Newsday: Navigating Ransomware Recovery and New Cybersecurity Standards with Jack Crowley
Episode 19814th October 2024 • This Week Health: Newsroom • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.


This episode is brought to you by Rackspace. The cloud is revolutionizing the way that healthcare organizations operate while delivering improved patient care, increased efficiency, and cost reductions. Cloud-based healthcare solutions from Rackspace Technology make it easy for your organization to access patient and research data, collaborate with others on the continuum of care, and scale up or down as needed.

Rackspace Healthcare Cloud allows your organization to securely store, process, share, and analyze clinical information. Let their experts help you determine which private cloud or public cloud is ideal for your workloads. Check them out at ThisWeekHealth.com slash Rackspace.

Bill Russell: Today on Newsday.

Jack Crowley: So if someone owns every hospital within 100 miles of where you live and there's an attack and they're all down, then what? So we need to be thinking well beyond just the horizon that's in front of us.

Bill Russell: My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare, one connection at a time. Newsday discusses the breaking news in healthcare with industry experts.

Now, let's jump right in.

Sarah Richardson: Welcome to Newsday, where we have a chance to dive into the news with our partners. And I am thrilled to be joined today by Jack Crowley from Rackspace. Was able to spend some time with Rackspace at their first Healthcare Client Advisory Board meeting about two or three weeks ago.

And Jack was one of those people where we just jumped into every conversation possible from 80s cover band music to what's happening today in our world of healthcare and IT. Jack, how are you?

Jack Crowley: I am great. I'd be better if it was Friday, but I'm good. Hey, we can pretend it's Friday. We can pretend it's Friday.

Sarah Richardson: We have a Friday night conversation, which with the two of us could be a little cheeky and fun regardless because we're known for our anecdotes of whether people want them or not, which is the best part about conversation. Love to hear though for the audience, tell us a little bit about what you do with Rackspace and just tell us what's happening in Rackspace right now.

Jack Crowley: Sure. So my name's, like you said, Jack Crowley. I am the general manager of the healthcare business unit at Rackspace. So we have a business unit that's focused really just on serving healthcare customers, which can be providers, payers, pharmacy, et cetera. It's not just providers or just payers.

So what rolls up to me would be product development. So I own the product roadmap. Also have project management, customer success, infrastructure operations, the Epic, right? We have an Epic team that does the ODBAs, ECSAs, et cetera. And then also in the famous words of one of my architects, other odds, bits and pieces that make the organization run.

Basically everything non account executive, non go to market sort of operations. So basically you have spare time at the end of the day. I do. It's, hopefully, playing guitar or golf. Yeah, exactly.

Sarah Richardson: So what I love too, though, about spending time with y'all at Rackspace is understanding that you are the, behind Epic, the largest host provider for Epic as an organization.

And so that comes with a lot of responsibility. Obviously, these things are in the news quite often. What makes Rackspace the right partner, other than Epic, for organizations to think about hosting with you?

Jack Crowley: That's a great question. That's probably the question. And there's probably a couple of different ways to look at it.

I think, first and foremost when the team was built or started seven years ago there was an intent to hire people that had not just industry experience, but actually worked in hospitals, right? Had sat there and understood the impact of what they were working on, the culture and had appreciation for it.

oyees that were ever hired in:

All of them have worked at a provider and most of them worked there for a long amount of time. So the culture the cultural and like the foundation of the team is a big piece of that, because I think that resonates right with hospital CIOs, they want to feel like they have a team that understands.

What it means to manage their instance, right? And what uptime means, what resiliency means, etc. And then the, the other big thing I would say at a high level is when you look at like the public cloud you need some very talented individuals to go make all of that work and not just build it, but to operate it.

So there's the upscaling side of it too. So we're unique, I think, in that we offer a hosting platform for customers, but also that Epic talent as well, in house. So you don't have to have a multi vendor solution, but I'm sure everyone loves working with multiple vendors to make stuff work, that's gotta be fun.

Sarah Richardson: It can be helpful in making sure that the, inside of the equation is keeping the other on us, but at the end of the day, that's very true. Yeah, but you do want some of those bigger partners. You think about, hey, so we just built it, now what? The hardest part is after it gets installed, regardless of what the solution may be.

And one of the things I love about you and your team is, you're in it with the customer all the time. You don't just bail after the implementation. It's a constant, ongoing relationship for optimization. The other thing, too, it's really key is you think about the key items, like what's happening in our government and some of the regulations that come forward, what we need to be thinking about in terms of risk and cyber and whatnot.

So let's jump in. Because there's no shortage of it, and you and I tend to gravitate towards the, hey, is this a good decision? And if it is a good decision, how do we either help make it better? Or what do we need to be thinking about separately? The first one we're going to cover today was Wyden and Warner introducing a bill to set strong cybersecurity standards for American healthcare systems.

So I'll give a little bit of a summary on this one. They have said by saying, hey, we want strong cybersecurity standards for American healthcare system. It's mandating that the Department of Health and Human Services to enforce minimum cybersecurity standards for healthcare entities with enhanced penalties for violations.

It also provides funding for underserved hospitals to meet these standards. And this is coming in response to increasing cyber attacks on healthcare institutions, threatening patient data and service disruptions. So Jack, tell me some thoughts around this. Are the key points of mandating standards a good thing?

It's removing caps on fines for HIPAA. It does provide funding for rural or low resource hospitals. It's got some additional accountability measures and to continue to address the threat of growing cyber attacks. That's a lot. What are some of your thoughts on this one?

Jack Crowley: A lot of thoughts, probably can't share all of them, but the first thing that comes to mind I think I can't remember the way you just said it, but I always feel like with the government, the cart can get a little bit before the horse, right?

We're talking about like self reporting and enforcing standards. What standards? To someone, and I would venture to guess, they'll say two factor, that's our minimum standard for, for user credentials or something. And it's, we joke about this talking about DR with the team I need a disaster recovery solution.

What does that mean? To solve for what? So the point being, it seems to me like there's some work here that needs to be done to get everyone on the same page on, the way we're going to look at standardizing certain things. So I'd say, Hey let's get a body together to go define, right?

What are good sets of standards, the government to go even enforce. And then I think the self report thing is interesting too. Especially talking about fining people right away, because if your security is bad enough, you might not even know that you're being breached. So how can you self report if you don't know that you've had a breach or whatever, right?

I guess maybe they're saying once you do know. But again, I think there's a lot of questions around how you would even start down this path before we get to let's just start fining people sort of mentality. So a couple of high level thoughts there.

Sarah Richardson: I want to chat about the increased accountability because it says that leaders are held accountable for cyber security failures.

At what point though, if you're falling, the compliance is mandatory, you're like, okay, I've checked all those boxes. My day to day operations are as secure as they can be, partially based on my funding or even my resourcing. So if you're held accountable for a cyber security failure, but you've done everything right, what's your recon on that?

Jack Crowley: I honestly don't know. That is interesting, right? Like you do everything you're supposed to. I'll tell you one thing, like just reading these articles, it made me like the first thing that came to my mind is I don't want to be in any of these seats. I don't want to be the person on the hook for some of these things.

It's not to say that I don't, or I'm afraid of being accountable. It's just that's a lot to take in. That's a lot to take in, I think. And it just raises the question of, we kind of hope, I guess what we all hope that, what's going on behind the scenes, what a lot of people wouldn't see that are not in technology is they're hoping that people are doing the best things to secure their data, from top to bottom. And my immediate response to the specific article was like, we're seeking sort of the minimal viable requirements, not like really addressing what I think are becoming the current and will be future challenges with preventing cyber attacks or responding to cyber attacks.

I don't know, how about you answer that one? That's a good one. I think you might be better for this one. I can tap some questions here.

Sarah Richardson: No, it was the same question I had, that whole okay I'm not entirely sure because sometimes the regulations are enforced by different groups or different entities.

I think back to the meaningful use days when even HIPAA, when it first came out, we did everything we were supposed to do. So we got either got the boxes checked or we got the reimbursement models that came in. The ongoing expense of some of those perspectives or some of those regulations became pretty arduous, became a lot more than we expected them to be.

So at some point, all that reimbursement or all that incentive money that you got was whittled away by keeping all of those things current. Doesn't mean we shouldn't be doing the right thing. It's making sure that we're having the right voice, whether that's through advocacy or different perspectives with our lawmakers.

Part of the healthcare journey that we're on, both as patients, providers, technologists, is how do we affect policy? How do we inform policy? I'd love to put out there just a thought for you. If, Jack, you just got elected into Washington. You're, you have a big role here. How do you bring the right oversight together?

When you think about how fractionalized some of these regulations are in a perfect world, what would some of that look like under your jurisdiction?

Jack Crowley: All right, reel it in, Jack. Reel it in right on this one. Reel it in. This is where the Reel it in. I think Pick up the sky on this one. I almost, I hate to go like way pie in the sky, right?

But to some degree, we have to have some sort of like reset in this country and get smart people back to the table. I'd like, fundamentally, right? No offense to anyone in Washington, but I'm not sure that the right people are in Washington today that can solve some of these problems. We need to find a way where the most intelligent minds in this country want to help solve these problems at that level.

And I don't think that they do anymore. Cause like I jokingly say, run when I'm elected, I don't want to be elected. Cause I don't want to deal with all the riffraff that comes with being elected in this country. But I think the first thing that I would do, like I said, is, I think there's been so much change in the past 10 to 15 years, like in technology, right?

It has been rapid change. Some of us, even those that are heavy technologists struggle to keep up. Like we're almost reaching this point where the amount of people that have, you know, like the traditional like full CTO like ability to speak to everything. Like I, those people have always blown my mind, but they can, they're going to blow my mind more because it's just becoming harder and harder to stay on top of, I think everything.

But I think getting, like you said it a second ago when we were talking about this was getting some definitions in place, et cetera, like we're way behind, I think we're way behind as a country on having an agreed upon like universal understanding of what even warrants, like a reportable attack. Let's start with defining some of these things so that we're all on the same page, because I think it does feel very fragmented right now.

Sarah Richardson: It absolutely is. I like the pie in the sky idea though, because when you start at the top with everything that, as it should be, and then just keep working through the menu of the things that make the most sense.

And to your point, it's not that politicians don't care. It's that their job is to regulate and to work through different things that they're informed by those that can make those differences. A lot of our colleagues go to Washington and talk about these things all the time. But you and I are saying, Hey, imagine if we hit a bit of a reset on some of these perspectives so that we're major, making sure we're measuring the right things, which takes us right into the next conversation, which is attacks.

Cyber attacks are dropping in nearly all sectors except healthcare, the world that we're responsible helping to maintain, 37 percent of providers take over a month to recover from ransomware. And while some of these attacks have decreased in most sectors, 66 percent of healthcare organizations have been affected in the past year as well.

And it's particularly vulnerable due to the impact on obviously patient care and securing critical systems. So ransom demands are higher when backups are compromised, which is a pretty common conversation. We're at a four year high on this. So as you think about being both a patient and a practitioner in this case, patient safety, it's tacking directly your ability to provide patient care, long recovery times, just creating an entire mess under operational efficiencies.

It's always going to be a financial risk. Do you pay it or not? A lot of that conversation. And then the data security piece of they increase your legal and regulatory risk. But more than anything, it's the disrupting critical medical systems, affecting healthcare delivery, etc. You get in so many personal perspectives on this one, I want to hear yours.

But I really do believe that the cost of your cyber insurance and the cost of the recovery, if you can have the right conversation with your organization, then spending the money to have real time backups that can be, like, 15 minute snaps of everything. Doesn't matter. And then, do you have a place where you can thoughtfully recover it?

One of the things we talked about at your CAB, and it's not a commercial for Rackspace as much as it is of I gotta quarantine the bad stuff so that it can go be done for forensics, and then I gotta have a place to set up the new stuff. In all the experiences you've had and your perspectives on this one.

Tell me where you are.

Jack Crowley: One, I think the first question you said was like the personal element. It is really personal, right? So I'm a cancer survivor. I had cancer when I was 20 and I think about like how crazy it would be, to be a patient at hospital getting care and that, and like in my case and then you're going in for treatment and, when you're going through that stuff, you want to stay on schedule.

Like it's not fun. So you're I just, you don't want like that sort of disruption. None of us want to deal with that. So I think about. In a way, I guess I'm glad it was before some of this technology. I'm sure like the technology has advanced the way they could treat it, which is great.

But then like now we're dealing with all this sort of stuff, which is maybe an unforeseen piece of the puzzle. But then, I think when it comes to recovery I think everyone understands this, right? Like in, technology, I think you made the right point, which is how do you go convey this new cost that we're all going to have to incur to, because it's not going to be cheap, right? It's just not, it can't be because of just the raw size of things that we have to back up because right, traditionally we think of DR as Hey, there's a hole in the ground and DC one.

Now we're going to use DC two. In this case, DC two could be completely hosed because if they pose your Active Directory, you're in trouble. So I think like we've realized that now we have to find a way to get all the core services put in a safe place, backed up and inspected as well not just right.

Like your, your patient record database or something like that. It's a lot more than that. It seems like people have taken steps the last couple of years to air gap backups, which is great. That's a great first step. But again, now you have to think about what are the, all of those other things that you need to be air gapping as well, maybe longer retention periods as well.

Is there some sort of a product like Dell's CyberSense that's inspecting that data, right? Looking for abnormalities as the data goes in and then having this whole other thing over here so that if there is an attack and if all of this stuff on your side has been brought to its knees, how can I recover in another space?

And I think you and I talked about it, the CAB, that's just the technology side. Now we also have to think about the operational side inside the hospital, right? Like for those three days while we're getting our EHR back up or whatever else. Like how do we run the hospital on paper for three days without impacting patients or at least impacting as little as possible.

So that's when I gave you my great business pitch idea. Don't bring that back up about the airdrop nurses, right? But I think these are very complex things, right? It's good. We're all talking about them. I'm hopeful some of the things in the way we're looking at it, that Rackspace can help.

The challenge will just be trying to find a way to make a price point that makes sense for a customer, or for anyone to execute on and then helping them collectively, probably all of us as technologists, how do we translate this to the business so that they understand what this brand new expense on their P and L is.

Hey everyone, Drex DeFord here, and we have an exciting webinar on October 22nd at 1 p.m. Eastern. It's sponsored by CrowdStrike and AWS. We're diving into building a resilient healthcare system, cloud security strategies for today. With cloud breaches up 75 percent over the last year, healthcare systems can't afford to rely on outdated defenses.

So join us as industry experts share practical strategies to strengthen your cloud security posture and adopt zero trust and boost operational resilience. Don't miss it. Register now at thisweekhealth.com slash cloud security. That's thisweekhealth.com slash cloud dash security.

Sarah Richardson: First of all, it's rare that any team has one person who gets to just go only solve for this right now. There's usually 500 other things happening in the organization. And so imagine if, and we're going to go blue sky thinking, imagine if you have one person or a team that gets to solve for this equation.

Hey, we're going to have continuous backups and monitoring. Hey, we're going to make sure we can recover within three days maximum, just like FinTech. 72 hours, you're back up online. Because to me, it's a crime that a hospital can be down for 30 days. That's not a. But a crime to the hospital operators.

It's like, how is that even feasible in our world today? It's not, right? The truth is, it's not. It's not, and we've seen it happen. You ask any CTO, CIO, CISO, pick a person in the organization, you say, how many days can you be fully down before it becomes disruptive? And people say, one. You're going 7 or more, just the cost of that recovery.

And so now you're thinking, Hey, I need to go ask for 150 grand for an assessment. And the organization goes, Oh, that's really expensive. And that's this is the assessment. And you're like sure. And then here we have these great partners who can help us line all these things up. It takes a ton of energy and it takes a lot of effort and planning and financing to be able to say, Now do we believe we're secure enough because it might happen.

So this goes back to introduce a bill, having some incentives not only for getting there, but staying there is really important because it's not going to go. If I'm a threat actor in a foreign country and my full time job is I'm able to go ahead and write some of this code, or heck, I'm just a freelance coder that's being asked to write some scripts.

I don't know how they're going to be used. Maybe they're being used to hack into healthcare systems. Like just that understanding of. You can still do everything right. There is somebody a step ahead of you looking to do something wrong.

Jack Crowley: To some degree there always will be.

But that's the theme of all of these articles, and the concern that I would say I have going back to like, how do we get ahead in Washington if Jack was elected or whatever? I feel like we're at a point where think as Americans, maybe there's a cultural thing here that sometimes we struggle it's just the next best thing.

Like, how do we just get to the next step? And we're not thinking 10 steps ahead, or we're not thinking, Hey, we're two floors up now, where are we going from here? This is, I think this is a serious enough thing that like, there needs to be thinking of, it's not just get to the next best step, right? Like we need to be thinking about.

Again, 30 days of downtime from a cyber attack. Okay. We get it to three, we get it to one. Like we get, we have to be thinking ahead on this one because the truth is, I think it will only get worse, right? The numbers that you just stated from the other article paint a pretty bleak picture and, we didn't even touch on like in that article with the government, how they were, looking at funding some of these smaller regional hospitals, which is good to hear, but right.

We're also hearing how many of these are folding into larger organizations, right? They're being acquired, which creates a whole problem temporarily. And then the net effect is on the back end of that, right? We're gonna have a situation where it looks like a lot of our data will be consolidated into, 5, 6, 7, 8, 10, 12, like however many very large systems.

And then, right? So the explosion radius of an attack is now much more significant, right? So if someone owns every hospital within 100 miles of where you live or 200 miles and there's an attack and they're all down, then what? So there's a whole bunch of, like I said, like we need to be thinking well beyond just the horizon that's in front of us.

Sarah Richardson: So I totally agree to your point when you have the consolidation of X amount of facilities or systems and all the, and we've, so many of us have continued to consolidate to platforms with SaaS providers. So you might have four or five major SaaS organizations running 80 percent of your organization. And so in some cases you're like, this is great.

I'm not the one running the data center anymore. I have to run these other pieces. And yet what happens to that third party risk and how you partner effectively? Where's your data? How quickly can they recover it? How is it tied to other pieces? Just from certain things we've seen this year, I've had conversations with people who are like, Hey, we didn't actually know how to shut off our API for six hours because no one had ever documented it.

It worked until we needed it not to, or we ran out of triplicate forms when we had downtime because we needed to have, that was an interesting one.

Jack Crowley: I'd heard that too. Like we only have enough actual paper. Like for X amount of hours or time. That's something.

Sarah Richardson: I was back interviewing for a C position, CXO position in a healthcare system today, I would literally have this at the top of my questions that I was asking them as a candidate, what is your funding and resource capability for ransomware?

And you could go on from there. That alone would tell me, do I want to go and do a great turnaround plan and put all the most amazing technologies in place. If I can't recover them in a set period of time as part of the funding of that project because I've seen so many friends lives be disrupted as a patient and a practitioner by ransomware this year, or IRIS, FHIR.

Things that have happened to their third party providers. And in some cases it's been both. And wow, that's a tough one to be able to bring forward and say, I went into this career to do these things. And now these are the things I'm really dealing with. You want to be prepared for it. We're ready for it.

It's a matter of having the resource and capability to do a good job. Nobody shows up for work and wants to do a bad job every day.

Jack Crowley: No. And even the least motivated people. I don't think that's the case. So maybe in a future chat, you and I should talk about, you said something really interesting there, a good tidbit that's about asking certain questions during interviews.

And, tell a lot of friends, there's like the traditional. Oh, executives have it great. They get paid well and blah, blah, blah, like view of leadership and it's, my experience is it couldn't be further from the truth, right? It's such a tough position.

You're having to make decisions with all sorts of factors. And these are like huge ones that we're talking about today. And when you take a job or you're applying for a job, you don't know what you're walking into. You don't know what sort of things you're going to have to deal with.

There's some wisdom in there to help people be better positioned day one with a new job to know what they're walking into, I think.

Sarah Richardson: Let's remember at some point, it rolls uphill. Oh, always. It, and you're the accountable part. It rolls downhill, but it also rolls uphill. For sure. There's no, there's an inverse to that equation.

And yes, as you think about taking those next roles, the preparedness for anything in your career, it's really knowing what that's gonna mean for you, because what problem are you trying to solve as well? And hey, I'll be honest, like a good turnaround plan is a lot of fun. It comes with so many more implications than it used to that having the right partners and having the right conversations and having the right perspectives and at the end of the day the right funding makes all the difference in the world.

So if I wasn't to put my hat in the ring again, I'll be honest, I would want Rackspace as a partner only because I know you guys. I know who you are, what you are, what you do. That's important. It's not a commercial for you. And all, as much as it is, pick partners who have a wide breadth and depth and can bring your other partners to the table.

So if I have you and five other SaaS partners or hosting partners together in a room, I'm going to ask you all the same question. The power of having you all in the same room at the same time creates a very different landscape that can be much more fruitful for the organization and leadership across the continuum.

Jack Crowley: That's it. That's perfect right there, right? Surround yourself with people and organizations and partners that want to help. That's a way of thinking. I have to leave you this nugget though, right? I got to give you this. You're the thinking about taking a position. I'm over here saying how bad am I going to mess up the Panama solo this weekend if I take this new job?

Sarah Richardson: Cause I don't have time to practice. That's where my mind goes. So for those of you that have a chance to check out Aquanet on Instagram, that is the band that Jack gets to play in on the weekends. And I love that. Being able to do a really good job with Van Halen is a top of mind as well.

And you know what? It just goes back to You'll disappoint the Van Halen fans. You're in big trouble if you disappoint the Van Halen fans. It's game over. If you're prepared, you can pretty much handle anything. It's true. Tourism, or life and personal and professional. Jack, thank you so much for joining us.

Thank you for the partnership with Rackspace. Look forward to continued dialogue, especially as some of these things continue to unfold in our universe and always go back for a revisit. Three years from now, we'll be like, Hey, remember, we were talking about that and now this is happening. But at least when we're thinking about it, then we can help be part of the solution.

going to go set up my Crowley:

Bill Russell: Thanks for listening to Newsday. There's a lot happening in our industry and while Newsday covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers expertly curated health IT news straight to your inbox. Sign up at thisweekhealth.com slash news.

Thanks for listening. That's all for now
