This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
[00:00:00] This episode is brought to you by Island.
Today's healthcare staff needs safe, convenient, and dependable access to patient data across various applications. Island, the enterprise browser, simplifies and secures healthcare data access. It's a new take on the most common application we use every day, the web browser, tailored for the unique demands of healthcare.
Clinicians can safely log in from any device to interact with health system applications and PHI. Built-in last mile controls keep data where it belongs, so access is simple, data is safe, and patient care is smooth. Visit ThisWeekHealth.com/Island to see Island for yourself.
Today on Unhack the News.
(Intro) make it easy for them to say yes to the rules. By making a part of the workflow. So it doesn't even seem unnatural.
They're still getting to use AI, but you're getting to have eyes on it and control over it.
Hi, I'm Drex DeFord, a recovering healthcare CIO and long time cyber advisor and strategist for [00:01:00] some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non technical show covering the latest and most important security news stories.
And now, this episode of Unhack the News.
(Main) Hey, everyone. I'm Drex, and this is Unhack the News. And one of my best friends is on the show with me today. I really love hanging out with him.
John Kirkman from Island. John, welcome to the show.
Thank you, Drex. You're one of my best friends, too. I was going
to say, is it okay if I say that you're one of my
It is. No, I think it's cute. No, I'm just kidding. Honestly, you're one of my favorites in the business and outside.
So happy you can tell me, you can, I'm proud to be your best friend.
Thanks. I appreciate it. We've been through a lot of stuff together. There's a lot of stuff going on in the news. We're going to hit a few news stories today. Are you sick of AI yet? Is AI still a thing that you talk about?
I'm not sick of it if it's [00:02:00] constrained within like a conversation we can do something about, but I'm sick of AI co-opting.
The whole idea of anything compute is now AI, if that's what you're asking.
I don't even know if it needs to be anything. Compute is AI. Literally. I'm seeing things like, you know, my toothbrush and my vacuum cleaner have AI now. And I'm not sure that's exactly, no, I don't know. I don't think that's what it is.
I think they're just putting AI onto all kinds of stuff.
I agree. I don't know if I want AI telling my mom that I don't floss enough. I mean, there's got to be a limit here at some point, right? But yeah. Yeah.
So one of the stories from Dark Reading has to do with employees. The title of it is "Employees Enter Sensitive Data Into Gen AI Prompts Far Too Often."
And this is one of those things that I feel like we talk about a lot. And I know people try to put policies up and they try to educate people about don't put sensitive data. And, you know, here's what sensitive data is. And, you know, there's always sometimes kind of a
[00:03:00] ated or whatever. Gen AI product is that you're using get sent to that prompt. And then once it goes into the prompt, obviously it's in the model. It's in the public domain. It's used and reused because it's used to train the model, and then It's a real challenge. Are you seeing some of the same thing?
How are you guys answering that issue?
I would certainly say there's a good, there's a lot of great places for AI. I mean, particularly some of the things that we're seeing in the EHR space, you know, amazing to see where you're actually affecting outcomes and you're taking empirical data and applying it to different problems.
I mean, there's so much in clinical where it is hyper relevant, without a doubt. When you start thinking about the enterprise at large and the types of data that flows around our organizations that are outside of clinical data, that's going to help, help people get better faster. There has to be some controls put in place.
I mean, there are standards that should be created and most people have some kind of level of standards they've created because, you know, the board wants to see that. But how enforceable is it? How are you doing it? So, one of the things [00:04:00] that I'm focused on in our space and our company is focused on and really enterprise browsers at large is the ability to sort of control that cut paste at the point of use of the data itself.
Like when it's happening, so how can we help direct, that to not be able to get pasted into a place you don't want it, or how can we define a large language model we want the corporation to use, and at the point of use of the data itself, it can only be used in that model. Or when those answers come back out, where can it be put back into your enterprise?
So think about the other way to let it junk in. Right. So there's a lot of controls that are, you're able to do when you're kind of controlling the user interface, the data and how they're using AI to make sure you're controlling both what's coming in, what's going out. You should have a strong practice around that, and you should have the technology to back that up in today's landscape.
So, you know, it's a big deal. We see it in everything from healthcare to public entities to all sorts of places where this gets really [00:05:00] important. And not to mention also even in the privacy world, that's a pretty popular topic. So no, I think it's a big deal. But we can't say no, like.
Very popular in IT security to just say no to stuff,
right?
It's not going to work, right? You start looking into researchers and they're not going to comply. So make it easy for them to say yes to the rules. By making a part of the workflow. So it doesn't even seem unnatural.
They're still getting to use AI, but you're getting to have eyes on it and control over it.
And they're not taking risks that they're not being paid to accept for the organization. Right? So they, they do these things. So, I mean, this is really interesting. I don't want to dive too far down into specifically what you do, but what you do this enterprise browser market to me has become a thing. I'm really excited about it. I love what you guys can do, but explain it to people, to others who don't know about enterprise browsers. Yeah, the technology feels like if you don't know about it and people start to explain it to you, it feels like magic.
Like there's no [00:06:00] way it can possibly work like that. I had this previous to this other experience at a previous company when you explained to me what it was that that company was doing. And I was like, there's no way it works like that. Well, I had that same reaction when you went to Island. Can you give me kind of like the load that you talk about?
Like, oh, well, you can only go to certain places and cut and paste certain things. Sure. How can a browser manage that?
Just think about it like this. What's happened to date is we've taken a product, you know, a whole segment of browsers, that's consumer product. It was made to do a lot of things, but a lot of what it was done was to help to monetize, you know, the search results and all these types of things.
So there's a lot of stuff going on inside the browser that's not really germane to business, that actually just clouds things, right? So, what we're endeavoring to do now is, you have an enterprise class browser where instead of bolting on all these things like web filtering or ways to monitor whether it's bad DLP, signature in it or what have you, right?
Instead, what if we just built that [00:07:00] natively into the browser itself instead of having to talk to all these outside capabilities? And when you do that. It streamlines it for the user to where they don't even notice it, but it's solving for what the enterprise wants to do. So for instance, in your example of cut and paste, right?
Inside of an OS, it allows you to cut one thing one time and paste it somewhere else. One time goes in some clipboard. It, and there's not a lot of discernment about where it comes from or where it goes. That wasn't what they had in mind when they made that
right
feature.
Well, what if you were able to do things like, we'll just buffer the last 50 and we'll organize them in a way where you can use those clips over and over again to drive a workflow to go faster. So instead of somebody having to go and set up, set up a referral, what if it automatically populated all the data from into that form to do that referral?
That feeds things up for the practitioner. They don't even realize that, you know, it's happening in a sense, but we have the data. And we have the screen. They don't necessarily have, can we bring those together in a more efficient pattern? So that's the [00:08:00] idea of where you're actually just using that information in a way that drives and streamlines at the same time, since we're seeing it all well now, guess what?
We can log all that. We can look for patterns. We can look for problems. So that's the security side of it. So on one hand, you're making the life better. But on the other hand, you're actually monitoring what's going on. And on the third leg of the stool you can control what happens with that information.
That's the stuff. That's the cool thing. Because now people mostly make mistakes by accident. It's called a mistake, right? So if you were able to intercept that potential problem right when they were going to do it, now you don't have to track a lot of things and go into other systems and do all this.
You're actually just solving it right at the use. And that's the idea of, that's why the browser is such a unique opportunity. It's at the point of use and it's right at the screen as it's showing up. So it's a really cool way to do it.
It is cool. Okay. Sorry. I kind of got a sidetrack, but thanks for the education.
It really does help. The next story, healthcare is poised for robust [00:09:00] M&A activity in 2025. This comes from PwC. It just kind of continues to make the point that I think a lot of us know. And that is that consolidation continues to happen in the market and it's apparently going to continue to happen in a big way in 2025.
What are you seeing as you talk to customers or potential customers? I know you're, you're on the road all the time, talking to tons of folks. What do you hear about M&A and the challenges around M&A?
is going to continue. There's no question about it. And divestitures are one side of it.
That's also, you know, you have to, there's risk associated with that. So it's, not just, you know, the merger and acquisition, but the actual entity that's offloading that, that has to think about these things. And often, and, I'll make it, you know, anomalous here, but. There's a, there's a situation where a large health system was selling off some of their hospitals to a university based health system that's growing.
And the other one is, starting to pull some of those hospitals away from their system. But the challenge was for both of these guys. Now we've got the [00:10:00] new acquiring entity is trying to figure out how do I safely enable people to continue doing their jobs in their environment until we are able to harmonize our EHRs at some point in the future.
How can we give people access to something that, and they are not in our four walls? You know, inside of our enterprise yet,
And again, it does go both ways. There's people at the divesting health system who to access things in the new health system and vice versa from a business perspective, but from a daily operations, frontline, taking care of patients perspective.
Absolutely. So think about this. If the browser is this workspace you go to and you click on the instance of the HR you're used to that you're using because you've been working here and you're going some place new you continue to still use it the way you were.
Right? And so it doesn't really look any different, but the risk to the new acquiring entity is mitigated because they're managing your browser, even though it's your asset and you're not in their network and you're on your own BYOD device, for instance, the acquiring entity can [00:11:00] still control that browser, just in the way I was describing to you a moment ago, without having to own that browser or that asset or anything else that's, that's the magic piece. That is surprising. So you can think about it both directions.
Yeah.
But it helps these companies come together because it's going to take time for them to actually harmonize, maybe on one instance, or maybe they don't have to ever do that.
Yeah.
And then you start to extrapolate that out to imagine all the attack surface and all the risks that you're acquiring when you acquire an entity, all of their third parties.
Yeah,
We don't know the hygiene of all the folks that they're connected to. Well, what if you're able to get your arms around all that? So, you know, when you are acquiring them that you're doing in a safe fashion, it is game changing. It's a really strong use case for enterprise browser technology that is the same, whether it's a managed asset by your company or an unmanaged asset to a third party, be it an entity you're acquiring or one of their myriad third party connections.
This makes sense to me from the business person in [00:12:00] me is sort of thinking through the like the reason that usually you're doing some kind of an acquisition or a merger is that you're trying to get to a business value. You have a plan for that. You want it to shrink down to be the shortest amount of time possible before I'm getting the value.
But a lot of times that's dependent on this big backend project of like merging networks together and merging applications together, or signing an MSA, and then figuring out how over the next nine months we get off the old, the divesting organizations. I mean, all of that takes a lot of time and a lot of effort and a lot of money, but you're kind of giving them a fast track to make that happen. Get to that value sooner. Interesting. That's it.
Yeah, it's accelerating the idea that you're trying to do and removing a lot of the risk. I mean, and in particular, like the example I was looking at a few minutes ago, they have a lot of things going on in the world that the health system is having to deal with and the complexity around all these connectivity.
So they're going to have to do lots of legal connections and they're going to have to do a [00:13:00] lot of other parts. If you could reduce some of noise on the IT side, it can help the whole organization just move forward faster.
Okay, one more story. This one actually, kind of on its face, doesn't have anything to do with healthcare.
I know that you run all of SLED at Island, and so I kind of put this one in here because there's sort of a Venn diagram for this. But this is about an attack that has happened or maybe still is being sorted out, obviously in the education space. This is around elementary school, high school. And there's a company out there called PowerSchool, and it's got in my head.
The PowerSchool breach is a lot like the Change Healthcare breach for health care. Everybody was using them didn't really know, you know, like, sometimes they did. Sometimes they didn't realize the whole breach that Change had. PowerSchool has the same effect or the same kind of issue, right? They are in, feels like, every school district. They have millions of records on [00:14:00] students and faculty. And it's just a crazy situation.
I know that you've read the article. What's going through your head on it?
Yeah, I mean, I think it's not any different than what you were just talking about. What happens is the reach of these things gets staggering. That's what gets people's attention, right?
And so you mentioned Change as an example, like what, how many things that impacted, right? So to be able to insulate yourself from that is like job one first, of course. But if you start thinking about it's the interconnections between all the organizations where it starts to get super interesting so that one person's mistake can now ripple out and become everybody else's mistakes that's attached, right?
This is where having that control over the supply chain, meaning knowing who can and cannot have access, to the data that you want them to. This is the idea. Now, let's just look at it even in a very sort of altruistic, like it's just kind of wrong anyway, that they're going after, kids data, right?
So that's just bad anyway. But if you look at what [00:15:00] does to the brand reputation and to the confidence in the education system from the parents and all those things, that's not unlike if you had a large healthcare breach, it's very similar cause it's very personal.
When you're talking about children or education or families, so it's analogous. Now, there actually is probably some connective tissue also. So if you look at if education becomes this market to go after, you go after higher ed, higher ed and healthcare are very linked. Yeah. Very, very linked, particularly in the areas of research and places where we're trying to actually solve for problems in the future.
We're trying to modernize things. And if we were to then see a. traversing over and starting to really, you know, monkey around with health data, this starts to get actually, pretty frightening. So it's all so interconnected, you know, that it does relate to one another. But I think in particular, it's that higher ed into healthcare and, you're, I mean, there you're trading EHR records and all these things as well.
And I think where we can be [00:16:00] diligent to deal with our third parties and really understanding the ripple effect. And your connectedness to everything else is super important. It's a diligence thing on all our parts, but there is technology to help the spread.
So that's the other piece.
It's interesting to think about one of your third party risk issues may very well be the local high school, the local elementary school. If you're a hospital, you may have a tele med installation over there. You know, you may be doing kind of sick call you know, at those high schools, some some organizations provide or support the athletic trainers at those high schools.
And again, there's a connection there. And so, I mean, a lot of this, I wanted to bring this story up because of the challenge of third party risk, but the reality of like, everyone's connected to everyone else. And if you're a student or you're faculty or you're the parents of a student, but you're probably getting letters about this breach right now and what it means and what you should do to protect yourself and protect your [00:17:00] kids.
It is a crazy world we live in right now.
Yeah, no, no doubt. But, I think we should just look at it like every other problem that we have to solve. We just have to kind of, you know, get honest about it, think about the new ways. There's new things coming all the time for solving for these. And, and there's a lot of innovative people inside of those education systems that are really trying to find a way.
So we just have to open, you know, the nice thing about the, the public sector in the education world is that they are open to conversations. So the good news is I think help will be on the way soon, hopefully.
A lot of those folks are built to learn, right? That's why they do.
Yeah,
exactly.
Hey, John, thanks for being on the show today. I really appreciate it. Anything I didn't ask you about today that you want to talk about? You're, you're going to VIVE. You're going to HIMSS. We'll see you there.
Yeah, yeah, definitely. Let's plug both of those events. I'll also be at IGEL Disrupt.
You know, later in the spring as well. So they're doing really cool stuff with having a secure bespoke OS for business, which fits right in with what we're up to. So you'll see us at Vive with them, actually showcasing something with [00:18:00] SHI on actually in the environment will be really cool.
We'll be hanging around with the dogs looking forward to seeing Cap in there.
of ours, obviously, so yeah.
Yeah, so no, we'll be in the mix with all those advice, so looking forward to that. HIMSS, of course disrupt, and then, you know, even going further, a little further out in the spring at Health ISAC.
So, hopefully I'll see some of you out there.
Cool. All right. Hey thanks for being on again. And our paths will cross very soon. I'll see you.
Sounds good. Take care.
Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.
Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.
As always, stay a little paranoid, and I'll see you [00:19:00] around campus.