This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on Newsday.

  That's why health care security is where health care security is at because we really haven't had any forcing mechanism like finance has had Sarbanes Oxley and the SEC, you know just mandating prescribing these type of or technologies or countermeasures for cyber security.

My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health. where we are dedicated to transforming healthcare, one connection at a time.  Newsday discusses the breaking news in healthcare with industry experts and 📍 we want to give a big thanks to our Newsday partners, ClearSense, HealthLink Advisors, Order, SureTest, and TauCite.

Now, let's jump right in. All right, it's Newsday, and we have a gaggle of people here today. In fact, if you're watching on, that's what I'm calling you guys, a gaggle. I'm in gallery view, and you can see all three of us. Drex DeFord, Wes Wright is here as well. Wes is sporting the Order shirt, and I appreciate that, because this is your first time on it?

It is my first first joint This Week in Health order conversation. And really this gaggle this gaggle type conversation as well.

the other thing is it's the first time Directions Forward is on as a member of the This Week Health community and president of the 229 risk and security community.

Drex, welcome to the show. Now, with the two of you, I should just be able to hang up and the two of you take over from here, I would think, but Hey, just in keeping with what we do here since Wes, this is your first time with Order on the Show. When I do a Newsday show, and it's the first time I ask you, tell us about order.

What does order do? What problem do you solve in healthcare? And oh yeah. What do people contact you for?

Yeah. And thanks for asking that question, bill. 'cause I'm really trying to change if people think about order, I want to change the perception of order. think of us in a biomedical equipment, thought phase, and yeah, we need this for security and that kind of thing. But really, bottom line is, ORDR is a connected asset visibility platform. And all those words means, I can see everything on your network. Not just your PCs and your Macs and your printers and No, but I can see all your cameras, your HVAC stuff, anything that's just operational OT tech.

I can't tell you how many Teslas we found hooked up to people's networks. Everything on the network. That's what we do we're launching a new product. It's in a field called Chasm. C A S M. Another Gartner made up kind of thing. But we can get to that kind of fidelity now in a matter of hours, so we don't even have to go in the closets anymore.

we use all the data and it's funny, CrowdStrike's a big one. We use all the data from the APIs of the tools that you're already running. And we suck all the data from them, and then we have our Border Correlation Engine in the background that dedupes everything and says, hey, CrowdStrike, you call this device this, but this other device, you call it this, and you call it this, and we in the background go, okay, here's what this device is.

So now you have this single source of truth for Everything connected to the network. So now the CISO can look in there and say, okay, how many pieces of equipment, how many devices do I have that are capable of running CrowdStrike? And how many aren't running CrowdStrike?

And that is just a click of a button. when I was in that chair, I'd have to go ask the

CrowdStrike person. That's where I was going to go with this. I remember the Coming into health care, I came from outside of health care, came into health care, and I'm like, hey, I need an inventory, which is a pretty common question outside of health care.

I need an inventory, and you get that inventory. And it's plus or minus, I don't know, half percent, 1 percent at the most. And then in health care, they're like, hey, here's your inventory. It's plus or minus 10%. I was like, Plus or minus 10%. That's a big freaking delta when you're talking that many machines.

Drex, was that your experience too back in the day? We

gotta, hey Drex, you gotta tell them about the David Grant story, man. that reported survey, dude.

So there was a when Wes and I were worked together at David Graham Medical Center when we were in the Air Force, and so there was this massive inventory.

When we showed up, there was this massive inventory discrepancy. And a lot of it was just stuff that had been thrown away or had been disposed of properly, but it hadn't been documented properly. And so just the whole idea of like, how do you find this stuff? And, The advancements that you guys have made at order that I think is pretty interesting too is I could look on my network and I could see something was that this particular IP address, but I didn't know what it was.

And it might have some signal on what it is, but it's Greek. It's I have no idea what it really is. So the engine that you guys have built that actually fingerprint all this stuff is really cool because it comes back and it actually says. It's this kind of a medical device from this manufacturer and it's running this operating system and it all like a ton of detail, right?

Which is amazing because if you have to do something to it, you actually have some inkling about how to go find it. Oh yeah,

and with the proper type of deployment with the Order Software Inventory Collector, I can tell you, Down to the patch level, what a device. And this is just clicking through. Click.

Okay,

this device This is just not fair. When I was the CIO, we used to I know, right? I feel like that old person. We used to have to walk around and go to the department and find the device and write And it

had a little tag on it, usually in the bottom or in the back of the device that had a number on it that you had to type into a spreadsheet.

I

do remember the asset tags and stuff. is a tough group. This is a short show. So this is about 20 25 minutes. That's

the bottom line. Connected asset, whole enterprise connected asset visibility in 24 hours. That's

it, Bill. That's sensational. with this group, it's easy to talk about security and with Drex on the team now. Our com news site is loaded with cybersecurity stories, so if you're interested in that, we've got a ton. I'm going to give you guys the option. We have top 10 CIO priorities. That's non security related.

We could talk about NSA. Admits to buying internet browsing data. We can talk about any of the other stories you wanna talk about which one of those has the most interest to you?

Actually I'm not that interested in any of those stories. . Alright.

Alright. What have you got? What do you wanna talk about?

We're big soapbox and the opportunity to be on here with, big soapbox thing that we've been talking about since, I think the first recorded instance was in Somewhere around there. It is the progress that we seem to be making on some kind of, and Drex doesn't like this term, but like it because everybody knows what it means. Some kind of cybersecurity meaningful use program.

that's what I'm saying is that's when I think Drex has an email to me or vice versa that we talk about, hey, this meaningful use money, it's eight or 18 something. We've got to do something from a meaningful use perspective from a security perspective because we're installing this big risk surface.

you referring to the New York law that's starting to move through? Is that's the story you want to talk about? would love to talk about that. Let's keep in mind that meaningful use is not spoken about with. endearing terms when you're walking through the halls of health care.

Let's start with why is that and what do we need to avoid? If the federal government decides to take up what New York is leading on and do this on a federal level, like what did we do wrong with Meaningful Use V1?

I think the biggest mistake that the federal government made, and Lord knows they make a lot of them, was the same kind of mistake every IT person has made at some point in their career.

it felt like the government, the federal government did meaningful use to us instead of doing it with us that's what it felt like to me. I was a level down from that. Drex CTO at the time all this stuff happened.

But that's what it felt like. One, and so I think that there's a lot of chagrin from that. And two, we were making people do stuff that they didn't want to do. Doctors didn't want to move to a digital environment or they would have done it already. there's a probably a lot of animus built up just because, that program forced people to do things they otherwise might have chosen not to do.

So I think that's why there's a lot of And a lot of people think, oh that was a big waste of money. I don't necessarily agree with that, but I think it's more the force people to do things they didn't want to do. Drex, you

look

The government put 40 5 percent EHR penetration to 95 percent EHR penetration over the next 5 years. A lot of that was the documentation piece, Wes, as you say, that doctors and other providers really hated to do because they felt like they had been turned into secretaries and they had to type all this stuff in and they were clicking hundreds of times to get through a single visit.

So all of that left a bad taste. I think there was also the situation of unintended consequences, right? We spent 40 billion, we deployed electronic health records. None of that 40 billion was designated for cyber security. And so the unintended consequence of meaningful use was As Wes talked about this attack surface expansion and suddenly all of our records are online.

They're not necessarily well protected. We used to have weeks to be able to recover from something if something bad happened and the further we got into this up until today, now we're addicted to the technology and we can't actually provide health care without that technology being available. Folks that I know who went to med school now tell me when their organizations are in the middle of a breach, The conversations are like, I feel really unsafe, right?

I've never, when I went through med school, we had electronic health records. So I don't know how to do this without They don't

know

where the prescription pad is, let alone what to do with a prescription

pad. I just had this conversation with somebody and they said we had an outage. And we didn't realize our young physicians have never been trained on paper documentation.

I'm like, yeah, that makes sense. 📍     In the ever evolving world of health IT, staying updated isn't just an option. It's essential. Welcome to This Week Health, your daily dose of news, podcasts, and expert commentary.

Designed specifically for healthcare professionals like yourself. Discover the future of health IT news with This Week Health. Our new news aggregation process brings you the most relevant, hand picked stories from the world of health IT. Curated by experts, summarized for clarity, and delivered directly to you.

No more sifting through irrelevant news, just pure, focused content to keep you informed and ahead. Don't be left behind. Start your day with insight at the intersection of technology and healthcare. This Week Health. Where information inspires innovation. Increase

📍

said, but the two things you need to remember, he goes, one is that five to 95%. He goes from that perspective, it's a success. And he said the oh gosh, I forget the other thing he said about it. But the but at the end of the day, would healthcare have gone from five to 95 percent no,

we wouldn't have.

Not without the incentives, right? the other part of this, I would say, is perfect is the enemy of good. there's been a huge amount of progress in a really short period of time, comparatively. The incentives allowed us to do that. And the things that we remember about most of our experiences are the negative part of the journey.

Not necessarily the great part of the journey or the great outcomes that have happened. We talk about unintended consequences. I talk a lot about, obviously, cybersecurity and the impact that came from meaningful use. But yeah, we have all kinds of capabilities we can't even imagine having unless providers are on our electronic health

record.

This AI

has just exploded. Without meaningful use, it would have been a dud. There would have been no healthcare participation in this AI rush without

meaningful use. Every now and then, I'll be in a conversation with a doctor, and they'll say, this technology hasn't done anything for healthcare, and I'll just say, Vioxx.

And I'll say, what are you talking about? I'm like, look Vioxx was found because somebody was analyzing the data, literally analyzing the data up in Massachusetts. And they said, look at this trend. This is a problem. Like people are going into cardiac arrest and whatever, when we give them this drug.

And that's the kind of insights. And that was a very basic level early on in the process. But that's what we get today. We can do stuff digitally with the data. I start the conversation there to say, is it the same, like if the federal government all of a sudden jumps in and says, look.

The attacks are too significant. The infrastructure is too important. We have to do a meaningful use. They will call it something else. Hopefully, they will call it something else. We have to do meaningful use for cyber security. New York is already getting there. They're essentially saying, look, we want to protect our population.

And part of that is making sure that our health systems can't get hacked. And our health systems are properly protecting the medical record and the privacy and security of the medical record. Therefore, we are going to set aside, not only are we going to require, we're going to set aside some money for those health systems who can't afford it.

Let's assume the federal government does that. you're now sitting at that table. What do you want to make sure gets heard before we sign that into legislation? So I, one of the things I can

tell you that's already happened that was announced last week was that these CPGs were announced, these standards recommended standards for cybersecurity from the federal government, from HHS.

And so those standards are out there now. There's a bunch of information. I published a bunch of stuff last week on LinkedIn about this, as did a lot of other folks. So the CPGs are out They're interesting. They're voluntary, right? And they're in a lot of cases, they're pretty basic.

And so when you think about the old meaningful use stuff, there was a requirement to do these things in your electronic health. And if you were this tall to ride the ride in phase one, you got a certain amount of money. And when you got the next couple of things done, you moved it into phase two and you got some additional money.

I don't know how the structure of this will be. And I don't think We have a day that it's going to be another 40 billion program intended for cybersecurity, but we can't agree about anything in the federal government right now. So I think there's a lot of wrestling probably around the dollars, but I think the potential exists for some kind of incentives and states like New York doing it now and the federal government may very well do it.

I think you've got to also think about making those programs very flexible because the adversary changes, threats change all of that stuff continues to evolve, and so you can't lock these things

in. can't be waterfall, it has to be agile. We have to be able to adapt. What do you get out of it?

So we're putting you at that table, Wes. That should be interesting. I'm looking forward to you sitting at that table with the senators and others that are putting this legislation together. What are you telling them?

Yeah like Drex said having the CPGs released that's super cool.

Eric and the 405D folks are really making a big push too. The one thing I would like to see the Senators not forget is out of the gate enforcement mechanism. We carry it in a stick. I think we should show the stick right at the beginning of the exercise and say if you don't meet this, then this is the stick.

to me,

That's why health care security is where health care security is at because we really haven't had any forcing mechanism like finance has had Sarbanes Oxley and the SEC, you know just mandating prescribing these type of or technologies or countermeasures for cyber security.

And if you don't follow them, you get real no kidding fines. And that kind of thing. So Senators, don't forget some kind of mechanism like that for healthcare.

I definitely see, the potential for a stick in here, the, the incentive part of it is actually just complicated in and of itself, because for a lot of organizations in the old Meaningful Use days around EHRs some are more advanced than others already.

And so there's a question, I think, over is there a means test or something about who gets dollars and who doesn't as part of this program? A stick part of it, Pretty clearly could be attached to Medicare and Medicaid claims, because for most organizations, that's, 50 percent of their claims to 90 percent of their claims could be Medicare or Medicaid claims.

And so somehow tying it into that, you must be this tall to file a claim, or you only get this percentage of a claim if you're not there, or here's an additional payment. in that claim, because you are this tall. There could be a lot, there's a lot of ways to you know, nothing against cats, but there's a lot of ways to skin the cat on that.

Oh my gosh. Or herd

them. You have to herd them before you skin them, Drex.

You guys are killing me. unfortunately, I think I'm gonna have the last word on this. get to do this more often, because Order is a partner of This Week Health, so get a couple more times to do this. would want to say, if I'm sitting across the center of Warner, I would say, look, AI and cybersecurity will be the number one driver of consolidation, M& A, and health systems going out of business in the next 10 years.

The cost of AI, the dramatic impact of operational efficiency has the ability to help and has the ability to hinder just in terms of cost. If you see the cost models that are rolling across CIOs desks right now of, Hey, it's just 50 per month per user, 50 per doctor per month, whatever kind of stuff.

And I'm just hearing these CIOs go, yeah, we need to do AI, but don't know how we do AI. I think that will drive us to economies. Cybersecurity is another one of those where they don't do it correctly, what will happen is the large organizations will take advantage of it, take the money that's given to them, and do cybersecurity well.

The others will still not be able to keep up, and we will start penalizing them, we will start doing those kind of things. The unintended consequences, you almost need to start with them. What do we want to make sure that does not happen? We don't want to close down our safety net hospitals. We don't want to close down our rural hospitals.

and we're doing this at a time where, look, I'm not saying you don't give money to the large health systems. UPMC just announced this week their first loss in 20 years the Intermountain announced a 1 percent operating margin. And if you really know the industry, that's significantly below where they have operated for a long time.

So the large health systems. From a financial standpoint, or almost at the same point, everybody else is. I don't know, I'm worried about the unintended consequences here of this. think we're smart enough to come up with the right approach to make it agile and to do all those things. But I think we need to think through the business ramifications.

last words? Maintenance

tests. think that would be good, too. Like you said, it's UPMC may not need a whole bunch. came from a loss, but they've already got a bunch of money, and so

we don't need to One loss in 20 years isn't going to kill them. that what I hear you saying?

Right,

but, that community hospital, don't have any cash to buy all this. I think there's probably some kind of means test in there, but we've got the framework from Meaningful Use. And that's the only reason I call it cybersecurity and Meaningful Use, because there is a framework out there that we can tweak.

Absolutely. Gentlemen, I'm looking forward to doing this more often. This is fantastic. I appreciate you coming on the show. Wes, thanks for coming on. Drex, always great to see you.

And it's going to be an exciting time, that's for sure.

It could be fun too. Yeah I'm sure it'll be fun if we're doing it together.

All right, that's all for now.

  Thanks for listening to Newsday. There's a lot happening in our industry and while Newsday covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers Expertly curated health IT news straight to your inbox. Sign up at thisweekealth. com slash news.

Big thanks to our Newsday sponsors and partners, ClearSense, HealthLink Advisors, Order, Shortest, and TauCite. You can learn more about these great partners at thisweekealth. com slash partners. Thanks for listening. That's all for now