Field Report: Indiana University Health with CISO Mitch Parker
Episode 224 • 13th April 2020 • This Week Health: Conference • This Week Health

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Welcome to This Week in Health IT News, where we look at the news which will impact health IT. This is another field report where we talk to the leaders from health systems on the front lines. My name is Bill Russell, healthcare CIO coach and creator of This Week in Health IT, a set of podcasts, videos, and collaboration events dedicated to developing the next generation of health leaders.

As you know, we stepped up production over the last three weeks and Sirius Healthcare has stepped up to sponsor and support This Week in Health IT. I wanna thank them for sharing our passion to capture and share the experience, stories, and wisdom of the industry during this crisis. Today, Drex DeFord conducts the field report for This Week in Health IT.

Special thanks to Drex for helping us to cover more ground during this time. If your system would like to participate in a field report, please shoot me a note. And, uh, easiest way to do that is by email bill at this week, health it com. Now onto today's report. Hey everyone, and welcome to This Week in Health IT.

I'm Drex DeFord, CI Security's chief, chief health strategist and president at Drexel Innovation Network. Today we're with Mitch Parker. Uh, Mitch is the executive director and CISO at Indiana University Health. Uh, welcome to This Week in Health IT, and thanks for being with us, Mitch. I know that you guys are crazy busy.

Thank you very much for having me, for sure. Um, I'm just gonna hit a few questions. We're gonna try to keep it short 'cause I know you gotta get right back in the ball game, but, uh, but, but let me start with, what are you seeing with regard to threat activity during the pandemic? I'll be very clear about this is that we've seen an uptick like everyone else in spear phishing attacks. Uh-huh.

That has been the major focus that we've observed. Huge amount of domains being registered to look like COVID-19. Also, we're seeing a number of attacks about fake donations and a lot of donation scammers. I've even personally been contacted by someone offering me surgical masks. I'm sure at a pretty high markup, uh, two or three times I've gotten emails like that too.

What I mean are, are you, are you getting emails from folks on the staff who are kind of saying, you know, well, what is this? Is this real or not real? Or are you just kind of blanketing everybody regularly with some updates? Well, we blanket everyone regularly. I mean, that's just what we do. Obviously we've had to up our game a little bit with what's going on, and also with a huge amount of people working from home.

But in general, I mean, just in the industry, everyone's been getting these emails, talking about how much they've been, everyone's been getting these emails and talking about how much they're just getting slammed. Yeah, with scam emails. Yeah. Yeah, for sure. Any other specific threats you're keeping an eye on?

Any other things you were thinking about or worried about? Like everyone else? I'm just worried about criminals using this, uh, as an opportunity to take advantage of threats to organizations to make their mark. Yeah. Yeah. Um, there's a lot of activity right now, a lot of stuff happening in health IT, um.

How have you been able to keep security integrated into the process? You know, how do you balance the, we have to be responsive versus we have to be secure and manage the risk. What's your, what's your approach to that? The truth is we've done a lot of work in pre-qualifying a number of solutions that we already had.

So it went to the point, and I had this discussion earlier, earlier today, about being able to pull solutions off of the shelf that we could use to say, okay. You need a solution. We have something here. This is what we recommend, this is what works. And we've had to be very flexible and cut down our time to evaluate solutions.

So it doesn't mean we don't evaluate them, it means that we do it on a much shorter timeframe, uh-huh, than we used to do. Are, are there things you leave out of the process to cut down the timeframe or you're really just brute forcing it? Pretty much brute forcing it. Mm-hmm. Because I can tell you a lot of our vendors have been very good about providing good security documentation and attestations online.

Yeah. We've been utilizing a number of those. Yeah. Yeah. So I'll give you an example. I did a contract for someone last week and we're able to cut through it because it turns out the platforms they were using were already ISO certified. So you were able to just pull that data, pull those documents down, and use those for all the reference questions that you probably would've bludgeoned them with otherwise.

Yes. And the other part of it is, is they needed to have a line in their contract about support and I was able to use the ISO certification, craft some language and got it past our lawyers and theirs. Great, fantastic. And usually that takes about a week or two to do because Well, lawyers and it took us 48 hours to get that turnaround.

That's awesome. That's terrific to hear. Hey, there's a lot of new stuff that's, um, that's been rolling out and it sounds like you're mostly trying to focus on stuff that you already have contracts with, stuff you already have in house, um, but Zoom, more personal devices. You're, you undoubtedly have pushed a bunch of people to go work at home.

How are you dealing with that? How are you dealing with all that sort of new world order of what's happening right now? I. So the big challenge was with telemedicine. Hmm. Because we have to give good guidance to people that are using these new solutions because OCR relaxed their enforcements. Right? And so we had to reiterate to people, this isn't saying, Hey, you can go use free Zoom.

This is, you've gotta enter into these relationships as if you were going to be getting a BAA with them. Not enforce if you don't have one. Not enfor, if you haven't done a third party vendor risk assessment and. We want you to anticipate getting that BAA and doing the groundwork. Just get it out on the ground now.

Mm-hmm. Mm-hmm. So we've had to provide that level of guidance. I did some work with John Lynn, put up an article on Healthcare IT Today, specifically referencing what providers needed to do. Because the first thing that happened is InfoSec Twitter lit up saying, Hey, look, OCR says you don't need security on telemedicine.

Yeah. Which was not the case. And then we were a little bit unconventional about talking about what applications can be used because realistically, there's some vendors out there that are never gonna enter into a BAA. Like I don't anticipate Signal entering into a BAA to use their app and telemedicine.

However, um, I feel a lot better about using Signal for telemedicine than I do some of the other apps out there. Yeah. Yeah. It's kind of, it's gonna be interesting to kind of see what happens as we get into this a little bit further. Um, will they continue to extend? I'll ask you, what do you think? Will they continue to extend these sort of waivers?

Or at some point will they start to set dates about now you have to come back into compliance and how will all that work? I think they're gonna set dates for coming back into compliance. They've been good about setting dates lately. Take a look, for example, at the 21st Century Cures Act Final Rule. They're gonna set dates when this is over to say, this is a date by which you need a BAA for your telemedicine solution.

However, what I think is gonna happen is that they're gonna expand the list of applications you can use to be more than just CCHIT certified. I think you're gonna start seeing more common platforms approved for telemedicine. Yeah, because there's ones out there that are pretty simple that you can use that happen to have things like HITRUST certifications, such as Microsoft Teams.

Right? Right. So I think that's where we're going. How about the work from home stuff? Is that keeping you up at night? Have you done, have you had to do anything different or interesting to support more folks at home? I think the issues with issues are not with technology as much as they are with the logistics of taking a huge workforce that has never worked from home and getting 'em to work from home in two weeks.

Yeah. What a challenge. Huh? Because, uh, because for, if you think about it, the biggest challenge we have with work from home for doctors was the second we rolled out EMRs. Because every doctor had the chart at home at nights, right? Because I remember my big challenge, remote access wasn't my last job when I was at Temple Health, they rolled out the EMR that shall not be named for outpatient.

And the next thing you know, I had 250 doctors going to be going. Hey Mitch, how do I get Citrix set up? I need to chart at nights. Yeah. And so I think for doctors, we already had it pretty well nailed down because of EMRs, but it's the rest of the workforce that isn't, is that isn't the medical staff that has to adapt, and that's where we need a lot more handholding.

However, it's out of the bag now and I don't, and I think when you take a look at costs in healthcare. If I tell any CFO out there, I can save you 20% because if I have half the staff work from home, I don't have to build real estate or I can take real estate that people are in now and repurpose it for patient care.

I. Any CFO's gonna look at you and go, are you crazy? Yeah, we're gonna work from home. Yeah. Yeah. I think it's funny. I was talking to somebody the other day and they were saying, I don't know how we're gonna get everybody to come back, how we're gonna get everybody to come back from a telemedicine world and from a work from home world.

And then that was quickly followed by, and I don't know that we want to bring them all back, you know? So thoughts about that. And that that's the truth. You take a look at where things are going. In healthcare, the curve is going between inpatient and outpatient, where in a few years we're gonna have more outpatient than inpatient, and so therefore.

You're gonna have less of a demand for inpatient space and more of an emphasis on getting people back in the community get and monitoring them at home. Right. I think this current crisis, what it's done is it's moved that time period up significantly, I'd say at least two to three years. And I think also when you take a look at what hospitals are spending on new facilities, I mean, it's a lot of money.

It's some of the most expensive property in the world, right? I mean, inpatient facilities per square foot is massively expensive. So maybe we've come up with a, another way to solve that problem. I think realistically, you have to think of it is something I learned from, uh, CISO at another institution few years ago.

You reserved the hospitals for the sickest of the sick, right? And found there ways to care for those who don't, who don't need it, don't need that full inpatient stay. And I think what's gonna end up happening is, is that we're gonna leverage IoT and we're gonna leverage hospital command center model that Hopkins pioneered, and we're gonna use that to take care of patients and it'll take care of a lot of, a lot of them and that command center model are gonna expand to outpatients.

Mm-hmm. We're gonna do a lot more monitoring for compliance at home and inpatients. That's never gonna go away, but it's going to change. We're gonna have less of it. And anyone, and I've read the reports from some of the big four firms, everyone forecasts less inpatient beds. That's gonna happen also with medical offices.

Office space is expensive. I wanna use every single solitary inch of that building for patient care to maximize those costs. Yeah. If I have someone working remotely and use that space for patient care, my revenue for square foot goes up. Yeah. If I don't have to put in for a cube farm or other office space, because again, somebody office space out there, some of my peers at academic health systems on the East Coast, that's the most expensive office space in the world you're talking about.

Definitely, definitely. The health system doesn't have the revenue of the management consulting company that's leasing space in the same building. Right, right. So, hey, uh, sorry, go ahead. Go, go ahead. I'm, oh, that's, I was gonna, I was gonna ask you, uh. Uh, real quickly about any, any best practices to other stuff that you've come up with, that you've implemented, uh, from a cyber perspective over the last few weeks that you'd like to share with, uh, folks who are listening?

I think the biggest thing you can think of is to get in place, a program to do, to do threat intel. My advice to every organization ISAC has, has free memberships. I saw you post that on the other. Yes. Yeah. Thanks. Um, any, anything I didn't ask you about that you wanna add? No, I'm, I'm good. Thank you very much.

Okay. Hey, uh, I really appreciate you being here again. I know you're super busy, crazy busy. Thanks for being on and, uh, we'll catch up with you again soon. Absolutely. Thank you so much, Drex. Have yourself a great day. You too. That's all for this show. Special thanks to our channel sponsors, VMware, StarBridge Advisors, Galen Healthcare, Health Lyrics, and Pro Talent Advisors for choosing to invest in developing the next generation of health leaders.

If you wanna support the fastest growing podcast in the health IT space, the best way to do that is to share it with a peer. Send an email, DM, whatever you do. You can also follow us on social media. Uh, you know, subscribe to our YouTube channel. There's a lot of different ways you can support us, but share it with the peer is the best.

Uh, please check back often as we'll be dropping many more shows, uh, until we flatten the curve across the country. Thanks for listening. That's all for now.
