June 1, 2021: It’s Newsday with Drex DeFord and Bill. 50% of US adults are now fully vaccinated. HIMSS is preparing for its HIMSS21 conference in Vegas. Data centers around the world are concerned with a remote code vulnerability in a widely used VMware product. The Scripps Health website remains down more than two weeks after a malware attack. Google and HCA have struck a deal to develop tools to improve medical care, as privacy concerns arise. And COVID-19 accelerated changes to all aspects of the waiting room, including whether to have one at all.
Newsday – Security Events, HCA/Google, and Waiting Room of the Future
Episode 410: Transcript – June 1, 2021
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Bill Russell: [00:00:00] Welcome to This Week in Health IT. It’s Newsday. My name is Bill Russell, former healthcare CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged.
[00:00:17]Today we are joined by Drex DeFord. Special thanks to Sirius Healthcare, Health Lyrics and World Wide Technology who are Newsday show sponsors for investing in our mission to develop the next generation of health IT leaders. [00:00:30] We set a goal for our show. And one of those goals for this year is to grow our YouTube followers. We have about 600 plus followers today on our YouTube channel. Why you might ask? Because not only do we produce this show in video format but we also produce four short video clips from each show that we do. If you subscribe, you’ll be notified when they go live. We produced those clips just for you the busy health IT professionals. So go ahead and check that out.
[00:00:57] Common question I get is how do we determine who comes on [00:01:00] This Week in Health IT? To be honest, it started organically. It was just me inviting my peer network. And after each show I’d ask them, is there anyone else I should talk to, and then the group, obviously the network grew larger and larger and it helped us to expand our community of thought leaders and practitioners who could just share their wisdom and expertise with the community. But another way is that we receive emails from you: hey, cover this topic, have this person on the show. And we really appreciate those submissions as well. You can go ahead and shoot an email to [00:01:30] [email protected] It will go to the entire team. We’ll take a look at it, reach out to these people and see if there’s a good fit to bring their knowledge and wisdom to the community as well. We also launched Today in Health IT. A weekday daily show that is on todayinhealthit.com. We look at one story each day and try to keep it to about 10 minutes or less. So it’s really digestible. This is a great way for you to stay current. It’s a great way for your team to stay current. In fact, if I were a CIO today, I would have all my [00:02:00] staff listening to Today in Health IT so we could discuss it. Agree with the content, disagree with the content, it is still a great way to get the conversation started. So check that out as well. Now onto today’s show.
[00:02:11] Today we are joined by Drex DeFord. In your orange. Are you in your running outfit? What is that?
[00:02:19] Drex DeFord: [00:02:19] I don’t know. I found it in my closet today and it was like, that’s probably not been worn for a while. So put it on.
[00:02:27] Bill Russell: [00:02:27] I’m going to record a show. It’s going be [00:02:30] captured for posterity. I want everyone to know that this is what I have.
[00:02:32] Drex DeFord: [00:02:32] It’s bright. It’s colorful.
[00:02:34] Bill Russell: [00:02:34] It looks like a running outfit. Is it?
[00:02:36] Drex DeFord: [00:02:36] It’s a Black Diamond. Mountain climbing gear. It’s layering gear, but it works great in Seattle, which we all have every, I have one of everything manufactured by anyone who has anything to do with hiking or mountain climbing.
[00:02:53] Bill Russell: [00:02:53] The athletic sports apparel people have targeted people over the age of 50 with [00:03:00] stuff. So I’m wearing my golf outfit, that kind of stuff, trying to look like an athlete. Of course, I’m 15 to 20 pounds overweight, but you know, I look the part, like they it actually do something. And the other thing is we’re both wearing our glasses, showing that we’re over 50.
[00:03:14] Drex DeFord: [00:03:14] Yeah. Age is definitely a thing. Yeah. I can’t tell you. We have an inside joke here at the house about the rare circumstances where we actually put on jeans or something like that now. We refer to those as hard pants. So when I see my wife, I’m like, oh, you’re wearing hard pants. [00:03:30] Where are you going today? Like there must be something special going on cause you’re not wearing athletic wear of some sort.
[00:03:37] Bill Russell: [00:03:37] My daughter showed me a commercial for Extra gum. Have you seen this commercial yet? I think so it might only be out on the internet. It’s hysterical because the concept is everyone has been locked inside for a long time and people are in there, their coats with long beards and they haven’t shaved and that kind of stuff.
[00:03:54] And now people are starting to come out. And one of the first things you’re gonna need is Extra gum cause you’re gonna get closer [00:04:00] to people and that kind of stuff. And you see people like breaking out into the, into the wilderness. They start sitting next to each other on park benches.
[00:04:07] Then the next thing you know, they’re kissing and people break into a lobby of a new building and they, it’s clearly an office building and they’re kissing the ground in the office, but
[00:04:16] Drex DeFord: [00:04:16] I am so happy to be back.
[00:04:18] Bill Russell: [00:04:18] I’m so happy to be in this marble lobby of this high rise building out of the. But it is, it is funny. And I think people feel like we’re not far [00:04:30] away. I saw the number we’re over 50% fully vaccinated. And I think that was earlier this week.
[00:04:37] Drex DeFord: [00:04:37] I saw that nationally 50% of adults are fully vaccinated. And in Seattle, our public health department just released a notification that said that 75% of adults in Seattle have had at least one shot.
[00:04:52] So, I mean, as you would expect, we’re pretty compliant. We were one of the first cities to get hit with it. And [00:05:00] so I think it was a it’s been a big deal for us for a very long time. And so people are very compliant here.
[00:05:08]Bill Russell: [00:05:08] I think before we break out the champagne or whatnot, we still have to figure out children of course. I realized that the virus has not been as I don’t know savage on kids under the age of 18 as it has been with older adults, but still it’s a population that’s at risk, even if it’s a small percentage. And I would, we have only one vaccine is approved [00:05:30] for, and it’s not even all the way down.
[00:05:31] It’s like 12 to 18 is I don’t think that’s right. And so, yeah, we still have a population that’s at risk that we hopefully they’ll, keep making progress there and we’ll see where it goes.
[00:05:43] Drex DeFord: [00:05:43] I hope so, too.
[00:05:43] Bill Russell: [00:05:43] Which, which brings up where, I mean, we’re getting closer to that point and the conferences are, are going on. I just recorded earlier today. I met with Karen Malone, who is the head of global conferences for HIMSS.
[00:05:59] Drex DeFord: [00:05:59] Yeah I know [00:06:00] Karen.
[00:06:00] Bill Russell: [00:06:00] We recorded a real quick. What’s going on? What are the preparations that are going on for HIMSS21. And it’s interesting because a bunch of this work, they were preparing ahead of time. They needed more room. They had maxed out every facility in the country that they tried to go to right. Or rooms. So they went to this campus concept and they had started the planning for this campus concept. And it’s perfect timing because now we’re used to going into that exhibit hall, that was. [00:06:30] I mean, literally packed from one end to the other and they already had plans to really spread that out and make that a much much better experience. And that just lends itself well to this and the health conference have also announced a vaccination requirement to go to the conference. Any chance you’re going to the conference?
[00:06:52] Drex DeFord: [00:06:52] I will go to the HIMSS conference this year. Yeah. We’re going through a bunch of special procedures at CrowdStrike to get authorizations for travel and [00:07:00] all of that. It’s not a full blanket turn on event. So we’re having conversations internally about getting all of those approvals, but I absolutely believe that I will be at HIMSS conference this year.
[00:07:11] Bill Russell: [00:07:11] Yeah, and I will be there as well. I have some sponsor commitments, so I was going to be there anyway, but I’m really looking forward to it. I don’t know. I mean, it’s great to see you on this piece of glass, but it would be nice to actually see how much weight you actually have put on. I don’t know.
[00:07:28] Drex DeFord: [00:07:28] I totally agree. I have a [00:07:30] text group that I’m on with that are a bunch of CIOs and other friends of mine who are in health IT and I can’t tell you how charged up that group is about going. We refer to each other sort of competent and not confidential anymore I was going to say it out loud as conference crashers. And so the Crashers group definitely have had a whole ramble going on about getting back to the big HIMSS conference. Just because like you said, it’s going to be awesome to see your [00:08:00] friends again, see them in person. People can tell you that they’re okay and you see them on video and they say that they’re okay, but there’s something about seeing a person.
[00:08:10] Looking them in the eye and actually being able to do the check on them. Right. And we all worry about our friends and our family. So especially when so many of our friends are spread across the country. They’re not local to us. There are people that we’ve met and made acquaintances with over years and years and years. So I’m looking forward to [00:08:30] showing up and seeing as many friends as I can.
[00:08:31]Bill Russell: [00:08:31] I hate to pigeonhole you here, but you know there’s so many security stories. You’re with CrowdStrike now. and I don’t like hold all these stories. These have all really been happening over the last two or three weeks of, of things.
[00:08:45] Obviously we had a significant VMware announcement this past week, cause this show’s going to air on Tuesday. Happy Memorial Day, everybody, by the way. Yeah. The vulnerability, which was identified by VMware [00:09:00] is a pretty significant vulnerability. So they ranked it a 9.8 out of 10 and they created a patch for it on Tuesday of last week.
[00:09:10] So it resides in vCenter Server. And as we all know, a tool used for managing virtualization in large data centers, vCenter Server is used to administer VMware vSphere and ESX host products, which by some rankings are the first and second most popular virtualization solutions on the market. And one of the things that they [00:09:30] talked about is immediately following these announcements there’s a rash of activity that goes on in the internet of people looking for this vulnerability to either report on it or looking for this vulnerability to exploit it. So it’s a serious vulnerability and once it gets announced, it has to be patched very quickly. How do healthcare organizations make sure that they’re patching every instance?
[00:09:56]I mean, this is in the cloud. The cloud runs on [00:10:00] VMware, VMware spotter too, by the way. Cloud runs on VMware data centers. It runs on VMware because it fundamentally changed how the data center operates. It was such a huge operational benefit. So how do they make sure that all this stuff gets patched very quickly?
[00:10:17] Drex DeFord: [00:10:17] There are lots of tools out there that let you sort of explore your servers and endpoints and other devices to look for. Do you have all the latest [00:10:30] patches, how far behind are you, which ones are the most urgent for you to sort of engage with CrowdStrike’s from last tools like that?
[00:10:39] There are other tools like that too, but it is sort of culturally a thing that. CEO’s organizations have to build into their routines of you’re going to have patches now and they’re going to come all the time and that there are situations where you’re going to have applications or, or servers or other things where, [00:11:00] or just situations going on with the operation of the organization where you can’t apply a patch right away.
[00:11:05] And if you can’t apply a patch right away, then you have to come up with. Sort of mitigation for that compensating controls that let you go ahead and protect that device or those devices as you. Sort of timeout when you’re going to put the patch on there’s a lot of testing. Sometimes it has to happen in these things too.
[00:11:23] So you’re absolutely right. The bad guys, the adversaries, this is absolutely an [00:11:30] economy, right. When somebody like VMware anyone announces that there’s some kind of a weakness in an operating system or in an application You may not realize that you’re breached, but one of the things that if you’re breached there, there’s somebody in there who’s very quietly looking around to see if that’s an exploit that they can use on you.
[00:11:51] And if it is, they may not take advantage of it, but they merit. They may very well go to the dark web and auction that [00:12:00] access. To somebody else who will come in and does the next part of the job, right? It’s crazy to me, the more, the longer I’m at CrowdStrike, the more I spend time with our threat Intel team.
[00:12:12] The more shocked I am, I think every day at the way adversaries work with each other as a team, as a vendor community, as an operator community. It’s pretty amazing.
[00:12:26]Bill Russell: [00:12:26] I was talking to a CISO and I said, [00:12:30] what do you attribute the growth of all this activity to and without missing a beat, he said, cryptocurrency.
[00:12:36] Yeah. He said it created the economy for money to change hands. We couldn’t change hands,
[00:12:42] Drex DeFord: [00:12:42] Untraceable money.
[00:12:44] Bill Russell: [00:12:44] Exactly. These amounts with any of the standard currencies that existed cryptocurrency just created an economy for this? Just not to say the cryptocurrency is bad, but it’s one of those things that in every area we’re going to have to think through the [00:13:00] unintended consequences of cryptocurrency coming into the mainstream.
[00:13:05] Drex DeFord: [00:13:05] Yeah, that’s exactly what I was going to say. Unintended consequences in everything that we do. I mean, I think that you and I have been healthcare executives for so many years that we know that every time we do something that we think is a good idea. That we know we’re positive this is the thing that we need to do to solve a problem for a health system that we always take a step back.
[00:13:28] Cause we’ve talked about this and go [00:13:30] now what could go wrong? Right. There’s always unintended consequences. And sometimes it’s sort of unseeable. I mean, you just, who would have imagined I’m sure somebody did imagine, but who would have imagined that the concept of blockchain, which seemed to have so many good possibilities turned into cryptocurrency which turned out to be the thing that allows ransomware to happen.
[00:13:54] It’s a great argument. I’ve published a couple of things about it here recently [00:14:00] tweeted a couple of things about here recently. It’s definitely an issue.
[00:14:03]Bill Russell: [00:14:03] One of our standard operating procedures should be emergency patching. There’s going to be an emergency patch. Six o’clock at night and we’re going to have to emergency patch a significant amount of our servers. And so there should be an SOP around that.
[00:14:17] Drex DeFord: [00:14:17] Sure. Yep. Absolutely. Have a process for that. Who the teams are. Have a fast track for change control. If there’s some testing that needs to be done have a process for that. I mean, it stinks. Especially [00:14:30] when it’s a Memorial day weekend, right.
[00:14:33] Or it’s a holiday weekend or the weekend in general. It seems like we always wind up having something happen like that. That is an emergence.
[00:14:42] Bill Russell: [00:14:42] When’s the last time you spent all night in a data center. Can you remember that
[00:14:47] Drex DeFord: [00:14:47] Last time, last time I spent all my
[00:14:49] Bill Russell: [00:14:49] First of all we don’t do that anymore. Right. So we don’t go to the data center. I do. For me it was in 2011. I spent the better part of an [00:15:00] entire night in a data center as the team was trying to troubleshoot something. I think I was more there for moral support at that point. My, oh, I know technical support.
[00:15:09] Drex DeFord: [00:15:09] Me too. I was a, I was a gopher.
[00:15:11] I remember it was a big storage array outage in the data center. And yeah, I was there for like going to get breakfast and bring it back or a cooler of drinks or whatever I could do. Right. I mean, I just, I think [00:15:30] that’s, we’ve had this discussion, so it’s just good leadership, right.
[00:15:34] If everybody else is there, you should be there too. I mean,
[00:15:36] Bill Russell: [00:15:36] Yes, but it’s a balance, right? It’s a balance of solidarity from a leadership perspective. It’s about balance of solidarity. Hey, I’m in it with you and. Hey, why does the CIO have to keep looking over our shoulder? Or why does the leader have to keep looking over our shoulder?
[00:15:51]That’s a tough balance. You really have to know your team well. You have to communicate well. Otherwise they might feel like you’re erring on the side of micromanaging them. Hey, we handle these [00:16:00] things. We know how to do it, or, Hey man, that’s impressive that that person was there and they got us pizza and they encouraged us through the night. That kind of stuff, it’s an interesting leadership challenge.
[00:16:11] Drex DeFord: [00:16:11] I was telling somebody about this the other day. One of the things I used to do at all hands was the Clark Kent award. And I would hand out glasses like Clark Kent glasses, the reason being in most places that I’ve gone to.
[00:16:26] And taken over as a CIO. There are a lot of people that are [00:16:30] working super hard, but very often they’re scrambling. I mean, they are in Superman mode all the time because something is breaking and they have to step in and fix it and get it back up and running. And that’s fine, except that in change my analogies here.
[00:16:45] Sometimes it turns out the firemen are also pyromaniacs. They don’t intend to be. It’s just that they. Are so busy, they never quite finish a job. And that leaves behind a landmine that they’re going to step on later. That’s going to create another [00:17:00] outage. So to switch back to my original analogy, we love people who go into Superman mode and do all that work and make sure that the organization can stay up and running as things break, they can fix it and put it back in service. But what we really need as much as anything else, maybe more than anything else are good old Clark Kent who shows up to work every day, dots all the i’s, crosses all the t’s, creates standard work, makes processes better, has [00:17:30] continuous performance improvement as a way of sort of thinking about the way that they do their job.
[00:17:34] Because when you have those people, you have very few or much less of a Superman opportunity. So Superman moment should be the exception to the rule, not the rule and a lot of places. I’ve seen Superman moments are the way that the organization works and it’s just too much. It’s too stressful.
[00:17:58] Bill Russell: [00:17:58] Yeah. I’ll give you the language [00:18:00] that I use because when I went in as a CIO, the last place I was a CIO, I essentially said, we want to do away with the super hero culture. And we want to go to more of the NASA culture, which is if you watch Apollo 13, it’s not that there aren’t heroes in that movie, but they’re there.
[00:18:22] They work as a team. You can’t really name five people from mission control that brought that ship back, or even landed the ship [00:18:30] on the moon. But they functioned as a team. They knew what they were their role was and they perform that role to the best of their ability and whatnot.
[00:18:37] And every time I come in and they say, oh, you can’t lose that person. If you lose that person, our entire IT shop is going to go down and I’m like, All right. Well that’s a problem. Yeah, yeah,
[00:18:51] Drex DeFord: [00:18:51] Yeah. I was just going to say it’s, it’s funny that you say that because there’s definitely every place again that I’ve ever been, I’ve had somebody say [00:19:00] that about somebody in the shop. We can’t let don’t lose that person. Like they don’t get along with other people, but let’s figure out how to give them a cube in the corner and like slide pizza under the door or whatever but, but we need to keep them and. It usually turned out.
[00:19:18] There were lots of other problems around that individual. And that when you finally decided that you were going to rip off the bandaid and let the person go, people would pour out of the woodwork and say, oh my gosh, what took so long? That was terrible. [00:19:30] Tell me what I need to do. I’m happy to work over time until we figure this out and we get back off the, on our feet from that person leaving, you get so much good credit, I think for doing the right thing, ultimately that it more than pays off there.
[00:19:48] There’s always somebody though that’s hoarding all the knowledge and they are indispensable and the reality is everything’s connected to everything else. So the best teams don’t have anybody who’s [00:20:00] indispensable. They love to share knowledge. They’re very transparent. They create good standard work that anybody can follow. And the power really is. The collaboration. It’s the teamwork.
[00:20:14] Bill Russell: [00:20:14] So we’re going to talk about Scripps a little bit here. You haven’t been at Scripps. When were you at Scripps? Two decades ago?
[00:20:23] Drex DeFord: [00:20:23] Yeah, maybe it was I left in 2008. Okay. So not my fault. No, [00:20:30] no.
[00:20:30] Bill Russell: [00:20:30] Well, I wasn’t going there as much as to say you have no insider knowledge on this that, that I know of. But I do want to talk about it. It’s one of the larger health systems that have, has really succumbed to a ransomware attack, at least at the level that really brought a system to its knees. They were on diversionary procedures, they were diverting acute care cases and other cases to other facilities [00:21:00] for the better part of two weeks.
[00:21:01]This story is actually from let’s see, seven days ago. So I’m not entirely sure they’re through it yet.
[00:21:07] Drex DeFord: [00:21:07] Yeah from everything I hear, they’re not through it yet, but they have some systems up and running again. Now they’re making progress, so that’s good.
[00:21:15] Bill Russell: [00:21:15] This was a big deal. If people weren’t already awake to the threat that ransomware has for health systems and larger health systems, I think they are now. And you shared an article [00:21:30] on your 3XDrex. You’re still doing 3XDrex?
[00:21:34] Drex DeFord: [00:21:34] I am. It has turned into maybe not quite three times a week but there are still some really great stories. We have several hundred people subscribed. I hate to just leave people hanging. So yeah, I’ll continue to do that.
[00:21:47] Bill Russell: [00:21:47] It’s not, it’s not only security stuff. So people are thinking, Hey, it’s just, you’re sure it’s not, not by any stretch. You share a lot of different things, but you shared this story and I think. The reason you shared the story was to talk about the [00:22:00] takeaways more than the incident itself. Cause we don’t really know enough about the incident yet to really talking about other than it’s ransomware and it took down a significant amount of the health system.
[00:22:13]So some of the key takeaways from this article were adopt zero trust. So I had Vik Nagjee on, we talked zero trust. Why is zero trust important?
[00:22:26] Drex DeFord: [00:22:26] I mean, I just think we’ve gotten to this point in the [00:22:30] world of cybersecurity, that creating a situation where. Everything is suspect. And you need to make sure that whatever is connecting to your network or connecting to your network assets is challenged and that for sure what it is and where it’s coming from.
[00:22:48] I mean, there’s, there’s a lot of stuff that goes into the zero trust concept, but you know, for me, it’s the, it’s the two words. It’s zero trust. I don’t [00:23:00] trust anything. Everything has to be challenged and verified. And if somebody is working on really high end important assets, like your active directory or something like that.
[00:23:12] You don’t just challenge them once you may want to challenge them every 30 minutes or something, to make sure that you’re very comfortable that this person who’s doing this heavy duty stuff that could really damage your network, that this is really the person that you think they are. So zero trust, [00:23:30] hugely important, and a lot more to be written and a lot more to be done in zero trust.
[00:23:35] Bill Russell: [00:23:35] The know educating employees on cyber hygiene. I have an episode coming up. We talked to the people over at Geisinger and they’ve been able to drop their phishing attacks success rate within their organization by 50%. What I’m hearing is that still the number one way it’s people giving up their credentials or giving, giving away their access through very sophisticated phishing attacks, but that’s [00:24:00] still the number one easy way to get in the front door. We think it’s these really sophisticated things that people have written, but at the end of the day, you create a website that you know is very similar. It looks very similar to send out an email you take advantage of COVID, supply chain,
[00:24:17] Drex DeFord: [00:24:17] Whatever the hot item is of the day. That is the thing. There are brilliant technical writers who are writing very convincing emails every day and whatever the hot topic of the day is. [00:24:30] And sometimes it’s also mined from whatever you’re doing in social media. If you’re showing a real interest in something that can be a thing that they wind up writing an email that makes you a target of a phishing scam. The one way to, I have a friend who is the CIO of a healthcare organization. They have put together a program that ties a portion of manager’s bonuses to. The goodness or [00:25:00] badness of their staff reacting to the phishing tests.
[00:25:04] And so if my team is really good at it, I get the full bonus. If my team is really bad at it, I may lose that whole portion of the bonus. Now, he, they haven’t tied it to like a huge amount of money, but any portion of the bonus is motivating. And it’s created this situation where managers at the lowest level talk every day to their staff about today might be the day for the phishing [00:25:30] emails.
[00:25:30] So make sure that you’re if you think that something’s wrong, say something and that’s great culture. That’s how you drive those numbers way, way down.
[00:25:39] Bill Russell: [00:25:39] Yeah. You, you need to create a security culture. Patch hardware and firmware. We had a pretty robust process for identifying hardware and firmware updates that needed to happen.
[00:25:53] I mean, the hardest area was biomed devices for us because there were so many of them and some of them you [00:26:00] couldn’t touch or you broke them. Right. And so we had to section them off the network and all that wonderful.
[00:26:08] Drex DeFord: [00:26:08] And so, I mean, I think that’s a really good one, right? Because in healthcare, there’s lots of things like that. Not just IT and not just the medical equipment and medical devices but OT stuff, building operation systems and things like that. Plus, we always seem to have some old application that runs on you know Microsoft Bob, or something that we can’t quite get rid of for whatever [00:26:30] reason, those things also need to be segmented too.
[00:26:32] So I will tell you the other sort of takeaway on that would be. If you have a big flat network, and there’s a lot of reasons that a lot of organizations do, you really should look very carefully about putting together a plan and a program to do segmentation. And micro-segmentation because that creates another place where when a bad guy tries to move laterally there’s an opportunity that they’re gonna, they’re [00:27:00] going to trip on something and ring some bells and speed is.
[00:27:05] That’s all about catching the bad guy. If you can catch them quick and kick them out, greatly reduces the amount of damage they can do
[00:27:13] Bill Russell: [00:27:13] Drex I always use security as the driver for application rationalization. I remember when I came in, we had like three applications that required dongles in the server.
[00:27:22] And I just sort of shook my head, like how old is that? I don’t even remember the last time we had that, but in [00:27:30] healthcare they exist. And we’re looking at 800 applications and maybe even 50% more or whatever of instances of those applications, because you have the same application with multiple instances.
[00:27:43] It’s the attack vectors too large, the surface is too large. When are we in healthcare gonna see that and just crunch that down to, I don’t know, to half the number of apps. I almost think every health system should have as a [00:28:00] goal to get to half the number of apps in the next five years.
[00:28:02] Drex DeFord: [00:28:02] Yeah. I mean, in the spirit of everything is connected to everything else, security is also connected to everything. So if you have antiquated infrastructure if you have a data center with older servers, if you have end points that have kind of aged out and you’re running older operating systems on those things, the simpler you can make the environment, like you talk about application rationalizations, fewer applications.
[00:28:26] And we both know having worked at big health system. [00:28:30] Sometimes you have. Five applications that do almost exactly the same thing. And they’re just the personal preference of somebody in different departments and that requires you getting together and sort of clunking their heads together and say, let’s pick one and kill off four.
[00:28:42] It’s less maintenance. It’s fewer analysts that we need to be able to manage those applications. And when we get down to one, it’s much easier to secure instead of five. So you’re right. It’s not usually thought of as a security thing, though. Right? This is where we get [00:29:00] into sort of conversations about infrastructure upgrades and end point upgrades and printer upgrades and all those kinds of things. Security is a huge part of that simpler is easier to secure.
[00:29:12] Bill Russell: [00:29:12] Yep, absolutely. There’s a bunch of other things and monitor applications and network for unusual behavior. Ensure employees’ cyber credentials are retired at the time of their departure. And to the extent that you could automate that that’s awesome.
[00:29:27] If the data centers compromised that are moving to a [00:29:30] secure cloud environment I remember we people back in 2011, I was speaking at a conference and I said security will be the reason that health systems move to the cloud. And people just, you would think I had said something that was just completely insane because people were like, all the hands went up.
[00:29:50] Like I have a question, I have a question. It’s like, how can you say that, that the cloud is so insecure and whatnot. I’m like, well, because quite frankly, they’re just making [00:30:00] greater investments in it than we are. And they can hire better security people than we can. And that was my rationale. Is the cloud, I mean, in and of itself, there’s no more secure than the on-prem data center, but I think it’s those things. It’s the investments. It is the sophistication of the architecture that they put together. It is the ramifications. If Google gets hacked, if [00:30:30] Amazon Web Services gets hacked, all those things.
[00:30:33] I mean, so they are investing a significant amount of money to make sure that that doesn’t happen.
[00:30:37] Drex DeFord: [00:30:37] Yeah. Yeah, no, I think your logic is good, right. That cloud services probably have better security than on-prem services. That’s a terrible sort of generalization, but sort of, okay. Let’s just sort of say that that is probably true, especially when you compare small and mid-sized businesses who maybe only have one or two IT [00:31:00] people, and they’re doing their best to try to do IT and security, that it’s probably true that, that the cloud has a better security posture. Well, what happens in that,
[00:31:11] Bill Russell: [00:31:11] But it just doesn’t guarantee anything because
[00:31:12] Drex DeFord: [00:31:12] It doesn’t guarantee anything because what happens in that sometimes is that you wind up with these situations like foundations and organizations that took donations, like health systems from donors used to do that stuff all in house, in their [00:31:30] own local databases.
[00:31:31] And they manage the connections to those donors and they knew all about them and all those things. Along came Blackbaud who took all that off their plate. Right. And it was great because they could get away with a toss of the servers, toss those analysts. They could buy software as a service in the cloud, but when Blackbaud was breached, we saw there were dozens of healthcare systems that had to report to the HHS wall of shame and say that their data had been breached.
[00:31:57] Not because their organization’s network had [00:32:00] been breached, but because a third-party vendor that they had created this deep relationship with had been breached. So it’s again, unintended consequences back to kind of our earlier conversations. There are things that this seems like a really good idea.
[00:32:15] And honestly, I think it’s a much better idea than trying to do everything yourself, but there’s things you have to think about. And if you’re just moving to the cloud, you’re trying to move to AWS or Azure or something like that. So a [00:32:30] whole different set of skills than your on premise folks have.
[00:32:33] And there’s a lot of opportunities to mess that up and create a breach too. So think through it, your cloud plan has to be very carefully sculpted.
[00:32:44] Bill Russell: [00:32:44] Yeah, we I ended up talking about layers with people a lot when talking about security, because in reality, if I go to AWS, okay, they’re going to take care of these layers, but I could put a, I could put a website out there that’s going to get hacked within a week easily. Right? [00:33:00] Because AWS doesn’t protect the WordPress and above layer or whatever your content management system and above layer is. They’re protecting all this stuff down here and you can easily put an insecure application on top of AWS and they’re going to get in there and get whatever data you have out there.
[00:33:16] Drex DeFord: [00:33:16] Yeah. I mean, you’re right. It’s there, there’s no shortage of places for humans to make a mistake that can result in a breach. And so the idea that [00:33:30] you’re relentlessly monitoring all of these things for behavior that seems anomalous, and then you’re taking action on that becomes incredibly important.
[00:33:40] Bill Russell: [00:33:40] All right. Are you, are you done talking about security? I’m tired of talking about security.
[00:33:44] Drex DeFord: [00:33:44] Sure. I know. That’s like someone we talk about all the time. I’ll tell ya. I’m loving it right now. I mean, I am so immersed in it right now. It’s so new to me kind of continuing to, I learn and learn and learn every day about the stuff we’re doing and [00:34:00] it’s, fascinating, but yeah, we should talk about,
[00:34:03] Bill Russell: [00:34:03] But you know, we need, we need heroes on the front lines of this and I think we are going to attract some of the best and brightest coming out of a school coming out of the military and whatnot there, this is an interesting space to be in. I think it’s challenging mentally. I mean, it’s a constant game of chess.
[00:34:24] Drex DeFord: [00:34:24] Detective work, if you like puzzles. I mean, it is very [00:34:30] meticulous, especially the threat hunters, the folks who are actually building good security programs or organizations it’s very detail oriented. Yeah. I think there are a lot of people who are really into it, and more and more coming. I think that’s true.
[00:34:47] Bill Russell: [00:34:47] All right. Let’s hit this one, cause this is always interesting. HCA enters new partnership with Google Cloud. Okay. So the partnership between the cloud giant and national based HCA, which with [00:35:00] 186 hospitals and 2000 ambulatory sites nationwide is aimed at building next generation operational models focused on actionable insights and improve workflows. According to the health system officials, the goal is to build and refine new workflows and innovate clinical decision support to improve quality, safety and efficiency. Beyond that, the partnership is meant to empower physicians and nurses with deeper insights via 90,000 mobile devices already running software from HCA’s PatientKeeper [00:35:30] and Mobile Heartbeat teams. It’s important to note that HCA is not an Epic shop and they have some Epic instances, but it’s a very small piece of what they do. They run the 186 hospitals, primarily as the largest Meditech shop.
[00:35:45] Drex DeFord: [00:35:45] They are, they have almost there, I don’t think it’s almost have their own version of Meditech essentially,
[00:35:51] Bill Russell: [00:35:51] Essentially. Yeah. PatientKeeper was this system that sat on top of Meditech, which gave it a whole bunch of new [00:36:00] capabilities. And I think when things were not going the direction they wanted with PatientKeeper, HCA just bought it. So HCA actually owns PatientKeeper.
[00:36:09] Drex DeFord: [00:36:09] Yeah. I remember PatientKeeper, but it’s been awhile.
[00:36:15] Bill Russell: [00:36:15] Well we were a Meditech shop at Saint Joseph. I looked into PatientKeeper and it was pretty interesting. So this is another one of those deals. Let me, let me read an excerpt from, let me see which article talks about this. Google and Ascension’s well, we know that Google and Ascension story cause we talked about [00:36:30] that. Nightingale that came out in Wall Street Journal that’s when Ascension went to Google and said, look, we want to bring all of our records together and make it easier for our physicians and easier to do this kind of data work that’s required across the system, especially in a pandemic and with public health and whatnot.
[00:36:49] Then Mayo Clinic came out and signed a deal. Then Providence, there was a period where, I mean, these deals were being signed pretty regularly. So Mayo did a deal with Google, Providence did the deal with [00:37:00] Microsoft and the big there’s privacy. So HCA said Google isn’t permitted to use the patient identifiable information under the agreement.
[00:37:12] Kerlin said HCA patient records would be stripped of identifying information before being shared with Google data scientists and that the hospital system would control access to the data. In terms of the deal work disclosed by the companies. And it’s interesting before Mayo did this, John Halamka [00:37:30] did a lot of speaking about how they are.
[00:37:33] They were doing this at a much more sophisticated level. Not only were they stripping the data, there was absolutely no way that Google could see a Mayo clinic, identifiable patient record, but they were getting the benefit of that. I shared this story because I think it’s an interesting story.
[00:37:50] And I think it’s a direction that we’re going to see more and more it’s health systems tapping into advanced capabilities that we may not even [00:38:00] have the ability to build onsite, even if we wanted to.
[00:38:02] Drex DeFord: [00:38:02] Yeah, no, I mean some of this too is. It’s a good story of transparency, right? Cause I think I remember when the first was it Ascension?. I remember when the first story came out, the world was horrified and everybody, bunch of, lots of people got really upset. And since then more and more of these stories have emerged. As sort of reassuring that this actually is a good idea. And [00:38:30] with folks like John Halamka telling this story, it’s all about value.
[00:38:34] It’s all about building things that are better for patients and families. This is the only way that we can probably really do it. We have to have these big numbers and have to be in big computers and we have to have super smart people looking at this and figuring out what these patterns are. And doing it in the cloud is really the only way to do it. And so I think you see more and more of that transparency and more and more of that good [00:39:00] storytelling about why we’re doing it, how it’s going to benefit the patient which took a lot of the pressure off of of health systems.
[00:39:06] Bill Russell: [00:39:06] Yeah. Well, I mean the thing that’s different about Ascension quite frankly, is they are sharing identifiable information. But the way that it was written the access by Google is very limited in terms of them being able to actually access the record. And really it’s more of a technology play than anything else.
[00:39:24] Got it. So it’s interesting this. But this one statement in this article sorta has we [00:39:30] scratched my head. Some consider the federal law outdated saying and it was talking about essentially HIPAA saying that the law’s protections haven’t kept pace with the technology sector’s growing demand for patient data said Michelle Mello, a Stanford University professor of law and medicine who focuses on health data privacy. I would love to have Michelle on the show because I think it just, I read the statement on like the federal law is outdated saying the law protections haven’t kept pace with the technology sector’s growing demand for patient data. [00:40:00] What about the patient’s need for privacy?
[00:40:04] Since when are we writing the laws so that the, the tech sector can get access to more patient data?
[00:40:13] Drex DeFord: [00:40:13] Yeah. Yeah. Things. Yeah. A lot of things have changed since some one was 99, 98. I don’t remember when we got HIPAA, but a lot of things have changed and adaptively there. If you went through it with a fine tooth comb, there’s probably [00:40:30] adjustments and changes.
[00:40:31] Bill Russell: [00:40:31] I’m not arguing. It’s not outdated. It really does need to be, we need to re-look at it.
[00:40:36] Drex DeFord: [00:40:36] But the driver shouldn’t be that the tech organizations need access to patient data. I got it. Got it. Yeah. Yeah.
[00:40:42] Bill Russell: [00:40:42] Lets just have Amazon, Microsoft, Google sit down and write the new HIPAA law. Yeah, it doesn’t, it doesn’t sit well with me. Let’s see. Do you have time for one more story?
[00:40:56] Let’s do it. Alright. Rethinking the [00:41:00] waiting room. So I covered that earlier last week or earlier this week on the today’s show. It’s an interesting concept. So COVID has essentially changed that it absolutely changed the waiting room for a period of time.
[00:41:15] Right. So safety was paramount. We adopted a lot of scheduling things and a lot of, a lot of remote types things we adopted telehealth and whatnot. What do you think? I mean, let’s just put on our dreaming hat. [00:41:30] Cause I posted this on social media and one of the first posts came back from Lou Reeder who said we have to eliminate the waiting room.
[00:41:36]And that’s, that’s mirrored by other people in the industry who said we need to eliminate the waiting room and everything that it stands for, but is that possible? Are we going to get there? And I dream with me for like, 10 years out from now, how would we minimize the waiting room?
[00:41:57] Or how would we enhance the wait? [00:42:00] Cause there’s always a wait. Right? So if, if my loved one is in critical care, I may have to sit somewhere in that hospital and wait. So we’re not going to eliminate a waiting room. I want to be near them and I may not be able to be in the room. So we have to design areas where families can hang out.
[00:42:17] And those kinds of things. I think what a lot of people are thinking about when they say eliminate the waiting room, it’s that waiting for the doctor and then going into the room and waiting for the [00:42:30] I, I’ve now gone and I’m sitting on the culture paper, but I’m still waiting and I see them and I only see them for six or seven minutes.
[00:42:37] And I’d say I just waited 45 minutes for a seven minute consultation. Yeah. That’s what we want to eliminate. What could that look like in a decade, do you think?
[00:42:46] Drex DeFord: [00:42:46] Man, I this is one of those things that for me as a Toyota production systems guy, the waste of wait is one of the seven deadly wastes, right?
[00:42:56] The waste of wait is, I mean it, it upsets the [00:43:00] apple cart all over the place. And what it means is that if you have people waiting, queuing for a piece of work to be done, that the system that you’ve built has inefficiencies. And so there’s always going to be, I think you’re right. There are always going to be waiting rooms for folks who are, who are waiting for a surgery to happen to a patient. And they are, they just want to be at the hospital in case something terrible or [00:43:30] great happens. They just want to be close by. That, that isn’t the kind of waiting room that I think we’re talking about. That’s kind of a, whatever, circling an orbit, waiting for a patient, something happened to a patient. The waiting room you’re talking about is exactly that. Will you be able to show up just the nick, as soon as you walk in, somebody’s there to greet you, take you right into the room. The information that you have to fill out on paper today is done before you arrive.
[00:43:58] You only do it once you don’t do it [00:44:00] every time you show up for your appointment. If you’ve done it in another part of the organization, that information is available to that appointment. So that, that just that one part. Hugely maddening part for all of us, if that could go away would be a huge win.
[00:44:14] But if you could get people to go right into the right into the doctor’s office, the doctor’s waiting for you. She does the exam asks you the questions helps you make sure that you’ve got your prescriptions. They [00:44:30] know where your prescriptions are going. They send them off automatically ordered.
[00:44:33] So you can pick them up on your way home, or maybe on your way out, depending on the. The way that the care facility is designed. I mean, those are the kinds of things that to me would be, that would be a huge win, just walk right in and walk, right in, not have to stand around and wait for something.
[00:44:50]Bill Russell: [00:44:50] David Chou posted something this morning, which was interesting just about what will the home, I forget what the post was, but it was essentially at your doorstep, [00:45:00] at your doorstep. Yeah. So you saw that And my comment to that was it depends whose time we’re trying to save here. And I sorta like. I’ve owned a Tesla for a while now, and it amazes me the amount of work they can do in my driveway. They actually come out and fix my car in the driveway. Now there are some things where I’ve called in and said, Hey, I’ve got this problem. And they’ll say, yeah, you got to bring that one in.
[00:45:27] And I liken that to sort of healthcare and [00:45:30] say is there a situation where via telehealth, we can say, that’s this go to this location, which has a less of a wait and is more designed for this or this. And you go over here or you don’t stay in your house. Yeah, we’re gonna, we’ll either send you medications or we’ll send you a person who’s going to come out and just do a basic blood pressure check, grabbing your lab,
[00:45:54] Drex DeFord: [00:45:54] grab your lab, take it with them, right. Instead of you coming in for this, where’s your office, I’ll meet you in the [00:46:00] office and your software updates for your Tesla is almost like the wellness person calling you regularly and making sure that have you been checking your blood pressure and are all the all this stuff that you’re supposed to do? It’s kind of interesting. Yeah.
[00:46:13] Bill Russell: [00:46:13] Well, one of the most fascinating stories I read this year was Firefly Health, raised a bunch more money and it’s Jonathan Bush’s new thing. And actually somebody else is the CEO, but he’s chairman and he was founder. And [00:46:30] he was talking about how, on average, the clinician saw the patient within the Firefly Health system that they’ve designed, which is to eliminate all this waste that exists 60, I think it was on average 65 times last year.
[00:46:46] And I’ve sent that to a couple of people and they’re like, what, why would you see a physician or whatever, 65 times? I’m like, well, first of all, it’s not a physician. And it’s not always a physician
[00:46:57] Drex DeFord: [00:46:57] by your healthcare provider, 65 [00:47:00] times. Exactly And it could have been an email.
[00:47:02]Bill Russell: [00:47:02] And it becomes a question of I have health questions all the time. I just don’t, I don’t think to call my health system or my doctor or whatever. I just go to Google
[00:47:12] Drex DeFord: [00:47:12] Dr. Google
[00:47:14] Bill Russell: [00:47:14] with this however, they’ve set it up within Firefly health and I’ll have to have them on the show to have a conversation around this. How are they set it up? It’s easy enough to just reach out and ping a healthcare professional or a nutritionist or someone to that effect and say, Hey, I’m [00:47:30] walking through the aisles.
[00:47:30] I’m thinking of buying this. I have diabetes. Is this a problem? And that’s a touch. I mean, that’s a touch with the healthcare professional rather than I guess, going to Google. And not that I don’t trust me because I had clearly rule, I talk to Google 20 times a day. So
[00:47:50] Drex DeFord: [00:47:50] for Google, for you to a hundred different places, these guys actually it sounds like have a model of coordinated care. So, I mean, it just imagine if you were in the grocery store and [00:48:00] just texting somebody, that question, they were responding to, you. Like it was your sister, the dietician or your your brother, the nurse you could trust that that much, that would be when w dreaming right. And ideal world, that would be the situation that you would want, people that you know are on your team to keep you in the game, keep you healthy and out of pain. That would be ideal. Would be awesome.
[00:48:28] Bill Russell: [00:48:28] Absolutely. Drex it’s [00:48:30] always fun to talk to you. I never know where we’re going to go with the conversation.
[00:48:32] Drex DeFord: [00:48:32] I don’t either but I really appreciate you having me on it’s always a good time.
[00:48:36] Bill Russell: [00:48:36] Yeah, it’s fantastic.
[00:48:38]What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show. It’s conference level value every week. They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts, [00:49:00] Apple, Google, Overcast, which is what I use, Spotify, Stitcher. You name it. We’re out there. They can find us. Go ahead. Subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, StarBridge Advisers, Aruba and McAfee. Thanks for listening. That’s all for now.