Newsday - Security Events, HCA/Google, and Waiting Room of the Future
Episode 4101st June 2021 • This Week Health: Conference • This Week Health
00:00:00 00:49:28

Share Episode

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

 Welcome to this Week in Health It, it's Newsday. My name is Bill Russell, former Healthcare CIO for a 16 hospital system and creator of this week in Health IT at channel dedicated to keeping Health IT staff current and engaged. Today we are joined by Drexel Ford. Special thanks to Sirius Healthcare Health Lyrics and Worldwide Technology, who are our new state show sponsors for investing in our mission to develop the next generation of health IT leaders.

We set a goal for our show, and one of those goals for this year is to grow our YouTube followers. Uh, we have about 600 plus followers today on our YouTube channel. Why you might ask, because not only do we produce this show in video format, but we also produce four short video clips from each show that we do.

If you subscribe, you'll be notified when they go live. We produce, produce those clips just for you, the busy health IT professional. So go ahead and check that out. Common question I get is how do we determine who comes on this week in health it, to be honest, it started organically, it was just me inviting my peer network and after each show I would ask them, is there anyone else I should talk to?

And then the group, obviously the network group, larger and larger, and it helped us to expand our community. Of thought leaders and practitioners who could just share their, their wisdom and, and expertise with the community. But another way is that we receive emails from you saying, Hey, cover this topic.

Have this person on the show. And we really appreciate those submissions as well. You can go ahead and shoot an email to hello at this weekend, health it.com, and we'll go to the, to the entire team. We'll take a look at it, reach out to these people and, uh, see if there's a good fit to bring their knowledge and wisdom to the community as well.

Uh, we also launched today in health It a weekday daily show that is on today in health it.com. We look at one story each day and try to keep it to about 10 minutes or less. So it's really digestible. This is a great way for you to stay current. It's a great way for your team to stay current. In fact, if I were ACIO today, uh, I would have all my staff listening to today in health it so we could discuss it.

Agree with the content, disagree with the content. It is still a great way to get the conversation started, so check that out as well. Now onto today's show, today we are joined by Drex de Ford in your orange. Are you in your running outfit? What is that ? I don't know. I found it in my closet today and I was like, that's.

Probably been worn for a while, so I put it on go. I'm gonna record a show. It's gonna be for posterity. I want everyone to know that this is what I have. It's bright, it's colorful. It looks like a running outfit. Is it? It's a black diamond. The mountain climbing gear. It's layering gear. But it works great in Seattle, which we all have every, I have one of everything manufactured by anyone who has anything to do with hiking or mountain climbing.

I, I think as layering gear, the athletic sports apparel, people have targeted people over the age of 50. Stuff. So you know, I'm wearing my golf outfit that to look like an athlete. Of course I'm 15 to 20 pounds overweight, but you know, do so. And the other thing is we're both wearing our glasses showing that we're over 50.

Yeah, age is definitely a thing. Yeah. I can't tell you. We have an inside joke here at the house about the rare circumstances where we actually put on jeans or something like that. Now we refer to those as hard pants. So when I see my wife, I'm like, oh, you're wearing hard pants. Where are you going today?

Like, there must be something special going on 'cause you're not wearing athletic wear of some sort. My, my daughter showed me a commercial for extra gum. Have you seen this commercial yet? It might only be out on the internet. It's hysterical because the concept is everyone's been locked inside for a long time and people are in their, their coat with long beards and they haven't shaved and that stuff, and now people are starting to come out.

And one of the first things you're gonna need is extra gum. 'cause you're gonna get closer to people and that kind of stuff. . And you see people like breaking out into the, into the wilderness. They start sitting next to each other on park benches. Then the next thing you know, they're kissing and people break into a lobby of a new building and they, it's clearly an office building and they're kissing the ground in the office building.

I'm so happy to be back. I'm so happy to be in this marble lobby of this high rise. Building. I dunno. But it is. Yeah, it funny. And I think people feel like we're far away. I saw the number we're. Vaccinated, fully vaccinated, and I think that was the earlier this week. So yeah, I saw that nationally 50% of adults are fully vaccinated.

And, uh, in Seattle, our public health department just released a notification that said that 75% of adults in Seattle have had at least one shot. So, I mean, as you would expect, we're pretty compliant. We were one of the first cities to get hit with it, and so I think it was a. It's been a big deal for us for a very long time, and, uh, so people are very compliant here and I think before we break out the champagne and whatnot, we still have to figure out children.

Of course. I, I realize that the virus has not been as, I dunno, savage on kids under the age of 18 as it has been with older adults, but still it's a population that's at risk, even if it's a small percentage. And I, what do we have? Only one vaccine is approved for, and it's not even all the way down. It's like, uh, 12 to 18.

I don't think that's right. Mm-Hmm. . And so, yeah, we still have a, a population that's at risk that we, hopefully they'll keep making progress there and we'll see where it goes, which I hope so too. Which, which brings up we're, I mean, we're, we're getting closer to that point, and the, the conferences are, are, uh, going on.

I just recorded earlier today. I, I met with Karen Malone. Who's the head of global conferences for hims? Yeah. I don't care. We, we recorded a, uh, a real quick, what's going on? What are the preparations that are going on for HIMSS 21? And it's interesting because a, a bunch of this work they were preparing ahead of time.

They needed more room. They, they had maxed out every facility in the.

Concept. It's, it's perfect timing because now we're used to going into that exhibit hall that was, I mean, literally packed from end to the other. Yeah. And they plans spread. Make that a much, much better experience and that just lends itself well to this. And the health conference have also announced, uh mm-Hmm.

vaccination requirement. Mm-Hmm. , uh, to go to the conference. Any chance you're going to the conference? I will go to the HEMS conference this year. Yeah, we're going through a bunch of special procedures at CrowdStrike to get authorizations for travel and all of that. It's not a full blanket turn on event, so we're, we're having conversations internally about getting all of those approvals, but I absolutely believe that I will be at the HEMS conference this year.

Yeah. And I will be there as well. I have some, some sponsor commitments, so I was gonna be there anyway. I don't know. It's, I mean, it's great to see you on, on this piece of glass, but it would be nice to actually, you know, see how much weight you actually have put on. I dunno. I totally agree. I have a text group that I'm on with that are a bunch of CIOs and other friends of mine who are in health it, and I, I can't tell you how charged up that group is about going.

We refer to each other. Sort of confident, not confidential anymore. I'm gonna say it out loud as conference crashers. And so the Crashers group definitely have had a whole ramble going on about getting back to the big HIMSS conference just because, like you said, it's gonna be awesome to see your friends again.

See them in person. People can tell you that they're okay and you see them on video and they say that they're okay, but there's something about seeing a person looking 'em in the eye, and actually being able to do the check on 'em, right? And we all worry about our friends and our family. So especially when so many of our friends are spread across the country, they're not local to us.

They're people that we've met and made acquaintances with over years and years and years. So I'm looking forward to showing up and seeing as many friends as I can. I hate to pigeonhole you here, but you know, there's so many security stories. You're with CrowdStrike now. I don't like hold all these stories.

These have all really been happening over the. Of things. Obviously we had a significant VMware announcement this this past week because this show's gonna air on Tuesday. Happy Memorial Day, everybody, by the way. Yeah. The vulnerability, which was identified by VMware is a, is a pretty significant vulnerability.

So they ranked it a 9.8 out of 10, and they created a patch for it on Tuesday of last week. So it resides in vCenter server. And as we all know, a tool used for managing virtualization in large data centers. vCenter Server is used to administer VMware's, vSphere and ESXI host products, which by some rankings are the first and second most popular virtualization solutions on the market.

And one of the things that they talked about is immediately following these announcements, there's. That goes on in the internet of people looking for this vulnerability to either report on it or looking for this vulnerability to exploit it. Exploit it. Mm-hmm, . So it's a serious vulnerability. And once it gets announced.

It has to be patched very quickly. How do healthcare organizations make sure that they're patching every instance? I mean, this is in the cloud. The cloud runs on on VMware. Mm-Hmm. . VMware's sponsored too, by the way. Cloud runs on VMware data centers. It runs on VMware because it fundamentally changed how the data center operates.

It was such a, a huge. Operational benefit. So how do they make sure that all this stuff gets patched very quickly? There are, there are lots of tools out there that let you sort of explore your servers and endpoints and other devices to look for. Do you have all the lightest patches? How far behind are you, which ones are the most urgent for you to.

Engage with CrowdStrike certainly has tools like that. There are other tools like that too, but it is sort of culturally a thing that CIOs organizations have to build into their routines of you're gonna have patches now and. They're gonna come all the time. And that there are situations where you're gonna have applications or, or servers or other things where, or just situations going on with the operation of the organization where you can't apply a patch right away.

And if you can't apply a patch right away, then you have to come up with sort of mitigation for that compensating controls that lets you go ahead and protect that device or those devices as you . Sort of timeout when you're gonna put the patch on. There's a lot of testing sometimes that has to happen in these things too.

So you're absolutely right. The bad guys, the adversaries. This is absolutely an economy, right? When somebody like VMware or anyone announces that there's some kind of a, a weakness in an operating system or in an application. You may not realize that you're breached, but one of the things that if you're breached, there's somebody in there who's very quietly looking around to see if that's an exploit that they can use on you.

And if it is, they may not take advantage of it, but they, they, they may very well go to the dark web and auction that access. To somebody else who will come in and does the next part of the job. Right. It's crazy to me, the, the more, the longer I'm at CrowdStrike, the more I spend time with our threat intel team, the more shocked I am I think every day at the way adversaries work with each other as a team, as a vendor community, as a operator, community.

It's pretty amazing. I, I was talking to. I said, what do you attribute the growth of all this activity to? And without missing a beat, he said, cryptocurrency. Yeah. He said it created the economy for money to change hands. W we couldn't change hands, uh uh, untraceable money. Right, exactly. These amounts with any of the standard currencies that existed.

And cryptocurrency created an economy.

In every area, we're gonna have to think through the unintended consequences of cryptocurrency coming into the mainstream. Yeah, that's exactly what I was gonna say. Unintended consequences in everything that we do. I mean, I think that you and I have been healthcare executives for so many years that we know that every time we do something that we think is a good idea, I.

We know we're, we're positive. This is the thing that we need to do to solve a problem for a health system. That we always take a step back 'cause we've talked about this and go, now what could go wrong? Right? There's always an un unintended consequence and sometimes it's sort of unseeable. I mean, you just, who would've imagined, I'm sure somebody did imagine, but who would've imagined that

The concept of blockchain, which seemed to have so many good possibilities turned into a, uh, turned into cryptocurrency, which turned out to be the thing that allows ransomware to happen. It's, it's a great argument. I've, I've published a couple of things about it here recently, you know, tweeted a couple of things about here recently.

Yeah, it's definitely an issue. One of our standard operating procedures should be emergency patching. There's gonna be an announcement emergency. Six o'clock at night and we're gonna have to emergency patch a significant amount of our. Server. Server. So there should be an SOP around that, I would assume.

Sure. Yep. Absolutely. Have a process for that, who the teams are, have a fast track for change control. If there's some testing that needs to be done, have a process for that. I mean, it stinks, especially when. It's, uh, Memorial Day weekend, right? Or it's a holiday weekend or the weekend in general, it seems like we always wind up having something happen like that that is an emergency.

When, when's the last time you spent all night in a data center? Can you remember that last night? Last time I spent all night? Well, first of all, we don't do that anymore, right? So we don't go to the data center. I, I do. For me, it was in thousand 11. I spent the better part of. A data center. The team was trying to troubleshoot something.

I think I was more there for moral support at that point. Oh, I know, technical. Me, me too. I was, uh, I was a gopher. I remember it was a big storage array outage in the data center. And yeah, I was there for like, going to get breakfast and bring it back or a cooler of drinks or whatever I could do. Right? I mean, I just, I think that's, we've, we've had this discussion too.

It's just good leadership, right? You right. If everybody else is there, you should be there too. I mean, yeah, so it, it's, but it's a balance, right? It's a balance of solidarity from a leadership perspective. It's balance of solidarity. Hey, I'm in it with you. And hey, why does the CIO have to keep looking over our shoulder?

Or why does the leader have to keep looking over our shoulder? That's a tough balance. You really have to know your team well. You have to communicate well. Otherwise, they might feel like you're erring on the side of micromanaging them. Hey, we handle these things. We know how to do it. Or, Hey man, that's impressive that that person was there and they got us pizza and they, you know, encouraged us through the night and that kind of stuff.

It's an interesting leadership challenge. I was telling somebody about this, uh, the other day. One of the things I used to do at all Hands was the Clark Kent Award, and I would hand out glasses like Clark Kent glasses. The the reason being in most places that I've gone to. And taken over as ACIO. There are a lot of people that are working super hard, but very often they're scrambling.

I mean, they are in Superman mode all the time because something is breaking and they have to step in and fix it and get it back up and running. And that's fine except that, and I'll change my analogies here. Sometimes it turns out the firemen are also pyromaniac. They don't intend to be. It's just that they.

So busy, they never quite finish a job and that leaves behind a landmine that they're gonna step on later. That's gonna create another outage. So to switch back to my original analogy, we love people who go into Superman boat and do all that work and make sure that the organization can stay up and running as things break.

They can fix it and put it back in service. But what we really need as much as anything else, maybe more than anything else, or good old Clark Kent, who shows up to work every day. Dots, all the i's, crosses all the T's, create standard work, makes processes better, has continuous performance improvement as a way of sort of thinking about the way that they do their job.

Because when you have those people, you have very few or much less of a Superman opportunity. So Superman moment should be. The exception to the rule, not the rule. And in a lot of places I've seen Superman moments are the way that the organization works and it's just too much. It's too stressful. Yeah.

I'll give you the language that I used. 'cause when I went in as uh, CIO, uh, the last place I was ACIO, we, I essentially said we wanna do away with the superhero culture and we wanna go to more of the NASA culture. Which is, if you watch Apollo 13, it's not that there aren't heroes in that movie, but they're, they're, they work as a team.

You can't really name five people from Mission Control that brought that ship back or even landed the, the ship on the moon. But they functioned as a team. They knew what they were, their role was, and they performed that role to the best of their ability and whatnot. And every time I come in and they say, oh.

If you lose that person entire IT shop.

That's a problem. , I mean, yeah. And yeah. No, I was just gonna say, it's, it's funny that you say that because there's definitely every place again that I've ever been, I've had somebody say that about somebody in the shop. We can't look, don't lose that person. Like they don't get along with other people. But let's figure out how to give them a cube in the corner and like slide pizza, you know, under the door or whatever.

But, but we need to keep them. It usually turned out. There were lots of other problems around that individual and that when you finally decided that you were gonna rip off the bandaid and let the person go, people would pour out of the woodwork and say, oh my gosh, what took so long? That was terrible.

Tell me what I need to do. I'm happy to work overtime until we figure this out. When we get back off on our feet, from that person leaving, you get so much. Good credit, I think for doing the right thing ultimately, that it more than pays off there. There's always somebody though that's hoarding all the knowledge and they are indispensable.

And the reality is everything's connected to everything else. So the best teams. Don't have anybody who's indispensable. Yeah. They love to share knowledge. They're very transparent. They create good standard work that anybody can follow. And the power really is the collaboration, it's the teamwork. So we're gonna talk about scripts a little bit here.

Yeah. Maybe it was. I left in:

They were on diversionary procedures because they were diverting acute care cases and other cases. Two other facilities for the better part of two weeks. This story is actually from, let's see, seven days ago. So I'm not entirely sure they're through it yet. Yeah, from, from everything I hear, they're not through it yet, but they have some systems up and running again.

Now they're making progress, so that's good. This was a big deal if people weren't already await to the threat that ransomware has for health systems and larger health systems. I. Now, and you shared an article on your three x extracts. Three extracts. You're still doing three x extracts? I am. It has turned into maybe not quite three times a week, but there are still some really great stories.

We have several hundred people subscribed. I hate to just leave people hanging. So, yeah, I'll continue to do that, that project for a while and it, it's not, it's not only security stuff, so people are thinking, Hey, it's just security. Oh, sure. It's not, not by any stretch. You share a lot of different things, but you, you shared this story and I think the reason you shared the story was to talk about the takeaways more than the, the incident itself, because we don't really know enough about the incident yet to Sure.

That's to really That's right. Talk about other than it's, its ransomware and it took down a significant amount. Of the health system. So some of the key takeaways from this article were Adopt Zero Trust. So I had Vic Na, we talked Zero Trust. Why is Zero Trust important? I mean, I just think we've gotten to this point in the world of security that creating a situation where.

Everything is suspect and you need to make sure that whatever is connecting to your network or connecting to your network assets is challenged. And that for sure what it is and where it's coming from. I mean, there's, there's a lot of stuff that goes into the zero trust concept, but you know, for me it's the.

It's the two words. It's zero trust. I don't trust anything. Everything has to be challenged and and verified. And if somebody's working on really high-end important assets like your active directory or something like that, I. You don't just challenge them once. You may wanna challenge them every 30 minutes or something to make sure that you're very comfortable that this person who's doing this heavy duty stuff that could really damage your network, that this is really the person that you think they are.

So zero trust. Hugely important and, uh, a lot more to be written and a lot more to be done. Yeah. With Zero Trust, the, you know, educated employees on cyber hygiene, I have a episode coming up. We talk to the people over at Geisinger. They've been able to drop their phishing attack success rate within their organization by 50%.

What I'm hearing is that's still the number one way, is people giving up their credentials or giving, giving away their access. Through very sophisticated, sophisticated phishing attacks, but it's still the number one easy way to, to get in the front door. We think it's these really sophisticated things that people have written, but at the end of the day, you create a website that you know very similar.

It looks very similar. You send out an email, you take advantage of covid. Supply chain, whatever the hot item is of the day. That is the thing. There are brilliant technical writers who are writing , very convincing emails every day on whatever the hot topic of the day is, and sometimes it's also mined from whatever you're doing in social media if you're showing a, a real interest in something.

That can be a thing that they wind up writing an email that makes you a target of a, of a phishing scam. The one way too, I have a friend who is the CIO of healthcare organization, they have put together a program that ties a portion of managers bonuses to. The goodness or badness of their staff reacting to the phishing tests.

And so if my team is really good at it. I get the full bonus. If my team is really bad at it, I may lose that whole portion of the bonus. Now he, they haven't tied it to like a huge amount of money, but any portion of the bonus is motivating and it's created this situation where managers at the lowest level, I.

Talk every day to their staff about today might be the day for the phishing email. So make sure that you're, if you think that something's wrong, say something. And that's great culture. That's how you drive those numbers way, way down. Yeah. You, you need to create a security culture, patch, hardware and firmware.

Of course. You know, we had a pretty robust. Process for identifying hardware and firmware updates that needed to happen. I mean, the hardest area was, was biomed devices for us, because there were so many of them, and some of them you, you couldn't touch or Right. You broke. Right, right. And so we, we had to section them off the network and, and do all that.

Wonderful. And, and, and so I mean, I think that's a really good one, right? Because in healthcare there's lots of things like that. Not just it, and not just, uh, medical equipment and medical devices, but OT stuff, building operations systems and things like that. Plus we always seem to have some old application that runs on, you know, Microsoft, Bob or something that we can't quite get rid of for whatever reason.

Those things also need to be segmented too. So I will tell you the other sort of takeaway on that would be I. If you have a big flat network, and there's a lot of reasons that a lot of organizations do, you really should look very carefully about putting together a plan and a program to do segmentation and micro-segmentation because that creates another place where when a bad guy tries to move laterally, there's an opportunity that they're gonna, they're gonna trip on something and ring some bells and speed is.

That's all about catching the bad guy. If you can catch 'em quick and kick him out greatly reduces the amount of damage they can do. What direction? I, I always use security as the driver for application rationalization. I, I remember when I came in, we had like three applications that required dongles in the server, and I just sort of shook my head like, how old is that?

I, I, I, I, I don't even remember the last time we had that, but in healthcare, they exist. And we're looking at 800 applications and maybe even 50% more or whatever of instances of those applications, because you have the same application with multiple instances. It's the attack vectors too, too large, the surface is too large.

When are we in healthcare? Gonna see that? Just crunch that down to, I don't know, to, to half the number of apps. I, I almost think every health system should have as a goal to get to half the number of apps in the next five years. Yeah. I mean, in the spirit of everything is connected to everything else.

Security is also connected to everything. So if you have antiquated infrastructure. If you have a data center with older servers, if you have endpoints that have kind of aged out and you're running older operating systems on those things, the simpler you can make the environment. Like you talk about application rationalizations, fewer applications, and, and we both know having worked at big health systems, sometimes you have five applications that do almost exactly the same thing and they're just the personal preference of somebody in different departments and that

Requires you getting together and sort of clunking their heads together and say, let's pick one and kill off four. It's less maintenance, it's fewer analysts that we need to be able to manage those applications. And when we get down to one, it's much easier to secure instead of five. So you're right. It's not usually thought of as a security thing though, right?

This is where we get into sort of conversations about infrastructure upgrades and endpoint upgrades and printer upgrades and all those kinds of things. Security's a huge part of that. Simpler is easier. To secure. Yep. Absolutely. Yeah. There's a bunch of other things. They monitor applications and network for unusual behavior.

member we people. Back in, in:

And people just, I, you would think I had said something that was just completely insane because people were like, all the hands went up, like, I have a question. I have a question. How could you say that, that the cloud is so insecure and whatnot? I'm like, uh, well, because quite frankly, they're, they're just making greater investments in it than we are, and.

Better security people than we can. And, and that was my rationale is the cloud, I mean, in and of itself is no more secure than the on-prem data center. But I think it's those things. It's the investments, it is the, the sophistication of the architecture that they ramifications hacked.

All those things. I mean, so they're investing a significant amount of money to make sure that that doesn't happen. Yeah, yeah. No, I think your logic is good, right? That cloud services probably have better security than on-prem services. That's a terrible. Sort of generalization, but sort of, okay, let's just sort of say that that is probably true, especially when you compare, uh, small and mid-sized businesses who, um, maybe only have one or two IT people and they're doing their best to try to do it and security that it's probably true that, that the cloud has a, a better security posture.

But what happens in that? But, but it just doesn't guarantee anything because it doesn't guarantee anything. Because what happens in that sometimes is that you wind up with these situations like, like. Foundations and organizations that took donations, like health systems from, from donors, used to do that stuff all in house in their own local databases, and they managed the connections to those donors and they knew all about them and all those things.

A lung came Blackbaud, who took all that off their plate. Right. And it was great 'cause they could get away with a toss. Those servers, toss those analysts. They could buy software as a service in the cloud. But when Blackbaud was breached, we saw there were dozens of healthcare systems that had to report to the HHS Wall of shame and say that their data had been breached, not because their organization's network had been breached.

Because a third party vendor that they had created this deep relationship with had been breached. So it's again, unintended consequences. Back to kind of our earlier conversations, there are things that this seems like a really good idea, and honestly I think it's a much better idea than trying to, you know, do everything yourself, but.

There's things you have to think about and if you're just moving to the cloud, you're trying to move to AWS or Azure or something like that. It's a whole different set of skills than your on-premise folks have. And there's a lot of opportunities to mess that up and create a breach too. So think through it.

Yeah. Your cloud plan has to be very carefully sculpted. Yeah. We. We, I end up talking about layers with people a lot when talking about security because in, in reality, if I go to AWS, okay, they're gonna take care of these layers, but I could put a, I could put a website out there that's gonna get hacked within a week easily, right?

Because AWS doesn't protect the WordPress and above layer or whatever your content management system above layer is. They're protecting all this stuff down here and easily put a insecure application on tops. They're gonna get in and get whatever data you have out there. Yeah, I mean, I, you, you're right.

It's, there's, there's no shortage of places for humans to make a mistake that can result in a breach. And so the idea that you are relentlessly monitoring all of these things for behavior that seems ano anomalous, and then you're taking action on that becomes incredibly important. Are you, are you done talking about security?

I, I'm tired of talking about security. Sure. I know. It's like, it's what we talk about all the time. I'll tell you, I'm, I'm loving it right now. I mean, I am so immersed in it right now. It's so new to me, kind of continuing to, I learn and learn and learn every day about the stuff we are doing, and it's fascinating, but yeah, we should talk about something else.

Well, but you know, we need, we need heroes on the front lines of this. Some of the best and brightest coming out of, uh, school, coming out of the military and whatnot there. This is an, an interesting space to be in. Uh, it's, I I think it's challenging mentally. I mean, it's a constant game of chess detective work, if you like, puzzles.

I mean, it is very. Uh, meticulous, especially the threat hunters, the folks who are actually building good security programs, organizations. It's very detail oriented. Yeah. I think there are a lot of people who are really into it, and I. More and more coming. I think that's true. All right, let's hit this one because this is always interesting.

hospitals and:

Beyond that, the partnership is meant to empower physicians and nurses with deeper insights. Via 90,000 mobile devices already running software from HCAs, patient keeper and mobile heartbeat teams. It's important to note that H is not a an epic shop. They have some epic instances, but it's a very small piece of what they do.

They run the 186 hospitals primarily, I think they're the largest Meditech shop They are. They have almost their, I don't think it's almost have their own version of Meditech essentially. Essentially, yeah. And Patient Keeper was this, this system that sat on top of Meditech, which gave it a whole bunch of, of new capabilities.

And I think when things were not going the direction they wanted with patient keeper, HCA just bought it. So HCA actually owns patient keeper. Yeah, I, I remember Patient keeper, but it's been a while. It has, has been a while. Well, we were a Meditech shop at, at St. Joe's, so I looked into patient Keeper and it was pretty interesting.

So this is another one of those deals. Let me, let me read an excerpt from, let me see which article talks about this. Google and Wellc.

That's when Ascension went to Google and said, look, we wanna bring all of our records together and make it easier for our physicians and easier to do, uh, this kind of data work that's required across the system, especially in a, in a pandemic and, and with public health and whatnot. Then Mayo Clinic came out and signed a deal.

Then Providence, there was a, a period where, I mean, these deals were being signed pretty regularly, so Mayo did a deal with Google, Providence did a deal with Microsoft. And, and the big question is privacy. So HCA said Google isn't permitted to use the patient, identify identifiable information under the agreement.

Uh, Dr. Perlin said HCA patient records would be stripped of identifying information before being shared with Google data scientists, and that the hospital system would control access to the data terms of the deal weren't disclosed by May. John Halamka did a lot of speaking about how they, they were doing this at a much more sophisticated level.

Not only were they stripping the data, there was absolutely no way that Google could see a Mayo Clinic identifiable patient record, uh, but they were still getting the benefit of that. I share this story, I think it's an. I think it's a direction that we're gonna see more and more it's health systems tapping into advanced capabilities that we may not even have the ability to build onsite, even if we wanted to.

Yeah. No, I mean I, some of this too is, I. It's a good story of transparency, right? Because I think I remember when the first, uh, was it Ascension? I remember when the first story came out. Yeah. The world was horrified and everybody, bunch of, lots of people got really upset. And since then, more and more of these stories have emerged as sort of reassuring that this actually is a good idea.

And with folks like John Halamka. Telling this story, it's all about value. It's all about building things that are better for patients and families. This is the only way that we can probably really do it. We have to have these big numbers and they have to be in big computers, and we have to have super smart people looking at this and figuring out what these patterns are and.

Doing it in the cloud is, is really the only way to do it. And so I think you see more and more of that transparency and more and more of that good storytelling about why we're doing it, how it's gonna benefit the patient, which took a lot of the pressure off of, of health systems. Yeah. Well, I mean the thing that's different about Ascension, quite frankly, is they are sharing identifiable information.

The way that it was written, the access by Google is very limited in terms of them being able to actually access the record and really it's more of a technology play than anything else. Got it. So it's interesting this, but this one statement in this article sort of has me scratch in my head some consider the federal law outdated saying, and it's about essentially HIPAA saying that the pace with the technology sectors demand.

Michelle Melo, a Stanford University professor of Law and Medicine who focuses on health data privacy. I would love to have Michelle on the show because I think just I read the statement. I'm like, the federal law is outdated, saying the laws, protections kept pace with the technology sectors growing demand for patient data.

What about the patient's need for privacy? Privacy, yeah.

Tech sector. Tech sector can get access to more patient data. Yeah. Yeah. Things, you know, a lot of things have changed since some one was 99, 98. I don't remember when we got hipaa, but a lot of things have changed and undoubtedly there you, you went through it with a fine tooth comb. There's probably adjustments and changes that we should make.

I'm not arguing,

but the driver shouldn't be that. Tech organizations need access to patient data. I got I, yeah, let's, let's have Amazon, Microsoft, Google, sit, HIPAA.

Sit well with me. Let's see. Did, do you have time for one more story? Sure. Let's do it. All right. That's fine. Let's rethinking the waiting room. So I covered that earlier last week or earlier this week on the Today Show. It's an interesting concept. So Covid has essentially changed that. Well, it absolutely changed the waiting room for a period of time, right?

So safety was paramount scheduling. Uh, a lot of remote types of things. We adopted telehealth and whatnot. What do you think, I mean, let's just put on our dreaming hat, because I posted this out on social media and one of the first posts came back from Will Weeder who said, we have to eliminate the waiting room.

And that's, that's mirrored by other people in the industry who said, we need to eliminate the waiting room and everything that it stands for. But is that. Are we gonna get there? And I dream with me for like 10 years out from now. Mm-Hmm, . What, how would we minimize the waiting room? Or how would we enhance the way?

Because there's always a weight, right? So if, if my loved one is in critical care, I may have to sit somewhere in that hospital and, and wait. So we're not eliminate a waiting room. I wanna be near them and I may not be able to be in the room. So.

About when they say eliminate the waiting room, it's that waiting for the doctor and then going into the room and waiting for the I. I've now gone and I'm on the butcher paper, but I'm still waiting and I see them or seven minutes. And I think I just waited 45 minutes for a seven minute consultation.

Yeah. That's what we wanna eliminate. Yeah. What, what could that look like in a decade, do you think? Man, I, this is one of those things that, for me, as a Toyota production systems guy, the waste of weight is one of the seven deadly wastes. Right? The waste of weight is, I mean, it, it upsets the apple cart all over the place.

And what it means is that. If you have people waiting, queuing for a piece of work to be done, that the system that you've built. Has inefficiencies. And so there's always going to be, I think you're right, there are always going to be waiting rooms for folks who are, who are waiting for a surgery to happen to a patient and they are, they just wanna be at the hospital.

I. In case you know something terrible or great happens, they just wanna be close by that. That isn't the kind of waiting room that I think we're talking about. That's kind of a whatever. Circling an orbit. Waiting, waiting for a patient, something to happen to a patient. The waiting room you're talking about is exactly that.

Will you be able to show up just the nick as soon as you walk in? Somebody's there to greet you, take you right into the. The information that you have to fill out on paper today is done before you arrive. You only do it once. You don't do it every time you show up for your appointment. If you've done it in another part of the organization, that information is available to that appointment.

So that, that, just that one part, hugely maddening part for all of us, if that could go away, would be a huge win. But if you could get people to go right into the right, into the doctor's office, the doctor's waiting for you. She does. The exam asks you the questions. Helps you make sure that you've got your prescriptions, they know where your prescriptions are going.

They send them off, automatically ordered, so you can pick 'em up on your way home or maybe on your way out, depending on the, the, the way that the care facility is designed. I mean, I, those are the kinds of things that to me would be, that would be a huge win. Just walk right in and walk right in. Not have to stand around and wait for something.

David.

Will, will the home. I forget what the post was, but it was essentially at your doorstep. At your doorstep. Yeah. Yeah. So, so you saw that and and my comment to that was it, it depends whose time we're trying to save here. And I, I sort of like, I've own a a Tesla for a while now and it amazes me the amount of work they can do in my driveway.

They actually come out and fix my car in the driveway. Now there are some things where I've called in and said, Hey, I've got this problem. And they'll say, yeah, you gotta bring that one in. And, and, and I liken that to sort of healthcare and say, is there a situation where via telehealth we can say that's this, go to this location which has a, a less of a weight and it's more designed for this, or, sure that's this and you go over here, or you know what?

Stay in your house. You know, we're gonna, we'll either send you medications or we'll send you a person who's gonna come out and just do a basic blood pressure check. Grab your lab, grab your lab, take it with them, right? Instead of you coming in for this, well, where's your office? I'll meet you in the office.

Yeah. And your software updates for your Tesla is almost like the wellness person calling you regularly and making sure that . Have you been checking your blood pressure and or all the, all the stuff that you're supposed to do? It's kind of interesting. Yeah. Well, one of the most fascinating stories I read this year was Firefly Health raised a bunch more money.

Mm-Hmm. . And it's, Jonathan Bush's a new thing and actually, uh, somebody else is the CEO, but he's, he's chairman and he

talking about how on average. The clinician saw the patient within the Firefly Health system that they've designed, which is to eliminate all this waste that exists A 60, I think it was on average, 65 times last year, and I've said that to a couple people and they're like, what? Why would you see a physician or whatever, 65 times?

I'm like, well, first of all, it's not a physician. It's not always a physician by your healthcare provider. 65 times. Exactly. It could been an email becomes a have. I just don't, I don't think to call my health system or my doctor or whatever. I just go to Google , doctor, Google, and with, and with this, however, they've set it up within Firefly Health, and I'll have to have them on the show to have a conversation around this.

However they set it up, it's easy enough to just reach out and pinging a healthcare professional or a nutritionist or someone to that effect and say, Hey, I'm walking through the aisles. I'm thinking of buying this. I have diabetes. Is this a problem? , that's a touch. I mean, that's a touch with healthcare professional rather than I.

A day. So , but Google sends you to a hundred different places. These guys actually, it sounds like have a model of coordinated care. So I mean, just imagine if you were in the grocery store and just texting somebody that question and they were responding to you like it was your sister, the dietician, or your

Or your brother, the nurse, and you could trust it that much. That would be when dreaming, right? Yeah. An ideal world. That would be the situation that you would want people that you know are on your team to keep you in the game, keep you healthy and out pain. That would be ideal. It'd be awesome. Abso. Drex.

It's always fun to talk to you. I never know where we're gonna go with the conversation. I don't either, but, uh, I really appreciate you having me on. It's always a good time. Yeah, it's fantastic. What a great discussion. If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note.

Perhaps your team, your staff. I know if I were ACIO today, I would have every one of my team members listening to this show. It's, it's conference level value every week. They can subscribe on our website this week, health.com, or they can go wherever you listen to podcasts. Apple, Google, overcast, which is what I use, uh, Spotify, Stitcher, you name it.

We're out there. They can find us. Go ahead, subscribe today, send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hillrom, Starbridge advisors, Aruba and McAfee.

Thanks for listening. That's all for now.

Chapters

Video

More from YouTube