This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] Today on Newsday.
We get in there and we start these conversations and sometimes it becomes misery loves company, right? But we don't leave them there very long. It's okay. Yep. Thanks. Everybody has that problem. What are we doing about it?
So we can move off of that. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare, one connection at a time. Newsday discusses the breaking news in healthcare with industry experts.
Now, let's jump right in.
All right. It's Newsday. And today it is. Wow. It's just like old times. It's Drex and I. Not all
day is all over again.
It's been a while since we've done this. Let's see if we remember how to do this. This could be fun.
Newsday, Drex. I think the story of the day. So we're recording this on Monday and I woke up today and the world is ablaze with this DeepSeek, the Chinese AI company upending [00:01:00] the stock market. So essentially the frenzy is just all about the fact that DeepSeek, their AI assistant, became the number one downloaded free app on Apple's iPhone store on Monday, propelled by curiosity about the ChatGPT competitor.
And part of what's worrying U.S. tech industry observers is the idea that the Chinese startup has caught up with the American companies at the forefront of generative AI at a fraction of the cost. So they've been able to train these models. I don't see the exact number in this story, but I vaguely remember reading before I had 10 percent of the cost and the processing power.
So they're using low end. NVIDIA chips and the rest of these people are commercially
available. NVIDIA chips, not released chips,
which is where a lot of the training occurs today.
you and I, former CIOs, we have to expect this, right? This is par for the course.
We have this emerging space that's happening, you're going to have these competitors come in, do things a little different, shake things up. [00:02:00] This has been par for the course. I guess the only thing that's different is it's happening at such a fast pace.
I think back to whatever it was.
It seems like it was an eon ago, but it was really just a couple of years ago that we first started talking about generative AI. And since then, it has just been on fire. And then, of course, today's DeepSeek R1 revelation definitely put us on an interesting path for a new discussion.
I think there's a lot of, announcements are easy and it's interesting to hear how they talk about it. I don't know. The devil's in the details. We don't really know what we don't know. But if all this turns out to be true, this idea of. They've been able to figure out how to do this at a very much reduced cost.
They've been able to turn up the capabilities, shorten the training period. There's something new and interesting going on here. And we've just seen another leap in generative AI because it's less power, apparently. They've been able to do all kinds of stuff with this.
There's nothing bad about the announcement. If it was Anthropic Claude has just figured out a [00:03:00] way to do this. We'd be like, Oh, this is great, but it's China. It's a Chinese company. And so it's interesting to talk to you about it and get the security perspective.
It's the number one app download on Apple's store right now. I've got to think that people within my healthcare system are downloading it and playing around with it.
Somebody's downloading it. Somebody's using it. It's certainly when tech like this comes along and, like, overnight becomes a rock star, people are going to use it. People are going to do things with it they probably shouldn't do. They're not going to ask you as the executive leadership in your health care system whether or not they can do it. They're going to do the... we talked about it a little bit this weekend.
They're going to proceed until apprehended. They're going to do this stuff and make their work easier. And so ultimately it's a whole new thing, right? You're going to have to figure out how you're going to protect yourself from it, how you're going to protect your intellectual property from it.
And all this stuff is also [00:04:00] available to the bad guys. So there's nothing to say that they're not also using it and figuring out how to rev up better, bigger, more interesting attacks on healthcare and other critical infrastructure. Gen
is interesting to me because No, I have been using it to, and we have corporate licenses for two different models, actually.
And, we utilize it and we can turn on and off the security and that kind of stuff, as far as we know we're clicking the right buttons, we're configuring it correctly. But at the end of the day, I am taking now summarizing very quickly and that kind of stuff, just knowing what I know and knowing how people function.
The odds of a nurse or doctor or administrator or whatever who's saying, Oh, man, we've got this complex care patient. We've got all these PDFs and all these documents we just scanned in here. Let's get a summary. That's going on today. I can guarantee you that's going on today. And that's what I would be worried about as a CIO at my health system.
Guess [00:05:00] we'll start with the basic. If it's happening on our computers, we can stop that. Like we can protect against that.
Yeah. If it's on our machines, a lot of this has to do with. Starting with policy and training, telling people, not to do it and that it's a fireable offense or whatever the situation might be.
You'd start with training and policy.
I think if you build a pyramid of the things that you're going to do, at least some of it starts there because. The figuring out technically because these sites and these apps pop up left and right, and because you're allowing people to bring in personal devices where, you know, they may not be able to so easily ship documents over from one, from their work machine to a personal machine to be able to put it into Claude or into R1, whatever the case may be.
But you're still, there's still technology involved in how you build that out. So ultimately, if it becomes. You completely deploy enterprise browsers and use enterprise browsers to be able to play defense or if you have [00:06:00] other technology for that, but it becomes a lot of extra work, right? It's a whole new thing to essentially defend yourself against.
Yeah but it is a good for you.
Yeah.
Next level. We did policy, training. Secure browsers. I think that's interesting because that is the problem. We're going out to the Internet. Most people don't know how to get out to the Internet except through the browser, so that and the browser is the oldest piece of technology on that computer now in most hospitals. That, just, Active Directory, I guess it's one of the older pieces.
But you know the browser has been around forever. The enterprise browser, though, is a new phenomenon, or not really all that new, but they're making advances in health care. Talk a little bit about how that secures. Is that just you're setting policies within the browser itself?
Yeah, it's interesting. So most of us use, Safari or Chrome or these are commercial browsers that were meant for commercial purposes. And so they're used for lots and lots of different things. With enterprise browsers, you're [00:07:00] essentially building a custom browser just for your organization.
And in that browser build, you can create a whole. Ecosystem of rules about things you can and can't take screenshots of applications that you can get to or that you're not allowed to get to documents that if they come from here, . You can't move those documents to another drive or paste them into another tool.
And you can build all those rules into that enterprise browser. And then it also becomes really easy then to, with so many applications now that software as a service or even internally that really run as a browser, you sign up, you send a browser that's custom built to Bill. And Bill, you can put it on any machine that you want to put it on.
It's secure. You can only get to the things that you need to get to and you can only do the things that you're allowed to do on those applications or between those applications. And it becomes [00:08:00] an easier process to manage and secure. Compared to some of the stuff we do today, like with VDI, you're paying a lot of money for licenses.
You're building a ton of infrastructure. You have to run and manage and update that infrastructure. And a lot of it is still being offered on commercial browsers that have to be as much as you can doctor them up to work for you and a private business. Sort of environment.
Let's talk the build and buy thing here.
One of the interesting things about this announcement to me was you're now making it something that. A health system, or at least a larger health system with enough resources is looking at it going low cost and video browsers training methods are becoming easier. You could do it quicker, that kind of stuff.
It seems to me like the whole idea of building your own generative model and housing that internally and having it be trained well enough to do some [00:09:00] really interesting things. It may be just, it might be I'm on my tippy toes reaching for the top shelf right now, but it feels to me like It used to be so far away.
I'd have to think about a SpaceX rocket to get there for my health system. Now it's I'm standing, I'm like reaching for it. It's right there, Drex. If it just went that far to that far, how long before I'm sitting there going, yeah, let's spin up another tool and model and we'll run our, it, how much more secure is that?
I think a lot of the devil in the details around this is the issue of.
We're reporting on a Monday. It happened on Monday. Somebody's going to start playing with the tool and go, Oh my gosh, these answers are horrible. I don't know.
But I think that, in the grand scheme of things, a lot of it is the data. And how would you build your own generative AI tools to do certain things? Based on the data set that you're going to give it to use to train on and then to be able to actually answer questions on.
And for a lot of health care organizations, that's still really a [00:10:00] problem. And we have data, but we don't have a well organized. There's duplications of it. There's lots of challenges in our own data and how we use it today. I think, If you want to be on that path, the road starts with data governance, data cleanup, making sure that you've got everything in a good spot that also helps you from a security perspective, because now you've organized and prioritized and labeled and identified the things that you need to put more security protections on than less.
I don't really care about that, but I care a lot about this. So this is a process. Ultimately, I think all organizations need to go through, but. Some are further along than others.
You just hosted a 229 event for CISOs.
Yeah.
I assume the number one topic is still third party risk, but I wasn't in your room.
So what are we hearing right now?
There were some really great conversations in the room. Third party risk is certainly still a big issue and a big challenge. [00:11:00] I think there were a lot of discussions around mergers and acquisitions and the sort of challenges that. these people that go along with all of that work, it was just a great conversation between a lot of CISOs really at a lot of different levels, organizationally.
We had large IDNs and we had children's hospitals in there. And I think the reality of what came out of the room is that they all have. Even given different sizes, they all have very similar challenges and very similar problems. And so that need to connect and build a network and create that sort of alliance.
talk about it sometimes is we get in there and we start these conversations and sometimes it becomes misery loves company, right? But we don't leave them there very long from a moderator perspective. It's okay. Yep. Thanks. Everybody has that problem. What are we doing about it?
So we can move off of that. And then the reality of that in the room, some people are ahead of me and some people are behind me and the [00:12:00] people who are behind me, I need to spend some time helping to pull them up after the meeting, right? Pull them up the ladder, keep them from stubbing their toes on the things that I've learned because that part of my program is better and being able to turn around and say, Hey, Those people are ahead of me and I need for them to pull me up the ladder to where they are.
So this whole working together to make all the security programs better, it's a big part of this. And you can see naturally the mentor relationships that start to happen in the room and the friendships that happen in the room and it's and not just with the CSOs in the room, but with the partners in the room too.
It's amazing the amount of knowledge. Yeah. That the partners bring to the room because. The CISOs have been in one organization and the partners have been in 100 organizations in the last year. They've been able to see what good looks like and what terrible looks like in 100 different organizations.
So they bring good advice and guidance to the table to
I read an editorial, I don't remember if it was on the plane yesterday or this morning. Days start to [00:13:00] come together at this point, but the editorial talked about expect more M&A over the next 4 years. So new administration, new view towards healthcare or just merger and acquisition type things. Based on what you said, it sounds like they feel the same way, that they're going to see some merger and acquisition activity.
As I was reading the article, I thought again, as a CIO, I would have a plan. I would have a plan to either acquire or be acquired and know that playbook looks like. And I talked to one CIO, one pretty savvy CIO. They do have a playbook. They have a playbook for acquiring it.
He said, I don't have one for being acquired because that would be defeatist. But he said, we have one for acquiring you guys to be honest with you. It wouldn't be hard to reverse engineer that if we get acquired, I'll just hand it to whoever acquired us and said, okay, we know what you're going to do.
We'll get y'all the information.
Yeah. A lot of it in the M&A space. I did a lot of it in my last CIO [00:14:00] job, of the M&A work. Can be challenging because for a lot of organizations, sometimes this is a decision that's made by the business operators and the development people.
And then they show up to the CIO and the CISO and say, we've decided we're going to buy these guys. They need to be integrated within 90 days or something like that. It comes completely out of the blue. Now, when that happens it's your opportunity to spend more time with them and help them understand like doing an acquisition isn't acquiring your grandpa's group practice.
There's a lot more complicated than that these days. And here's 100 questions you should ask, because you could acquire something that's going to cost so much money to retrofit and make secure and resolve all their problems and issues that what you thought was a sweet deal is actually a terrible deal.
And so the IT team, the security team need to be involved at the earliest stages of those M&A discussions so that they can help coach and teach the [00:15:00] leader of the negotiation. These are the things you need to be asking about. And then as you go into that, you see those announcements that say we have a preliminary deal or, we're in the stages of talking about merging.
The letter of intent has always cracked me up. Letter of intent. There you go. It's literally like two pages. And you're going to bring two multi billion dollar organizations together,
right? But that does create then the opportunity to say, okay, we have a playbook These are the questions we want to ask so that we can help You the person making the deal, what the timeline is going to be, what the cost is going to be, where we've got challenges that are completely unresolved.
And again, once you get to that letter of intent stage too, now a lot of other people take interest, right? The state wants to see what's going on. You have to be really careful about what and how you communicate with each other so that there's not some collusion assumed about trying to make some kind of special deal behind the government's back.
And yeah. So M&A stuff is really tricky and takes a lot of specialized attention. [00:16:00]
It is we'll have to do this more often. And I'll let you lead next time. I we're dancing and I lead, but man you're doing the two minute drill. You could easily just start throwing stories at me.
I would assume.
There is so much stuff that's going on and a lot of the stuff and security is just stuff that's happening generally in health care like that story. We are opened up with the R1 stuff. I'll talk about that in a 2 minute drill tomorrow, Tuesday. And it just everything's connected to everything else.
So everything that you talk about usually in your shows are things that they all have security ties. Really? Yeah.
I don't want to be the stereotype CIO. It's no, actually one of the more things I heard over the weekend is this whole concept of the CIOs don't even want to see a deal until it's been vetted through CISO.
And I thought, man, that would have saved me so much because I always had to like push it over there and say no, we got to go. And then the vendor would be like, oh my gosh, it's going to take another. Whatever. It's Hey, don't even bring it to my desk. Like just [00:17:00] assume you have to go through them first.
Yeah. I think we're just at this point now that anything that has anything to do with technology. And that really includes
biomed building
systems, right? Exactly. Or biomed equipment, management engineering, All those. tools that come in that have a technology component, you have to be this tall to ride the ride and this tall is you better go through some preliminary conversations with the CSOs and the security team to make sure that they at least can say, All right, good enough for now.
Go ahead and have some conversations. We'll get down to the details later. And obviously, if you're a security tool, then just, You're probably going to go to most CIOs who are going to say, have you met Joe? Or have you met Diane? And they're going to push you right back to the CISO.
Yeah, absolutely. Drex, great to catch up.
Always.
Thanks for listening to Newsday. There's a lot happening in our industry and while Newsday covers interesting stuff, another way to stay informed is by [00:18:00] subscribing to our daily insights email, which delivers expertly curated health IT news straight to your inbox. Sign up at thisweekhealth.com/news.
Thanks for listening. That's all for now