We've all heard "trust but verify." Zero trust takes it to the next level: don't trust anyone, and verify. This model is becoming more prevalent in health IT. Vik Nagjee joins us to discuss how health IT is implementing it.
Bill Russell: 00:00 Welcome to This Week in Health IT Influence, where we discuss the influence of technology on health with people who are making it happen. We are the fastest growing podcast in the health IT space. My name is Bill Russell, recovering healthcare CIO and creator of This Week in Health IT, a set of podcasts and videos dedicated to developing the next generation of health IT leaders. This podcast is brought to you by Health Lyrics, health IT. Do you need to do more with less? We’ve been in your shoes. We know where to look. Let’s talk. Visit healthlyrics.com to schedule your free consultation. If you’re enjoying the show and want to support our mission to develop the next generation of health IT leaders, there’s five quick ways you can do that. Share it with a peer. Share it on social media. Follow our social accounts: LinkedIn, Twitter, YouTube. Send me feedback and questions and recommend recommendations.
Bill Russell: 00:53 You can do that @billatthisweekinhealthit.com or you can subscribe to our newsletter on the website. So let’s get to it. So today we’re joined by Vik Nagjee, the, uh, CTO for Sirius Computer Solutions, for a second visit to the show. We actually touched base, uh, during the HIMSS show. Uh, good morning, Vik, and welcome to the show.
Vik Nagjee: 01:13 Good Morning Bill. Thanks for having me.
Bill Russell: 01:15 Well, you know that the last time was a very well received and it was a, we just completely geeked out, talked about infrastructure, talked about cloud, talked about microservices and uh, and it seems like a, the audience wants to hear more about that, so I’m looking forward to it. Um, so what kind of, what kind of things are you working on now? Are you working on anything interesting right now?
Vik Nagjee: 01:40 Yes, I am actually. And thanks for having me back. I just wanted that point of clarification. Um, I am responsible for the technology for our managed services group. Uh, we have, uh, we have a corporate CTO, great guy, Chris Mierzwa, you should reach out to him and have a chat with him at some point, but just wanting to make that point of clarification. So I spend, I spend my time split between the managed services group and our healthcare team. Um, and we have, we have, uh, we have a few good things cooking at the moment. Um, my interest and focus is, Bill, you know, as, as you said, we geeked out, uh, is very specifically around infrastructure and the impact of infrastructure and technology on sort of as this next generation of healthcare, uh, around being able to drive, um, you know, uh, digital innovations and improvements in quality and care and drive the prices down of health care and improve, uh, all sorts of sort of patient experience, physician experience and so on.
Vik Nagjee: 02:36 So, um, I take all of those things and try to figure out how do we, how do we create a good baseline? And for me sort of, it all comes back to the infrastructure, right? Because, you know, we have this whole bag of things that we’ve, that we’ve had and we’ve been carrying them along and we bring along with us, you know, our Ehr, all of these other applications, we can just say goodbye to those. So we did take care of those and we have to have an eye to the future. So that infrastructure is really the glue that kind of brings everything together for me.
Bill Russell: 03:07 That’s great. So a CTO of the managed services side, and you’re, you’re also a focus in on healthcare. So I, you know, I’m not trying to get you in trouble with the rest of the organization. So managed services, so you have, um, uh, you, you have a service that you guys are offering to healthcare. Uh, and what levels are you doing a application outsourcing you doing just infrastructure outsourcing you doing, uh, you know, what, what kind of managed services, uh, in, in terms of the stack. Are you doing?
Vik Nagjee: 03:37 Yeah, it’s a really, really interesting space to be in, you know, especially in healthcare. Right. So I’ll, I’ll describe to you a couple of different things that we’re doing and that we have been doing for years and years and years across various industries and, and uh, and, and, uh, focus areas. So we, we are very good with infrastructure and so we’ve been doing things like manage-in-place, hosted infrastructure, uh, for, for several years. I, in fact, our pedigree and our background and we still, the biggest part of our business at the moment is around, uh, is around the mainframe. Uh, so a lot of financial sector, uh, clients, et cetera. And so we, we come in and we provide these manage-in-place, uh, services. Uh, we also provide hosting services as you, as you would imagine. But what we do in healthcare is a little bit different, right?
Vik Nagjee: 04:24 Because health care, you really have to understand kind of your ecosystem. Uh, I’d all, everybody says, yeah, well, you know, it’s just another, it’s just another vertical, but it really is not. Um, um, and so what I, what I qualify there is that we sort of offer a platform as a service. It’s a, it’s a little bit different than infrastructure as a service or application as a service or managed application. It’s a PaaS because at the end of the day, it’s the best, um, and uh, technology and infrastructure that you want to deploy for your environment. Uh, and all of the care and feeding that goes with that, including lifecycle management, refreshing, making sure your performance, uh, metrics are met or exceeded and so on. So, so, so that’s what we have. And we have a very unique, um, uh, value proposition specifically for clients that are, uh, that are Epic customers.
Vik Nagjee: 05:17 So customers that are running Epic. And you know, given my background and, and sort of my continued relationship with Epic, um, what we’ve done is we’ve created a, a, a platform as a service offering that could change, you know, let’s just say it’s a five year term over those five years, essentially, what a client ends up getting is that they can say, I don’t care about what goes in. I don’t care about how it’s run. I just want you to guarantee two outcomes for me, performance and availability. And that’s it. And so what we do is we take that, we take all of the best practices from Epic and we create this very nice bespoke environment for the client that can run in the client’s data centers to maximize their existing investments or it could run somewhere else. It doesn’t matter.
Vik Nagjee: 06:03 Like if you don’t like your data center, happy to run it somewhere else. But here’s the beauty of it. It’s a five year term that then gets turned into a very utility cloud-like model. And I know some people don’t like that term cloud-like but I’m going to use it anyways. It’s a very utility model is basically says, look, we are going to turn this into a KPI that matches very nicely to what your Epic environment is, which is essentially how many concurrent users per hour you have. So what are we going to end up doing is we’re going to turn this into a model that says this is your price per concurrent user, per hour for the next five years. And it’s flat and it’s fixed. So if you do an M&A, right, and you go out on, you’re acquiring your hospital and bring them in and you have to add a thousand net new users, you know exactly what that’s going to cost you from an opex standpoint. And we take care of all of the care and feeding, the upgrades, the refreshes, et cetera, et cetera. So that’s what, you know, that’s, that’s one area of what we’re building out. And then there’s a whole bunch of others, other things.
Bill Russell: 06:58 Cool. So, uh, you know, our topics for today are going to be infrastructure and security. Um, it’s interesting to me that you, you say, you know, people still don’t like the utility cloud, uh, kind of model. Um, uh, you know, why, why is that? Do people just don’t understand it or is it too, uh, I, I don’t understand why people are still a balking on cloud at this point, or at least the terminology.
Vik Nagjee: 07:22 Well, so there’s two different things, right? So there’s the cloud thing, and then there’s the utility thing. And I think the utility thing is, it’s sort of easier to grasp in terms of why there’s, there’s still a little bit of friction. I think it all comes back to the legacy or the really the legacy way that we have gone, gone about financing things within healthcare. So when you talk to, you know, 10 CFOs, there’s a good chance in healthcare, there’s a good chance that a lot of them, eight, nine of them would say that their budgeting process is still very capex oriented. Right. And so to shift from there to an opex basis on the basis of how the IT department is funded is a process. It’s a journey. It’s happening. It’s just not that easy today to say, I’m going to take all these capital intensive dollars that I’ve been spending over the years and instead turn this into a very operational, you know, uh, a focus.
Vik Nagjee: 08:15 Now what’s driving that and what’s driving it to be easier is not the cloud conversation, but it’s the cloud like conversation for your own data center and for your infrastructure and applications. Simply because there are applications out there. I’m not going to name any names. There are applications out there that very closely hug Moore’s law, which basically says that as you keep this application going and you do your own upgrades, you’re like regular, you know, on a regular basis, every year, every year and a half, you’re going to have to refresh your infrastructure roughly every 18 to 24 months. And that’s a big lift and you’re not going to get any residual value out of it. So what’s the point in capitalizing just doesn’t make sense. So that is what’s driving a lot of these conversations today. And, and, and that then allows us to be really good stewards for the clients.
Vik Nagjee: 09:04 Say, Hey, let’s look at what else might you be able to take advantage of in the cloud world with all the awesome stuff the hyperscalers are doing. Like, look at Dr. Cosgrove, right? He goes up there, he goes and he’s an advisor with Google, he talks about all these amazing things that can happen, but there’s a gap, right? There’s a gap between where we are today and where we can get to. And that’s, that’s what I really want to dedicate the next part of my career to, is like helping people close that gap and get there.
Bill Russell: 09:32 Yeah. It’s interesting when I think part of the challenges when we talk about cloud, we’ve talked about it like it’s one thing and it’s, it’s not, you know, there’s, uh, there’s application as a service. You have your, your Workdays and your, uh, and your Office 365 and other things. You have a platform as a service. You have your Azure out there, you have your AWS, you have a infrastructure as a service, which is, you know, again, another completely different model. And a, you know, when you talk about a Dr. Cosgrove and, and some of the things that Google and Amazon and the services that you can get, you have a whole set of suite of services that are out there that you need to tap into. And if you are going to tap into them, you need to do things with your data to get there.
Bill Russell: 10:12 And we sort of talk about them like they’re the same, you know, it’s, it’s cloud, it’s in this one bucket. But that one bucket is, is five different things. It’s like healthcare, we talk about healthcare like it’s one monolithic thing and it’s not, it’s, uh, as I’m fond of saying, you know, healthcare is 100 businesses tied up into one umbrella called healthcare. And that’s what makes it so complex. People think, well, why can’t we get healthcare right? Well, get what right? I mean get, uh, you know, dentistry right, get a orthopedics right, at, um, you know, get labor and delivery right? Each one has their own workflow. Each one has their own complexity. Each one has their own set of technologies. Uh, and it has some similarities, but for the most part it is a hundred different businesses under one umbrella. And I think that’s what, what, what makes cloud a little confusing to people.
Bill Russell: 11:01 I agree with you in terms of the financial model. Um, I, I’ve, I’ve had conversations with CFOs and they look at it and they go, um, you know, it, it doesn’t look like I’m saving money. And it’s like, well, it depends what you’re trying to do. If you’re trying to save money, we can put models together that save you money. But at the end of the day, if you’re trying to do apples to apples, hey, this is what we’re doing today in our internal environment and this is, we’re going to do the same thing in our external environment, then yeah, you’re not going to save money. You need to really rethink and re-architect how you’re going to do things, which is where, how we get to you. You’re, you’re an architect, you, you look at things and, and you try to rethink how healthcare is done today. So, um, you know, I sent you a list of a couple of topics. We’re going to start with security because security is foundational to everything. You came back to me and said, uh, you know, you’d like to talk about zero trust. Give us a baseline, help us to understand what zero trust is and we’ll go from there.
Vik Nagjee: 11:57 Yeah. So it’s really, it’s a really, I think it’s a really exciting time to be in health. Every year is an exciting time to be in healthcare. Really. Um, but, but what’s really special about now is that what I’ve seen, and I saw this at the, at the Cleveland Clinic, right, where I served as the interim CTO last year, uh, where the CSO there, uh, doing a little bit the name of [inaudible], he came over from Blue Cross Blue Shield, right? So we’re seeing some CSOs coming into healthcare from external fields and they come in and they look at the state of the state and they were like, oh my goodness, what is going on here? Right? We’re, we’re flat. We’re wide open. Okay. From a, from a, from a network perspective, from an onboarding perspective. And there’s a good reason why we got there.
Vik Nagjee: 12:43 So they come in and it’s not just moved or there’s like a bunch of other people that are, that are in the same, in the same shoes. They have a lot of experience from different fields and they come in and like, why haven’t we embraced zero trust? So the first question was, what is zero trust? Never heard of it in healthcare. And so then you start doing some research and this thing’s existed since 2010 is when Forrester coined it, right? And, and the basic premise is super simple: never trust, always verify, end of story, right? You bring something onto the network and if it doesn’t meet or exceed certain criteria, it’s completely black-holed. It’s put away to the side where you can go do something with it. Now let’s just think about that for a second, right? Without getting into the technologies of how that happens, the NACs, the microsegmentation, any of that stuff.
Vik Nagjee: 13:32 Let’s just think about the impact on healthcare. So we have an environment which has things that are on the network and then it has internet of things and then it has internet of medical things. But these are things that are attached to other things which are attached to people, right? ’Cause then you can’t take and start black-holing these things and then you’re going to impact patient care. You’re going to impact a whole bunch of stuff. So what’s been the easiest over the last, you know, five, six years as these internet of things or internet of medical things have just exploded within healthcare is, and I don’t mean to offend anybody, I’m guilty of this as well, is the head in the sand approach, right? To say, look, we’ve had this a certain way for so long, let’s just keep going and let’s keep protecting the perimeter.
Vik Nagjee: 14:17 We protect the perimeter well enough, you know, we should be fine, right? And then there’s all of this theory, which is all real. I mean these are, these are actual studies, right, that show that your perimeter defense is pretty much not worth anything these days, right? If you talk to Wes Wright from Imprivata, great guy, good friend of mine, he’ll tell you that the perimeter is you, right? The person, the individual as the perimeter. And that’s really where we need to get to. Um, and so, so you started looking at this whole thing. It’s like, okay, how do you bring this concept of zero trust, which has a capability maturity model that’s way beyond anything that we have in health care organizations today. How do you bring this whole never trust, always verify approach to health care? So that’s where we kind of find ourselves today that,
Bill Russell: 15:08 Yeah, no, that’s great. So that’s a, that’s a, that’s a good overview in terms of, um, you know, always or never trust, always verify, uh, is, is, uh, is the framework and then you end up with a, a, a core set of technologies underneath that, that support that. Uh, it’s interesting because for awhile there, uh, let’s call it a, in the two thousands, um, you know, we were all, we were all trying to simplify our networks and that’s, you know, one of the things we talk about simplification of the architecture and we were all trying to simplify our networks, which meant, you know, flattening them out, making them easier. And then security professionals who come in and look at us and go, what’d you do? Well, we simplified the, simplified the network. They’re like, oh, don’t simplify the network. You just simplified it for everybody, including the people who are coming in. Um, so, uh, so this, this does take us sort of a, you know, we do want to build some complexity in here. We want to build microsegmentation around especially around key resources. Uh, we want to log things. We want to track those things. Give us an idea of what the technology stack might look like around zero trust.
Vik Nagjee: 16:18 Yeah. So I, I will, I will say something here that I, I think that instead of saying that we want to build complexity, I think what we want to build in frameworks and some rigor is what we want to build rather than building complexity. And you’re absolutely right. There’s two approaches, right? So the one approach is like, oh my goodness, I need to rush out and make this so super secure. Uh, and, and, and the risk there obviously is, A, you’ve just made your most valuable asset, which is your network, which everything resides on and runs on, very fragile. And then B is as you’re doing this, you’re most likely going to spend a lot of money doing it. And you’re very likely that you’re going to end up breaking, you know, bringing things to the point where now it’s more open than it was before.
Vik Nagjee: 17:02 So we’ll leave that aside. But I think that, and so this is, so this is really the key in the heart of it, right? So there are frameworks that exist that tell you how to get to zero trust. And there’s some technologies, as you mentioned, that live, uh, in that ecosystem, right? So it all starts from the network and we’ll just step through some of these simplistically, right? And then I’ll talk a little bit about how I feel organizations ought to go about this. Um, so at the heart of the network, there’s sort of a control plane, right? Which is called many different things. A lot of folks call them a NAC, network access control, which basically is the brains of the network that tell you what should and shouldn’t be on the network. And then what is the network? And there’s a definition of the network and the network instead of being this one flat wide open thing ought to be, this model ought to be a different segments or containers that have like things in each container, right?
Vik Nagjee: 17:57 And the whole principle is that you have designed your entire environment to say that like things can talk to like things. When there’s conversations that have to happen across those containers, there’s a very well defined protocol and process and path that’s followed across those containers. That’s essentially microsegmentation, right? So the NAC decides what is on and off the network. So it’s basically the authoritative measure that says, I am going to go in and enforce any policies that are put in place. The containers themselves are part of a microsegmentation policy and then you can then start to say, okay, I am going to now expand the layers of the onion, if you will, and go out towards more towards the perimeter and then start working with things like next generation firewalls to say, I am going to dynamically write rules and rewrite rules as I need to when I start to see behavior
Vik Nagjee: 18:53 that’s occurring within my environment that I don’t expect to occur. So it’s a very dynamic process, self learning, self healing type process with the trick really being that I need to be able to have a very good, uh, understanding across the environment to say what is, uh, what’s normal, what is expected? How do I bring assets onto my environment? How do they connect to the network and, and where do they sit within the network, uh, and on and on and on and off. So there for like a lot of hygiene related things and you have to answer. So before I hand it back to you, the one thing that I’m going to say here is that, and this is another reason why I decided to sort of start focusing on this whole zero trust aspect today is ’cause I think that it’s absolutely wonderful. I think we absolutely need it and the time’s right,
Vik Nagjee: 19:42 because the technologies exist to allow us to do that. B, and again, I’m not going to name any names. There are, there are several, um, several organizations out there that are very focused on going out and having healthcare provider organizations spend a significant amount of time and resources and they hand them sort of a document, which is this fat, right, big book that says this is what zero trust means and this is what your worlds look like. See you later. And they leave, right? And that really bugs me. That bugs me because that’s like not helping anybody, right? So, so what we want to do is we want to say, okay, let’s just understand this. Let’s create this in concentric circles. Let’s really figure out what the, what the, the, the highest risk area in terms of cybersecurity is in your environment and let’s go address the risks there
Vik Nagjee: 20:37 by totally implementing zero trust for that particular area. And then start in concentric circles and go out. And it’s actionable. It’s something you can actually see and feel. Right? And the one more thing I will tell you there and then I’ll hand it back to you is that as we start going further out and zero trust is getting big in healthcare now, there’s like as of last count was 19 startups in this particular space focused on zero trust in healthcare that are now going and taking up all of the available bandwidth of CSOs and CTOs in healthcare provider organizations and say, Hey, pick me, pick me. Right? And then the challenge is that they go in and they say, I’m going to do a POC, and the POC is around being able to do discovery and they discovered that there’s 40 infusion pumps that are massively critically vulnerable and they turned that into a report and give it to the CSO and the CSO’s like, what do I do with this now? I have no processes in place, I have nothing to deal with, right? How do I actually take and do something with this? Or stop the POC, let me go, let me go figure out how to fix this, and then we’ll come back. There’s another sort of semi head in the sand approach.
Bill Russell: 21:48 Wow. There’s so much to jump off of. Um, I’m going to try to keep us on track there. I mean the fact that yes, there are, there are a jillion security plays out in healthcare right now and uh, and I was noticing that, you know, seven, six, seven years ago that there was just growing number and that number is just shooting through the roof. Part of that is, there it is. Uh, well part of that is the need for it. A second is there’s always money to be made whenever there’s fear, uncertainty and doubt. A third is the board has finally come around to the need for security and so they’re pushing things that they don’t necessarily understand. Some do, uh, typically there’s one, uh, security conscious person on the board who has a technology background and they say, okay, you’re, you’re the person we trust on security.
Bill Russell: 22:39 Um, I’ve been in those board meetings where really you’re talking to one person, even though there’s 10 people in the room, uh, talking about security because there’s only one person that’s really grasping some of the things you’re talking about. Um, but let’s, let’s jump back. I want to stay on zero trust real quick. The, uh, Wes Wright would say identity is the new perimeter and because you know, your people are your, your, uh, your, your biggest vulnerability, it’s your biggest attack vector. If you have, you know, 30,000 employees are scattered around the world, uh, that’s, that’s the attack vector that they’re going to use. So if identity is the new perimeter, then it becomes important. Part of zero trust is, uh, looking at activity across the wire. So it’s logging and it’s actively monitoring that, the things that are going across the wire and then, um, dynamically changing your network and whatnot based on what’s going across the wire. Because we know that, uh, you know that again, that’s your biggest vulnerability. Uh, when I had a pen testing and those kinds of things, uh, in, in our environment, I always allowed them to do social engineering. And invariably we, a lot of really good things set up across the board and social engineering, we failed every time because people just hand over their security credentials. So, uh, talk to us about how zero trust addresses a identity and the, uh, the, you know, as the perimeter, uh, for securing individuals accessing your, uh, environment.
Vik Nagjee: 24:06 Yeah, absolutely. Um, I know I’m going to refer back to this really great model that I’ve seen. Um, what, where Mayo Clinic is actually working on this model. They’ve talked about this publicly. Uh, so I feel fine talking about this a little bit, but essentially what they’re doing is that they’re putting, they don’t call it the zero trust framework, but it is the zero trust framework and they’re working towards this across their entire enterprise. So they have like this list of, um, themes, right? Uh, people is one of those things. Uh, then there’s, you know, end user devices as medical devices. There’s all sorts of other stuff on those servers or et cetera. There’s all these things which are essentially assets or sources, right? Um, and what they’re doing is that they’re putting together this entire framework that includes identity access management and a very robust PKI process to make sure that systems are authoritatively allowed or disallowed on the network and on the environment, uh, from onboarding to offboarding, the entire life cycle of, of those systems.
Vik Nagjee: 25:14 Um, and uh, and then there’s, you know, there’s a few other, there’s a few other areas there that are being sort of brought together. So bottom line really is, is that, you know, as you said, I think the biggest place for us to start, I think that there’s two things that come together. One is discovery, right? You have to know what’s on your network and, and you, and there’s a lot of tools out there that help you with discovery. Some are better than others. Um, but essentially just take a path, figure out how you’re going to do this discovery, however you also have to do the second thing hand in glove. And this was part of one of your questions, sort of leading into there, is around ITSM, right? The whole concept of being able to bring and build your CMDB and be able to say, okay, what does my source of truth look like?
Vik Nagjee: 26:01 I have many sources of records. I need you to be able to build a source of truth and it cannot be static. It’s just like your network. It’s a living, breathing thing. So you need to keep it, you know, keep it reconciled. You need to be able to say, here are all my CIs or the attributes for each of these. And every time something changes in my environment, I have some process. So I might have a holding tank to say, Oh look, I’ve noticed some differences based on my CMDB, what’s going on. And I have a process to go reconcile it and say, okay, these things were added to the whole old IMAC process. Right. Um, and, and you say, okay, I have been able to find these things. I’ve added them, some of them moved, some of them removed, some of them changed, whatever. And then reconcile your CMDB, uh, on an ongoing fashion, and where those two come together is the ongoing discovery of what’s on my network, which is the authoritative sort of without any question as to what is on my network. Uh, and your CMDB sort of bring in both of these things together to help you be able to build out now a zero trust framework, even know where to start. Like, how do you build these containers and what belongs in each of these.
Bill Russell: 27:09 The, uh, to be honest with you, where does it start? The search back further? And when you said the word CMDB, you lost half our listeners. And the reason we’ve lost half our listeners is not that they don’t know what a CMDB is, but, um, I don’t know what your experience with is as you go out there and talk to healthcare organizations. But, uh, at best their CMDB is dated. Uh, at worst it doesn’t exist. And, uh, I would say, you know, that’s been a majority. A majority either don’t have one. Uh, it’s bad data. They haven’t really figured it out. They haven’t kept it up to date. Um, and so if you’re going to start by saying, hey, your CMDB needs to be accurate and that’s going to be the source of truth for what’s on your network, they’re going to look at you and go, uh, all right, well we’ve got a lot of work to go to do before we start this project. Um, so what does, what are we talking about? I mean, how long does it take from the time you go in there and you sort of do an analysis and say, okay, we’ve, we’ve got a lot of work to do. Uh, till they feel fairly secure about what they have.
Vik Nagjee: 28:17 So go back to your question, right. I, I would venture a guess that a vast majority, like 80%, 90% either don’t have one or have one that’s been, that’s super dated, right? There are a few, again on the basis of, yeah, CTOs and CIOs coming in from different verticals, different, you know, different parts of the world, different parts of our world, uh, or outside of our world that has sort of been working on this hygiene of CMDB on the basis of ITSM. Right. So ITIL and ITSM is something that is getting more and more prevalent. So we have a starting point, at least across many organizations. I mean how many organizations have gone out, for example, and bought ServiceNow. Right? And what are they doing with that? Well, they’re doing very rudimentary service desk at the moment, but the investment that they’ve made, even if they’ve invested in ITSM, the investment that they’ve made is significantly beyond in terms of value compared to what they’re using it for.
Vik Nagjee: 29:13 So the good news there is that there’s an investment that we could sort of take advantage of. Now that it’s your second question, it’s a long process, man. It’s not, it’s not something that somebody is going to go in and be like, here you go. There are ways to do it. Again, this is part of the simplicity thing that I believe in, right? There are ways to do it to get some quick, quicker, more immediate results, but that is going to sh you’re just going to shoot yourself in your foot over and over again. It’s like a, it’s like my six year old running around, you know, the outside with a fork in his hand, right? It’s like, no, please don’t do that. That’s just not a good idea. And so, so, you know, it’s like, okay, how do we go about this in a methodical fashion?
Vik Nagjee: 29:55 Right? And this is again, part of the thing, Bill, that really drives me nuts is that you have vendors, OEMs, ISVs all coming at, you know, the CIOs, the CTOs, the CSOs and saying, hey, my thing’s the best thing, even though their thing might be the best thing. It’s like the small little thing in this big picture, right? So my thing is the best, I have the best NAC. What am I going to do with the NAC if I don’t have a good process to understand, A, what’s on my network and, B, cataloged. Right, right. And so, so it’s a journey.
Bill Russell: 30:31 You know, and we can go back and forth on this because you know, there’s, there’s people that are coming in and they essentially say, hey, there’s a technology solution to your problem. Just go ahead and get ServiceNow. Then there’s people who come in and go, hey, if you just do ITIL across the board you’re going to be in good shape. And I’ve seen people get wrapped around the axle on ITIL, uh, over and over again. Um, and uh, you know, you have people coming. I mean, there’s a lot of different ways that people will come at healthcare and say, hey, if you get the, if you build out an accurate in good shape, if you build out ServiceNow, you’re in good shape. If you build out the CMDB, you’re in shape. And each one of those is a component of it. Um, but here’s, here’s the other reality.
Bill Russell: 31:05 As much as boards are saying, hey, this is important, they’re not funding it. Um, and I’ll, I’ll say it so you don’t have to say it, but they’re not funding it. And so the other thing that happens is the, uh, you know, so they put ServiceNow in and they, they allocate one person to it. We put this technology in and we put one person around it. It’s like, no, no, no, that’s not a one-person project. That’s like a, that’s like an entire IT project. Yeah. And you have to pull in a lot of resources and so that the price tag keeps going up. And then eventually you’re sitting in front of people going, well, what did we really get for ServiceNow? It’s a great tool, by the way. I’m, I’m not knocking ServiceNow. I think it’s a phenomenal tool. It’s an expensive tool and it’s an expensive tool to run, uh, you know, it’s not just one person, it’s multiple people.
Bill Russell: 31:51 And there’s multiple modules and things that it can do. So if you’re going to get the most out, it’s a lot like, uh, uh, like salesforce.com. Healthcare organizations go out and get salesforce.com and think, oh, we’ve got salesforce.com, we’ve got the best marketing tool in the world. Well, great. Now you have to like put 10 people around it so that you can actually get something out of it. And they go, what do you mean 10 people, that’s ongoing cost of x and y and plus it’s the cloud, so I’m paying for it every year, every month, every year. So that becomes very expensive. And that’s how people are sort of looking at ServiceNow. They’re saying, what have I gotten for this? It seems like the cost keeps going up. Um, so ServiceNow is integrated into a, I don’t want this to be about ServiceNow.
Bill Russell: 32:33 It’s, it’s more about, um, are we not funding this right? And we’re not thinking about the funding, right? It’s number one. But the second question I want to ask you is how much is enough? I mean, cause you and I both know if we had a five-tier model for security that we were measuring and we were shooting for the third level, we weren’t shooting for five because five was like NSA kinda, we’re going to keep ’em out. And we just looked at the price tag and said, no mas, we can’t do it. We can’t do it and still be a health care organization. Um, one you had to get off of one because one was like, hey, come on in. Um, and uh, you know, there was actually, to be honest with you, there were some areas we were looking at four, but for the most part we were, we were happy with getting to three, knowing full well that there was, there was still some risk in terms of vulnerability. So how much do we spend, how much do we ask for and how much, you know, should we buy ServiceNow if we know we can’t put the people behind it?
Vik Nagjee: 33:33 Yeah. Uh, again, you know, like just like you, I think ServiceNow is a fantastic, fantastic platform. It has a lot of amazing capabilities. But, but it’s one of those where you’re exactly right. It’s just not been, it’s been funded like a project. Right? And it was funded like a project and you bring it on and then you get stuck with it. Fine. So, so there’s a couple of different things that I’ve seen, right? So, so I really think, and this goes back to the days when I was on, you know, and part of an OEM, right? So I had to figure out who was, you know, who’s one of my personas, what am I going after? How am I going to actually sell value for this particular thing? And the, the, the, the flood aspect of it is one part of it. But the reality of it is that, look, our world has just turned upside down on the basis of this is getting ahead of things.
Vik Nagjee: 34:24 Let’s not even talk about 5G. Cause when that gets here, that’s like we’re going to get quadruple turnaround, right? Because people haven’t even started thinking about what all is possible simply because it’s just such a concept at the moment. And as soon as it becomes real, man, I’m telling you this is going to take off. Right. Um, but you know, it’s just, it’s about, it’s about sort of getting a little bit more basic, a little bit simpler. So from a funding standpoint, you’re absolutely correct. I think the way to do this is number one, is to have a very good, low barrier to entry from a consulting perspective to come in and say, look, this is the end goal. The end goal is you’re going to get a lot more secure, but guess what? There are going to be a lot of really good things along the way.
Vik Nagjee: 35:08 For example, for your CFO and your COO, you’re going to get a really good handle and daily, weekly, monthly reports on utilization for these very expensive assets that you have deployed. Are you interested? Absolutely. I’m interested in and if I moved some of my scanners from this locale to this locale simply on the basis of utilization. And you just get that as part of this whole thing, right? So that’s one aspect. The other aspects around obviously the security thing, but there’s a really good amount of hygiene along the way. I mean, you can wrap this around so many different ways, right? Around clinical variation management, around critical utilization and say, where are my IV pumps? I can go down into BLE and RFID. I can do all this sorts of stuff. But it comes down to what is the journey and what is the process and how can I take bite-sized chunks out of this thing to get there.
Vik Nagjee: 36:05 This is why a lot of things fail, is like somebody comes in, Bill, and says, here you go. This is where you need to get to. And this is the price tag. You know, some of them will say, here’s what you need to get to, see you later. The others will say, here’s what you need to get to and here’s the price tag. Do all of this. We’ve got to be a little bit more realistic, right? Because remember, we have to keep the lights on. Keeping the lights on costs us x amount of money per month and per year. And so we’ve got to, uh, you know, slowly build on this. That’s why, again, is, it’s a journey, but you’re absolutely right. It’s not just one thing. And it’s got to have a mindset. You need to have at least one executive champion because you cannot be talking. I mean, the directors are mostly onboard. They get it, they get that this is the right thing to do, but they’re like, dude, how can I, look, I have this budget, I have to keep the lights on. Where am I? What am I going to do? So this has to be an executive sponsorship and a multi-month, if not multi-year journey to get there.
Bill Russell: 37:02 Yeah. And you, you do realize like the, the next episode I’ll have somebody on who’s going to say, hey, this is the thing that health care absolutely needs to do. And then the next episode, I’m gonna have something go on. This is, you know, uh, you know, around data, around, um, around EMR optimization around, I mean, there’s so many. This is the challenge of being a CIO. It’s prioritizing these things to say, all right, uh, you know, what, what can we do and what, uh, what can’t we do? We’re, we’re actually at our half hour limit. Here’s what I’m going to do with you, what I’m, I’ve started to do, which is I’m going to close up the show. I’m going to keep asking you questions. We’re going to record them and put them out on our YouTube channel. Um, but just because our listeners have asked me to try to keep it close to 30 minutes, with you and I could talk for another hour and we’re probably going to talk for another half hour, so we’ll see what we can do here. Uh, so, you know, Vik, thanks for coming on the show. Uh, uh, again, great discussion and anything you want to leave our listeners with, a way to follow you or, or something to that effect?
Vik Nagjee: 37:59 Yeah, I’m on, I’m on LinkedIn. Please find me on LinkedIn. I’m on Twitter. Um, we’ll, we’ll provide the handle over to Bill so that you can actually, Bill, you have it. Um, and uh, you know, I just think that simplicity is key. I think we just want to make sure that we always go back to simplifying our environments so that we can continue to drive these innovations and data or digital or what have you. Thanks for having me.
Bill Russell: 38:24 Yeah, and we’re good. That’s the questions I’m going to ask you after I close up here about experience as a service and simplifying the architecture. But we’ll come back there in a couple seconds. So, uh, please come back every Friday for more great interviews with influencers, and don’t forget every Tuesday we take a look at the news which is impacting health IT. This show is a production of This Week in Health IT. For more great content, you can check out our website at thisweekinhealthit.com or the YouTube channel at thisweekinhealthit.com/video. Thanks for listening. That’s all for now.