UnHack (the News): Navigating the World of Cyber Insurance and Breach Preparation with George Pappas
Episode 178 · 16th September 2024 • This Week Health: Newsroom • This Week Health
Duration: 00:26:22

Transcript

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

This episode is brought to you by Intraprise Health. Make cybersecurity a priority, not a headache. Cyberattacks put patients at risk and cost healthcare organizations millions.

But with convoluted software systems and risk and vulnerability data lost in silos, leaders know their organizations are vulnerable, and they feel little control over the safety of their patients, reputations, or bottom line. Intraprise Health brings together cybersecurity experts with over 100 years combined experience to offer a comprehensive suite of innovative software and services.

It helps leaders finally unlock a unified, human-centric cybersecurity approach. With Intraprise Health, you can improve your cybersecurity posture, protect your patients, and simplify your employees' lives. Visit thisweekhealth.com/intraprise-health to find out more.

Today on Unhack the News.

George Pappas: And you think about it, how many hospitals they have, how many tens of thousands of devices, tens of thousands of employees, how many people work in every area that could be one click away from a cyber event.

Drex DeFord: Hi, I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain-English, mostly non-technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News.

Hey everyone, it's Drex, and this is Unhack the News. I'm really happy to have George Pappas from Intraprise Health back with me today, the CEO there. How you doing? Great, Drex. How about yourself? I'm fantastic, and we have so many good stories to talk about.

You do such a good job. You're very homeworky for me. You're always thinking about this stuff ahead of time. And so we have some really cool and interesting stuff to talk about. I'm excited about it. You ready to get started? Yeah, sure. Okay, so there's an article from HIMSS Media, and it's about rural northeast health systems that are seeking more federal support for their rural health systems.

And it's Dartmouth and MaineHealth and University of Vermont Health. They're big systems, but they continue to struggle, especially with the smaller hospitals in the system, which in some cases are a lot, or most, or almost all of the hospitals that are in the systems. Is the whole healthcare system just too complicated to figure out how to make small rural healthcare organizations even marginally profitable, or at least profitable enough to stay in business? What's going on here?

George Pappas: A lot of levels, layers to this issue, Drex. I think even in the article, one of the things that struck me, and I've seen this a lot now for probably the last 15 years, is that when an article says that the health system is the largest employer in the region.

And in many states,

Drex DeFord: that's the case. It's in almost every state. It's probably the case that a health system is one of the top two or three, if not the top employer in the state. Yeah.

George Pappas: But in these rural areas that used to have a manufacturing base, other employment bases, I think what it tells you is you're going to have a patient census that doesn't look the way it did 40 years ago or 30 years ago.

And that really influences what is the makeup of their patient load, how they're serving them. They have community responsibilities that they do really a wonderful job adhering to. The challenge, and these are large systems, all three of them range from, and I looked up some of the numbers before our call, from two-plus billion net patient revenue to over three, which is sizable.

But if you look a little deeper into the economics, what you find is that because of their Medicare, Medicaid patient percentage of patient stay days, they're basically being reimbursed at one sixth of the rate of private insurance for half of their patient stay days. Now it's a sort of one of these dirty, well-known secrets that private payers pay more, the federal government with states sets Medicaid, Medicare reimbursements low, and there's an ongoing political conversation about that.

But unfortunately what it says to a health system like this is half of your volume is going to be paid at below cost and one sixth the rate that you're being reimbursed for by private insurance, which is not even a hundred percent of the charge master rate. These hospitals have a real challenge navigating just their basic economics.

And if you look at their margin structures, all three of these systems, on an operating basis, are running negative 15 to negative 17%. Now they have assets, they're nonprofits, but you look at that big picture and you say, you've got to put as much wood behind the arrow for care delivery. We're going to shrink everything else as much as possible.

And there you go, right? There have even been some articles out and about where the writers talk about this sort of cybersecurity poverty line. Yeah. Which I thought was an interesting idea. Yeah. Interesting concept. But if you take a system of that complexity and that economic posture, and you think about it, how many hospitals they have, how many tens of thousands of devices, tens of thousands of employees, how many people work in every area that could be one click away from a cyber event.

You understand the combinatorial nature of the problem and the breadth and depth of what they have to try and protect themselves against. And it's a real challenge.

Yeah.

If you take that large rural system and then bring it down to a 25 bed critical access hospital, right? And you understand the dimensions of that challenge, it's even harder because they don't have the capacity or scale to handle it.

Drex DeFord: It is interesting, because when you sit here and look through this article and you think about the list of problems that hospitals in general have, right? There's more demand, there's increasing cost, right? There's a focus, like a relentless focus, on figuring out how to manage expenses and recruit and retain specialized staff, right?

That applies to the hospital, but that's the same set of problems we've been talking about in cybersecurity for a really long time, and we're obviously reading the same articles, because I read the same article, I'm sure yesterday, about the cybersecurity poverty line. But there's also then this sort of health system poverty line. Just, there are health systems who, yep, they're never going to make enough money to be able to be above the red line.

And they're really depending, or maybe almost over-dependent, on donations, their foundations, those kinds of things. But I don't know if that's a long-term strategy for survival. That's what I worry about with those places.

George Pappas: And remember, if you think about the hospital system, in addition to the staff, what is the age and state of their infrastructure, their technological infrastructure? Enterprise software systems are by and large brittle, because they're extremely complex. There's a lot of new programming methods. There's a lot of new architectures with cloud-based versions. But in the end, they're still very complicated. And in fact, it wasn't until recently that some very old database architectures at the center of the major EHR systems out there.

I might've been programming on them a while ago. There is this old axiom that new hardware comes and goes, old software goes into production every night. And so managing that in and of itself, and the cost of change, patch releases and everything else, adds a growing burden on these systems just to secure the base system.

The entry points, the user interfaces, everything else. So it's a pretty pervasive challenge.

Drex DeFord: Yeah. The tech debt, the architecture debt.

So many of these places, in healthcare, a lot of organizations, but healthcare in particular, just because you and I have been there for years, this stuff has just been built and bought and put into place, one thing on top of the next thing, interfaced with the thing three things ago.

It's very sensitive. It's not simple. That means that it's harder to run, and obviously it's harder to secure.

And it seems to be that there's never the money to take a step back and take a deep breath and re-architect everything and figure out how to make it the way it should be, which would be simpler, easier to run, easier.

It's a big job. Yeah. Okay. We'll skip to the next article. In the HIPAA Journal there's a pretty solid story about this idea of cyber fire drills and why they're an imperative. The author talks about how prevention clearly isn't working. Although you still have to do it, right?

You're preventing a lot of stuff with the prevention, but the bad guys are still getting through, orgs are still being breached. And the current problem is how well we do it, or how well we don't do it, when it comes to the emergency situation and how we deal with that. It gets into this analogy then around the cyber fire drill.

What'd you think about that article?

George Pappas: Yeah. I thought it was very practical. And the thing I appreciated about it, I think back to my previous company, Dr. First, as a BAA working with covered entities, we used to do desktop drills all the time, but that was more about a system outage or an unintentional disclosure of PHI that we were handling on behalf of one of our clients. The level of cybersecurity activity was not even a flash in the pan compared to today. I think what the author's point here was is that it is a team sport, and that in so many cases, buying the tools, which you need the tools, you need endpoint detection, data loss prevention too, you need all that, but that's not enough.

And that really, getting, and I think you used the words muscle memory, getting the company to be practiced at it is critical, because you think about the old desktop exercises and you realize, wait a minute, this is a legal, public relations, consumer-facing issue, as well as an entity risk management issue.

Now, all those parameters have been multiplied by 10. Because the nature of a cyber incident, if an attacker has been in there for a while, you don't know the answer yet. People want the answers. Who says what to whom?

Drex DeFord: There are regulators asking questions. Liability stakes. There's insurance companies. Long way...

George Pappas: ...up. Exactly. So all of a sudden you have a team. Wait, who do I call? What do I do? What do I say? Then you have a cyber insurance carrier who's there on the side saying, all right, we're the hazmat crew, work with our clean it over here and let's do this and let's do that.

But then that might cover two thirds of what you have to do. There's a third of things you have to do that will not be covered with that entity and their coordination that you have to decide upon. So it was a really good article in terms of, it's not just about the technologies, it's about team coordination and team readiness, and this, like so many of the things in risk management, they tend to be swept under the rug because they're seen as boring or prosaic. They're not really. I'll go buy endpoint detection. Yeah, of course you need that. Getting everyone in the leadership team to focus on this, not go crazy, but doing enough of it so that you're ready, can pay massive dividends.

Are you ready to get insider access to the latest health IT innovations? I'm Drex DeFord, and I want to personally invite you to one of our upcoming webinars, Fireside Chat: Cutting Edge Conversations with Top CMIOs, sponsored by Dr. First. This is your chance to hear directly from some of the brightest minds in health IT as they share groundbreaking insights from one of our 229 executive summits. We'll cover the transformative power of AI, strategies for optimizing healthcare operations, tackling physician burnout, and the latest in population health management. Don't miss this opportunity to stay ahead of the curve and bring these cutting-edge ideas back to your organization.

Register now at ThisWeekHealth.com/fireside-chat. That's fireside-chat. ThisWeekHealth.com/fireside-chat. Thanks. See you there.

I like the analogy of taking care of the patient, right? Yeah. Preventative medicine and preventative cyber, sort of analogy. You take care of patients, you keep them healthy. You keep them in a really good place, but patients are still going to be in car accidents. They're still going to have unanticipated medical emergencies, heart attacks, and those kinds of things.

Drex DeFord: And we train and practice the medicine version of this when it comes to how do we take care of those patients who are in dire straits and show up in the emergency department. How do I take care of them, get them through surgery, whatever they need as an inpatient, and then discharge them and get them back into the preventative part of the space.

That same methodology, that same concept, with cybersecurity would definitely pay dividends. It is the challenge, though, of it's a much bigger thing. It's not just the emergency department as like the entry point, right? A lot of this is hospital-wide, organization-wide and multi-organization-wide, as we saw with some of the recent incidents.

George Pappas: And even connect this to our first discussion, right? Yeah. 'Cause what is the issue, right? And what is part of our job, even at Intraprise? Doing all those things manually takes money, time, and people. So flatten the cost curve, light up the kind of scale and leverage curve by approaching a combination of people and technology to scale those things and give you better visibility.

And ultimately have a unified way to see what you're dealing with, because when the time comes, you're going to need it. And I've talked about this before with our clients, because they're in challenging financial straits and they certainly don't want to spend more than they feel they want to, but how much do they need to?

And we ask the question, if you had an incident today, what would you do? And that gets back to someone who's had a cardiac event: they'll be on the Pritikin diet and the treadmill the day after; the week before they're at McDonald's. It's really dealing with that issue and helping our clients understand how to get there, which is an important part of what we try to do with the people we work with.

Drex DeFord: It's figuring out where the most likely impact point is going to be, right? Back to that risk conversation. This is the kind of exercise that you should be doing, because it's most likely to be the thing that will slip through the cracks, or the thing that's most likely to happen. So you're better prepared for that.

In many cases, though, these exercises, this kind of work, is good for you no matter what. Yeah. Even if it's not exactly that kind of an incident, that exercising, that preparation, those tabletops, all those people know who to call no matter what.

George Pappas: And I would actually tell you that the difference in the negative impact to patients, the potential liability, there's a difference in how you handle the incident. Whether you had endpoint detection, the nature of the penetration of the event, that's one thing, but how you handle it has an impact on, ultimately, the impact on your entire health system, your patients, and your ultimate liability as an organization.

Drex DeFord: Yeah.

George Pappas: So...

Drex DeFord: The public relations part, the transparency to the staff, the more things that you know, and that you've practiced how you're going to talk about, can make a huge difference in the perception and the reality of how you're coming back from a cyber emergency. There's another good article. This will be our last one, because you and I, we get started on this sometimes. Yeah. One of the stories that I talked about in the two-minute drill recently was about cyber insurance. It's a blog post from a guy named Walter Haydock, and he gets into a lot of great stuff in a really short blog post.

A lot of good, dude, there's a lot of juicy tidbits in there. I think it could be a whole series if you wanted to get into it. Cyber insurance, it's messy, it's complicated, and the question becomes ultimately in the blog, is cyber liability insurance even worth it? I don't know that he really asked that question, but he does it in a rhetorical kind of way.

You seem to like that article when we chatted about it briefly earlier. What was going through your head when you read it?

George Pappas: Yeah. As I read through his step-by-step, life-cycle journey, I thought it's a real vivid illustration of that: we're still in the wild west of cyber insurance. And it connected a lot of dots for me to efforts that have been out there, because he was trying to be a good consumer of the policy that he just purchased. Yeah, what did he realize? Wait a minute, the incident response team. Are they owned by the carrier?

Is there some kind of other relationship? Can I get an NDA in place? What about getting everything prepared in advance? And he's smart enough to realize that minutes mean hours when something happens. So he's trying to put all this in place. And then he also referenced using a monitoring app of some sort that his carrier provided, which raised a really interesting question about, is that really the right way to go?

'Cause they're underwriting you. There's a renewal in your underwriting policy. There's a lot of things. It's like the Progressive insurance ads: we want to watch your driving habits and we'll then determine your rate next time around.

Drex DeFord: Yeah, I think there's a little more clarity to that, right?

If you're a really good driver and you never press on the brakes hard, it's okay to take the little thing and plug it into your car and then show them all the information. But, so that was interesting.

George Pappas: The other thing that really struck me was Senator Warner was out in front of this a while ago.

He issued, I thought, a really good compendium back in late '22, because as he's the chair of the Senate Intelligence Committee, he looked across all the government agencies and said, look, cybersecurity is patient safety. Here are the issues. It was like a 25 or 30 page document. I'll be happy to send it to anybody who wants it; LinkedIn, ask me. But he had a section in there on cyber insurance, and he really called out the fact that the volatility of the nature of these incidents really calls for some kind of a level expectation on the part of the carriers, and some kind of reinsurance also linked to, at an entity level, some kind of best-practices safe harbor.

It made a lot of conceptual sense. And then the White House just recently issued a kind of systemic risk, kind of catastrophic risk idea. The ideas have been out there, but the fact that they're not in place, I think that also speaks to what the article really indicated, which was: you don't really understand how your risk is being rated.

What's the actuarial set of things you're using to determine what are the exclusions in the event something happens? What are the, I'll use the word pre existing conditions, right?

Drex DeFord: Absolutely.

George Pappas: And what about exclusions? And so the underwriters are trying to figure this out too. And then I think he even mentioned it, but this whole idea of what if it's a nation-state attack, does that then get discounted because of the war clause?

So there's a lot of things that have to be settled. And I think there's a proper role here, for these sectors of the economy, for the government to describe a backstop and describe a set of practices. All the carriers operating above that have a view to what is the max and what are the things that they really are going to work with their clients to be basically accountable for in terms of best practices.

Drex DeFord: I know, and I've talked about these in a lot of shows over the last few years, the whole challenge of what's covered and what's not covered. That part of the insurance world is still very much a baby compared to, like, hurricane loss insurance and that kind of stuff, where the terms are in the policies and the terms have been litigated dozens or hundreds of times. There's tons of case law that explains what every individual single word in that policy really means.

So it's not easy to understand, but it is understandable compared to cyber liability insurance. And there's still a lot of case law to be created. The language is different depending on the carriers, depending on the way that you've built. Yes, exactly. And so it is a really complicated situation.

We've still got a long way to go. And I think, if we think healthcare as an industry is complicated, insurance as an industry is also very complicated. And in both cases, it's super complicated to the consumer who's buying the stuff and trying to figure out how to use it.

Exactly. There is one more story, and this is a great little sort of tale onto it, and we'll just hit this one real quick, but there's a story in The Record that's also tied to the same issue. And it's about the White House and CISA working on a catastrophic cyber liability insurance sort of package.

So this is like one of those things that if there was a giant event that affected a lot of insurance companies, cyber liability insurance companies, at the same time, and they all had big claims to pay at the same time, trying to create something like a sort of preemptive aid package. Let's take some time and think about it and write the legislation and put it together so that it's there and ready to go.

As opposed to what we often do, which is there's a big event and then we try to write emergency legislation to help solve the problem. And there's often a lot of, oh, waste in that. Good idea? What do you think about that?

George Pappas: Yeah, I think you think about Senator Warner's concept and this concept, you could argue this gets into these discussions of moral hazard too, right?

Would this apply with the Colonial Pipeline attack, or the automobile dealer software system that was down in the last few months? Change Healthcare would certainly be a candidate for that. What rises to that level? And does that backstop give the carriers and the actors, hey, it's really not my problem.

It's only my problem at a certain point. So there's a, this gets back to, if you have done your job, your best practices, cue cybersecurity performance goals, right? Cue these other things. Then if you've done those things, et cetera. Now I think you have a regime. And this is where NIST as a standard, if we're talking cross-industry for a second, is more of a meta-standard than a standard, because it's a description of standards.

And, as a healthcare specialist in our company, we apply that to the healthcare business model, healthcare IT, healthcare workflows. You'd have to do the same thing in these other industries to come up with a workable description of what are the cybersecurity performance goals or best practices.

I'm sure CISA has got to be looking at this, because the attack surfaces and all these things are pervasive right now.

Drex DeFord: Sure, especially in the critical access, the critical industries.

George Pappas: With some of those caveats, it's a good idea, but I still think the safe harbor idea with appropriate verifiable goals. And in a lot of ways, this is where the Healthcare Sector Coordinating Council is going with these CPGs. That's a multi-year effort. The Biden administration already, in their budget proposal, took some allocation from the Medicare Trust Fund. Oh, by the way, less compensation in the hospitals, more economic pressure,

Drex DeFord: Right? Back to the first story. Has to...

George Pappas: ...come from somewhere. But people are waking up to, we've got to do something about this. And as long as you have the practices tied to some kind of liability or safe harbor, I think that it could be healthy, because the downside risk of not doing it is going to keep the same level of volatility in, really, the insurance coverage market that's hard for everybody to handle.

Drex DeFord: There's always the, having spent 20 years of my working life in the federal government as a military officer, there's always the part of me that, "I'm from the government and I'm here to help." There's always this part of me that worries about the unintended consequences, right? This sounds like a really good idea, but does it create some bizarre disincentive to do something that you should do? Often the problem is that we build the programs, we write them into the law or we write them into regulation, and we wind up using them and then we find the problem. But we have a hard time, because the system isn't agile, we have a hard time going back and correcting or re-correcting the regulations to try to take that vibration out of the engine, or whatever it turns out to be.

I always worry about that part. And no, I agree. And clearly our system now is not really fast-moving or problem-oriented in many cases.

Yeah.

George Pappas: A lot of inertia against those things right now.

Drex DeFord: Hey, thanks so much for doing Unhack the News. I always appreciate it. It's always a good time with you.

You're so well read. You're into what's happening in the industry and cybersecurity. It's always great fun to have you on, and I really appreciate you being on the show.

George Pappas: Thanks, Drex. My pleasure.

Drex DeFord: Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.
