Newsday – Labor shortages, Pandemic-driven innovation, and a Reflection on Cybersecurity
Episode 466 • 29th November 2021 • This Week Health: Conference • This Week Health


Transcripts


This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Bill Russell: [:

Rick McElroy: One of the interesting trends that shook out this year from an attacker perspective is ransomware as a service, generally operated as a distributed model. You had a bunch of different groups trying to innovate, do their own things. That has started to centralize. There's some really savvy cyber criminals out there that are running a good business from their perspective, right? They have metrics, they have uptime, they have affiliate programs where they actually pay and have a local trust, so I think looking towards the future, you're now going to see a much more [00:00:30] centralized business model takeover, these as a service models that you've seen in previous years on the dark web.

Bill Russell: It's Newsday. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week in health IT. A channel dedicated to keeping health IT staff current and engaged.

velop the next generation of [:

Before we begin. I want to share an exciting announcement for This Week in Health IT. Starting in 2022, we're going to have four channels to bring our community more specialized content for your specific needs. The four channels are News, Community, Conference and The Academy. The News channel we'll have our Today and Newsday shows where we explore the news that is going to impact health IT. The Community channel is just that. A place where we come together [00:01:30] and collaborate. One of the distinctions of this channel is that we will have guest hosts from the industry and people that they invite to talk about the topics that we wrestle with every day. Things like clinical informatics, data security and the like.

d Insights and the show will [:

Finally, this channel, the one you're listening to right now will become our Conference channel. The same great content you travel across the country to receive. We're going to be bringing to you right on this channel. This show will become Keynote, where we do our long form 50 minute interviews with industry leaders.

ugmenting that with Solution [:

Rick McElroy: Yeah, thanks for having me.

Bill Russell: This, this [:

Rick McElroy: Yeah. I've been doing information security for about almost 25 years now. So I started off in the nineties after I transitioned out of the Marine Corps. Predominantly focused on offensive testing. So did that for a bunch of commercial companies, went over to Booz Allen, did that for the Department of Defense and, and what I figured out on that journey is it's way too easy. We get in a hundred percent of the time and there weren't enough resources dedicated to the defensive side of the [00:03:30] problem. So from there, I started building security programs. Leading those, worked up to become a CISO. And I'm now focused on healthcare as a sector with security at VMware.

Bill Russell: They really do get in a hundred percent of the, this is the unspoken thing that goes on the, you know, every time we had an internal audit and they said, all right, we're gonna do some kind of penetration testing or we're going to do some sort of attack, simulated attacks come in onto your system.

were spending millions every [:

Rick McElroy: I think it's a combination of both, right? So, so I mean, on the innovation and smartness scale, of course you have, you know, cyber warfare, which is occurring, which is really driving innovation in spaces and blind spots.

y inside of healthcare to be [:

And so largely buying technology takes a little bit longer implementing technology takes a little bit longer and then of course doing the maintenance phase does as well. All with the right purpose in mind, by the way, which is patient safety and you know, driving those better outcomes. But that's the reality of what folks who are defending, you know, healthcare entities have to deal with.

forward from a cybersecurity [:

We had the Scripps breach, but that wasn't the only one. We had several breaches. I don't know if it was SolarWinds in this calendar year or was that the previous calendar?

prior to actually launching [:

Bill Russell: We had that. We had been an Azure vulnerability. I mean, there's a, there's a fair number of vulnerabilities this year. As you look back on 2021, what's your assessment of 2021? And what do you think we're going to take from it?

Rick McElroy: Yeah, I think, you know, if I was going to put everything in a nutshell that the attackers were doing, they're attempting to skate upstream of our supply system, right?

inside of an environment to [:

Bill Russell: You mean the 25 page document that I had to fill out?

s. Right. And look, there is [:

There's a lot of funding coming around to modernize what we're doing from a cyber perspective. And I think all of that will be helpful. All that being said it's gonna be a long road and it's going to take us a while to get there. And so I think looking towards next year, look, one of the interesting trends that, that shook out this year from an attacker [00:07:00] perspective is ransomware as a service, generally operated as a distributed model. You had a bunch of different groups trying to innovate, do their own things. That has started to centralize.

e models that you've seen in [:

Bill Russell: Wow. So we're looking at some challenging times even into next year. This is one of those things that it is vigilance. It is continuing increased sophistication over time.

And we're just gonna have to get sophisticated on the other side as well. Is there any way we could work better together? It seems like the cyber criminals are starting to work together or can we work better together?

Rick McElroy: Yeah, absolutely. I mean, look, I talked to Earl over at, you know, Health-ISAC all the time.

h care survey. You know, the [:

Yeah, so, so lots of movement. I think there, there is some good news. But we're going to have to look on the back end of all of that, about how we're doing this exchange in real time. And ensuring that, you know, patient information isn't being transmitted as part of those workflows and that type of thing. But I think I'm looking forward to what comes out of that, 'cause I think it'll benefit everybody in this sector.

the conversations I had with [:

But, we'll go ahead and wade into it. So representatives from the VA faced concerns from legislators this past week around patient safety issues associated with the agency's Cerner electronic health record modernization initiatives. "At the end of the day, the whole undertaking is about improving patient care," said Representative Debbie Wasserman Schultz, Democrat from Florida, in a House Appropriations Military Construction, Veterans Affairs, [00:09:30] and Related Agencies subcommittee. Wow, man, they can name a subcommittee, can't they? So there, there was a hearing. So Wasserman Schultz. I know that the VA's first rolled out its new EHR took place one year ago this month at the Mann-Grandstaff VA Medical Center, which we've talked about on the show, in Spokane, Washington. The VA had initially planned to go live at 11 sites by the end of 2021.

Wasserman Schultz. She cited [:

Let's see, VA Deputy Secretary Donald Remy took a determined stance, assuring legislators that he was taking responsibility for the progress. The success or failure of the program boils down to a partnership, he said. Our handling of EHRM to date has failed to live up to the program's promise for our veterans and our providers.

ong I've been here. I'm here [:

And you know, and you get the picture, it just goes back and forth. And they talk about, you know, Remy explained that the agency has organized patient safety concerns in several domains, such as order management, administration of medicine, pharmacy, suicide, risk tracking, and documentation, identity referrals, [00:11:30] and consults roles, positions, privileges in ambulatory care.

When concerns arise, Remy said the agency categorizes them, examines them and makes sure that they don't reoccur. And then Wasserman Schultz goes on to say, well, okay, but really how did this happen? Wasserman Schultz said, what specifically are you doing to prevent this in the future? You know, I'm going to let you go first. 'Cause I mean, I'm afraid I could go on a rant for 10 minutes, so I'll let you go first.

ow, I'm a customer of the VA [:

I think, look, this issue has been highlighted for the last 20 years in the, [00:12:30] in the veterans administration. And really what we know is if we can get to electronic records, if we can start to service people faster cause they can't even find a lot of our paperwork as it's sitting in boxes still. Right. So step one, let's start to address that issue.

y around how to do this in a [:

And yes, to your point, we still have things that occur inside of healthcare. You know, lots of times records are mishandled. We're making a lot of mistakes in how we're doing that. We're sending data to the wrong entities. But encryption is in use right? Defense in-depth is in use at a minimum. Zero trust you know, it's become to shore.

r. That they're asking those [:

Bill Russell: Yeah, I'll tell you EHR implementation is a massive change management effort and you are moving everybody's cheese. It's not, you're not just moving the clinician's cheese in the patient's shoes. You're moving the administrators and HIM and you're, you're moving everybody's cheese, including the check-in you name it, everybody's getting.

ng down this process to say, [:

She'd be like, are you kidding me? They moved my office. They didn't tell me where it was going. You know, I don't know where the copier. That's what happens when you do an EMR implementation? That's one aspect of it. The other aspect of it is you have a thousand people that want [00:15:00] input into this process.

And so you sit down with one doctor and you say, okay, How would you like this to go? And they say, we want it to go this way, this way, this is what's in best interest of the patient. And then you go to another doctor and he essentially says the exact opposite, maybe not the exact opposite, but the opposite.

andards across the entire VA [:

And sometimes you make concessions in your build to try to accommodate both. And you end up with junk because you really just need to pick one and do that. But if you do that, then the person who's getting interviewed for the news story is the physician who's like, yeah, they listened to the physician and [00:16:00] graduated from that school.

Like they know anything about medicine. They should've listened to me cause I went to this school, which is much more prestigious than we know about med. I mean, yeah. I mean, this is, this is what, this is what is sort of at play here. So at the end of the day, the other reason they're behind the legislature slowed them down.

, you're behind. Well, yeah, [:

I've seen this from both sides. You know, you want to be seen representing your constituents and you want to be seen representing the veterans who are receiving care here. So you're obviously going to ask questions and you should ask questions. But at the end of the day it's hard to ask educated questions until you've actually really dug into what it takes to run a [00:17:00] hospital effectively.

breakage, some failure, you [:

So that wasn't as much of a rant as I thought I was going to do because these questions did [00:18:00] remind me of our EMR implementation. And I had to go in front of several groups of physicians who just grilled me for the better part of three, four hours.

I don't really have a question. That was it. That's just my, the end of my rant.

Rick McElroy: That was a good one.

Bill Russell: Thanks. Thanks. I appreciate it. Let's see, what do we, what do you want to do next? We can do the future of work or we can do the Mayo Clinic Google partnership, which what's direction? I'll let you choose.

Rick McElroy: The future of work.

How have you worked over the [:

Rick McElroy: Yeah, I've been remote for seven years, but really in airports for five of those and then at home for two yeah, so largely I Zoom away and, and do those things.

Recently got started getting back together with people in person, which is my preferred method of comms. Yeah. So I think from a family perspective I've really enjoyed the time home. I think from a professional's perspective we all seem a little burned out on Zoom. So I think people are looking, looking forward to getting back together.

still maintain an office for [:

Rick McElroy: We have hotel officing, like in different cities. And then in Palo Alto, they have hotel offices for us if we need them.

y shot through the roof. And [:

We're being more productive. One of the things I have heard from people [00:20:00] is that the connection to the company, that the cultural connection to the company is not as strong as you would have in working in an office. And what they're finding is they're losing employees after like two phone calls from a recruiter.

% pay increase. Yeah. [:

You know, it's very difficult to build a culture. I mean, have you seen people build culture remotely well?

Rick McElroy: That's an interesting question. I mean, I've certainly had a lot of conversations around teams that have pivoted and tried to keep that culture. Right. Who felt like they had a strong culture.

We happened to be aligned on [:

And then of course the world changes around us. And, and so I think we've put some stuff in place to try to keep the culture, right? Like, you know, whether it's painting sessions. You know, different sessions that are non-work related, right. And that type of stuff. So, so I think a strong culture can maintain it. Building and instilling that remotely is interesting.

I think you, you [:

Bill Russell: They go on to talk about the labor shortage. I assume in the space that you're in you're seeing the labor shortage?

globe, you know, folks like [:

So they're importing a lot of their cyber talent. The UK the same way. So, so I think there's a lot of initiatives globally to grow you know our own cyber professionals and get those in. And then certainly I think the US government has recognized that as well. You see grant money coming to underserved communities to try to get them into cyber lots of programs that transitioned veterans who were maybe in some other roles inside of the military and, and bring those folks in.

aigns to look everywhere for [:

So to your point, very easy if I'm just switching a four by four square on a laptop to another four by four square at another company with a, with another logo. And so I think all of that stuff has created a little bit of soup of why some of the employees are leaving. And then why retention numbers are down too.

just heard of a, a company. [:

You know, normally they do every year they do a cycle and I guess the [00:23:30] uptick in inflation has been so great. And the concern of losing people has been so great that they're saying, look, we want to stay ahead of this thing. And oh, by the way, we will come back in six months when we normally in cycle and we will evaluate pay.

orers is pretty interesting. [:

Well, we just took you know, we just took 5 million people out, including 3 million women. And I don't know the exact number of, of baby boomers that are retiring, but I, I have heard of doctors essentially saying look I mean, I'll come back after the pandemic, I'm going to hang up, hang it up for the next [00:24:30] two years pandemics done. I'll come back to practicing after that. I know that that's just some of our clinical listeners. They're like, oh, that's awful. But to others, they're like, man, I wish I could do that. Because this has been a ridiculously hard time to practice medicine over the last two years. So this battle for labor I think, is going to continue and cause us to be incredibly creative going into definitely going into next year.

me a little bit about, about [:

Rick McElroy: A little bit, right. So, I kind of pre-date cyber. I don't want to say I predate cyber because information assurance. Yeah. Like, yeah, there just wasn't a lot of us going into the field, but, but I think a couple of things if you look at the talent that the department of defense has brought to bear on the problem through things [00:25:30] like Cybercom, the NSA, and of course the intelligence agencies. They were at the forefront of things like threat hunt.

nd sort of provided, I think [:

And so I think secondarily, I would say in some ways, the transition and the cyber is a lot easier because the language remains the same. If I say to someone in the military red team, they know exactly, but that's the adversary. Word adversary and emulation, and me just say, blue team. They, they know what that means.

So, [:

Those types of things, I think people just get practiced in the military. And so that's why you see so many of us, I think.

let's head over to our last [:

Rick McElroy: Yes. Yes. Simpler. Yeah.

But it's interesting because [:

So people get the care they expect and deserve. And after detailed process, the [00:28:00] team chose Google based on its talent and technology, as well as our shared vision for the future of healthcare. Google focuses on innovation and commitment to excellence. And so, all right, so now you have these two, I mean, world-renowned companies coming together. One seemingly with a phenomenal history and dataset and clinical processes and practices that are extremely well ahead of the curve with regard to the practice of medicine. And you [00:28:30] have the company with their data and their skills to back it up. So he asked them, if you could just scale Mayo Clinic's partnership with Google down to one main goal, what would it be? This partnership will change how care is delivered and will help us grow as a healthcare organization.

and have constructed an AI. [:

We expect that we will see many new algorithms to improve care coming from the AI factory. So they're thinking about this as a platform, which makes sense to me, right? So they're, they're saying, okay, we've got this data that we're taking from this transactional system, which is the EHR, and Google's going to give us this, this cloud platform. And then we're going to build a [00:29:30] set of AI tools that are accessible by, I mean, at this point, the hundred people that have been given access within the Mayo team. But I imagine they're thinking about it from a security standpoint as well, and a privacy standpoint as well. How are we going to open these AI tools up to the broader community and that, thinking through the architecture really matters here doesn't it? I mean, from a privacy and a security standpoint, this, this becomes critical for the future.[00:30:00]

Rick McElroy: It's brutal and look you know, my technologist hat says, this is really cool and I bet you, there's a bunch of things we don't even know. We're going to be able to see from those datasets and bring an AI to bear on it.

ight? The ability to look at [:

Bill Russell: Yeah. So here's another Chris Ross quote here. So Mayo Clinic Cloud includes a repository of de-identified longitudinal patient records, which have been constructed with Google and our partner nference. Mayo Clinic Platform Discover product [00:31:30] line provides access to these high quality, comprehensive longitudinal de-identified patient data that few in the industry can offer. The Mayo Clinic Platform's principal partner nference is already using the data with life science companies and drug discovery. I heard John Halamka talk about this platform. It was really interesting. He said they can actually, he could have a third party provide them an algorithm and what'll happen is the algorithm, and think of it as in a container, the algorithm will be able to run [00:32:00] against the information in the container. But essentially there's a point of abstraction here where they never actually get access to the data. So, all they're going to get is the results back.

ing to figure things out. It [:

And this is, I'm wondering if, I know that a lot of the cyber security issues for us are manmade. So it's human error ends up being a significant portion of them. You know, phishing attacks, those kinds of things. Misconfigurations and whatnot. But I'm wondering how much of it is, is architectural related.

itudinally across the entire [:

Rick McElroy: Oh, absolutely. I mean, look, look, the technology exists to do it. Process exists to do it. Companies for ransomware attacks on a, on a daily basis and don't get hit. Some do. So it's so to your point are there a fundamental architecture? Yeah, absolutely. I mean, and I would comment and I hope no one in the audience takes offense to this.

ust the way I speak. I think [:

Right. And I look, I've done it. When I, when I ran network devices, as part of, you know, the pressure from other teams to do it you know, a Mo shops that experienced in that. Right. And, and so I do think to get back to the human component, I think, look you know, [00:34:00] architecting it by design so that the humans can't actually access it.

Like that's a much better model, right? Because even if an attacker subverts the human that has access to the transmutated data, that's non-production anyway, or somehow got access to the results of that data analysis. Well, they still don't have access to the data themselves because the humans don't. That's a much better way to architect a solution with misuse in mind, which I think is something that we missed during the application design phase.

bring somebody in to really [:

Bill Russell: Rick, I appreciate your time. Appreciate you sharing your expertise with us. It's always a pleasure to sit down. I love the black background, black shirt, black coat. It makes me happy that you're on the good guy side and not the bad guy side. Yeah, because you sort of have a matrix feel to you when I'm looking at you. I'm, I'm a [00:35:00] little afraid actually.

Rick McElroy: That's perfect. Just a little, just a little, and then I smile and make jokes that.

Bill Russell: Yeah, I'll tell you it's not an exaggeration. Every time I was CIO and I had a conversation with somebody, they said, we're bringing in our experts.

rom the NSA was just make me [:

What can we do because of the the story. I mean, there's stories that we hear and then there's stories that we don't hear and you're just, you just sort of shake your head like, wow. There are so many ways into, our network and we have to, and I remember the day that that they looked at me and said your thought process is wrong.

eady on your network, you'll [:

I need to know if they're moving data. I need to know, you know, they're like, yeah, now you're asking the right questions because this whole idea of we're going to build a castle, keep them out is that's kind of archaic at this point. They're going to find a way in.

Rick McElroy: Yep. Well, I think you've got some good advice.

Bill Russell: Yeah. Well, Hey, thank you. Thank you again for your time. Really appreciate it. And look forward to catching up again next year.

What a great [:
