Newsday - Senators Sound the Alarm on Privacy, Will HIPAA Finally be Updated?
Episode 173 • 15th August 2022 • This Week Health: Newsroom • This Week Health
Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

Because we're really good now at taking pieces and parts of data from lots of different places and putting them into a separate database and sometimes that's in the cloud, you can have even more juicy, delicious data problems because you've taken data out of systems and put 'em together into something that you wanna do analytics on. And so that can be super valuable to the bad guys.

It's Newsday. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, a channel dedicated to keeping health IT staff current and engaged. Special thanks to CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst who are our Newsday show sponsors for investing in our mission to develop the next generation of health leaders.

All right. It's Newsday. And today we are joined by Drex DeFord. Drex, welcome back. Thank you. How's it going? Welcome back to the show and welcome back to the country.

Yeah. Thanks.

You just got back from a vacation. You're one of my, he friends. You do that kind of vacation where you actually you're healthier when you get back from the vacation than when you went out. So to get,

yeah. Yeah. We'll, we'll see. Right. I mean, it was a trip to Switzerland, so there was a lot of hiking and I mean, it was really sort of mostly based around hiking, but honestly, by the end of it, it became a lot based around the eating and the drinkings. So I'm not sure I came back healthier. I maybe I broke even which could be a goal just generally for vacation.

Well, just outta curiosity, we'll get to the news. There's a lot of interesting. Just outta curiosity. I don't even know what the stereotypes are. So Switzerland, chocolate, chocolate Swiss cheese.

Oh, cheese, cheese and chocolate.

Yeah. Yeah. Right. And wine really. There's some really great wine too. So, and beer really good beer actually.

Is there any protein in Switzerland? That's the question?

There's some great. There's some good beef. Yeah, good meat. And cause the cheese comes from the cows and then eventually it's good. The food was actually amazing. I don't think they're generally known for like great food, but for somebody like me who is a very. Basic food, drinking person. It was perfect.

I was gonna say if all you had was wine, cheese and chocolate you're gonna be one of those healthy guys who like just falls over someday. people are gonna be like, I don't know. He did like 30,000 steps a day. Just.

Yeah, he seemed perfectly fine.

n July four things to know in:

We could also talk about that. Number three, IT research and consulting firm Gartner said current tech expenses will be driven by an anticipated 806 billion in spending on software, up 10% from last year. That's a big number. Gartner also said it expects spending on new servers by cloud providers to grow.

Wow, 16.6%. And they build out as they build out capacity in data centers. And experts say they do not expect a large decline in IT budgets, but say cloud computing is one of the few areas where IT spending is expected to outpace 2021. Which one of those topics sort of hit you that as a topic you wanna talk about?

So, I mean, I think just the general purpose growth in cloud and healthcare, right? In a couple of different versions. One is certainly the software as a service part of this, like buying your software, but not kind of in the old fashioned way of buying the licenses and installing amount of server on premise and then offering 'em up to your end users, but buying more of a subscription kind of service.

And we've been going down that path in healthcare, I think for a while, more and more and more as we become more, we, we more aggressively embrace digital health and digital other things, business operations and research operations. We've been going down that path, but I see more and more organizations too, that are actually starting.

If they're doing sort of development. Software applications or business intelligence kinds of things themselves. They're actually going to the cloud expanding their capabilities in the cloud. So they're going to AWS or Azure or other places and Google and and building out those services.

All of which is super interesting because it's from a CrowdStrike perspective, it's one of the places where we see. Organizations making a lot of mistakes mostly in configuration misconfigurations of the cloud that can cause some pretty serious breaches because it's just accidental stuff, but it can still leave you open.

Yeah. Cloud security is an interesting conversation, not necessarily in this article itself, but really understanding your data. Where your data resides, what kind of data, where it's moving around? I find most health systems don't really have a great handle on their PHI.

Some of it might be sitting over here in SharePoint. Some of it might be sitting over here and that kind of stuff, some of it might be in business associates and not being monitored and that kind of stuff. So that becomes an area. That whole idea of in motion at rest knowing how your data is moving around.

So, I mean, that's, that's a little concerning. I think we need some really good cloud architects and cloud security architects. I think those are two. Different titles. Now, if I thought about it, of people that are coming together to really architect the environment and then architect the security around that environment.

Yeah, for sure. The other part of this too. That's kind of interesting that you. Touched on there is this issue of third party risk management. And I just I'm actually will pretty short, we publish a blog on that, but it's the idea of the other supply chain problem, right? We normally think of health systems having.

There are centers of gravity around data that really needs to be protected in the operational systems like the EHR or supply chain system or a research system or something like that. But because we're really good now at sort of taking pieces and parts of data from lots of different places and putting them into a separate database, and sometimes that's in the cloud, you can have even more juicy, delicious data problems because you've taken data out of systems and put 'em together into something that you wanna do analytics on. And so that can be super valuable to the bad guys. Not only that, but when it comes to third parties. Yeah. A lot of our data now, either software as a service, or if you think back to a few years ago, the Blackbaud breach, data that winds up going into a third party application. And then when that third party is breached, you wind up having to report to the Health and Human Services wall of shame, because it was your data that was breached, even though it really had nothing to do with your network being breached. These are all challenges to your point about where is all of our data and who, who actually has their hands on it. And a lot of surprises for a lot of health systems when those third party breaches occur.

Yeah. Let's, let's talk about this phrase though. Experts say they do not expect a large decline in IT budgets. It used to be when we entered a recession and we could still argue that point. We don't need to much there's there's a decline in the economy.

how I come into healthcare in:

It's end of life, the vendor vendors saying we no longer support this stuff. And when it's 85%, you have to walk back into the board and go that money we didn't spend during the decline. We gotta spend it all. Like now I, I need and for us it was like a hundred million or so,

And you create this terrible sine wave of investment that happens over time too, cuz you have to spend a hundred million this year and then for the next three years you don't need to spend anything and then you need to spend a hundred million dollars again. Right. And it's like CFOs hate that unpredictability. They love. I wanna spend the same amount money every year. So I can like do all of my float, all my bonds and do all the stuff that I wanna do in a very predictable way.

I've been quoted as saying I like downturns. I like downturns cuz it gets us out of the. The steady rhythm of just spending money, spending money, spending money. And it gets us to focus in and to create efficiencies, right efficiencies, where they didn't exist before. So we look at automation in different areas that we looked at 'em before, and we look at ways to make our secure cybersecurity staff more effective than they've been before.

The answer isn't always, Hey, let's add five people cuz you can't continue to add five people, but in an economic downturn, there's just a hard. Right. So you're not gonna go above that. And so it creates creativity. How I describe it to people is some of the most creative people in the world are those people who, say a whole sentence on a license plate, right?

You read it and you just laugh. You're like, oh my gosh, they communicated so much with six letters. How did they do that? But the, but those boundaries are what really give us a, it really spurs our creativity. It's like, Hey, here's your parameters. Now go be as effective as you possibly can within those parameters.

So I'm kind of surprised. They say they don't expect spending to decrease. I hope it doesn't increase much or decreased much. In healthcare, I'm concerned that it will decrease at some health systems and that that'll put 'em behind the April.

Yeah. I I'm a Toyota lean production guy, as from across my career. And this idea of scarcity forces innovation to happen is a real thing. And maybe in some of these cases, the innovation that happens. Includes technology investments. And maybe that's why the budgets kind of wind up balancing out. They're gonna spend less in general.

They're gonna make fewer investments in general, but they're really gonna focus their investments. And it turns out more of those will be in technology than in other places. I don't know. I'm just guessing.

We'll get back to our show in just a bit. I'd love to have you join us next Thursday for our webinar, Don't Pay the Ransom. Cyber threats are mounting everywhere, especially in healthcare leaders. Thomas Jefferson University Health, as well as St. Luke's University Health System and Rubrik are gonna join us to discuss solutions around protecting all healthcare data, even Epic in operations on Azure. This webinar will be on Thursday, August 18th at 1:00 PM Eastern time. You can register now at thisweekhealth.com or by clicking on the registration link in the description below. Now back to our show.

All right. Next article, Senators sound the alarm on privacy, call for HIPAA update. The risks to patients in a post Roe v. Wade world demand new protections. They say calling on HHS to amend the privacy rule, to ensure that information cannot be shared with law enforcement agencies targeting individuals who seek an abortion. To be honest with you, maybe that's the catalytic event, but HIPAA needed to be looked at didn't.

Yeah. I mean, I think it's a look, there's a lot of stuff that's happened since when did HIPAA come into existence? It must have been, I dunno, oh my gosh. Late nineties or something like that. Yeah. And, and there's been some updates along the way, but like most things the amount of technology capabilities that exist today that I invade.

Maybe the wrong word create opportunities for you to lose privacy have just expanded astronomically. And so they're probably, I mean, I'm, I'm totally with you. I think we've gotta look at HIPAA and I think that's why you see not just calls to review HIPAA, but you see. Many states on their own creating their own additional privacy rules because HIPAA doesn't go far enough or other privacy legislation doesn't go far enough nationally.

And so they start to do this on their own. It makes it really difficult for health systems, right? Because when you operate across states and now you have to comply with HIPAA, but you also have to comply with the California law and the New York law and the Texas law and GDPR it this whole privacy thing gets really messy, really.

Yeah. And in:

I think we need to come together and say how much protection should the, they had it. This is where GDPR came from. They had it in Europe, they had this debate and this conversation. And now we see GDPR. I think it's time for us to have this same conversation. I don't, I actually, I don't, I'm not sure what's holding it up.

Yeah. I think that there's always a There's always a contingent. I think of lobbyists that from the privacy perspective one group pulls one way and one group pulls the other and often that's what holds up the show. So yeah, that would be my guess

All right. Let's see, I love this. You sent me these links back and because you sent 'em back to me, they have all sorts of security on 'em. So I can't like click on them. This is great. Next article, how health systems CIOs are overcoming IT staffing challenges. Are you seeing because we covered, I don't know if it was you and I covered this story or not, but we saw a story on cybersecurity professionals leaving the profession and really struggling to keep those staff current. Are you seeing this the staffing be a significant C.

I think the staffing continues to be a challenge just because it feels like as you look into the future, there's never gonna be enough cybersecurity pros to cover the openings that exist in organizations, but there's also the same sense of burnout that I think a lot of nurses and doctors feel right now about just nobody cares about me. And I don't see any light at the end of the tunnel, and I need to make a change in my life. There are a lot of cybersecurity pros who are also having that same sort of feeling right now.

And I would just say, hang in there. I think it can get better over time, but I know a lot of folks are struggling with that. And then it's interesting to have conversations with health systems across the country around one of the things that I know that you talk to CIOs a lot about, and that is the models around.

Remote workers or do you need to be here or what are the models that are used and the way that's sort of opened up health systems to be able to hire people together, otherwise wouldn't be able to hire, but at the same time, it's created a situation where the guy who wants to live in Flint, Michigan, because his family is there.

Yeah. And he doesn't wanna move. He doesn't wanna go anywhere else that person's now sort of. Has a whole new way to grow their career that they didn't have before the pandemic in a lot of, in a lot of ways.

Let's talk about compensation. Let's talk about adjusting compensation. This is a conversation I tend to have with CIOs a lot, and they'll say to me HR doesn't understand what it costs to hire a cyber professional today, or they don't understand this, or they don't understand how inflation is changing people's expectation.

And regardless of the work remote work local, I really wanna focus on compensation. How do you work with HR to get those salaries adjusted to the point where you are competitive in the market?

There's some good tools that your HR folks can use that let you benchmark salaries across your region or your state or your locality that gives you some place to start. But then the follow on conversation is, do we wanna be below the benchmark? Do we need to be above the benchmark? Do we need to be at the 75th percentile or the 25th percentile? They're interested also in not creating this inflation. A role of salaries, but you know, on the other side of that is.

There aren't enough people to go around. We're gonna have to pay a good salary to be able to get them here. I have, I've definitely had CIOs tell me that they've hired CISOs, that they're paying more than they're paying themselves. Because that's the environment that we're in today. So working with your HR folks,

I'm getting re-certified as a CISO, seems to be the, the job that is in the highest demand right now. And you can see it also in the CHIME CISO bootcamps. There's a lot of, lot of people going into those things. It's interesting. The first question is when's the last time you benchmarked when I'm talking to a CIO and they're like, Hey HR, we have these ranges and it's just, I, I can't hire people at this range.

I go, all right. So let's start with when's the last time you did the benchmark and sometimes I'll hear, well, it was five years ago. Well, if it was five years ago, you need to run your benchmarks a little, a little more often than five years ago, cuz clearly the cost for people has changed based on what's going on.

That's one number two. I always tell people you have to drive a strong relationship. Your HR department, period. I mean, you just, it cannot be, it can never become adversarial and I've seen it become adversarial, cuz it's like they don't wanna redo these things and I can't hire and they they're.

You just have to put all that aside there. How can we work together? How can we get around this? I've seen people rewrite jobs job descriptions in order to increase the the value of the job or actually stack jobs, which is not. Not my favorite, cuz you end up putting an awful lot on one person, but essentially they'll say, Hey, if I bring these two jobs together, this one makes 75 and this one makes 75.

Can I pay somebody 110? And they look at 'em and go, yeah, if you're gonna eliminate two jobs and hire one, that's one way to do it as well. There's a lot of different strategies, but what it really requires is a good working relationship with HR to to look through it. I don't think there's a problem on the entry level side. Do you.

I think that if you're, if you want to do the work around. Bringing in, and this is we also have this conversation all the time. Do you find somebody who has the right attitude and the right willingness to learn and kind of has the right basic skill set and you can kind of teach them your way and teach them the stuff you wanna know.

If you wanna go down that pathway. Then I think there are a lot of folks who want to learn, especially cybersecurity, but technology in general. But it does take a lot of work to do that as opposed to hiring a sort of a full up round individual who knows what they're doing. Those people are harder to find. On the other hand, they cost more and they're more in demand. So the guarantee they're gonna stay with you longer period of time. That's probably the downside of.

Yeah. So this is a good article. If you get a chance to look at it, how health systems CIOs are overcoming IT staffing challenges. You have Ed McCallister, CIO for UPMC, who's never been on the show, by the way. If anyone knows Ed, tell him he needs to come on the show. I mean, I know, I know Ed, I could reach out to him, but just

would love to have one the show. This is a really good article. I mean, all of those CIOs have different. Approaches and different recommendations. So it's a, it's a good piece of work to look at it. Just see if you're doing these things.

Yeah. It's a good cross section. You have UPMC Pittsburgh. You have Philadelphia, you have West Virginia, Cincinnati, Olathe, Kansas, Columbus, Ohio. Well, Columbus, Ohio is an interesting one. We're not gonna talk about it in this show, but the OhioHealth essentially outsourcing their IT organization to Accenture was a topic for last week's show. I'm gonna, I'm gonna spare you that, cuz we only have like two minutes and let's end on something a little more fun. I, you're killing me with this these security links you sent back to me, this cracks me up.

Oh no. Which one are you trying to get to? I'm trying to remember the stories

I got it. Top 25 women leaders in health tech. Here you go. And I sort of wanna talk about this. We know some of these people so digital health and health tech companies it has the top 25. So when you see these lists from Becker's or whatever, I mean, what's your first thought when you see these lists? Not specifically on women, but it has. The top 100 CIOs to know. And when I found myself on that list I sort of looked at it at one point and went, why am I on this list? I mean, they have no idea who I am, no one's ever called me or talked to me or whatever. And it's based primarily on the system.

Yeah, man. Whew. I could probably get myself in trouble here. But there's definitely a clickbait, I think, aspect to these things. Just sort of generally speaking. When I see my name on a list, I'm going to repost this along with the I'm honored and this is a really cool list and it's humbling to be in.

Group of this group appears and those kinds of things. And so people who know me on LinkedIn are gonna click on the list and look for their names too. And so I think that gets a lot of the stuff that advertisers really like. Yeah. And so they publish a lot of these kinds of lists. I don't know necessarily the value there except. If you're new to the industry and you just are trying to figure out who's who sometimes those can be really good lists. So,

We're not gonna talk about the whole diversity equity inclusion. Let's talk specifically about women in health IT and not necessarily health tech and let's acknowledge right from the start as two white guys. Middle-aged white guys talking about this. But you know, I was really encouraged. I had an event earlier this year. I was really encouraged that of the 13 people that were there, seven of 'em were women, healthcare CIOs. I'm not sure that represents a trend though, because I'm doing some additional events and they're the ratio of female CIOs to male CIOs is still significantly tilted it's almost, I, I mean, I can't even come up with the number, but it's gotta be one to 10 10 to one kind of ratio still at this point. I'm not sure why that is anymore. I at one point we could make the case. There weren't enough STEM graduates, but I don't think the CIO role is a STEM role anymore. And so I'm I'm a little curious as to why that's still the case. And will we see more of the CIO roles be filled by women moving forward?

Yeah, I'm curious too. I mean, I can tell you that there are way more women, way more minorities than. Probably ever before, when I think back to my very early first days of going to conferences like CHIME and there was maybe two women in the whole room that's changed pretty drastically.

I think the rolling out electronic health records and doing other things like that have also created a lot of opportunities for more women, dominated professions in healthcare, like nursing for those nurses to bridge over to EHR jobs, and then eventually into technology, leadership jobs like CIO gigs, but it's still not, I mean, it's just not enough.

It's still really imbalanced and you. You're right. We just, I think still have a ton of work to do. And I think the women that I've worked with and helped mentor that have grown into these, some of these jobs. Are terrific people. Terrific sort of representatives heroes to to others.

And I hope that continues to sort of draw in more and more women into the field. It's we, we definitely need that. The growth expansion and diversity, and some

of them might be looking just past health IT. To be honest, I'm looking at some of these top 25 that they have listed here. Head of operations, chief operating officers, chief operating officers, chief medical officers research, head of scientific research, head of corporate strategy. Some of them might just be looking past and going, why would I stop in health IT? There's for sure really cool startup thing that's going on.

And I could be at the cutting edge of really transforming aspects of healthcare as we move forward. So yeah. Yeah, Drex, it's always a pleasure to catch up with you. I really appreciate the conversation. Appreciate the time. Thank you.

Same here. Great to see you. Hope our paths cross in person soon.

Absolutely.

What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, I would have every one of my team members listening to show just like this one. It's conference level value every week. They can subscribe on our website thisweekhealth.com. They can also subscribe wherever they listen to podcasts. Apple, Google, Overcast. You get the picture. We are everywhere. Go ahead. Subscribe today. We want to thank our Newsday sponsors who are investing in our mission to develop the next generation of health leaders. Those are CrowdStrike, Proofpoint, Clearsense, MEDITECH, Cedars-Sinai Accelerator, Talkdesk and DrFirst. Thanks for listening. That's all for now.
