This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:00] Today on Newsday.

Part of our challenge has always been we have a cool technology.

Can we find some way to use it? Versus we have a problem, can we find some way to solve it? My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, where we are dedicated to transforming healthcare, one connection at a time. Newsday discusses the breaking news in healthcare with industry experts.

Now, let's jump right in.

(Main) Welcome to Newsday. I'm Sarah Richardson, and I have Drex DeFord joining me today as well. We're gonna cover a few topics that we think you might wanna know about, and also make sure we get a good mix of what's happening out there in the HIT universe. Thanks for joining me, Drex.

Hey, it's always good to be here.

Hey, let's jump right into it. Let's talk about cyber attacks that are sparking credit downgrades at a couple of health systems.

It's a thing that's been happening for a while when you have a big [00:01:00] breach and it puts you into financial dire straits. The likely outcome of that is ultimately when you come around to bond time or bond rating time you'll get a downgrade, and there's a story in Becker's that talks about Palomar Health in Escondido and Frederick Health in Frederick, Maryland, and the challenges that they've had after the breach.

During the breach. Cleaning up, taking care of tech debt, all that requires a bunch of additional expenses. And all of that has impacted their bond ratings.

So when I think about what this means for healthcare systems in general, there's a piece, specifically, the whole financial vulnerability piece to me feels like these lead to immediate operational disruptions, but also they have some long-term financial consequences, which, correct me if I'm wrong, increased costs for remediation and even revenue losses from delayed services.

What are you seeing out there?

Yeah, absolutely. When you [00:02:00] have patients who wind up having to put off services. That's bad for the patients. That's certainly bad for your billing systems, right? When you're offline and you have to delay making a claim. In some cases, you can get into this weird situation where the window closes on you

depending on how long you have to file a claim. With a particular insurance company, a particular carrier, you may lose the window, which means you may lose the money. And so it's all those kinds of things. I think now more than ever, probably people think through this and understand what their impacts are, but I think until you've been through one of these things or two of these things that you don't really understand all the little gotchas that are there that are built into the system to cause you even more pain than you imagined you would be able to suffer through a cyber attack.

Some of that pain to a degree is what regulatory scrutiny. What I find really interesting right now in our environment is that some of the [00:03:00] persistent cyber threats that have led to the proposals for stricter cybersecurity regulations, especially in healthcare, they're creating this space where new rules are enhancing measures among healthcare providers, and yet it still feels like our CISOs are inundated with keeping up with regulations and all these best practices. So is adding more regulation going to make us that much safer?

I think there's, opinions vary, right? "We're from the government and we're here to help" sometimes is not actually very helpful.

Having been somebody who was in the government for a long part of my career, I think that you put these regulatory requirements into place, but you don't create any funding to support the adherence or the compliance with those regulations. You create pressure on a system that is already under a huge amount of strain.

Most health systems are working on super thin margins compared to for-profit companies and all that [00:04:00] just has unintended consequences. Ultimately, yes, the organization needs to be secure, or at least it needs to be this tall to ride the ride from a cybersecurity perspective.

But man, how you get there, how you create the funding to get there. Especially in rural hospitals and inner city hospitals, other organizations that are under a tremendous amount of strain, what are they not gonna do if they do cybersecurity? Does it mean that they're going to have to close the emergency department?

Does it mean that they're not going to repair the leak over the supply chain storage building? What are they not gonna do? And these are all the things that we wrestle with as we go through this kind of process of do we need more regulations, do regulations help? I think they help guide what good practice looks like.

It's the funding part that is probably the place where this is most likely to break down.

If you're doing the things you're supposed to be doing as a CISO, as an example, you're prioritizing cybersecurity [00:05:00] healthcare organizations behind you and understanding what that means for operations, for finances, for patient care, as an example.

What else do you do besides proactively making the right investments, training the team, collaborating with like peers, government agencies? What are some other proven things that work well for CISOs when, to your point, you may be deciding if you're buying a patient bed, fixing a leak, or strengthening your security profile?

Absolutely. The other things that kind of work, I think, are the things that are just good practices from an operational perspective. Do we have 160 security applications? Is there some way to consolidate those down to a more limited number? Do we have folks trained in all those things that we've bought?

Sometimes the things that you've inherited are not the tools that you chose. They were chosen by the CISO two CISOs ago. We still have them. We still pay for them, but maybe we don't really use them or we don't use them at [00:06:00] capacity, like we use 25% of what the application can do. All those things are just good practices to go through.

Look at what you have, understand all of the tools that you have and how are you using them? And then in the spirit of everything's connected to everything else, it's not just about the applications that you use in security, but it's about all the other applications and the tech debt and the tech debt that isn't only tied to applications, but it's tied to infrastructure and tied to everything else that you have in the building, including building control systems and all these IoT devices and medical devices too, can be vectors for a cybersecurity problem and you need to understand what you have in that inventory, how you're managing it, how you're protecting it, and can you consolidate that? Can you simplify that environment? Because simpler is always easier to secure. And that's just a good practice in general, I think for everyone, not just the CISO.

App rationalization at the CISO level is a [00:07:00] key point. And yet we're not seeing a decrease in investment. Another story you and I found is Johnson and Johnson announcing a $55 billion investment in US healthcare. And it's over the next four years. What I really appreciate is it's manufacturing, R&D and some technological advancements specific to biopharmaceuticals and medical technologies.

They're gonna open their first facility in North Carolina. That's gonna over 500 jobs. That's gonna focus on oncology, robotic surgery, next gen therapeutics. These things all eventually show up in your hospital, have to be protected, have to have infrastructure, have to have sort of the automation and AI components.

They do create jobs. But what I find really interesting about all of this is that it's going to expand. It needs how you integrate with the EHR, how you think about your cloud and how you think about data-driven research and tools. But if we layer in that cyber and data perspective, what else is that gonna mean for healthcare IT leaders?

I look at the, that kind of an [00:08:00] investment, the kind of work that they're actually trying to do or that they are going to do. So the way that they produce and manufacture drugs today are through, the testing that they do on human animals as a giant group.

Humans respond well to this drug or poorly to this drug, or they respond well to this drug and it has these side effects. I think the investment they're trying to do here is to do things that are much more personalized, which means a couple of different things. One is you're gonna need more information from those patients to find out how they're made as individuals and what they actually really will respond to from a pharmacology perspective. And then how do you create custom drugs for that patient who has a specific kind of disease so that you can treat that disease? That's a lot of information, that's a lot of hyper-specific data on that patient and [00:09:00] on that drug.

Which means there's a lot of intellectual property stuff that needs to be protected there, but there's also a lot of personal, private data that needs to be protected there. I think it's gonna be fascinating to see as we go through the next few years with AI, with a lot of the work that's happening on the pharma side, how we're going to create a situation where we protect the patient, we protect the data, and we protect that intellectual property, which is gonna be incredibly valuable.

So it's almost like a whole separate aspect of a job. You start to learn about, to your point, how do you protect intellectual property theft? How are you looking for vulnerabilities within AI models and thinking about zero trust architecture from the get go? Continuous monitoring of these different systems and blockchain coming back around as a data integrity solution. Blockchain's one of those things that had a ton of hype when it was first introduced. You had the book, right, by Don Tapscott and others, and then it went away for [00:10:00] a bit and now it seems to be showing up again more and more. Drex, is blockchain something that can be used effectively within these organizations for data integrity?

I think it's such a broad statement. You'd have to have a particular, what would the use case be? Yes, it absolutely has some application. I think there's probably some effort that goes into figuring out exactly what that is. Part of our challenge has always been we have a cool technology.

Can we find some way to use it? Versus we have a problem, can we find some way to solve it? There's other things that have propped up in the past that were really cool ideas, but for whatever reason, they didn't apply at the time. And so I think about things like personal health records, right?

Microsoft went through a PHR phase. Google went through a PHR phase. We all love the idea in theory, but it was obviously really hard to figure out how to take all the medical data for a patient and a lot of other data about [00:11:00] that patient and put it in a single place that the patient would be responsible to take care of.

We've progressed and with agentic AI, and maybe we're getting to the point we talk about personalized medicine, all the things you need to know about that individual, where they live, the food they eat, the exercise that they get, the travel that they do, and all the stuff that happens to them in a medical facility in reality is probably just a small portion of any medical information that you would have on an individual. Honestly, if you looked at them holistically, all of that could go into a PHR and maybe the patient could even have some kind of authority. Should have some kind of authority to manage that data, to use it in any other kind of research or, maybe I could sell that data, make money because I'm a really special, interesting version of the human animal. And researchers want to use my data for their research. There's so many things I think that have come and gone and maybe will come back. It's [00:12:00] interesting to see even cloud computing, right? If you think about cloud computing as just a big data center and a bunch of dumb terminals out on the end of the line.

We've come all the way back around to that.

If you have all that personalized medicine, let's just say that, we're mapping all of our own genomic data, all of our own drug therapies. You may even need what quantum computing to handle some of that. And I think of just the amount of clinician training and even IT training on how to handle all those different parameters.

Yes, we're gonna get into more and more advanced medicine that comes with the cost as well, both from a human capital perspective as much as having the capital to do it in the first place.

Who's gonna ultimately pay for that? Who's gonna pay for all the tech? The folks, Johnson making a $55 billion investment.

They're not doing that out of the goodness of their heart. They're looking for ROI eventually. And that means that they think somebody at some point's gonna pay repay them plus a ton of money for that investment. Where does that come from, and does that create even more of a [00:13:00] situation of the haves and the have nots when it comes to healthcare and healthcare delivery, especially in the US but around the world?

And we're seeing, from the next article we're covering, venture capitalists focusing on AI to drive health tech growth. What I found super interesting was that overall health tech investment had dropped to 11.3 billion in 2024, which was the lowest since 2019. Startups still struggling with IPO exits, acquisitions, and it makes small companies harder to scale.

AI is really becoming a key differentiator and either having proprietary driven data, having integration into workflows, or even thinking about the efficiency and ROI for health systems. We put our CIO hats back on, and if we're thinking about our ability for a startup, especially to focus on AI.

Back to what you said before, which one really provides value? Which one's solving a problem we've identified versus having the hype of trying to figure out where to put it. That's [00:14:00] gonna be a part of our overall strategy. Kate and I often talk about when we do the news, hey, if it's a pilot, tell somebody it's a pilot.

Otherwise, you have to figure out a way to make this thing scale, how to make it secure, and how to make it integrate with your systems. But I'm gonna throw it back to you again and say, from a cyber and risk perspective, what does this mean for us? And is automation as well. It's gonna have the impact on the workforce that allows us to have the humans to do the extra work to a degree that's being created by some of the problems we're actually solving.

That is a very good and very complicated question. I think that ultimately if we get down to solving the problem, that's probably the most important thing. What's the problem you own? We talk about that with our partners and a lot of our friends all the time. What's the problem you own in healthcare?

That means that we're doing a bunch of stuff probably in-house from a technology perspective and a cybersecurity [00:15:00] perspective. We're probably doing more stuff than ever before and we are now, but it's probably just going to get worse, better. We're gonna do more stuff with third parties and with partners.

That means we're really gonna rely on those third parties to also have their act together when it comes to cybersecurity.

[Mic bleed]

The way things are structured today, we're gonna have to look at their cybersecurity with them. We're gonna have to audit them. We're gonna have to document that we've taken a look and that we're comfortable with where they're at from a cybersecurity perspective, because if they have a breach, odds are still really good that we were on the hook for the breach because they were one of our partners and we gave them access to our data. So that's a big part of the challenge. I wanna say something about this pilot thing too. So you and I talk, you and I have talked about this a lot. If you're a partner and you're going into a healthcare organization, you wanna do a pilot.

But pilots, if you're in the healthcare organization, have a very distinct beginning and end. And then you make a decision about whether or not you're going on. A lot of organizations still [00:16:00] make the mistake of a pilot being kind of the way you get into the organization and we're just gonna run this application or this, whatever in this small little part of our hospital and that's where we're going to start.

That's not really a pilot. That's really, that's something else. Yeah, that's, we are making a commitment to this. Pilots really have the beginning and end, and then we make a decision about, eh, are we really gonna do this? Are we not gonna do this? What did we learn from it?

How would we do it differently? It's supposed to help you get to the next step. And a lot of organizations don't do that, and when they do it, they don't do it well from a cybersecurity perspective, either.

That's the whole thing about governance really still being one of the biggest barriers. We hear AI adoption has challenges with data privacy, security, interoperability, skepticism. Half the time in our conversations at city tour dinners and summits, it comes back down to the governance aspect of what decisions to make, whether it's pilot or otherwise, but really the technologies to be considering.

And so why doesn't [00:17:00] governance get enough traction? When we think about barriers to things like adopting either these newer technologies being produced by people like J&J, or AI in general as a tool set within our health systems.

You just like to hear me lecture people about governance, don't you?

I interviewed you like seven years ago for my HIMSS podcast about governance, relentless prioritization, and it's still one of the most listened to episodes from that era.

It is funny as we go around the country, we do city tour dinners all over the place, and I don't know how many we have done, but we're gonna do 40 this year across the country, plus all the summits where it also comes up all the time, and it is the built in weakness in healthcare, our inability to say no to things.

And lots of times the conversation comes around to something structured. I have all these projects. How do you all get all of these projects done? And [00:18:00] this is where I'm very likely to say there's a lot of projects you can't really do all of them. And I use this analogy about water in a bucket and beautiful flowers.

Those projects are flowers that your end users, your leaders want you to plant. They want the beautiful flowers. They think they look amazing and smell amazing. The problem is everyone wants their own flower and you only have so much water in the bucket. You can only water so many of those flowers to keep them alive and keep them beautiful.

And if you try to water all the flowers, they're all gonna die. You're gonna die because there's gonna be no water left in the bucket. So I've stretched the analogy probably too far, but it's about resource allocation and prioritization and saying yes to some things and actively saying no to other things so that you ultimately have the resources you need to get the things done that are most important to the organization.

And that's really hard in healthcare. Some of that's because the things below the line that you actively deprioritize also seem like [00:19:00] no-brainers, and you absolutely I should be doing that. But you've gotta make tough decisions and that's why you get paid the big

[Mic bleed]

Which we pause for because we all know that you don't go into healthcare to become the millionaire of the idea, per se.

I say that completely tongue in cheek.

Here's the thing though, and I appreciate Stanford and others who have put together essentially a checklist by which, even before a partner, a vendor solution can come in the door. I mean, get to their governance process. For an example, you have to meet NIST standards, you have to be how compatible integrate with the EHR, have HITRUST, or even SOC 2 or other components, HIPAA compatibility, peer review, validation studies, proven ROI, case studies. All of those things can help you before you even get to the point of needing to make a decision about whether or not you bring it into the organization. But Drex, I have to ask you, let's just go back to the million [00:20:00] dollar perspective.

How sustainable is AI in our healthcare systems and how much of a bubble do we risk facing ourselves with? Similar to what happened with dotcoms and even telecom in the earlier 2000s.

[Mic bleed]

I think we have, so this is where you look at health systems across a spectrum here.

There are some health systems who are going to deploy their own AI and build their own LLMs and run those and customize those and do all kinds of amazing things with them. The vast majority of healthcare is gonna do what the vast majority of healthcare has probably always done, and that is they're going to buy commercial off the shelf products, whatever those AIs are, or AI that's built into products that they already own.

And they might do some slight customization, but otherwise they're gonna run those LLMs and that's probably the best they're going to be able to do for most of them. They're gonna have to make some hard decisions about what they're gonna pay for, whether or not they're gonna allow that AI button to [00:21:00] be clicked in their organization or not.

Can they afford it? And then really figure out what do you do with the data. It can't just be there to be cool. It has to be there because it either brings additional revenue or it helps you cut cost.

So if we were to sum up most of our conversation today, it would be that you don't chase the trend that needs a problem to be solved.

Really look for some of those problems that already potentially have some partners or opportunities around them. Make sure you have cyber, make sure you have funding. Make sure you have some efficiencies and goodness sake, have governance in place from a data, AI and even project perspective. And if you're mature enough in your system, those are actually all happening, those governance models in one place.

That would be great. I think that's an ideal state to reach for sure.

And the ones listening that go, gosh, I've got three or four different governance committees. You gotta keep like herding those cats into a mix that allows you not to have two committees now have to [00:22:00] make a decision, which elongates the decision making process.

And actually sometimes in those scenarios, you get to a point by the time you get to Yes, you don't even wanna do it anymore.

Yeah. You're already over it. Or you've found some other solution. These are the kinds of things that kind of immovable bureaucracy also creates its own unintended consequences of people figuring out how to work around it.

This is why we have, probably not the right term 'cause people hate it, but that's why we have IT hobby shops. It's why we're going to have AI hobby shops. If you can't find the right way to get something approved through your organization, most people who are in healthcare, who are here in the interest of helping patients and families, will find ways to get their jobs done that may not be an approved way, and that may put you and the organization and your data at risk if something bad happens.

That's it for today's episode. You and I probably should do Newsday once in a while 'cause we have all these tidbits from our summits and our dinners and everything else we cover. We don't [00:23:00] get to do this very often.

It's true. There's a lot of market insights I think that come from us touring around the country and talking to health systems and other organizations large and small at city tour dinners.

So it's always a lot of fun. It's great to see folks and, man, we're loaded with a lot of brainpower too. Those folks are amazing.

It is. I love the things that we hear and the things we're able to help them solve. Always so much fun that would hang out with you. It's not in person virtually.

Certainly works too though. Thank you for joining me today.

Of course. I'll see you on the road next week.

Absolutely. Remember to share this podcast with a friend or a colleague. Use it as a foundation for daily or weekly discussions on the topics that are relevant to you and the industry. They can subscribe wherever you listen to podcasts.

Thanks for listening. That's all for now.

Thanks for listening to Newsday. There's a lot happening in our industry and while Newsday covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers expertly curated health IT news straight to your inbox. Sign up at thisweekhealth.com/news. [00:24:00]
