go down the Community Connect path. There’s a lot of, yeah, gotchas in the Community Connect path. And I would definitely encourage, there are plenty of consulting firms who do really good work now around helping organizations that are going down the Community Connect path think through and negotiate these, all these kinds of terms and conditions around how this is gonna work and what the SLAs are going to be and what their governance processes [00:10:00] are and how they get to participate.
[00:10:01] So I would say you can certainly go out on your own and try to do that, but sometimes a lot of things get left out of the contract that way. When you find somebody who’s done it dozens of times, they’re going to light you up on a bunch of stuff that you may not think of on your own. So get some help. It’s just the right thing to do.
[00:10:19] Bill Russell: [00:10:19] But on the flip side, if you’re the smaller system, you’re just looking at it going, look, this is a, this is a bridge too far, $200 million for this. We need a new ERP system as well. We [00:10:30] need, cybersecurity has all of a sudden jumped up in cost of what we’re going to need.
[00:10:34] And they’re just looking at it, going 200-bed hospital. We don’t generate enough revenue to pay for the IT infrastructure anymore. And make no mistake, the Epic implementation and some of the other things we’re talking about, these, these are expensive upgrades. And my guess is if we walked into Woman’s Hospital today, we would look at the EHR system and it would be pretty antiquated for them to be considering the $200 million implementation at this [00:11:00] point.
[00:11:00]So there is a benefit. You just have to walk through it correctly and eyes wide, open negotiate correctly. Make sure that your voice is going to be heard at the table and all those kinds of things. It’s, it’s an interesting play.
[00:11:13] Drex DeFord: [00:11:13] Yeah. I mean, make sure that you’re covered. This sort of changes everything, right? Instead of a bunch of capital investments to buy infrastructure to be able to run this stuff on your own, you’re making a conversion. Even if it’s not in actual dollars, if this is the first time you’re doing it, you’re making a conversion [00:11:30] to OpEx. You’re probably going to pay, you’re going to start paying subscription kinds of fees for Epic Community Connect. You may ultimately pay for Lawson, if you’re buying other... I mean, this is the way of the world right now. It feels like where we’re headed. A lot of as-a-service kinds of things, especially for smaller and mid-sized organizations who want to plug in and have EHR electricity come out or have cybersecurity electricity come out. They just want to pay for it.
[00:11:58] They want to know they’re covered. They want to know [00:12:00] they have good service. And they realize that it’s really hard in small-town Louisiana to buy that stuff, install it, hire a team, train them, keep them there, not lose them, always have open positions in all of these areas. So we see a big move for those organizations toward as-a-service kinds of capability.
[00:12:23] Bill Russell: [00:12:23] Yeah. And we used to always talk about it as a utility to our organization and they got it. Like every time [00:12:30] you plug into an outlet, you expect power to come through that outlet.
[00:12:33] Drex DeFord: [00:12:33] I don’t run my own water mill or my own wind turbine. I’m buying it from utility. That’s what they’re looking for.
[00:12:42] Bill Russell: [00:12:42] And another time, we can have the conversation around moving from CapEx to OpEx, because quite frankly, I had to have a lot of conversations. We made that transition back when I was at St. Joseph, and we had, I had a lot of conversations, because at the point you’re making that transition you have to reorient [00:13:00] the CFO around that, because it’s, it’s just a different way of accounting for it.
[00:13:06] Drex DeFord: [00:13:06] It has a multi-year impact too. Right. So things like when and how do we float bonds and what do we say in those bond issuances? Right. It changes a lot of the CFO’s world. And so you really have to, in the spirit of collaboration, you’ve got to get everybody on board or maybe it doesn’t work the way that you think.
[00:13:24]Bill Russell: [00:13:24] We’ll get back to our show in just one moment. Every day you’re using your skills to help end [00:13:30] substance use disorders within your community. The Health Resources and Services Administration is here to help you with the new STAR LRP program, which is substance use disorder treatment and recovery loan repayment program.
[00:13:44] Pay off your school loan with up to $250,000 from the STAR LRP in exchange for six years of full-time service at an approved facility. Behavioral health clinicians, paraprofessionals, clinical support staff, and many others trained in [00:14:00] substance use disorder treatment are encouraged to apply.
[00:14:02] Applications are open until Thursday, July 22nd, 2021 at 7:30 PM Eastern time, which is right around the corner. To learn more and apply to join the STAR LRP. You can use the link in our show notes or visit bhw.hrsa.gov to learn more. That’s bhw as in behavioral health workforce dot HRSA.gov. Now [00:14:30] back to our show.
[00:14:30] Yeah. So let me give you the next story. So Lee Milligan sent this to me early last week, I think. He said, this is huge. And I looked at the title and I thought, I can’t believe he thinks this is huge. And then I read the story and I thought, this is huge. Dollar General hires Chief Medical Officer, boosts healthcare items in the stores.
[00:14:49] It’s as simple as it sounds. They hired a CMO, and he came from McKinsey, I believe. Yeah. Came from McKinsey, [00:15:00] Dr. Albert Wu. Some of the first things they’re doing is they’re taking out some, some things in the aisles and they are actually putting in refrigerators, some local produce, some better produce, and those kinds of things. They’re just selling healthier options to that community.
[00:15:16] But I think the thing that makes this powerful, much more so than a Walmart or CVS announcement, is the location of these stores, right? There’s 17,400 Dollar General stores. And if you drove from where I’m [00:15:30] at in Southwest Florida to Orlando, you’d pass about 30 of them. Sure. And as you’re driving, you see a combine or an orange field to the left, and then all of a sudden you come across small-town America.
[00:15:44] Right. And there’s the Dollar General right in the middle there and there. And it really is, Hey, do I get my groceries from the gas station? Or do I get it from Dollar General? Sure. I mean, it is almost that kind of trade off.
[00:15:58] Drex DeFord: [00:15:58] Sure. I mean, [00:16:00] especially places that are in food deserts like that, where there isn’t a grocery store and literally driving to a grocery store is a multi hour trip in many of those communities. It takes me two hours to get to the city that has a grocery store with fresh food. And so people don’t do that. They make the other decision, which is go to a fast food restaurant, buy processed food and all of those things lead to heart disease and obesity and all of that stuff.
[00:16:30] [00:16:29] So, I mean, I’m with Lee, this is a big deal. This is a big announcement. And I think that if, if they do it right, it could really change, it could change eating options, which also ultimately impacts long-term health for those communities.
[00:16:44] Bill Russell: [00:16:44] So they also did some stuff during the pandemic. They did COVID tests at the Dollar General stores. One of the things we know is that vaccination rates are low amongst the population that would be around these locations. If you were, let’s say [00:17:00] a large, let’s say you’re Orlando Health, right? You’re surrounded by rural population.
[00:17:05] I know people might not understand geography, but around Orlando on either side, it’s just rural for about an hour or two. In every direction, north, south, east, and west, until you get to Tampa, till you get to the space coast and till you really get to Fort Lauderdale, Miami, that kind of area. So you, you literally have two hours surrounded by rural.
[00:17:28] Are you thinking, hey, [00:17:30] this is a good potential partnership? And now I finally have somebody to talk to. I can talk to a Chief Medical Officer who understands my industry.
[00:17:39] Drex DeFord: [00:17:39] Yeah, I think that’s a great, I mean, that’s definitely how I would be thinking. Having outposts in these areas, maybe set up talking to that CMO about what are our telemedicine options or something that we could do so that we can see people with really minor things, write [00:18:00] prescriptions, do this stuff to sort of take care of them. But if there’s something more complicated, we want them to refer to our hospital. So the devil is in the details, there’s a lot of stuff that could come from this, but I would definitely be looking at those Dollar General stores as potential outposts to expand the reach of my health system.
[00:18:17] Bill Russell: [00:18:17] 17,400
[00:18:19] Drex DeFord: [00:18:19] 17,400 stores. It’s amazing when I saw the number and then you start to see them. There are some things online you can go look at too, and it shows you like where they are [00:18:30] and it’s, it is pretty incredible. You don’t really think about how, how they cover that rural segment of our population, but they really do cover a lot of rural territory.
[00:18:46] Bill Russell: [00:18:46] Yeah. So the fresh produce is in 1300 stores. That will expand this year to 10,000 of those stores. So obviously they’ve negotiated the supply chain and they’ve got that all worked out. It’s really, really interesting to me, [00:19:00] and they’re growing their number of stores as well. This is, by the way, a very profitable organization in and of itself, selling what they sell at a Dollar General store, because they sell at rates that are, I think I saw it in this story and the numbers sort of took me aback. They had their discounts versus like a CVS or other, but it was like 20% lower.
[00:19:29] Drex DeFord: [00:19:29] Dollar [00:19:30] General is stealing market share. Dollar General prices tend to be 40% cheaper than drugstores, 20% cheaper than grocery stores and inline with mass market retailers.
[00:19:39] Bill Russell: [00:19:39] Wow.
[00:19:40] Drex DeFord: [00:19:40] Yeah right.
[00:19:42] Bill Russell: [00:19:42] That’s that’s impressive.
[00:19:44] Drex DeFord: [00:19:44] And look, I’ll tell you, like, you see a Dollar General store and you don’t think much about that. I mean, because in rural communities you might think, oh, well, it’s a Dollar General store. It’s not that sophisticated. But look, if you’re pulling that off, there’s got to be some pretty sophisticated analytics behind [00:20:00] what you’re buying, how much you can buy, how do you move it to all of those locations and get it on shelves, so that you can buy it at a price that you can sell at a lower price.
[00:20:09] I mean, there’s a lot of math here, right? There’s a lot of, there’s a lot of abacus work going into figuring out how to make this.
[00:20:17] Bill Russell: [00:20:17] Yeah. I mean, to get those kinds of margins, to get that kind of discount and whatnot, let’s not underestimate that. I mean, you’re talking, these stores, they’re negotiating on pennies.
[00:20:27] And the volumes they’re talking about, they’re competing with [00:20:30] stores that have really big volumes as well. So their, their buyers, their supply chain is really well thought out.
[00:20:37] Drex DeFord: [00:20:37] It’s also about figuring out this stuff that actually will sell in those stores and not accidentally blowing a bunch of cash buying stuff that nobody wants to buy in those stores. So, right,
[00:20:47] Bill Russell: [00:20:47] Right, right. Ready to talk about cybersecurity again.
[00:20:50] Drex DeFord: [00:20:50] Sure. Let’s do it. Let’s do it.
[00:20:51] Bill Russell: [00:20:51] I know you did all day. Let’s see. Yeah. So there’s, there’s two stories here and I thought both were interesting. And I wanted to talk to you about them. One was [00:21:00] a deputy CISO for ExtraHop in Seattle, Jeff Costlow, gives some things to consider if you’re going to go talk to your board. If a CISO is going to talk to their board about cybersecurity. And the other is why healthcare keeps falling prey to ransomware and other cyberattacks. Which one do you want to tackle first?
[00:21:17] Drex DeFord: [00:21:17] Let’s start with Jeff Costlow. ExtraHop is a company based here in Seattle. I may have been the first healthcare customer for ExtraHop back in, I don’t know, 2008 or 2009 when they [00:21:30] rode in and saved my bacon with their network detection response capabilities. And they were, they were a customer when I was an independent consultant and I really liked them.
[00:21:40] And I don’t know Jeff, but I mean, I’m reading this article, like all those things ring true. He did a really good job.
[00:21:46] Bill Russell: [00:21:46] Yeah. He’s speaking at HIMSS. This is from Healthcare IT News, which right now is just the HIMSS megaphone.
[00:21:53] Drex DeFord: [00:21:53] Exactly.
[00:21:54] Bill Russell: [00:21:54] So he’s speaking at HIMSS. So they’re, they’re setting up. And this is the topic of his [00:22:00] conversation. He’s going to be talking about if you’re a CISO, getting ready to go in and talk to the board what are some things that you’re going to do? He prefaces this. I’m going to go straight to the, what are you doing in the conversation, but he does have some interesting things in terms of setting up your framework and whatnot.
[00:22:16] All right. So you’re getting ready to go in and talk to your board. And you’re a CISO. He says, number one, know your audience. That’s absolutely true. Not all boards are made the same. I know our board really only had [00:22:30] one technology person per se on it. And that technology person was incredibly savvy and was like the spokesperson for the entire board.
[00:22:39] But it didn’t mean that we didn’t have to really be very clear and very basic about some of the things we were doing. We couldn’t just speak to that one person on the board, because of our subcommittee of the board that handled security. We had to bring everyone along. We couldn’t just speak to that one person.
[00:22:58] And actually he was phenomenal cause he [00:23:00] helped to bring the rest of the board along as well. So you’d have to know that audience. Have you seen, I assume most boards today have somebody who understands cybersecurity?
[00:23:10] Drex DeFord: [00:23:10] I think so if they, if they don’t have somebody on the board, they probably have somebody on one of the subcommittees of the board, like audit and compliance.
[00:23:22] And so somewhere in there, there is an external resource that understands cyber security and you’re right. [00:23:30] I mean, I think cyber security for so many years led with fear, uncertainty and doubt. Scaring people into buying stuff for cybersecurity because, oh my gosh, what will happen to us if we don’t?
[00:23:41] And I think the transition that has occurred, he talks about leading with resilience and managing fear, is that yeah, of course, you’re going to be afraid of what might happen. Nobody wants to be in the newspaper. Nobody wants to be the person with the microphone shoved in their face. But really the story has to be now, I think, and based on what [00:24:00] he’s saying, I think he thinks that we’ve created this situation in healthcare now where you can’t provide modern healthcare without digital health. Without the tools that we have, EHRs and ERPs and the thousand other applications that many of us run, which runs on, has to run on relatively modern networks and is connected to the internet, because we’re doing a bunch of this stuff, as we talked about earlier, as a service.
[00:24:25] And when you get all of that put together, You have to be really thoughtful about what happens [00:24:30] if we go down? What happens if we go offline? And so you have to talk about it and think about it from the perspective of resilience. If we’re down for one day, what does it cost us? If we’re down for 30 days what does it cost us?
[00:24:45] And what are the things we can do to make sure that if something happens that we go offline, we can come back as quickly as possible to deliver great care to our patients and families, because that’s what they’re all about.
[00:24:55] Bill Russell: [00:24:55] I think the only thing this article doesn’t address, from where I sit, is [00:25:00] I found that one of the mistakes people make when they go to a board is they take a posture of telling, and the board is really a collaborative group. They’re on your side, they’re inside, and they will help you to think through things. So we talked about risks. We educated them on risk. We educated them on the gaps. And he has both of those things in here. You talk about the risk, you talk about the gaps. And then we talked to them about the cost of filling those gaps.
[00:25:26] We talked about the complexity of filling those gaps, and then they [00:25:30] helped through the conversation, helped us to really determine what’s the most important risk to the organization. And they would, a lot of times help us to understand, oh, okay. We thought this was the biggest risk. And they would say, no, no, this is much more of a risk for us because of this, this and this.
[00:25:46] Because they quite frankly, even as the CIO and CISO of the organization, sometimes they have a bigger picture because they’re sitting in the entire board meeting and they’re going, oh look, no, our next five-year [00:26:00] strategy is based on this being right. And you have to make sure that this gets protected because that’s the future of the organization.
[00:26:08] And we’re focused on the hundred-year-old hospital and making sure that all that runs fine. And they’re going, no, no, no, no, shore up that gap first and then do these things. And so I think it’s the approach that I would, if I were coaching somebody, and I have coached CIOs on this, is you have to understand there’s a certain presentation you give to the board where you are [00:26:30] telling, and then there’s other presentations to the board where they are a collaborative partner and you walk in there with, hey, here’s... I’m going to tee these things up and I want to have a conversation with you around it.
[00:26:42] Drex DeFord: [00:26:42] I like that. I mean, I think that’s great advice and guidance, right? Like you said, they’re worried about the hospital and they’re on the board and they want to make sure that that hospital that’s been around for a hundred years survives, but they also sit out in the community.
[00:26:55] And so they have a different perspective on what kind of a [00:27:00] cornerstone, that organization is for the community. So they think about the hospital in a different way. And it really is a great opportunity to get that perspective from people who don’t work in the organization, because we have a tendency to think a lot about compliance and are we going to meet all the rules and all those things, they just have a different view of the world. And it’s a very valuable view.
[00:27:18] Bill Russell: [00:27:18] So Drex, how do I, one of the things is advocate for resources, and I call that closing the sale, asking for the sale. And there are times where you’re there and you’re just like, look, we need money. We need this. But [00:27:30] I’m often reminded of my data team. My data interoperability team. Every year they’d come to me and say, I need 15 more people.
[00:27:37] And it got to be a joke in my head. I’m like, I know they’re going to submit their budget. They’re going to ask for 15 more people. And cybersecurity can almost get the same rep, right? Every time you go into the board, you’re like, we need another 5 million. We need another 3 million , we need another 2 million.
[00:27:49] What’s the best way to sort of tee this up and to ask for resources or to ask for the sale of, Hey, we need to fund this. We need more money around this.
[00:27:59] Drex DeFord: [00:27:59] Yeah, well, I mean, you’re, I think your coaching earlier to CIOs into boards makes a lot of sense here and has a great tie in, and that is what is the risk tolerance of the organization and what are they willing to accept and what are they not willing to accept and then mapping your requirements to that and making sure that you have a good tie.
[00:28:18] You said you wanted to do this. This is what you were really clear where the priorities, then this is what we think we need to be able to do that. And we know that because, and this is the other part of the job that we all [00:28:30] have as healthcare executives, and that is making sure that we’re doing the best we can and showing every day that we’re doing the best we can to be good stewards of the dollars that we’re given.
[00:28:41] So if you can find different ways to allocate dollars that we’ve been given for one thing, but we found a less expensive way to do that thing with another vendor or with another product then we do that. And we talk about it and then we show how we’ve transitioned those unspent dollars to fill other gaps that the board has said is [00:29:00] important.
[00:29:00] So this mapping to gaps is incredibly important. And just showing that you’re a good steward every day builds a lot of trust for those healthcare executives that do that.
[00:29:10] Bill Russell: [00:29:10] His last item here is build a roadmap to success. Do you find that it’s important to have, I dunno, is it a three-year roadmap cause one of the things I’m saying to my clients right now is cybersecurity is front and center. You could probably get more money this year than you’re going to be able to get in future years, [00:29:30] just because of what has happened in some of the health systems that have been pretty public and because of the nature, right. It takes them down for 30 days or more, and their state laws. So you’re probably gonna be able to money.
[00:29:42] And that’s one aspect. And then the second aspect I’m talking to them about is that you already had probably two or three years of cyber security plans that you probably need to shrink those up because you have an opportunity to here to fill some gaps. The threat is [00:30:00] really high. I mean, threat levels high right now, given the vulnerabilities and what’s happened and we’ll get into the next story of some things that I think still exists within healthcare that we have to address.
[00:30:11] Do you find that having that roadmap to fill in those gaps is important and having a timeline on it?
[00:30:23] Drex DeFord: [00:30:23] I think timelines are important from the perspective of they actually cause you to do work in a particular period of time. But when you don’t know if you’re [00:30:30] going to get money, what you need to create is a strong program, a strong priority list. And prove again and again and again that you can execute on it. And then it’s actually closing gaps and it’s actually removing risk and making the organization more secure. And if you can do that again and again, and again, then they start to build trust in this roadmap that you create. And whatever the dollars are that you’re going to get this year, you can go through that list and draw a line and say, we’re going to do all the things above the line [00:31:00] really, really well. And here’s the gaps that remain for the things on the roadmap that are below the line. And we’re all clear here. You’re accepting that risk, right? And then you execute the daylights out of the stuff above the line.
[00:31:13] And when it comes to the next thing on the, on the list. You ask for more money, you asked for more resources. You’ve proved that you’ve been a good steward and you’re likely to be able to with that program development so.
[00:31:25] Bill Russell: [00:31:25] All right, let’s hit the next story. So why healthcare keeps falling prey to ransomware and other [00:31:30] cyber attacks? And what is it? 1, 2, 3, 6, 6 items, really. First one being electronic health records in expanded attack surface. So it’s interesting that he calls out electronic health record. And the expanding attack surface, I would say it’s the electronic health record is a part of the expanding attack surface.
[00:31:51] We’ve talked about this before the attack surfaces pretty significant at this point. I mean, you have biomed devices, you have digital [00:32:00] health strategies. You have hospital at home strategies. Now coming into play, you have patient generated data. There’s the, the attack surface has gotten pretty broad at this point.
[00:32:11] Drex DeFord: [00:32:11] Sure. And you have third-party risk management programs, all of this as a service work, that’s going on. We went through the pandemic and we did a lot of other things, too, right, we sent on Tuesday, nobody could work from home and on Thursday we sent 6,000 people to work from home.
[00:32:27] Telehealth blew up. We added medical [00:32:30] equipment maybe didn’t close the all the processes that we usually have adding medical equipment during the pandemic, we brought in a ton of travelers and maybe we didn’t train them as well as we should train them.
[00:32:42] So the threat, the threat surface definitely has grown and continued to grow. And I think part of the work now is. Going back and fixing the things that maybe we took a little bit of a shortcut on during the pandemic to, to, and I think there’s [00:33:00] ways to do that if you do it well to actually get back to a place where you were better before, than before when you, before the start of the pandemic.
[00:33:09] Bill Russell: [00:33:09] So early on, there was an easing of restrictions from the regulatory bodies around certain aspects of technology. Really around telehealth right. They were saying, Hey, we’re going to relax some of these guidelines and what not. Have we gotten to the point now from a safety standpoint, that those things should really should go fall back or have they already fallen [00:33:30] back that it’s Hey look, all these guidelines are back in place and we need to shore up.
[00:33:35] Cybersecurity has now become more of a priority than making sure that we can do telehealth because we don’t, we don’t really have a lot of hotspots right now around COVID-19. I would assume all those security things are now front and center.
[00:33:50] Drex DeFord: [00:33:50] A lot of the, a lot of the security relaxation, it’s not really security relaxation. It was, it was really a lot of privacy relaxation [00:34:00] around using things like Zoom or other tools to do telehealth. Right. And a lot of that was just the realization at the time. Again everybody. Right. We got to take care of patients and families, and you can’t bring them all to the building so how are we going to do that?
[00:34:15] And they relaxed a bunch of rules to let organizations be able to do that. Now, I think what happened in the meantime is that organizations may have opened up and use a bunch of those tools for telehealth, but as they got to the point of sort of realizing like, We’re going to do more telehealth than we [00:34:30] ever did before.
[00:34:30] And this looks like a thing that’s probably going to stick around, maybe not at the level that it was at the height of the pandemic, but this is a new way for us to deliver care. And that’s just how it’s going to be that I think they on their own have continued to sort of say, we’re going to stop you using this.
[00:34:45] We’re going to start using this. And we’re going to consolidate tools because they turned a whole bunch of stuff on it. Just like they did and all the other areas during the pandemic and now they’re starting to go back and reconcile their decisions [00:35:00] and that’s some of what’s going on now.
[00:35:01] Some of the, one of the things that really still twerks me off a little bit is the the being able to practice medicine across state lines, and there’s still, there are states now who are pulling those rules back, but kind of for awhile there said, we’re not going to enforce those rules.
[00:35:17] If you’re doing telehealth visits there were some exceptions that were created in the regulations that would allow doctors to practice medicine and cross state time state line. Some of those are being pulled back now, and there’s a [00:35:30] big movement that has been going on for a while. It just says, why can’t, if they’re doing telehealth visits, why can’t doctors just have a 50 state license to be able to do that kind of care?
[00:35:44] Bill Russell: [00:35:44] I’m with you. I asked the question of Dr. Joseph Kvedar who’s American Telemedicine Association. And he said he supports the state’s limitations on practicing across state lines.
[00:35:58] And I was like, I would think if [00:36:00] anyone was going to tell me this this needs to go. This is from a day gone by. It would have been him and he didn’t. And so and I’ve since talked to some doctors and they do support it. They support it for some, I’m not sure I fully understand it. Except there are some risks that came up prior to having those things in place. And you and I are both are not physicians. So I’ll save that for another conversation.
[00:36:27] Drex DeFord: [00:36:27] Sounds good. I mean, Dr. [00:36:30] Joe, I’ve heard him speak in many different forums and he’s a logical guy. I’m sure that he has reasons for that.
[00:36:37] Bill Russell: [00:36:37] Logical guy, head of the ATA and Harvard professor. I’m thinking he’s thought through it a little bit.
[00:36:43] Drex DeFord: [00:36:43] I’m thinking he’s spent some time thinking about it.
[00:36:46] Bill Russell: [00:36:46] But let me ask you this. This is right in your wheelhouse. Unpatched systems and legacy devices. Legacy devices. It’s hard to do anything about it. You need money to take care of that. I mean, you can section them off of whatnot. Unpatched systems though I want to talk about. [00:37:00] Well, this just feels to me like it’s laziness around process.
[00:37:05] Everything that has an IP address needs to be patched at some. At some interval, some given time. And so anytime we put a new device in, we had a process that was added to our normal IT operations to make sure that we were checking and patching all their systems. And that was like, that was blocking and tackling 101.
[00:37:26] And I felt like we did that pretty well. [00:37:30] And that was back in 2012, 2013. He listed as one of the reasons we are still falling prey and I’m not going to act like, I don’t think it’s the case. I think it’s the case. I’m just wondering. Why we’re not ahead of this yet.
[00:37:48] Drex DeFord: [00:37:48] I know. I, yeah. I mean, how many times did you see me say or post when a new vulnerability is issued. Patch your junk. Patch your junk. Patch your [00:38:00] junk. But realistically, I also understand that sometimes that even if you have a really good type process, the reasons that you can’t patch things and there’s reasons that you can’t patch things really quickly and that is because you need to take it through some kind of a testing process, right? So you do the patch on Tuesday and it might take you depending on how many people you have working in the QA section, it might take you a week or more to get through some sort of a testing process to make sure that you don’t break some [00:38:30] clinical workflow because you decided to patch a system.
[00:38:32] And I don’t mean medical equipment. I just mean. Something that is in the clinic that is a PC that runs a particular application. That’s unique to that clinic, which ties to the legacy conversation, right? Because the application that runs on that PC in that clinic might also be some really old thing that doesn’t like security patches on the operating system then you really have to consider. Do we upgrade that? Do we [00:39:00] replace it? Do we do it, do something else? And so when you can’t patch systems, you have to think of something else which is your compensating control. You’re gonna firewall that thing off and do some other, protected in some other way, but it’s complicated. I mean, I know it sounds easy. I say it patch your junk, but it’s not as easy as you think.
[00:39:17] Bill Russell: [00:39:17] Well, there’s also an architecture conversation to have here. We all know dev test prod is the way to go, but when you get into the practical conversations around, all right, we’re buying a new age [00:39:30] EHR system.
[00:39:30] We need a test environment and a production environment. That costs money. It takes time to set that up. It takes time to keep that synced up so that you have essentially the same environment. So if you’re going to do testing in the test environment, it really does mirror what’s going on in the production environment.
[00:39:49] And so there’s a whole workflow that needs to go around that in order to do that effectively. And that’s where I sit back and I go, yeah, there’s a cost to doing it. Right. I was at [00:40:00] a large health system. We had a fairly sizable. And we still can do everything right. We rarely had a dev environment. We had tests and prod, but not with all of our systems, only.
[00:40:11] Drex DeFord: [00:40:11] Not all of your systems.
[00:40:13] Bill Russell: [00:40:13] Only, only certain systems. I was going to say only on key systems, but that wasn’t true either.
[00:40:18] Drex DeFord: [00:40:18] I definitely can relate. Yeah, you would love to say that it was the top 10 key systems that you had test environments for, that were mirrored up with your ..
[00:40:27] Bill Russell: [00:40:27] We did not have a test, no [00:40:30] test system for our PACS system. It was just, it was just too costly, but we had, we did for our EHR system. Anyway. Hey, next thing on here, I laughed flat networks. We’ve talked about this. I used to be a zealot for flat networks because it simplified everything. And then you security people came in and said, what are you doing? And I’m like, oh yeah, this is bad. Flat networks are bad. Why are flat networks bad?
[00:41:00] Drex DeFord: [00:41:00] Well, flat networks are bad. I mean, look, flat networks are good and bad, right? Flat networks are great. If what you’re trying to do is keep the environment really, really simple. It makes sure that everything can connect to everything else on that network without trying to traverse some kind of a firewall or doing something weird makes it real easy to troubleshoot.
[00:41:17] Does all kinds of other things. But all the good stuff that it does is also really good stuff for bad guys. So once I’ve compromised, once I have credentials and I’ve compromised an account, or I mean your AD or [00:41:30] somewhere else. Then once I move laterally, I realized pretty quickly as a bad guy, like, oh yeah, it’s a flat network.
[00:41:38] I can get to everything. And those keys, those accounts are really valuable on the black market, because if you can tell others that I can sell you access to a network that has this many nodes on the network and it’s flat and you don’t have to fight you don’t have to go around worrying about ringing alarm bells.
[00:41:58] Those become really, really [00:42:00] valuable. So there’s also the opposite end of this, too. Of course you want to segment your network. You want to do some of that kind of work, but you can. Right. It makes everybody crazy trying to run things on that network. So it’s about finding balance and not just having just a big flat network.
[00:42:17] Bill Russell: [00:42:17] Yeah. So third party security rescue we touched on earlier uptime concerns and prioritizing security. I would think that every health system in the country is prioritizing security. If you’re having trouble with that, [00:42:30] I’ve done. I dunno, about 12 shows in the last two months. On security. Just take any one. Karl West and I talking about the Sky Lakes Medical Center is one, I just talked to Vik Nagjee last week on.
[00:42:45] Drex DeFord: [00:42:45] He did great.
[00:42:46] Bill Russell: [00:42:46] Yeah. He’s doing some interesting stuff on helping organizations to think through the recovery. And he, he brought some stuff up that I had not thought about. The time on your network sometimes since people have been on your [00:43:00] networks for a month or two months, and so your backup systems they’ll just infiltrate until your backup systems are essentially compromised. And so when you go to restore there, they’re right back in.
[00:43:14] Drex DeFord: [00:43:14] They’re really smart. I mean, this idea of. We think about this very, I think in a linear way, right? The hacker who somehow compromises credentials and gets into my network, then immediately [00:43:30] fires off ransomware and causes chaos.
[00:43:32] But realistically there’s a whole economy built around this. So there’s a bunch of bad guys to simplify. It kind of, there’s a bunch of bad guys who really specialize in compromising the credentials to be able to get into the network. And once they have that, they go to the black market and they auction that piece off.
[00:43:51] The buyer of that comes to that network. And they are really, really good at very carefully scoping out your network and [00:44:00] not setting off any alarms, figuring out where all the crown jewels are and then they back out and they sell those credentials with all of that Intel on the black market to another group of bad guys who come in and go, okay, now that we have all this Lex let’s exfiltrate some data from those crown jewels so that we know that we’ve got them because the double extortion thing is real, right. We’re going to ask you for ransomware. If you don’t pay it, we’re going to release a bunch of data and you’re going to pay for it in a different way. So the double extortion thing is real, [00:44:30] and then they may actually take some of that information and sell it and get on the black market to people who specialize in blowing up ransomware and doing the negotiation.
[00:44:39] And so you think of this as kind of like one bad guy who has all these skills, but it really is sort of like a conglomeration of a mafia of cybersecurity criminals, who kind of figure out how to, how they divided and conquered how they’ve specialized their skills. So that the thing they do really well [00:45:00] is benefits everybody who’s involved in the process.
[00:45:03] Bill Russell: [00:45:03] Wow. You’re, you’re starting to, I remember that when my internal auditor used to bring their cybersecurity people in, I used to, I used to go home and I’d like look over my shoulder and I’d be worried about
[00:45:16] Drex DeFord: [00:45:16] Hug my dog and cry.
[00:45:18] Bill Russell: [00:45:18] Like, oh my gosh, this is so hard. I mean, everybody and their brother wants all the stuff that’s behind my firewall. And it just felt like they’re, [00:45:30] they’re really, well-funded. They’re really smart. And you think, well these are people in a garage. They might be people in a garage, but they’re really well-educated and they really understand how the systems work and there, and now what you’re telling me is essentially they’re connected.
[00:45:46] There’s a whole connected I mean, they’re connected economically, but they’re also connected by specialty. It’s I’m going to hand, I’m going to do my specialty and hand it off to you. You’re going to do your specialty and hand it off to the next person.
[00:45:59] Drex DeFord: [00:45:59] Right. And in the [00:46:00] end, I mean, there may be no money that’s exchanged for these deals, for these selling credentials, selling the crown jewel information, all of that, that may all be, we all want to make sure that we’re connected to the guy or the lady who is really good at setting off ransomware and then collecting, right, because we may not get paid until we get a cut of that final deal. That may be the relationship that you’ve built. [00:46:30] So it’s crazy, man. It’s amazing and scary. And not not to scare folks. I mean, that’s, that’s the reality.
[00:46:40] Bill Russell: [00:46:40] That’s the world we live in. I mean, you can bury your head in and that used to be a strategy. I remember talking to somebody and they’re like, look, my health system is so small. They don’t want to get in. I’m like no anonymity is not a strategy and head in the sand is not a strategy.
[00:46:54] Drex DeFord: [00:46:54] I don’t think it’s a thing you can do anymore because look, [00:47:00] healthcare is critical infrastructure and just like pipelines and just like meat packing plants. And you go right down the line. Healthcare is critical infrastructure. And if we’re indeed, perhaps collateral damage and some kind of proxy war that’s going on right now. It’s not about you. It’s about a lot of organizations like us and how taking us down could affect the critical infrastructure of the [00:47:30] country. So don’t, don’t think about this so personally or so organization centric, right? You may be one in the domino chain of the thing that the bad guys are really trying to create the cause or get to.
[00:47:46] Bill Russell: [00:47:46] Yeah, the story I tell people to not take it personally is the same exact email that went to Sky Lakes, went to St. Lawrence health system in New York. It’s like, they didn’t, they didn’t distinguish by state. It’s not red state blue state. It’s [00:48:00] not, it’s not large systems, small systems. They just shot that email out to a bunch of health systems, the ones who clicked on it, they said, all right, these are the ones who are going to go to work.
[00:48:08] Drex DeFord: [00:48:08] That’s why they call it phishing.
[00:48:10] Bill Russell: [00:48:10] Yep. Yeah. Just throw your nets out there. Well, Drex, I always love talking to you. I mean, I’m a little scared I’m going to go hug my kids and my wife when I leave here. But I really appreciate it. I appreciate you coming on the show and again, another great conversation. Thanks a lot.
[00:48:28] Drex DeFord: [00:48:28] My pleasure. I always enjoy [00:48:30] being on and take care everyone. I’ll catch you all again soon.
[00:48:33] What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It’s conference level value every week. They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts, Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. [00:49:00] We’re out there. They can find us. Go ahead. Subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisers, Aruba and McAfee. Thanks for listening. That’s all for now.