From Imprivata to Tausight with David Ting CTO and Founder
Episode 438 • 27th August 2021 • This Week Health: Conference • This Week Health
Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week in Health IT: it's not a matter of if you'll have a cyber incident, it's a matter of when and, more importantly, how do you get back to business.

Thanks for joining us on This Week in Health IT Influence. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Special thanks to our Influence show sponsors Sirius Healthcare and Health Lyrics for choosing to invest in our mission to develop the next generation of health IT leaders.

If you wanna be a part of our mission, you can become a show sponsor as well. The first step is to send an email to partner at thisweekinhealthit.com. Your response to Clip Notes has been incredible, and why wouldn't it be? You helped create it. Clip Notes is an email we send out 24 hours after each episode airs, and it has a summary of what we talked about, bullet points of the key notes in the show and for video clips.

So you can just click on those and watch different segments that our team pulls out that we think really captures the essence of the conversation. It's simple to sign up. You just go to thisweekhealth.com, click on subscribe. It's a great way for you to stay current. It's a great way for your team to stay current and a great foundation for you and your team to have conversations.

So go ahead and get signed up today. We have a special treat. We have David Ting, the Chief Technology Officer and founder of Tausight. Good morning, David. Welcome to the show. Good morning, Bill. Thank you for having me. Well, I'm looking forward to this conversation. This is actually the first time we've met, although I'm a huge user of technology that you were a part of founding at St. Joe's, you were the CTO and co-founder of Imprivata.

We had Imprivata everywhere within our environment. It was pretty much central to our singlet tap in. Clinical enterprise. So I'm really looking forward to this. I'm actually technology.

Well, thank you. Always flattered by people who say we put your system in and, uh, clinicians love it. I think that's what gives me the joy is watching friends of mine that say, oh, we put your system in and it saves me all this time. I have personal friends that are physicians that are using it. Well, I'll tell you what I.

I think we're gonna start with the current and work our way back to the past, because I think the number one question people wanna know is Tausight. So let's start there. What's the challenge that you envision that is. Sure. So I see healthcare IT systems as truly a mission critical infrastructure. And having worked in infrastructure for my entire life, one of the things I really look for is how do IT managers understand what goes on across their system?

How do they get to know what's happening on their infrastructure? How do they manage, how can they see what's going on in real time and, and how could that help them create a better system? So we chose Tausight. Tau is the Greek letter that's used in math for statistical correlation. How do you get statistical data from across your entire infrastructure to say, how consistent can I make my infrastructure?

And how precise can that be? Because that's, to me, having visibility, having insight. Having the ability to compare both in, across all your endpoints, across all your uh users, across all your apps. That's the basis for how you build true in, uh, reliable infrastructures. Infrastructures that are safe, infrastructures that can deliver the kind of performance you want and the kind of security you want.

Wow. As you're talking about that, I sort of have chills because I remember being a CIO, we had what you just described, we have 15 to 20 tools that provided a snapshot into different pieces of what was going on across the network, what was going on with our PHI, with our PII, with our, uh, EHR. So we created a dashboard that pulled all that together, but it a lot of different systems.

A learning system at, at all? Is that the direction you're heading with this? You, you basically just said my story. What I recognized was in healthcare, the clinical workflow in digital health is all around patient records. You, you count on digital records, you make it available, you make sure that the clinicians can get to it.

How do you start the defense of your system? How do you gain the visibility into the PHI, the the medical record environment, how it's used, where it's moving to, how it's secured, who's using it, what applications are using it? How do you gain that visibility across all your endpoints, across time, across your clinicians?

So you focus on securing the workflow and then transcend that to what does the technical infrastructure need to do to support that? So changing the perspective from one of purely defending and, and managing your technical infrastructure to managing what's critical in your operations, in your business is the change that we believe.

What makes it so hard? What makes healthcare data so hard and what makes healthcare so hard to secure? I mean, we just had some very public, um, challenges. So one of the things, so, um, PHI is everywhere. PHI is the basis by which healthcare runs. Healthcare is late to the digitization game. Every other industry started digitizing decades earlier.

orce that was put together in:

And one of the things that came out was healthcare, unlike the other verticals, is hyperconnected. It is basically an environment that's extremely difficult to secure because there's no physical barriers to the, the machines themselves. Your patient rooms have computers. You have computers out in the hallway.

You have machines everywhere. You have a higher endpoint to user than any other industry. You have workers that want to access that information from inside the organizational walls, to their clinics, to their home. So you have information that's going out everywhere in this decentralized healthcare delivery system.

So the thing that you can't secure is the information, where it goes, how it's being used, and PHI patient records are generated contemporaneously anytime a doctor or a nurse sits down or, or a business office puts together a note. You have PHI. PHI is not just centralized in your large EMR or your lab systems or your imaging systems.

It's everywhere. It's pervasive and it goes everywhere. So what you wanna do is to start to look at what are the systems that deal with the PHI? How can I gain visibility into finding it, locating how it's being accessed, how it's being secured, how it's being, uh, encrypted. Where's it moving to? What applications use it?

What's the integrity of the applications? Do I know every aspect of that application? Do I know the DLLs that this application's loading? Do I know what the underlying system, network connections, physical devices that are connected to all my endpoints. Hey, can I correlate all that data using AI? Can I use modern data science to correlate that data around how PHI is being used in that clinical workflow?

So you can do this without having to have teams of people scouring multiple tools trying to aggregate that view around how clinicians access their PHI. So it's a much more integrated inside out view. We call it, start with the data, start with how the clinicians use it in their workflow, and then move that down to the technical infrastructure.

So I wanna be able to tell a CIO, here's what your PHI looks like. Here's how it's encrypted, here's how it's being generated. Here's all the unsecured data that you, you might have on some endpoint. Oh, by the way, those drives that you are supposed to be encrypted. We'll verify that. So it's a zero trust model as well.

Oh, by the way, your machines might have deviations in terms of the patching level of certain apps or certain operating systems, or it might have different drivers. How do we help you, the CIO, understand the complexities without having a whole team of specialists look at multiple tools to try to correlate them back to what's really happening on my system?

So to me, it's like watching this, were a power system. I would wanna know, where's the voltage going, where's the juice? And in healthcare, to me, the juice is your digital records. It's interesting 'cause uh, as you're talking, I, I just keep having flashbacks. And I remember when one of the consultants came in and said, your approach is wrong.

You need to assume they're already in your network. And I was like, I started pushing back and, and she looked at me and she said, all right, you draw me the edge of your network. And I was at a health system. I'm sitting there going, well, it's here. And she goes, okay. What about your partners that are handling all the, the data around supply chain and potentially some payers and those kind of things?

I'm like, okay, we'll extend it around there. She goes, okay, what about your physicians that work at home? I'm like, alright, we'll extend it there. Okay. What about your medical devices that are monitoring these home-based patients and, and before long, she's like, you can't even draw the edge of your network.

How are you gonna tell me that you're gonna secure that edge? You almost have to assume they're gonna be in. She goes, what're talking about, but we didn't have great tools around. How is the data being used? Who is accessing, what device does that device have the the right to actually access a biomed device?

Mm-hmm. Or would it make absolutely no sense for.

Visibility at that level because the question you raised is, what makes healthcare so difficult is because, first of all, that edge is totally diffused. There is no hard edge. It is at every point where a clinician accesses the information. Look at, review a history, make a procedure change, make a treatment, change anytime, or create a, the note to hand off to somebody else.

New PHI's being generated. Are created. What you really need to know is how can we see that kind of movement? How can we see that level of activity and all the edge points and convey them back into a central place where you can aggregate that data and put it into one pane of glass that focuses on what are the real issues that you need to worry about, which is, and you go back to the HPE, the guidelines that they have to say, figure out how you're protecting your data.

Figure out how you're protecting your systems. Figure out how you're protecting your workflow. And if there's one thing that the cybersecurity task force worried about, it was: it's not a matter of if you'll have a cyber incident, it's a matter of when, and more importantly, how do you get back to business?

How do you continue operations knowing that everything, the, the cyber blast radius has been contained, that you know that your system is back to an operational status. Recovery in this modern world is, is as important as detection and is it as important as protecting? And so we wanna make our tools have the ability to give you visibility, help you understand what's going on, help you figure out where are my assets that I need to, to defend, figure out what's changing on my system.

Help you respond and recover. Yeah. What about the business associates? That was always one of those things that was in the back of my mind. All were doing, uh, transactions with, they're, they're taking some of the data to do work that they're doing. Is it possible to extend this kind of framework across even the business associates?

So what you brought up is the fact that your security, your edge, extends outside of your firewall. And so what you need to do is to leverage the cloud and cloud-hosted solutions that you can allow your partners to deploy. So why would I send or work with you if I can't verify that the endpoint that you're using to connect to me to handle my data is securable?

How can I allow a clinician to work at her clinic if I can't verify that her machines in her clinic, that is her property. But this connecting to my system is securable or has the integrity I need to handle my PHI or my records, and how do I extend that model? So we built our solution to be a SaaS deployed product.

Where the technology can be, the service that we drop in on the endpoints are managed out of the cloud. And so the data can be aggregated from any place where you mandate, gee, you should, you need to have this Tausight service running on your endpoint before I'll allow you to exchange data with me. So business associates, we would expect them to conform so you know what they're doing, you know how well they can secure, how PI going out there is secured or whether they have very lax policies or protection.

You're presenting at HIMSS coming up with Aaron Mary, who's been on the show a couple times. He's one of the most articulate CIOs that I've come across. He's one of the few people I, I don't send any questions ahead of time or whatever, and it's, he just.

Why is a holistic framework important for a CIO or for a health system? Because I think the complexity of the system has gotten to the point where you require so many specialists, you require so many different disparate tools. My goal is to say, how can we help build you, in healthcare, a specific tool built just for healthcare.

It's not designed to be manned by multiple user specialists, and it's focusing on what you really need to worry about, which is, how can I secure my workflow, starting with my patient records, my systems that allow the clinicians to access that data. And so you work from the data out. Manage the security of the data.

Understand where it is on all your endpoints. Understand the environment that of applications that use it, understand the privileges and use by the clinicians to say and, and understand the sessions that they connect to. So I always tell people, unlike the rest of the other industries, clinicians don't have just one machine.

They have every machine. They have access on every machine. You and I have a handful of machines that we work on. This is typical of all knowledge workers. Healthcare is totally different. They use every machine. So what you really need to do is to figure out, how do I track what that clinician actually does across multiple endpoints?

Flip the equation around. So you're looking at the perspective from the clinician's perspective, what does she do from the moment she leaves her clinic to come to my hospital? What are the machines that she uses? What are the machines she uses when she goes home? What's the total aggregate view? And today, I challenge you to find a machine, a system that can do that for you.

Be that clinician centric, be data centric. Then work from that point out to say, what's the security level? As opposed to, gee, I've got tools that monitor the endpoints on all these machines. I have no idea how to correlate them to the user. I'm gonna go to the question that, uh, you've done this before.

You were co-founder of Imprivata and the CTO as well. I'm gonna ask you the question I asked before we started the interview, which is, why not retire? I mean, co-founder of IMP did quite well, so, so why not retire? So one of the enjoyable things I had was talking to a lot of CIOs and I recognized the complexities of the healthcare system.

I recognized the line that when you've seen one healthcare system, you've seen one healthcare system. Yeah. I recognize that it is not an easy environment to secure, and it's not one where conventional tools can do the job. It's one where you need multiple tools, and Aaron and I have had many conversations about this.

We wanted to do in starting Tausight was how do we build a focus tool just for healthcare that worries about securing your clinical workflow, but taking into consideration all the other things that you'd need to do. Our goal is not replace all your tools. Our goal is to give you a better perspective and managing how you secure clinical workflow, starting with understanding where your PHI data is, how it's secured, how it's being used, where it's moving to, and the ecosystem around that PHI.

How do I defend all your applications? You know, frankly, I tell people if my Amazon music applications is compromised on my system by rogue software, I really don't care.

In a, in a healthcare setting, if there's a piece of software that's supposed to be touching PHI and it is compromised, I want to know about it immediately. If there's a system that can be compromised that will affect the availability of that machine, I need. PHI is being used and the clinicians using, I want to be alerted and I want to be able to deal with it from that perspective.

ings, WannaCry hits in May of:

And I had also European customers who got hit by WannaCry who said, we are helpless. We watched our screens turn red and we didn't even know what happened. And we went on the overhead pager and told the staff to unplug. Just power off the computers as fast as they could. To me, that was an indication that as an infrastructure, we didn't have the right tools.

We didn't have situational awareness that would give somebody alert that says, machines are running, there are processes running on our machines that you guys don't know about. There are things that are compromising the availability of the environment. We also saw tons of breaches. Applications that were exfiltrating PHI data.

Well, why couldn't you see those? How does the 80 million records slide out of a, a healthcare system sight unseen? If they were in paper records, I calculated that if every patient record weighed four ounces in a jacket, it would be couple hundred thousand pounds of, of paper you had to exfiltrate, and yet people steal them.

It's electronic. There's no mass. I wanted to, to say, how do we do this better? How do we create a better tool for healthcare? And, and the team that we recruited and are all people from the healthcare industry, they all have the same passion. And when you get a bunch of people like Aaron and, and other folks telling you, Hey, this is the right thing to do.

You go, yeah, this is newer technologies available, things that weren't available even five years ago. We talk about the advanced uses of machine learning. We talk about the power of the cloud, we talk about the analytics capabilities. We talk about IoT technology and the ability to transfer information compactly. Mostly we talk about the increase in computing power that we have on the endpoint, and the ability now to deploy AI right to the edge.

So ability to run AI right at the endpoint to do things that you couldn't do even five years ago. TensorFlow, all the technologies that we have today are just far more advanced than what we had, um, certainly five, six years ago. And so the culmination of all that basically said, you can't retire. Besides my, um, I basically sat around and my wife said, you gotta do something.

That's, that's the most common story, by the way, for serial entrepreneurs. It's like they're sitting there and, and their family's going, okay, are you ready to start the next, even if it's a lemonade stand? We did, we did the four month break and it's dead of winter. And I'm reading, I'm catching up on new technologies and I'm going, wow, this is really cool.

But the advances in machine learning, which years ago when I was in grad school, I did a lot of machine vision and now the technology and the computing power is so much more advanced. And you say, how do we deal with the shortage of cybersecurity experts? How do we imbue a lot of their intel into the machine learning algorithms?

How do we apply that so that we can do better? We can help sift out the unknown and hence the name, Tausight. Yeah. Is there a metric that scares you the most? I mean, the metric I recently heard that scares me the most about healthcare. The average time that somebody is on your network before it's recognized, it's something like 60 days or something to that effect. Actually longer than that, and the Verizon breach report will tell you that the majority of the people, CIOs, who are asked, do you know if you have an advanced persistent threat, will say, I have no idea, because I don't know what's running across all my endpoints.

And so the fact that you can have something sitting there, lurking without your knowledge, running in a privileged mode. Those are things that you need to worry about. Those are the things that will take you down. And, and that's the things that, so computer systems are incredibly complex and every endpoint has thousands of settings that can affect its performance.

It has hundreds and hundreds of processes that run now, and you cannot track that in any way, shape or form by hand. Just keeping up with what happens on one machine as updates are applied, as new software's installed, there's just no way you can sift through that 24/7 at every activity across all your endpoints, thousands of endpoints.

You multiply that and all of a sudden you are into the millions and millions of data points. And so the only way, and, and skilled teams will sift through a handful. You wanna have the ability of AI at the end points, as well as AI at the cloud to help you digest that data. So sifting through changes is what you really want to focus on.

And so it comes back to how do I keep a, a consistent system? How do I make sure my system doesn't deviate from what I believe it should have? I, I'll tell you the most common thing. We have these cyber professionals come in, they scare the, the jabbers out of you as. And then they walk out and I think the question they ask is, did we get their attention?

And what I wanted to say is, you had my attention before you walked in here. I, I'm already scared. What I want is a solution to this and not what's going on. Yeah. It's, it's kind of crazy. So you've done the co-founder thing before. Now you're the founder of Tausight. What makes it easier to do the second one?

Is it.

I think this, it starts out with, you have all the contacts, right? You have all the prior knowledge, you have all the credibility that you didn't have before. So the North American Venture Association basically actually has some statistics that reflect that the ability for an entrepreneur to succeed, where I think the is over a hundred million dollars.

It's like 18% if you, if you start out the first time. If you failed the first time and you come back and do a second time, your probability goes, your percentage of success goes up to like 21%. If you succeeded on your first attempt, your second one probability, something like 35%, your chance of success, which is substantially higher, right, than 18 or 20%, and the reasons they give for that is due to the fact that other people are more willing to help you because you had that glow.

You have the aura. And I have to tell you, the people we've met in healthcare have been tremendous. They've been very supportive. They've been willing to contribute their expertise, their time, just listening to your ideas and basically pointing out the gaps.

That I found really helpful when we came in, when Imprivata, when we went into healthcare, there were a handful of people who really helped me, who basically took me by the hand and said, you don't know much about healthcare. You might know things about security, but let me teach you what goes on really in healthcare and that experience has been really helpful.

I mean, Imprivata has been in healthcare for probably 15, 16 years at this point, and I was there for at least 12 years of that, where we understand what goes on in healthcare. We understand also the, the technology that's in healthcare. So when you combine all those two things together, you have a lot more credibility with, with the investors.

It's much easier to get started. It's much easier to recruit the team that will help you. Yeah, the money, the teams, the conversations with clients. But I, but just from the outside listening to that, one of the things that you had is, uh, a willingness to listen and to be humble. Some technologists come into healthcare.

I mean, not to call anybody out, but IBM Watson sort of comes to, to mind as I think about this, but they come into healthcare loud and proud, like, we're gonna solve all your problems. Path to success. Healthcare is willing to help you as long as you come in there and say, okay, help me to understand the world you live in, and you know, we're gonna bring our expertise to bear around that.

I think it's a partnership. I think I, I would never go into an environment where I say, I have a perfect solution for you. I'm willing to go in and say, I have a lot to learn from you. I also can show you what technology can do because of our focus. The, the fact that we put together a team that has very specialized, you know, skills in cybersecurity, machine learning, uh, uh, agent IOT designs, user, user interface designs.

We wanna help build this thing together, and I always talk about collaborative design. Our goal is to help healthcare build the tool that they need. I don't operate a hospital system, people like you do. So I'm looking for your help with, uh, your input and your help to help drive what we do. We're on the technology side.

We are deep into the nuts and bolts, but we want it to be applicable to healthcare. So what you look as, as humility is, is our willingness to learn, our willingness to try, and our willingness to ask for help. So you're focused on healthcare, but it sounds like your tool could be applied, uh, across other industries if if you really just tweak.

Cool set of investors who are focused both in healthcare, healthcare tech, as well as cybersecurity and healthcare tech, and they're basically saying. It's the common mistake for startups to say, I can boil the ocean feed and take that straw and have that narrow perspective and win in one focus market.

Yeah. And then branch out, succeed first, then branch out. Don't try to boil the ocean and say, I can succeed in pharma, in legal, in business. I go, we, that's a recipe we don't wanna follow. So you served as an appointee to HHS Cybersecurity Task Force. So that's another lens at which we look at healthcare through that regulatory government lens.

What did you learn from looking at healthcare through that lens of, of that task? It was interesting. We got briefed by all the specialists in the various verticals. The attempt at first was, why can't healthcare, as an information based business, just adopt financial services best practices? And so that was the obvious one.

Why isn't it same as energy, which has similar manu or manufacturing, precision manufacturing. Why can't it be like pharma? And what you end up with is, uh, a conclusion that healthcare is totally different than any of the other ones. It has facets of, of financial services: you have value in the information.

You have facets of manufacturing. You have facets of, uh, other critical sectors. The differences are the things that we pointed out. Higher ratio of endpoints to users, higher than any other industry. The lack of physical protection, because your systems are all out in the open. In a hospital, you can walk up to it practically, uh, a computer connected to the network.

In any patient's room these days, you can find them in the hallways. The, the fact that your clinicians work everywhere. They're not confined to the perimeter of your hospital. And then finally, they interconnected the number of physical devices that are connected to your endpoints and the number of special devices that are hooked into your network makes it an extremely challenging environment.

And so all of a sudden it was the awareness. None of the needs are being met because this is a complex problem that's not being solved using technologies and, and approaches that are used in other verticals. And so while there are commonalities from firewalls, endpoint detects, endpoint detect and respond, AV, what's different?

You, you know, David, I, I'd go one step further and say we talk about healthcare like it's one homogenous thing, but the reality is I just interviewed a health system that has 50 beds. I interview health systems that have a hundred hospitals, and so the, you have critical access. You have rural versus urban, you have access to cyber resources.

The budgets are different, the talent's different. The just implementing a framework is so different. I would think from the government standpoint, you're just looking at it going, can we just get an agreement on a framework to approach this and get adoption across healthcare? Well, that was, that was the conclusion of the first cybersecurity task force, which is adopt this cybersecurity framework as a model for how to approach securing your system.

And that starts out with inventory, all the assets that you believe are critical to your workflow. Well, if I inventoried that, it would be the, the patient records, the applications, the endpoints that you need to deliver your workflow. The second piece is figure out how they're protected.

How do you secure the data? Is it encrypted? Does it have proper access control? Are your applications secured? Who has owner and access rights to modify those? The third aspect is: track or detect and re, uh, changes in your system. Well, how are you gonna do that? You don't even know if there's a piece of rogue software sitting on your endpoint and it would take you 60 days to find it.

Is that gonna be sufficient or do you need something that's closer to real time? Yeah, if you don't have that, how do you even begin to respond to the challenges of software that gets exfiltrated, applications that get compromised, rogue software that worms its way across multiple endpoints. You need to have visibility into what's going on across your system in order for you to respond.

And then when you do get compromised and you do have an incident, how do you know you closed down all secondary potentials for secondary attacks? How do you know the first one wasn't just a ploy to deploy deeper other agents? So why does it take so long to recover after an incident? It's because you have to scrub every system to say, are there things that I didn't know about that were planted by that first wave of attack that implanted deeper agents, modified more software on my system that I didn't know about.

How do I know there wasn't something lingering? So the whole model for the framework that you talk about is how do you approach it in a systematic way? And I think the, the guidelines that are used are rigorous.

It requires a whole rethinking of how we do this as opposed to just try to secure the perimeter, just try to secure the network, which is a, to me, a good technological approach for securing the hardware and the, the systems. You really need to do to secure and, and have visibility to what's changing on your system and where's the data and what are the things that impact my workflow?

So it goes all the way back in healthcare to the clinician. What did they touch? What did they interact with? Where do they do this across all the endpoints? And do I have visibility from that perspective? And can I do this across time and across all the endpoints and, and do it in an integrated fashion?

Not trying to pull logs from multiple machines and try to do this ginormous blend and do this frankly in, in pseudo real time. None of this, gee, I had an incident. Let me go and pull the logs and see if I can sift them together. Wish you were around back when I was CIO. That's all this gray hair and this receding hairline is, is somewhat from cybersecurity.

I remember asking for you, you started with get an inventory of all your systems and I started with that and I ended up four different reports and they were all different. And I'm like, uh oh, okay. What's the single point of truth? And they're like, that's a great question. Which one of these do I believe?

I'm not really sure. And the, the numbers in, in fairness to the team, the numbers do change. We close down wings. We open up wings. There's new devices being brought online. There's, uh, devices that are in closets that get brought online from time to time. Then you have physicians who are going to their homes doing reach from homes and those kind of things.

And it is a dynamic environment. I mean, just knowing your inventory is is not easy. Exactly. So I always tell people the IT system is a living, breathing organism. It changes, it evolves. Things are added, things are removed, things are altered. It's a living, breathing beast. And, and that's how you have to look at it.

But you have to have visibility into what goes on across all these no, across all your endpoints. And you have to have it in an integrated fashion where you're not trying to sift through the data yourself. You're getting the insight. And what I wanna do is to leverage the best of ML, not in a big data kind of way, but in a very targeted manner where we take the best of cybersecurity knowledge and apply it and say, how do we take the know-how of people with cybersecurity healthcare expertise and apply it?

These things can apply to the small critical care hospitals as, as much as they can apply to a, a large IDN. I would think your, I, I would know your strategy doesn't depend on timing, but your timing would appear to be really good with the, the Scripps, Sky Lakes, uh, st large. Some of those recent attacks, I would imagine that the conversation has moved to the executive level, so there's a lot of exposure there.

Not an easy thing

everybody.

Solution like yours to the market? I would think, well, it's all about timing. We basically approach the problem not from a gee, these bad things are gonna happen. We approached it from the perspective that this industry needs a better set of tools to help manage the concerns that we talked about. And the technologies are right.

The know-how is there, the need is there, so how do we bring together a tool, a team that can build? Covid in some ways has helped sharpen our focus. It also changed the perspective in the sense that decentralized healthcare, we've had people working at home, all of a sudden we've had people getting a, I always tell the story, my two doc dental practice during Covid gets compromised, gets ransomware. I go back for my dental cleaning after he opens up, he's there cleaning my teeth. And he's like, do you know anything about ransomware by any chance? I'm going. You know how they talk to you while they're, they're doing some procedure in your mouth? And I go, yes, thumb up.

Uh, I do. And then he says, we got compromised. We're a two doc practice. Why would they attack us and ask for, for dollars? And I said, they're doing the same thing we're doing. They're working from home and they're finding every target they can find. I said, things didn't change. And so during this interval, we're a virtual company, so we basically went back to saying, okay, let's close down our office and, and focus working at home and, and, and live on Zoom like we do today.

The focus and the change in perspective from our CIOs has been, boy, do we need this even more now, as our docs are working in multiple places at their homes and their multiple, uh, offices that they might have. This is a, a changed world and as decentralized healthcare pushes care and, and clinical access further and further from centralized provider organizations out of the purview of your CIO manages the likes to manage the inside the firewall.

We're seeing this as a problem that's gonna be even larger, uh, over time. Do they scale the demands based on a. I would imagine, how much Bitcoin are you asking for at that point? He, he said I had to look up what the Bitcoin was. I had to go and empty, sign up and buy a Bitcoin, uh, with my credit card to pay these people off.

And so I said, this is awful. And I said, what happened? And he said, we had one XP machine that was used to hook up to our dental film scanner, which phoned home to get updates. I said, XP machines? He said, no. The application phoned home, left the tunnel open, and they came back in through it and compromised my entire set of machines.

I said, well, at least you figured it out. And he said, yeah, after I paid somebody to come in to clean it up, I found out how they got in, but he said, this is just like two he said. We're, we're just a tiny little suburban dental practice, and so I use that as a gauge to say how many other potential targets are out there.

How do we help them secure the fact that we left the port open? You have an application that left, that leaves a port listening for outside traffic. I mean, he said, I had no clue these applications were even running on this machine looking for updates. And I said, that's the problem you guys were dealing with.

No visibility. No visibility. So I'm gonna get, I'm gonna go off the beaten path towards the end of this interview, and, uh, someone with your experience, I, I wanna tap into, we, we have a fair amount of students who follow the podcast. And I, I, I just thought I'd throw this question in for them. When I was going to school, they used to say, learn computers, learn a programming language, that kinda stuff back in the day. What would you say to those who are really getting ready to go into school, maybe undergraduate or looking for a focus now that they're in school to, to take them into their career? If they're looking at technology at this point?

Wow. That's a, that's a good question. I mentor a lot of entrepreneurs, both in school as well as startup companies, and it's the same characteristic, but you look for, you wanna get into a field where you can leverage your entrepreneurial skills. And so to me it is about understanding. Does your school have an entrepreneurial program?

You can, you can get into, are there things that lead up to it? It could be in anything from pharma to biotech to ML data science to computers. I mean, I think we're at the beginning of, uh, a huge wave of change because of data science. I think anything has relevance in how you analyze large amounts of data.

So the benefit of what happened in, in the past 30 years is we digitized the world. Everything now is available. Everything from, you know, your, your ancestry.com, uh, record of your grandparents' immigration to some countries now digital and available. What we now have is an explosion of data and the availability of the data.

We don't have the manpower to review all that data. So data science now has all of a sudden taken, uh, a huge leap forward. And I think the ability to leverage and understanding the math, the science behind data analysis is gonna drive what we do next. That. The AI model. I hate to use the word AI because it's really an extension of just better data science and being able to see the insight from the noise of the data.

So to me, if I were going to school, I would basically team that up. I would make sure I have a good background in understanding how to analyze large amounts of data, and also couple it with the practicality of whatever other field you, you choose, whether it's engineering, science or, or medicine or even arts and literature.

I mean, I, I have a friend who's using AI to analyze pictures to see if their paintings are fraudulent or have been repainted. Uh, so there's all kinds of ways that data science is changing, how technology can apply to different fields. So do you see yourself as an entrepreneur first and, uh, technologist second? One of the ways you started the answer to that question is study entrepreneurship and, and obviously data science was a big part of that answer as well, because just the future of the next 30 plus years, we've digitized everything. The amount of data's growing so rapidly that there's just huge opportunity there, but you'd actually study entrepreneurship.

I would, I started out as a technologist. I started out working in research labs, so technology is always in my DNA. I look for new technologies I under, I try to understand how they can be applied and what's their applicability to specific problems. But if it just stops there and, and my fascination with technology, with what it can do, it doesn't apply to solving real world problems. I think the era of the large research labs is gone. I think the whole model for how technology gets ingrained into our everyday lives is through entrepreneurs that take the risk to take technology, to try to solve a problem, to solve it, and make sure that there's a business model behind it.

To me, that's how technology, uh, gets curated and pushed into the world. It's no longer going to come out of the large, large corporations that have the traditional R&D groups. I think those R&D groups are gonna leverage the output of these smaller entrepreneurs that can take advantage of new science, new approaches.

Take the risk. I always tell these kids, take a risk. Life's too short, right? I mean, you, you know it. Yeah. Well, I, I look for people who basically can say, I understand the science. I understand what could be done. Now I need to figure out how do I succeed as an entrepreneur to take that, curate it, cultivate it, and make it into something that can succeed on its own.

Otherwise, it sits on, I mean, I wrote papers and I did research and they were great as papers and articles that you can stick into a journal. It was only when I started building products for people that I go, this is what I wanna do. This is seeing the results of cool technology being put into the hands of people.

We built display systems for the first generation of CAD system. We saw digital technology applied in photography, in everything from photography to law enforcement. It was only in healthcare that I said, okay, the problem here is the workflow. How do we streamline authentication workflows? Again, it's curating the technologies to solve a problem and, and the end result of streamlining that clinical workflows, which you saw at St. Joe's. Doctors loved it. So my theme here is go out and take the risk, you know, understand how entrepreneurs work. How does that model apply? How do you take an idea? How do you formulate it? How do you test it? How do you go out and seek the funding that you need and how do you organically or inorganically grow this so that you can basically take that little idea, blow oxygen on it, and watch it glow and, and turn it into a fire, and hopefully you turn into a raging field where it is burning and you're conquering the market that you want.

That is how I believe innovation occurs. It's going to occur in the next 30 years. I'm gonna, I'm gonna close the interview with this question and it's one of those little, gimme your report on the world and all it's within it, but I, I've been asking leaders in healthcare this question and it is, what do you think the lasting impact of the pandemic on healthcare from a technology perspective will be?

I think it's the adoption and the acceptance of. It's the adoption of use of technology to do non in-person care. I think within the first week of the lockdown in Massachusetts, I had a physical scheduled where the doctor calls up and says, we could cancel this, or I can do this on a virtual. I said, why don't we do this virtually?

And we were trying to set up, he said, our organization isn't set up yet for any kind of televisit. I said, I could give you a, a Google Meet and I'm comfortable disclosing anything over the Google Meet if you want. He said, I've never done this before. So I called him on my phone to walk him through how to set up Google Meet on his end.

I sent him an invite and he, we did the physical over it. He said if IT found out, they'll say, oh, you're not allowed to use Google Meet. And I said, I will sign whatever you need to validate that I'm comfortable with this technology. 'Cause you're not sharing anything. I'm not sharing anything that's persistent to me.

That was the first of many the, the second time I had a physical, he had it all set up on his system. And I said, that's the evolution that over the first one year of Covid, we went through, it's our adoption, our acceptance. He said, oh, I'm really comfortable. I'm doing all these visits now from home and all these are quote, wellness visits anyway, so we can wait for the in-person physical until after, you know, vaccination or whatever.

d well, I'll tell you back in:

In:

eality is we could do this in:

Did things like you're talking about with the easing of restrictions. Correct. I had one CIO tell me, there was a group of doctors that said, we're never gonna do telehealth no matter what, and then Covid hit, they asked him for the technology, gave him the technology. Next thing he knew, they were quoted in an article and in the local newspaper as what a great thing telehealth was and how they appreciated how they connect with him.

He goes, that would've never happened in my lifetime if it weren't for the pandemic. And I think a lot of clinicians who had reservations about it were forced into it. Yeah. I think their adoption was basically, okay, I have no other means except to adopt this. Let me make the best of it. Thinking that it would only be three, six months maybe, and it turned out to be, what, a year and a half, two years.

And a lot of 'em still do this. It's pretty exciting. Thank you for the interview, by the way. I'm really excited with the stuff that you're doing. Hopefully you'll keep more CIOs from receding hair lines and, and gray hair by giving them that, that visibility across the entire enterprise. I think this is, this is exciting.

We're very happy with, uh, our approach and, and we'd love to share more with you later on. But, uh, thank you for your. What a great discussion. If you know of someone that might benefit from our channel, from these kinds of discussions, please forward them a note. Perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to this show.

It's, it's conference level value every week. They can subscribe on our website thisweekhealth.com, or they can go wherever you listen to podcasts. Apple, Google, Overcast, which is what I use, uh, Spotify, Stitcher, you name it. We're out there. They can find us. Go ahead, subscribe today. Send a note to someone and have them subscribe as well.

We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hillrom, Starbridge Advisors, Aruba and McAfee. Thanks for listening. That's all for now.
