News Day – Quest Data Breach and Apple WWDC Health Announcements
Episode 93 • 11th June 2019 • This Week Health: Conference • This Week Health

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Welcome to This Week in Health IT News, where we look at as many stories as we can in 20 minutes or less that will impact health IT. It's Tuesday Newsday, and here's what we have on tap. We're gonna talk about security: Quest and LabCorp get breached. We'll talk about what that means for us and what that means for the industry.

Uh, we will touch base on the, uh, CMS ONC, which we, uh, covered in pretty much detail last week. Talk about Walmart and, uh, blockchain and, uh, what... You have to talk about Apple, the Apple Watch, uh, and the Apple announcements at the, uh, Worldwide Developer Conference. Apple is such a huge player in healthcare.

You've got to, uh, you've gotta touch on that and, uh, and I'm not being as sarcastic as it sounds. So, uh, my name is Bill Russell, recovering healthcare CIO and creator of This Week in Health IT, a set of podcasts and videos dedicated to developing the next generation of health IT leaders. This podcast is brought to you by Health Lyrics.

Every health system needs to do more with less. If that's your case, let's talk. Visit healthlyrics.com to schedule your free consultation. Some of you have asked me how you can support the show, and if you wanna support the fastest growing podcast in the health IT space, here are five easy ways.

You can do it. First, you can share it with a peer. Second, follow our social accounts, LinkedIn, Twitter, and YouTube. Third, you can interact and repost our social media content. Fourth thing you do is just send me an email, shoot me, shoot me, feedback, questions, uh, comments of encouragement, whatever floats your boat.

You can also give me, uh, guest recommendations. I'm always looking for those and really appreciate those. It's, uh, bill@thisweekinhealthit.com. And, uh, the other way you can, uh, really support us is subscribe to our newsletter. And then when you get that newsletter, share it with your friends. So, um, yeah, let's just get to the news.

It's, uh, it's, you know, it's an exciting week actually. Anytime you talk about security, I think our, our listenership drops, uh, by 10% just because, uh, nobody really wants to talk about security, but we're gonna do it today. 'Cause I, uh, you know, we have some, uh, some important stories. So we have, uh... I'm gonna go to two different sources on this.

I'm gonna go to Healthcare IT News, which I'm gonna hit at least twice today. And, uh, one of my bleepingcomputer.com. Uh, the reason I went to that one is 'cause it has, uh, a bunch of details that the, uh, the other story did not have. So, you know, let's start there. Let's start with bleepingcomputer.com. Uh, let's see.

st,:

Again, indicative of the fact that a lot of times we don't even know these things are going on, there's, uh, already been 11 class action lawsuits against Quest and a handful, uh, I think are on their way for LabCorp. I don't see the exact numbers in here. Uh, nor do I think you care, so I'm just gonna keep moving.

st,:

The SEC report also says that the data that could be accessed during the breach includes financial information such as credit card numbers and bank account data, as well as medical and personal information like social security numbers. Uh, it says as of May 31st, 11.9 million people from Quest and same timeframe, 7.7 million users from, uh, from LabCorp.

So, um, you know, third party provider, third party billing provider opens up the record because their, uh, security is not as robust as Quest and LabCorp, uh, doesn't matter. They come in through, uh, through whatever door is offered to them. And, uh, that is the world of security. You're only as strong as your weakest link.

So, as you would imagine, so Healthcare IT News grabs its, uh, you know, its security experts to, uh, comment on this. And, uh, the first is David Finn from CynergisTek, C-y-n-e-r-g-i-s-T-e-k. Um, said that with all breaches like this one, the cause is rarely one thing. We have recognized for over a year now, in fact.

ing with the target breach in:

Due to the many drivers is more hyper-connected frequently to smaller organizations, physician practices, labs, home care agencies that can always provide the same level, uh, that can't always provide the same level of, uh, security. So combine that with the existing security staffing shortage, coupled with the fact that many providers are in remote locations, which makes it even more difficult to staff.

He added. So how was the Quest Diagnostics breach able to be pulled off rather easily? Finn contended. Wow. If this doesn't depress you, I don't know what does, but he just, he just piles on here. Uh, once you connect to another organization that is fairly simple to either intentionally or accidentally breach, attack or compromise each other, he explained your security can only be as good as who you share resources with.

The problem is we do not think about how those connections can be used to do bad things. We need to shift our focus on how we think about data, who has access to it and how they use it and why? Uh, let's see. I think there's one more. Uh, two more. Let me, so, the Quest breach is yet another sign of the complexity, becoming the enemy of cybersecurity,

said Josh, Josh Mayfield, director of security strategy at Absolute, an endpoint security technology vendor. It's not just that vendors' risk needs, uh, to level up, but we must also broaden our imagination. Broaden our imagination. Mayfield said. Most organizations have risk profiles and commitments with their vendors, especially those handling PHI and third party.

cation grew by three times in:

Uh, yeah. So, um... Yeah, they piled on pretty good there. Of course, they're vendors and they wanna sell their services and, uh, one of the ways that security vendors sell their services is to scare the crap out of you. And they should be scaring the crap outta you, and it's the right thing to do. Um, you know, one of the, uh,

One of the things I, I, I forget where I heard this, but you know, the worst lies are the lies we tell ourselves. And the lies we tell ourselves in healthcare around security is, um, if nothing's going on, then nothing's going on. And that's just, uh, that's just a lie. Once they're in and they're able to get to your data, why tell the world that they can get to your data?

Why not just stay there and keep, um, keep exfiltrating that data, uh, for whatever purpose they have? So, uh, you know, actually I'll, I'll share a story here 'cause I think the story's, story's relevant and, uh, it is, uh, when, when I was a CIO of a health system, I, uh, had, I had my, my team came to me and my team was pretty confident.

They were feeling, feeling pretty good about themselves and they said, you know, we're, we're probably at the best security posture we've ever been at. You know, we put the security, uh, framework in place three years ago. We've implemented this new technology, we have this new stuff. We're, we're, we're feeling pretty good.

And, uh, if nothing else, I know that pride comes before the fall. So, uh, I contacted a, uh, vendor, actually the vendor happened to be in my office. I said, Hey, out of outta curiosity, would you be willing to take this challenge? And the challenge was, I want you to break into our, our health system to break into the data, sort of a white hat kind of exercise.

And, uh, if you get in and you get to certain data elements that I, sort of, uh, that I identified. I said, I will pay your fees. If you can't get to those things, I will not pay your fees. And, um, as you would imagine, they got in, they got in and they got to those data elements and it, it was just, it's one of those things that, that just drives home.

The fact that you are only as strong as your weakest link. And our weakest link is, we have 23,000 employees and they gave them their information. They gave them their user credentials, they gave them their secure, they gave 'em their passwords. So, you know, to a certain extent. Um, one of the things we learned there is there's no wall you can build.

If people keep opening doors throughout the wall, there's no wall you can build to keep people out. So what you have to start to do is start to plan your security based on the fact that they are already in. That should be your working assumption. They are already in. So how are you going to determine where they are at on your network?

What data they're after, what data they're trying to exfiltrate, and the minute they try to exfiltrate that data, how do you stop them from moving it? So, uh, you know, that was, it's, it's, it's a balanced approach. Yes, you still need walls, but you also need to be able to, uh, identify what traffic's moving across your wire, uh, who's looking at that traffic and how, how it's, uh, being handled.

So, you know, so what's the so what on this, um... Yeah. Gosh, there's so much. So many so whats. I'm gonna have a security episode coming up here. I've already, uh, talked to some, uh, security experts. In fact, I'd like to have some more security experts on. So if you happen to know some, uh, feel free to reach out.

I'm merely looking for, uh, you know, people who really get it and really understand it. There's one of the things I'll say about security from this is, um, uh, it is complex. It's complex and it's hard. And you already know this. This is like, no-duh consulting here. You know, it's hard and it's difficult, but the problem is we focus in on technology.

We think, Hey, we're gonna go to Israel, get this really cool technology, drop it in place, and it's gonna be the magic silver bullet that that takes care of everything. And the reality is it's not a technology problem, it's a process. It's a workflow, it's a, uh, you know, when you go in and ask your team.

Give me a list of all the people we're sharing data with and what data we're sharing with it, and it takes them longer than 15 minutes to come back with that information. There's a good chance you're breaching data. You should know where all your data's going. There should be a record of it. There should be a place to go to know who you're sharing it with and uh, how much they're sharing.

And there should be a record of, uh, looking at those vendors that you're sharing the data with to, uh, identify what their security, uh, posture is. Uh, if, if you're giving them your data, you are responsible for that data as you're finding out here. So, um, I dunno, you know what, there's no the, there's no magic bullet that the, uh, you know, security is, uh, is gonna continue to be a huge issue, uh, for us.

Um... You know, it's, uh, it's difficult for healthcare. You know, invariably, you're short on either time, money, or focus. You don't have enough, uh, uh, focused energy towards security and you, you have to make compromises. And the minute you make compromises, it only takes, it only takes one mistake for them to get in.

So, uh, there is no compromise. You have to be diligent in this area, and if you can't do it, you gotta find somebody else to do it and then hold them accountable. And, uh, I think there should be, uh, there probably will be more outsourcing in this arena. We'll have to see what happens. Uh, okay, let's. But, you know, let's go to the Apple story.

I mean, that was, that was a downer. Let's go to the Apple story. And, you know, Apple, uh, let's see. Uh, cnbc.com. Angelica LaVito, uh, Apple Watch will be able to track, uh, menstruation cycles and warn about possible hearing loss from loud noise. So, uh, Apple launched some new apps. Lemme pull up the, uh, thing here.

All right, so Apple unveiled a handful of new apps, a cycle tracker, and a hearing health app. Monday, uh, had its annual developer conference. Um, again, interesting, but, uh, not nothing, nothing earth shattering there. Um, they showed off, uh, new interfaces, new ways of looking at the data, showed off, uh, new long-term activity, trend tracking, uh, for your health, which, which I think is interesting.

Um, and let's see what else I got here. I, I, you know, to be honest with you, I think some of the stuff, some of the, the bigger stuff was just last year, to be honest with you. I mean, they rolled out the, uh, the medical records for iPhone, which I think is interesting, and they continued to make progress there.

The, uh, uh, electrocardiogram was rolled out on the Apple Watch. That was, uh, uh, pretty interesting. I, I think the thing here is, uh, two things that I would highlight. First is Tim Cook. Tim Cook is, uh, had the hardest job in the world, um, really did have the hardest job in the world, uh, following Steve Jobs.

None, none of us would want that job. And, uh, he has been slow and steady wins the race kind of guy. Uh, not veering too far from the, um, uh, from the original game plan that, uh, Steve set out, um, but also, uh, executing, uh, flawlessly in some areas. Well, it's interesting now because what, what he has done, which I think is brilliant, is he looked at the compe, uh, competitive landscape and he said, okay, our competitor is Google.

And he said, how do we position ourselves against Google? He may or may not have thought it this way. I'm just saying the, the outcome is brilliant. Uh, how do you position yourself against Google? Well, the way you position yourself against Google, who makes all their money on data, your data, your data that they get from your, your surfing history, from your phone, from tracking apps, they, they just track.

They track, track the crap outta you. They know everywhere you're at. And, um... And he says, Hey, I know how to beat a company like that. What we're gonna do is we're gonna focus in on, uh, privacy and security. Mostly privacy. Your data is your data. And I think because he has done that, he's created a, a, a distinct competitive advantage over Google and that I trust Apple now more with my health data than I trust Google with my health data because I don't know what Google's gonna do with it.

I know they can do really cool things. And I'm excited about the things that Google can do with it. But until they can really get their arms around this privacy thing, first of all, I think they're gonna get dinged by the government. And second of all, uh, I, I, I don't want 'em playing with my data. I would rather have the, uh, data in Apple's hands who's saying to me, Hey, if you wanna share it with a study, share it with a study.

If you want to share it with a, um, with a health broker of some kind that can make heads or tails of my health data, then go ahead and do that. So I like his approach. I think it's great. And I, you know, he, uh, there's a good quote in here. So Apple, uh, Apple has made health one of its top priorities, CEO Tim Cook telling CNBC's Jim Cramer in January that Apple is focused on democratizing healthcare, and he thinks healthcare will be Apple's greatest contribution to mankind.

The company's commitment showed Monday at its annual event highlighting software updates. So the, you know, the first thing is I think the security and privacy is just foundational to their movement. The second is I think they're democratizing health. I think they are uniquely positioned to be the platform that takes the health record out of Epic and out of Cerner and out of Allscripts and out of Meditech, and moves it in onto the phone, onto the patient, uh, or, or into a, a device that the patient is carrying around.

Now, I understand the limitations of that. I don't need emails telling me, Bill, you don't understand the limitations. I understand the limitations, but I also understand the power of it as well. If I can get a majority of the health systems sharing their medical record with that Apple device, I now have a carrier that I can, that is going to be with me.

And I am the constant at the point of care. I am the constant at my point of care, I am the one. So if I have my medical record, that's the best scenario and Apple's going to be able to, um, to enable that. I think the other thing is around, uh, privacy updates. Uh, let's see. Most notable among privacy updates is the new sign-on with the Apple button, a single sign-on function that lets users authenticate their identity using their Apple ID.

Uh, it's a little distinct from, uh, Google and others, Google, Facebook, and others in that, uh, again, they're not tracking you. They're not tracking you and they're actually on your side. They're helping you to spoof the, the various, uh, entities that you're logging into so that your, uh, your data remains yours and that your location remains yours and you only share the data that you wanna share.

So I... Apple, you know, Apple is doing a lot of the right things to foundationally be ready to be, uh, a mechanism to transfer to democratize healthcare, as they say. Um, not that they're going to deliver healthcare, but that they are going to free that data and make the, uh, the individual, the patient, the center of the, uh, healthcare experience and hopefully drive accountability and all those things that physicians are frustrated with.

You know, you tell somebody to diet and they don't diet, um, maybe Apple will have somewhat of an answer, if not their ecosystem of, uh, developers, uh, may have that. So again, uh, I, I like what Apple's doing. I think it's, uh, I think it could be a game changer. So something to keep an eye on. Uh, let's see. Next story, uh, HIMSS, uh, I, I'll, I'll go brief on this.

So, HIMSS responded to the ONC CMS, uh, announcements. Um, uh, request for comments around their, uh, data sharing and, uh, 21st Century Cures and, uh, interoperability, uh, stuff, let's just call it stuff. Uh, Mike Miliard, Healthcare IT News. I'm not even gonna go into this in too much detail. Uh, the bottom line is, uh, HIMSS agrees with everybody else, uh, but was much more supportive in their language, to be honest with you.

I, I found it, uh, very distinct from the, the CHIME announcement. The HIMSS announcement, um, was, uh, really strongly supportive of, of the API move. They were strongly supportive of data sharing, of calling out, uh, blockers. They were, they were supportive of all the, uh, elements of the initiative. And they, um, again, but, but I think CHIME was too, but they were, uh, but HIMSS was just a little bit more over the top on it.

And then the other thing is, uh, again, HIMSS and CHIME both agree that, uh, there's some gaps. There's some gaps in the language, there's some gaps in the timeline. Uh, so some of those things. But I think what you felt, uh, what I felt from CHIME was they represent... they represent the people who are gonna have to implement this.

So they were like, Hey, slow down there, slow down there, Azar, Verma. This is a lot of work. I don't think you understand what's going on here. Uh, whereas HIMSS, uh, may represent a little different group and they're, they're like, Hey, this is good for healthcare. We like this. Uh, let's keep this thing moving forward.

So, um, you know, I, I think the, so what here is, generally speaking, I think everyone agrees this is the right thing to do, and, uh, there is, you know, growing support for what Seema Verma and Secretary Azar are doing. Uh, just maybe not the speed they're doing it and maybe, uh, clean up the language a little bit.

Um, so let's see. Uh, Walmart joins MediLedger, blockchain based pharma tracking group. Mike Miliard, Healthcare IT News. Um, gosh, blockchain, I, so I did a podcast just this past week with, uh, Charlie Lougheed, CEO of Axuall, who's a, uh, blockchain entrepreneur and a friend who, um, did, uh, the Explorys startup, which sold to IBM and he was a, uh, one of the founding members of that.

And, uh, just a fascinating conversation around, around blockchain. I think the thing I liked about the conversation, and that's last Friday's episode, if you get a chance, go back and, uh, listen to that. I, I, I think the thing I loved about it was I'm like, give us the Blockchain 101 and Charlie just goes, it's a database, Bill.

I mean, at the end of the day, it has some unique features. It's distributed, immutable records, smart contracts, that's, you know, a couple other things in it. But at the end of the day, it's a database. It has a little different characteristics that we're used to. So, um, it's funny, when he got done talking about it, I thought, You know what?

This is gonna move faster than I think it's gonna move. 'cause we already know databases. We understand databases. We've gotta get used to some new aspects of it. But for the most part, we, we sort of get it. We, we sort of know it. So here's what, here's, uh, what's happened. So the retailer, uh, Walmart joins other big players such as AmerisourceBergen, McKesson, and Pfizer, in an effort to use distributed ledger technology for medication safety, integrity.

Uh, the news first reported by Bitcoin and blockchain website CoinDesk signifies that health and life sciences uses, uh, use cases for blockchain are continuing to gain momentum, some of the largest corporations putting resources into building out new applications of technology. Uh, it's distributed, it's decentralized, and the data is private,

explained Chronicled CEO Suzanne Somerville in a statement. Even though Chronicled is providing the technology, industry users operate the software themselves. Um, let's see. Pharmaceuticals aren't the only area where Walmart is interested in the safety possibilities of blockchain. In a recent pilot with IBM, the retail behemoth explored how to decent, how its decentralized

nature could assist in food safety by tracking the often complex... provenance of produce international, internationally, complex provenance of produce internationally. Wow. Mike Miliard. Good words are good, uh, words. I'm not sure I'd put those together. That's a, that's a tongue twister. Anyway. Bottom line on this is, uh, yeah, blockchain is gaining momentum.

Uh, you know, I've talked to some, uh, CIOs that are, uh, a little leery of it. They're, you know, it, it, it was hitting, its, uh, its hype cycle, uh, peak, but I think this one peaked pretty quick, and it's, uh, getting to realistic solutions, uh, pretty rapidly. So, uh... Uh, I think the, so what here is understand it. Get out there, understand blockchain, look at the solutions, don't be afraid of it.

Figure it out. If you have the wherewithal and the resources, get some people within your organization playing with it. Um, because that's what we do early on. We play with the technology until we sort of figure it out. Uh, you know, get some education on it, um, and, uh, see where it makes sense. It's just like any other technology.

Blockchain in and of itself is a database. A database can be used in a lot of different areas, but it has distinct qualities like the smart contracts, like the immutable record, uh, the distributed nature makes it, uh, interesting for, for things like, um, uh, you know, physician credentialing and other things that we talked about with Charlie.

So, um, the other thing I haven't seen much of, and I'm sure somebody will email me and say, I, I, I'm not looking hard enough, is, uh, you know, blockchain for the medical record, essentially what I talked about earlier with Apple becoming that, um, that, uh, transport for the medical record between locations, I still think that blockchain holds a lot of promise for, uh, HIEs and, um, and the ability to, uh, have my record be, uh, mine.

To be honest with you, to not have it be stuck in the, uh, various EHR technologies, but to be free of those technologies and in my hands. So, let's see, let's see what time we got here. Uh, you know what I'm gonna... I'm gonna close up, I'm gonna make it quick 'cause this is actually a vacation day for me, since my, uh, daughter's graduating this week from high school.

So my youngest is graduating from, uh, high school and moving on, and, uh, I took a couple days off. So, as I said last Friday, uh, Charlie Lougheed, you're gonna wanna check that out. Um, we're quickly approaching our, uh, hundredth episode and we're planning something special. So you're gonna wanna check that out.

Uh, it'll be in the next couple of weeks. Mark your calendar this Friday. Eric Yablonka of Stanford, uh, joins me. And, uh, good conversation scheduled. We're gonna talk architecture, uh, we'll get into some of the sexier things of innovation on top of architecture, but, uh, I, I sort of wanna talk about the foundational elements which make innovation possible.

Uh, and we're making arrangements for, uh, some exciting shows. Nassar Nizami and, uh, Dr. Stephen Klasko are gonna do a joint interview from Jefferson Health, uh, Jeff Johnson from Banner, uh, Andy Crowder, Scripps, and others. If you want to hear from someone that hasn't been on the show, just drop me a line at bill@thisweekinhealthit.com and let's see what we can do.

This show is a production of This Week in Health IT. For more great content, you can check out our website at thisweekinhealthit.com or the YouTube channel at thisweekinhealthit.com/video. Thanks for listening. That's all for now.
