Vik Nagjee discusses Zero Trust for Health IT
Episode 1082nd August 2019 • This Week Health: Conference • This Week Health
00:00:00 00:41:36

Share Episode

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

 Welcome to this week at Health It influence where we discuss the influence of technology on health with the people who are making it happen. My name is Bill Russell, recovering healthcare, c i o, and creator of this week in health. It a set of podcasts and videos. . Dedicated to developing the next generation of health IT leaders.

This podcast is brought to you by health lyrics. You know, professional athletes hire coaches for every aspect of their life to ensure top performance. Healthcare technology is much more important, let yet many leaders choose to go it alone. Uh, you don't have to contact health lyrics today for a free discussion about how a coach might help you.

Visit health lyrics.com to schedule your free consultation. If you wanna support the fastest growing podcast in the health IT space, here are five easy ways. You can do it. You can share it with the peer, you can share our social media posts, you can follow our social accounts, LinkedIn, Twitter, YouTube.

Send me feedback. I love your feedback, bill at this week, health it.com. And, uh, you can subscribe to our newsletter on the website. Uh, one last thing before we get to our guest. Uh, we have two new services to tell you about. The, uh, the first one is really answering the question of, do you have anyone who is investing in your career?

Um, but what if I were to tell you that industry leaders have been amassing great insights to share with you on a weekly basis? . For the last 18 months, we launched this week Health, uh, insights just for those who want to progress in their career. Here's what it is. It's a short snippet from the show, uh, where the CIOs, C M o, CMIOs CEOs and others, uh, share some great insight.

And then I come back on at the end and answer the question of, so what, turning it from a, a thought exercise to something that you can apply in your, uh, life in your career today. Visit this week, health.com/insights and sign up today to receive two insights a week designed to help you progress in your career.

Uh, you know, I'm really excited. I'm gonna announce another service and, uh, you know, this is a, this, this service is actually a result of a conversation I've been having with, uh, a couple of CIOs. And I said, you know, we have all this great content. How can we use it, uh, to further our mission to develop the next generation of health IT leaders?

And they said, uh, you know what would be great if we had something to kick off staff meetings, either their staff meetings or to give to their directors, uh, to kick off their staff meetings that would, that would facilitate conversation and expose people to new thoughts and ideas. And, uh, after a discussion I said, Hey, what if we did, almost similar to what I just said, you know, we take, uh, these short snippets from these, uh, from insights from the show over the last 18 months and we, uh, produce maybe a three minute video.

And we provide the, the, the, uh, the leaders of the staff meeting with, uh, a couple of questions that will just get the conversation started. And they said, man, that would be great. Why don't you produce that? And so, um, so I'm really excited that we're gonna be launching this in the next two weeks. This is actually a pre-announcement.

I'm gonna give you a U R L anyway, it's not, you can't get to it from our site navigation, but if you go to this week, health.com/staff meeting you or, and your staff can start to sign up today. And what you'll receive is a, uh, a staff meeting email once a week that will have a five minute video and a couple of questions that can expose your team to some new thinking and, uh, uh, really get the conversation started with those questions.

Uh, I hope you enjoy it. I'm really excited to launch it and, uh, love your feedback on it as we get going. Uh, okay. Today I am joined by returning guest, Vic Naji, head of Managed services for Sirius Computer. Uh, we spoke at HIMSS and I received such great back feedback from our listeners. . Uh, from you that I reached out to him to have him back on the show.

I hope you enjoy our conversation. Good morning, Zach, and welcome to the show. Good morning, Bella. Thanks for having me. Well, you know, the, the last time was, uh, very well received and it was a, we just completely geeked out, talked about infrastructure, talked about cloud, talked about microservices, and, uh, and it seems like, uh, the, the audience wants to hear more about that.

So I'm, I'm looking forward to it. Um, so what kind of, what kind of things are you working on? Are you working on anything interesting right now? Yes, I am actually. And thanks for having me back. I just wanted to, Point of clarification. Um, I am responsible for the technology for our managed services group.

Uh, we have a, we have a, a, a corporate c t o. Great guy, Chris Ervo. You should reach out to him and have a chat with him at some point. But just wanted to make that point of clarification. So I spend, I spend my time swift between the managed services group and our healthcare team. We have, we have a, we have a few good things cooking at the moment.

Um, my interest in focus, bill, as you know, as as you said, we geeked out, uh, is very specifically around infrastructure and the impact of infrastructure and technology on sort of this, this next generation of healthcare, uh, around being able to drive. You know, uh, digital innovations and improvements in quality care and drive the prices down of healthcare and improve, uh, all sorts of sort of patient experience, physician experience, and so on.

So, um, I take all of those things and try to figure out, you know, how do we, how do we create a good baseline? And for me, sort of, it all comes back to the infrastructure, right? Because, you know, we have this whole bag of things that we've, that we've had and we've been carrying along and we've bring along with us, you know, our E H R or all of these other applications.

We can't just say goodbye to those. So we to, you know, take care of those and we have to have an eye to the infrastructure is really the glue. Brings everything together for me. That's great. So, uh, c t o of the managed services side, and you're, you're also, uh, focused in on, on healthcare. So I, you know, I'm not trying to get you in trouble with the rest of the organization, so managed services, so you have, um, Uh, you, you have a service that you guys are offering to healthcare.

Uh, at what levels are, are you doing, uh, application outsourcing, you doing just infrastructure outsourcing? You doing, uh, you know, what, what kind of managed services, uh, in, in terms of the stack are you doing? Yeah, it, it's a really, really interesting space to be in, you know, especially in healthcare, right?

So, . I'll, I'll describe to you a couple different things that we're doing and that we have been doing for years and years and years across various industries and, and, and, uh, and, and, uh, focus areas. So we, we are very good with infrastructure and so we've been doing things like managing place, hosted infrastructure, uh, for, for several years.

In fact, our pedigree and our background, and we still, the, the biggest part of our business at the moment is around, uh, is around the mainframe. So a lot of financial sector, uh, clients, et cetera. And so we, we come in and we provide these. We also provide hosting services as you, as you would imagine. But what we do in healthcare is a little bit different, right?

Because healthcare, you really have to understand kind of your ecosystem , uh, I know everybody says Yeah, well, you know, it's just another, it's just another vertical, but it really, it's not, uh, um, and, and so what I, what I qualify there is that we sort of offer a platform, it's infrastructure as a service or application as a service or application.

It's, uh, PAs because at the end of the day, it's the best, um, uh, uh, technology and infrastructure that you wanna deploy for your environment, uh, and all of the care and feeding that goes with that, including lifecycle management, refreshing, making sure your performance, uh, uh, metrics are met or exceeded.

So on. So, so, so that's what we have and we have a very unique, um, uh, value proposition specifically for clients that are, uh, uh, that are Epic customers. So customers that are running Epic. And, you know, given my background and, and sort of my continued relationship with Epic, um, what we've done is we've created a, uh, a platform as a service offering that contains, you know, let's just say it's a five year term.

Over those five years. Essentially what the client ends up getting is that they can say, I don't care about what goes in. I don't care about how it's run. I just want you to guarantee the outcomes, true outcomes for me, performance and availability, and that's it. And so what we do is we take that and we take all the best practices from Epic and we create this very nice bespoke environment for the client that can run in client's data centers to maximize their existing investment.

Or it could run somewhere else. It doesn't matter. Like if you don't like your data center, I'm happy to run it somewhere else. But here's the beauty of it. It's a five-year term that then gets turned into a very utility cloud-like model. And I know some people don't like that term cloud-like, but I'm gonna use it anyways.

It's a very utility model, which basically says, look, we are going to turn this into a K P I That matches very nicely to what your Epic environment is, which is essentially how many concurrent users per hour you have. So what we're gonna end up doing is we're gonna turn this into a model that says, this is your price per user per hour for the next five years, and it's flat and it's fixed.

So if you do m and a right, and you go out and you acquire a new hospital and bring them in and you have to add a thousand net new users, you know exactly what that's gonna cost you from an OPEX standpoint, and we take care of all of the care and feeding the upgrades, the refreshes, et cetera, et cetera.

So that's what, you know, that's, that's one area of what we're building out and then there's a whole bunch of other, other things. Cool. So, uh, you know, our topics for today are gonna be infrastructure and security. Um, it's interesting to me that you, you say, you know, people still don't like the utility cloud, uh, kind of model.

Um, uh, you know, why, why is that? Do people just don't understand it, or is it too, uh, I, I, I don't understand why people are still, uh, balking on cloud at this point, or at least the terminology. Well, so there's two different things, right? So there's the cloud thing and then there's the utility thing. And I think the utility thing is, is sort of easier to grasp, uh, in terms of why there's, there's still a little bit of friction.

I think it all comes back to the legacy, uh, or, or, or the, the really, the legacy way that we have gone, gone about financing things within healthcare. So you talk to, you know, 10 CFOs, they're, it, it's a good chance in healthcare, it's a good chance that a lot of them, eight, nine of them would say that they're budgeting process is still very CapEx oriented.

Right. And so to shift from there to an opex basis on the basis of how, of how the IT department is funded. It is a process. It's a journey. It's happening. It's just not that easy today to say, I'm gonna take all these capital intensive dollars that I've been spending over the years, and instead turn this into a very operational, you know, uh, uh, uh, focus.

Now what's driving that and what's driving it to be easier is not the cloud conversation, but it's the cloud-like conversation for your own data center and for your infrastructure and applications, simply because there are applications out there. I'm not gonna name any names, . There are applications out there that very closely hug Moore's Law, which basically says that as you keep this application going and you do your upgrades like regular, you know, on a regular basis every year or every year and a half, you are going to have to refresh your infrastructure roughly every 18 to 24 months.

And that's a big lift and you're not gonna get any residual value out of it. So what's the point in capitalizing? It just doesn't make any sense. So that is what's driving a lot of these conversations today and, and, and that then allows us to be really good stewards for the client. Say, Hey, let's look at what else might.

In the cloud world with all the awesome stuff the hyperscalers are doing. Like look at Dr. Cosgrove, right? He goes up there, he goes, and he's an advisor with Google. He talks about all these amazing things that can happen, but there's a gap, right? There's a gap between where we are today and where we can get to, and that's, that's what I really want to dedicate the next part of my career to, is like helping people.

Close that gap and get there. Yeah. It's, it's interesting when, when, I think part of the challenge is when we talk about cloud, we, we talk about it like it's one thing and it's, it's not, you know, there's, uh, there's application as a service. You have your, your workdays and your, uh, and, and your office 360 fives and other things.

You have, uh, platform as a service. You have your Azure out there, you have your a w s. You have, uh, infrastructure as a service, which is, you know, again, another completely different model. And, uh, you know, when you talk about, uh, Dr. Cosgrove and, and some of the things that Google and Amazon and the services that you can get, you have a whole set of suite of services that are out there that you need to tap into.

And if, if you are gonna tap into them, you need to do things with your data to get there. And we sort of talk about 'em like they're the. You know, it's, it's cloud, it's in this one bucket, but that one bucket is, is five different things. It's like healthcare. When we talk about healthcare, like it's one monolithic thing and it's not.

It's, uh, as I'm fond of saying, you know, healthcare is a hundred businesses tied up into one umbrella called healthcare. And that's what makes it so complex. People think, well, why can't we get healthcare? Right? Well get what? Right? I mean, get, uh, you know, Dentistry, right. Get, uh, orthopedics right. Get, um, you know, get labor and delivery, right?

Each one has their own workflow. Each one has their own complexity. Each one has their own set of technologies. Uh, and it has some similarities, but for the most part, it is a hundred different businesses under one umbrella. And I think that's what, what, what makes cloud a little, uh, confusing to people. I agree with you in terms of the financial model.

Um, I, I've, I've had conversations with CFOs and they look at it and they go, um, You know, it, it doesn't look like I'm saving money. And it's like, well, it depends what you're trying to do. If you're trying to save money, we can put models together that save you money. But at the end of the day, if you're trying to do apples to apples, Hey, this is what we're doing today in our internal environment, and this is we're gonna do the same thing in our external environment, then yeah, you're not gonna save money.

You, you need to really rethink and re-architect how you're gonna do things, which is where, how we get to you. You're, you're an architect. You, you look at things and, and you try to. Rethink how healthcare does 'em today. So, um, you know, I sent you a list of a couple topics. We're gonna start with security 'cause security's foundational to everything.

You came back to me and said, uh, you know, you'd like to talk about Zero Trust. Help give us a baseline. Help us to understand what Zero trust is, and we'll go from there. Yeah. So it's really, it's a really, I think it's a really exciting time to be, be in. He, every year is an exciting time to be in healthcare, really

Um, but, but what's really special about now is that what I've seen, and, and I saw this at the, at the Cleveland Clinic, right where I served as the interim c t o last year, uh, where the CISO there, uh, gentleman by the name of Bogar, he came over from Blue Cross Blue Shield, right? So we're seeing some CISOs come into healthcare from external fields.

They come in and they look at the state of the state and they're like, oh my goodness, what is going on here? Right. We're, we're flat, we're wide open. Okay. From a, from a, from a network perspective, from an onboarding perspective, and there's a good reason why we got there. So, so they come in and it's not just Bogar, there's like a bunch of other people that are, that are in, in the same, in the same shoes.

this thing has existed since:

And and the basic, the premise is super simple. Never trust, always verify, and the story, right? You bring something on to the network and if it doesn't meet or exceed certain criteria, It's completely black hole. It's put away to the side where you could go do something with it. Now let's just think about that for a second, right?

Without getting into the technologies of how that happens, the knacks, the micro-segmentation, any of that stuff. Let's just think about the impact on healthcare. So we have an environment which has. Are on the network, and then it has internet of things, and then it has internet of medical things. So these are things that are attached to other things which are attached to people, right?

So you can't take and start black polling these things and then you're gonna impact patient care. You're gonna impact a bunch of stuff. So what's been the easiest over the last, you know, five, six years as these internet of things or internet of medical things have just exploded within healthcare. He is, and, and I don't mean to offend anybody, I'm guilty of this as well, is the head in the sand approach, right?

To say, look, we've had this a certain way for so long, let's just keep going and let's keep protecting the perimeter. If we protect the perimeter well enough, you know, we should be fine. Right? Then there's all of this theory, which is all real. I mean, these are, these are actual studies, right? That show that your perimeter defense is pretty much not worth anything these days, right?

If you talk to Wes Wright, right from Imprivata, great guy, good friend of mine, he'll tell you that the perimeter is you, right? The person, the individual is the perimeter. And that's really where we need to get to. Um, and so, so you start looking at this whole thing, it's like, okay, how do you bring this concept of zero trust, which has a, a, a capability maturity model That's way beyond anything that we have in healthcare organizations today.

How do you bring this whole trust, never trust, always verify approach to healthcare. So that's where we kind of find ourselves today. Is that, yeah. No, that's great. So that's a, that's a, that's a overview in terms of, um, You know, always or never trust, always verify, uh, is, is, uh, is the framework. And then you end up with a, a, a core set of technologies underneath that, that support that.

Uh, it's interesting because for, for a while there, uh, let's call it, uh, in the two thousands, um, you know, we were all, we were all trying to simplify our networks. And that's, you know, one of the things we talk about is simplification of the architecture. And we were all trying to simplify our networks, which meant, you know, flattening 'em out, making 'em easier.

And then security professionals would come in and look at us and go, What'd you do, ? Well, we simplified the, simplified the network. They're like, oh, don't simplify the network. You just simplified it for everybody, including the people who are coming in . Um, so, uh, and, and so this, this does take us sort of, uh, you know, we do wanna build some complexity in here.

We want build micro-segmentation around, uh, especially around key resources. Uh, we wanna log things, we wanna track those things. Give us an idea of what. The technology stack might look like around zero trust. Yeah. So I, I, I will, I will say something here that I, I, I think that instead of saying that we want to build complexity, I think what we want to build is frameworks and some rigor is what we want to build rather than building complexity.

And, and you're absolutely right. There's two approaches, right? So the one approach is like, oh my goodness, I need to rush out and make this. So super secure. Uh, and, and, and the risk there obviously is a, you've just made your most valuable asset, which is your network, which everything resides on and runs on.

Uh, very fragile. And then b is, as you're doing this, you're most likely going to spend a lot of money doing it, and you're very likely that you're going to end up breaking, you know, breaking things to the point where now it's more open than it was before. So we'll leave that aside. But I think that, and, and, and so this is, so this is really the key in the heart of it, right?

So there are frameworks that exist that tell you some technologies, as you mentioned, that. Uh, in that ecosystem, right? So it all starts from the network and we'll just step through some of these simplistically, right? And then I'll talk a little bit about how I feel organizations ought to go about this.

Um, so at the heart of the network, there's sort of a control plane, right, which is called many different things. A lot of folks call 'em a NAC network access control, which basically ease the brains of the network that tell you what should and shouldn't be on the network. And then what is the network?

Then there's a definition of the network. And the network, instead of being this one flat, wide, open thing, ought to be in this model, ought to be, uh, different segments or containers that have liked things in each container. Right? And the whole principle is, is that you have designed your entire environment.

To say that like things can talk to like things, when there's conversations that have to happen across those containers, then there's a very well-defined protocol and process and path that's followed across those containers. That's essentially micro-segmentation, right? So the NAC decides what is on and off the network.

So it's basically the authoritative measure that says, I ain't going to go in and enforce. Any policies that are put in place, the containers themselves are part of a micro-segmentation policy. And then you can then start to say, okay, I am going to now expand the, the layers of the onion, if you will, and go out towards more towards the perimeter and then start working with things like next generation firewalls to say, I, I'm going to dynamically write rules and rewrite rules as I need to when I start to see behavior that's occurring within my environment that I don't expect to occur.

So it's a very dynamic process, self-learning, self-healing type process with the trick really being that I need to be able to have a very good, uh, understanding across the environment to say what is, uh, what's normal, what is expected? How do I bring assets onto my environment? How do they connect to the network and, and, and where do they sit within the network?

And on and on and on and on. So there's like a lot of hygiene related things that you have. So before I hand it back to one here is. , and this is another reason why I decided to sort of start focusing on this whole Zero trust aspect, right? A is because I think that it's absolutely wonderful. I think we absolutely need it, and the time's, right?

Because the technologies exist to us to do that. B and again, I'm not gonna name any names, . There are, there are several, um, several organizations out there. That are very focused on going out and having healthcare provider organizations spend a significant amount of time and resources and they hand them sort of a, a, a document, which is this fat right.

Big book that says, this is what zero trust means, and this is what your world should look like. See you later. And they leave. Right? And that really bugs me. That bugs me because that's like not helping anybody, right? So, so what we wanna do is we wanna say, okay, let's just understand this. Let's create this in concentric circles.

Let's really figure out what the, what the, the, the highest risk area in terms of cybersecurity is in your environment. And let's go address. The risks there by, by totally implementing zero trust for that particular area and then starting concentric circles and go out and it's actionable. It's something you can actually see and feel.

Right. And the one more thing I'll tell you there and then I'll hand it back to you, is that as we start going further out and, and Zero Trust is getting big in healthcare now, there's like, as of last count, there's 19 startups in this particular space focused on zero trust in healthcare that are now going and taking up all of the available bandwidth for CISOs and CTOs and healthcare provider organizations.

And saying, Hey, pick me. Pick me. Right? And then the challenge is that they go in and they say, I'm gonna do A P O C, right? And the p o C is around being able to do discovery, and they discover that there's 40 infusion pumps that are massively critically vulnerable. And they turn that into a report and give it to the CISO and the CISO's like, what do I do with this now?

I have no processes in place. I have nothing to deal with. How do I actually take and do something with this? So stop the p o c. Let me go. Let me go figure out how to fix this and then we'll come back. There's another sort of semi head in the sand approach. Well, there's so much to jump off of. Um, I'm gonna try to keep us on, uh, track there.

I mean, the, the fact that yes, there are , there are a gillion, uh, security plays out in healthcare right now and uh, and I was noticing that. You know, 7, 6, 7 years ago that there was a, a just growing number and that number is just shooting through the roof. Part of that is there, it is. Uh, well part of that is the need for it.

Uh, second is there's always money to be made whenever there's fear, uncertainty, and doubt. Uh, third is the board has finally come around to the need for security. And so they're pushing things that they don't necessarily understand. Some do. Uh, typically there's one, uh, security conscious person on the board who has a technology background and they say, okay, you're, you're the person we trust on security.

Um, I've been in those board meetings where really you're talking to one person even though there's 10 people in the room, uh, talking about security. 'cause there's only one person that's really grasping some of the things you're talking about. Um, but let's, let's jump back. Uh, I wanna stay on zero trust real quick.

The, uh, you know, west Wright would say identity is new perimeter. And because, you know, your people are, your, your, um, your, your biggest vulnerability, it's your biggest attack vector. If you have, you know, 30,000 employees scattered around the world, uh, that's, that's the attack vector that they're going to use.

So if identity is new perimeter, Then it becomes important. Part of zero trust is, uh, looking at activity across the wire. So it's logging and it's actively monitoring the, the things that are going across the wire and then, um, dynamically changing your network and whatnot based on what's going across the wire, because we know that, uh, you know that.

And again, that's your biggest vulnerability. Uh, when I had, uh, pen testing and, and those kind of things, uh, in, in our environment, I always allowed them to do social engineering. And invariably we had a lot of really good things set up across the board. And social engineering, we failed every time because people just hand over their security credentials.

So, uh, talk to us about how Zero trust addresses, uh, identity and the per, uh, the, you know, as the perimeter, uh, for securing individuals accessing your, uh, environment. Yeah. That, that's a, that's . Absolutely. Um, I, I'm gonna defer back to this really great model that I've seen, um, where, where the Mayo Clinic is actually working on this model.

They've talked about this publicly, uh, so I, I feel fine talking about this a little bit, but essentially what they're doing is that they're putting, they don't call it the Zero Trust framework, but it is the Zero Trust framework, and they're working towards this, across their entire enterprise. So they have like this list of.

Um, things, right? Uh, people is one of those things. Uh, then there's, you know, end user devices. There's medical, uh, devices, there's all sorts of other stuff, uh, on the server store, et cetera. There's all these things which are essentially assets or sources, right? Um, and what they're doing is that they're putting together this entire framework that includes identity access management.

Im a very robust p k I process to make sure that. Systems are authoritatively allowed or disallowed on the network and on the environment, uh, from onboarding to offboarding, the entire life cycle of, of those systems. Um, and uh, and, and then there's, you know, there's a few other, there's a few other areas there that they've sort of brought together.

So bottom line really is, is that, you know, as you said, I think the biggest place for us to start, I think that there's two things that come together. One is discovery. Right. You have to know what's on your network and, and you, and there's a lot of tools out there that help you with discovery. Some are better than others.

Um, but essentially just pick a path, figure out how you're gonna do this discovery. However, you also have to do the second thing hand in glove. And this was part of one of your questions sort of. Into there is around I T S M, right? The whole concept of being able to bring and build your C M D B and be able to say, okay, what does my source of truth look like?

I have many sources of records. I need to be able to build a source of truth, and it cannot be static. It's just like your network, it's a living, bringing thing, so you need to keep it. Keep it reconciled. You need to be able to say, here are all my cis, here are the attributes for each of these cis. And every time something changes in my environment, I have some process.

So I might have a, a holding tank to say, oh look, I've noticed some differences based on my C M D B, what's going on? Then I have a process to go reconcile it and say, okay, these things were added to the whole old iMac process. Right. Um, and, and you say, okay, I have been able to find these things. I've added them, some have been moved, some of them removed, some of them changed, whatever.

And then reconcile your C MDB on a, on an ongoing fashion. And where those two come together is the ongoing discovery of what's on my network, which is the authoritative, sort of without any question as to what is on my network. And your C M D V sort of bring in both of these things together to help you be able to build out now a zero trust framework.

To even know where to start, like how do you build these containers and what belongs in each of these containers? Yeah. The, uh, to, to be honest with you, , where does it start? It starts back further and when you said the word C M D B, you lost half our listeners. And the reason we lost half their listeners, it's not that they don't know what A C M D B is.

But, um, I don't know what your experience was, is as you go out there and talk to healthcare organizations, but, uh, at best, their C M B B is dated. Uh, at worst it doesn't exist. And, uh, I would say, uh, you know, that's been a majority. A majority either don't have one. Uh, it's bad data. They haven't really figured it out.

They haven't kept it up to date. Um, And so if you're gonna start by saying, Hey, your C M B B needs to be accurate, and that's gonna be the source of truth for what's on your network, they're gonna look at you and go, uh, all right, well we got a lot of work to go to do before we even start this. Mm-hmm.

this project. Um, so what is it, what are we talking about? I mean, how long does it take from the time you go in there and you sort of do an analysis and say, okay, we've, we've got a lot work to do. Uh, till they're, they feel fairly secure about what they have. So there's, so go back to your question, right. I, I, I would venture a guess that a vast majority, like 80%, 90%, either don't have one or have one that's been, that's super dated, right?

There are a few, again, on the basis of Yeah. CTOs and CIOs coming in from different . Verticals different, you know, different parts of the world, different parts of our world, uh, or outside of our world that have sort of been working on this hygiene of C M D V on the basis of it T SS m. Right. So ITIL and IT T S M is something that is getting more and more prevalent.

So we have a starting point, at least across many organizations. I mean, how many organizations have gone out, for example, and bought ServiceNow? Right. And what are they doing with it? Well, they're doing very rudimentary service desk at the moment. But the investment that they've made, even if they've invested in I T S M, the investment that they've made is significantly beyond in terms of value compared to what they're using it for.

So the good news there is, is that there's an investment that we can sort of take advantage of Now to your second question. It's a long process, man. It's not, it's not something that somebody's gonna go in and be like, here you go. There are ways to do it. Again, this is part of the simplicity thing that I believe in, right?

There are ways to do it to get some quicker, more immediate results, but that is going to, you're just gonna shoot yourself in your foot over and over again. It's like a, it's like my six year old running around, you know, the outside with a fork in his hand. It's like, no, please don't do that. That's just not idea.

And so, so it, you know, it's like, okay, how do we go about this in a methodical fashion? Right? And this is, again, part of the thing, bill that really drives me nuts is that you have. Vendors, OEMs, ISVs, all coming at, you know, the CIOs, the CTOs, the CISOs and saying, Hey, my thing's the best thing. Even though their thing might be the best thing.

It's like this small little thing in this big picture, right? So my thing's the best, I have the best knack. What am I gonna do with the NAC if I don't have a good process to understand A, what's on my network and B catalog thing? Right, right. And so, so it's a journey, you know, and, and we could go back and forth on this 'cause, you know, there's, there's people that are coming in and they essentially say, Hey, there's a technology solution to your problem.

Just go ahead and get ServiceNow. Then there's people who come in and go, Hey, if you just do ITIL across the board, you're gonna be in good shape. I've seen people get wrapped around the axle on itil, uh, over and over again. Um, And, uh, you know, you have people coming. I mean, there's a lot of different ways that people will come at healthcare and say, Hey, if you get the, if you build out an act, you're in good shape.

If you build out ServiceNow, you're in good shape. If you build out the cmdv, you're in good shape. And each one of those is a component of it. Um, but here's, here's the other reality. As much as boards are saying, Hey, this is important, they're not funding it. Um, and I'll, I'll say it so you don't have to say it, but they're not funding it.

You know, so they put ServiceNow in and they, and they allocate one person to it. Oh, we put this technology and we put one person around it. It's like, no, no, that's not a one person project. That's like a, that's like an entire IT project, and you have to pull in a lot of resources and so that the price tag keeps going up, and then eventually you're sitting in front of people going, well, what did we really get for ServiceNow?

It's a great tool. By the way, I'm, I'm not knocking ServiceNow. I think it's a phenomenal tool. It's an expensive tool and it's an expensive tool to run. Uh, you know, it's not just one person, it's multiple people and it's, there's multiple modules and things that it can do. So if you're gonna get the most out, it's a lot like, um, uh, uh, like salesforce.com.

Healthcare organizations go out and get salesforce.com and they think, oh, we got salesforce.com, we've got the best marketing tool in the world. Well great. Now you have to like put 10 people around it so that you can actually get something out of it. And they go, what do you mean 10 people? That's ongoing cost of X and y and plus it's the cloud.

I'm paying for it every year, every month, every year. So that becomes very expensive. And that's how people are sort of looking at, uh, ServiceNow. They're saying, what have I gotten for this? It seems like the cost keeps going up. Um, so if ServiceNow isn't integrated into a, I don't want this to be about ServiceNow, it's, it's more about, um, our, we're not funding this, right.

And we're not thinking about the funding. Right. It's number one. But the second question I want to ask you is, how much is enough? I mean, 'cause you and I both know if, uh, we had a five tier, uh, model for security that we were measuring and we were shooting for the third level. We weren't shooting for five.

'cause five was like n s a kind of, we're gonna keep 'em out. And we just looked at the price tag and said, uh, no Moss, we can't do it. We can't do it and still be a healthcare organization. Um, one you had to get off of one. 'cause one was like, Hey, come on in . Um, and, uh, you know, it, there was actually, to be honest with you, there were some areas we were looking at for.

But for the most part, we were, we were happy with getting to three, knowing full well that there was, there was still some risk in, in terms of vulnerability. So how much do we spend, how much do we ask for? And how much, you know, should we buy ServiceNow if we know we can't put the people behind it? Yeah.

Uh, again, you know, like, just like you, I, I think ServiceNow is a fantastic, fantastic platform. It has a lot of amazing capabilities, but. But it's one of those where you're exactly right. It's just not been, it's been funded like a project. Right. And it was funded like a project and you bring, bring it on, and then you get stuck with it and fine.

So, so there's a couple different things that I've seen, right? So, so I really think, and then this goes back to the days when I was on, you know, and part of an o e em, right? So I had to figure out who was, you know, who's, what are my personas? Who am I going after? How am I gonna actually sell value for this particular thing?

And the, the, the, the fud aspect of it is one part of it, but there's the reality of it is that, look, our, our world is just turned upside down on the basis of this Internet of Things thing. Let's not even talk about five G. 'cause when that gets here, that's like, we're gonna get quadruple turned around, right?

Because people haven't even started thinking about what all is possible. Simply because it's just such a concept at the moment, and as soon as it becomes real, man, I'm telling you this is gonna take off. Right. Um, but you know, it's just, it's about, it's about sort of getting a little bit more, uh, basic and a little bit simpler.

So from a funding standpoint, you're absolutely correct. I think the way to do this is, number one, is to have a very good low barrier to entry from a consulting perspective to. This is the end goal. The end goal is you're gonna get a lot more secure, but guess what? There's gonna be a lot of really good things along the way.

For example, for your C F O and your C O O, You're gonna get a really good handle and daily, weekly, monthly reports on utilization for these very expensive assets that you have deployed. Are you interested? Absolutely. I'm interested, right? And can I move some of my scanners from this locale to this locale simply on the basis of utilization and, and you just get that as part of this whole thing, right?

So that's one aspect. The other aspect is around obviously the security thing, but there's a really good amount of hygiene along the way. I mean, you can wrap this around so many different ways, right? Around clinical variation management, around clinical utilization, and say, where are my IV pumps? I can go down into B L E and R F I D.

I can do all this sorts of stuff. But it comes down to what is the journey and what is the process, and how can I take bite-sized chunks out this. This is why a lot of things fail. It's like somebody comes in, bill and says, here you go. This is where you need to get to, and this is the price tag. You know, some of them will say, here's where you need to get to see you later.

The others will say, here's where you need to get to. Here's the price tag to do all of this. We've gotta be a little bit more realistic, right? Because remember, we have to keep the lights on. Keeping the lights on costs us X amount of money per month and per year. So we've gotta, you know, slowly build on this.

That's why, again, it's, it's a journey. But you're absolutely right. It's not just one thing and it's gotta have a mindset. You need to have at least one executive champion. 'cause you cannot be talking, I mean, the directors are mostly on board. They get it, they get that this is the right thing to do, but they're like, dude, how can I look?

I have this budget, I have to keep the lights on. Where am I? You know, what am I gonna do? So this has to be an executive sponsorship and a multi-month, if not multi-year journey. To get there. Yeah. And you, you do realize, like the, the next episode I'll have somebody on who's gonna say, Hey, this is the thing that healthcare absolutely needs to do,

And then the next episode, I'm gonna have somebody go on this is, you know, uh, you know, around data, around, um, around E M R optimization, around, I mean, there's so many, this is the challenge of being a c I O. It's, it's prioritizing these things to say all. Uh, you know, what, what can we do and what, uh, what can we do?

We're, we're actually at our half hour limit. Here's what I'm gonna do with you. What I'm, I've started to do, which is I'm gonna close up the show. I'm gonna keep asking you questions. We're gonna record 'em and put 'em out on our, uh, YouTube channel. Um, Just because our listeners have asked me to try to keep it close to 30 minutes, you and I could talk for another hour and we're probably gonna talk for another half hour.

So we'll see what we can do here. Uh, so you know, Vic, thanks for coming on the show. Um, again, great discussion. Anything you wanna leave our listeners with a way to follow you or, or something to that effect? Yeah, I'm on, uh, uh, I'm on LinkedIn. Please find me on LinkedIn. Uh, I'm on Twitter. Uh, we'll, we'll provide the handle over to Bill so that he can actually bill you have it.

Um, and, uh, you know, I, I just think that simplicity is key. I think we just want to make sure that we always go back to. Simplifying our environment so that we can continue to drive these innovations in data or digital or what have you. Thanks for having me, bill. Yeah, and we're gonna, that's the questions I'm gonna ask you after I close up here about, uh, experience as a service and simplifying the architecture.

But we'll come back there in a, in a couple seconds. So, uh, please come back every Friday for more great interviews with influencers. And don't forget, every Tuesday we take a look at the news. Which is impacting health it. This shows a production of this week in Health It. For more great content, you can check out our website at this week, health it.com, or the YouTube channel at this week in health it com slash video.

Thanks for listening. That's all for now.

Chapters

Video

More from YouTube