This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Newsday: IT Expecting 18% Hiring Cut and Innovating Access in the AI World with Bill Willis
[00:00:00] Today's episode is brought to you by IDMWORKS. Healthcare organizations face growing cybersecurity threats and complex identity management challenges that put patient data and operations at risk.
Since 2004, IDMWORKS has been delivering world class identity and access management solutions that build resilience, ensure compliance, and protect what matters most with vendor neutral expertise and a proven methodology. IDMWORKS has helped thousands of organizations streamline IAM while maintaining the highest security standards.
Learn more at thisweekhealth.com/IDMWORKS.
I'm Bill Russell, creator of This Week Health, where our mission is to transform healthcare one connection at a time. Welcome to Newsday, breaking down the health IT headlines that matter most. Let's jump into the news.
Bill Russell: Alright, it's Newsday, and today we are [00:01:00] joined by an illustrious panel here we have Sarah Richardson of course, always Drex DeFord the incomparable Drex DeFord and Bill Willis.
Bill with IDMWORKS. Bill, what is your title? You have a really great resume here. I'm looking at your LinkedIn profile.
Bill Willis: Yeah, the gray hair really is real, I have to say. So yeah, I've been at the identity industry space for my whole career. I had the privilege of building one of the first products in the identity industry. If anybody's ever used the IBM product, I'm the inventor and founder of that, and it's been my life's work and compassion ever since that to try and make the world a better and safer place.
So, yeah, great to be here and see you guys again.
Bill Russell: I'm looking forward to the conversation. We're gonna kick off with, uh, a scarcity story. So IT leaders expecting 18% hiring reduction in the next two years. This is a study that was done by Nash Squared / Harvey Nash, the Digital Leadership Report.
It's a pretty extensive report. I just pulled up the PDF and took a look at it. It was published today, and Becker's covered it today. Some of the things [00:02:00] that it says, obviously the headline says a lot in and of itself, and we could just talk about that, IT leaders expecting 18% reduction in hiring.
But here's some other things I'd like to throw out for you guys for consideration and discussion. 62% are more likely to hire a candidate with generative AI skills, but less software development experience. 58% say skill shortage prevents them from keeping up with the pace of change. 48% are experiencing an AI skill scarcity. 48% have a net zero target for hiring and people leaving. 44% are expecting an IT tech headcount increase, which is hard to believe. 35% expect an IT budget increase in the next 12 months. 25% of their tech teams are female. 13% are extremely or very well prepared for the demands of AI. And 14% of their annual revenue is spent on tech.
Bill, since you're the guest, any of those numbers sort of jump [00:03:00] out at you or surprise you. I would like to know what the N is on this study, but it looks pretty comprehensive.
Bill Willis: You know, there's some mixed messages in there, right?
It's like we do see that machine learning, I mean, it's the overarching. Artificial intelligence, but machine learning the backbone of this thing is getting adoption at the C-suite level. They actually see the power it can do. In what I do, there's a very simple question that the C leaders wanna know.
It's like, who has access to what in the global 5,000, regardless of industry, there are thousands of applications and the, just the enormity of that. Means that you cannot do it by hand and do it well, and so it just doesn't get done. And so the C-suite does not have that single pane of glass that says who has access to what do they have, what they need to do their job?
Have they been around a really long time and they've had all the access they've ever had through the course of their career at my [00:04:00] business? All of those simple, basic things and tenets that you would expect. To be able to run a business effectively at scale, you can't do it
I see the the machine learning, being able to take on those thousands of applications and onboard them correctly. And that will actually bring down the arms and legs necessary to run that as an example.
Bill Russell: But aren't you worried, I mean, there's a lot of talk about the AI skills, scarcity, and we, so we just had a a 229 meeting this past weekend.
I was talking to the CTOs. And they were talking about, one of the challenges they have with these generative AI tools, especially the ones that have a sort of a RAG engine on the backend, is they feed it with all this data and then the generative AI tool, you can ask it questions and essentially you get ChatEHR where you're chatting with the medical record and all this other stuff.
You talk about a pane of glass. As they were talking, I was sort of reminded of the early days. Google used to sell an appliance and you took that appliance and you put it on your network and it was really cool because it did what [00:05:00] Google does, right? It went out on your network, it searched all your file stores and whatnot, and made it available in a nice little search thing.
And you know what the first thing people found was?
How much Bill gets paid. Exactly. Yeah, exactly right.
Bill Willis: was, so, and that speaks to, so there's two things that, that I'll unwrap on that Bill from my perspective. Number one, there is a knowledge transfer that needs to happen.
So when they say they want net zero on their staffing, that means they need to retrain the folks that are willing to be trained to learn a new tool set. We've all been around this a really long time, and, you've had to learn and reimagine yourself every five or six years at least.
That's been my experience in my career. Every five or six years you have to sit back and do self-awareness, self-assessment, what am I really going to be when I grow up, kind of thing, right? And so I see people that are maybe running, that are building Microsoft software and Java software, having to now learn how to build machine learning [00:06:00] software.
It's not that difficult, it's just another language. And if you become a linguistic person in computer software and computer science, it's another thing to learn the difference and the power of that is that machine learning and artificial intelligence will only do what you tell it. It's only as smart as the data that you feed it.
And if you feed it bad data, it's not gonna run well. We use the analogy of a car and you know, an internal combusting car and gasoline. If you feed a car bad gas and it doesn't have a fuel filter, it's gonna try and run and it's gonna break down on the side of the road. But if you give it good gas, it's going to perform the way you want it to.
And that's what I see in the things that we're doing right now in the space with machine learning is that it will do what you want it to, but you have to be very careful and you gotta put all the policies in place, right? The speed limit's 65, you don't turn left on red. You know, all of the basic core tenets of good governance will apply to that cell. And then when it gets to that point, then the healthcare [00:07:00] folks can really take advantage of a series of things that are very, really exciting from my perspective.
Bill Russell: All right, let me throw this one out for Drex and Sarah, either one of you can take it. It's an all play for you guys. Well, it is. It, I mean, the headline is so that Becker's will get the click and they got the click from me.
So IT leaders expect 18% hiring reduction in two years. Two years from now, do you expect a reduction in IT staff? Equal, net increase? And defend it, like, why do you think that, Sarah?
Sarah Richardson: I would believe that. When it says a reduction, I would almost probably rephrase it from organizations I have run to reallocation.
So you're gonna uplevel a ton of skill sets through different capabilities, whether that's agentic programming, generative programming, et cetera. The need for the cleanliness of that data, for the ongoing onslaught of all of the things that will continue to feed into these models. I mean, we continuously hear that [00:08:00] storage and clean data are two of the biggest albatrosses that are existing for some of our leaders, so I don't actually believe you're gonna see the reduction.
I do believe you'll see the reallocation, so you could stay net neutral to a degree on your head count, but then be moving people into different roles, different opportunities. We're also hearing about the desire for there to be more. IT resources embedded directly into business lines, almost like the typical BRM role we've seen over the years, or solution architect and that expansion of IT capabilities.
So it upskills that upskilling brings them back and closer to the business. So I'd say I could run a net neutral shop, which I've always been very successful doing through reeducation, reallocation, and the conversations you're having to best support the business's ability for quality patient and physician experiences.
Drex DeFord: I mean even think back to my, you know, old CIO days and the data analytics team, it used to be that everybody came to the people in information services, to the analytics team and [00:09:00] asked for reports to be run and specific things to be done, and ultimately what they really wanted, but they didn't know how to ask.
For it was, can you just create a database and give me some tools at the front line so that I can get the information that I need when I need it to help me run my business in clinical and research operations better? And when we did that, maybe you run neutral. Maybe you can start to reduce. In this world, I think of AgTech and AI and, you know, the models that are coming we're gonna put a lot more people with those kinds of skills in the frontline in the clinic, and they're gonna be able to do this stuff and maybe we don't need as many people inside of information services to pull that off.
Bill Willis: I can see the push of pushing IT resources in and getting them closer to operational OT services. In healthcare specifically to get to that edge point, you know? It's all gonna be all the snowflake data that's there to be able to look at things and make, be able to make diagnosis and be able to do it quicker, [00:10:00] faster, better and be able to time slice a 66-year-old white male, you know, blah, blah, blah, blah, blah.
And like boom, there's the diagnosis and you know, where I'm run my blood tests and I can see the seven things that I need to do, right? I can see that happening.
Bill Russell: If I were in front of a board right now and they said what's IT staff gonna look like in two years? I would say plan on the same salary level.
Do not plan on a reduction in salary level, but you could plan on a reduction in staffing levels. I think we're gonna be more top heavy. I think we're gonna be more like the tools are gonna get such that we need really highly skilled people who understand the operation, who understand the technology. And Drex,
you and I were chatting over the weekend, that you know, essentially I said to the CTOs, I said, you know, I think I could throw a thousand documents into a vector database and scan them and essentially make them available via a chat. And I think if you gave me an afternoon, I could probably do it.
I did it in an hour and a half.
Drex DeFord: Yeah, I [00:11:00] played around with that Telegram connection and it's pretty impressive to be able to see how quickly you could take a huge number of interviews, put them in a database, and then turn that into something I could ask plain English questions of. I didn't have to know programming languages or anything else.
The LLM understood what I was asking and was able to give me what it is that, that I wanted out of that batch of, right, you know, what was largely unstructured data?
Bill Russell: Oh, it's all unstructured data, but here's the thing. I could give you guys a 20 minute video, a 20 minute YouTube video, and you could do the same thing.
And you guys probably don't know much about Vector. You may or may not vector databases and chunking and all that stuff, but the thing is, it gets abstracted. Like now you're just uploading these files. You could literally dragging, dropping these files in. It chunks them, it does all this stuff that used to take a couple of weeks to like.
You know, program and figure out. So I think we're gonna see more people who are really [00:12:00] tied to the operation and potentially even people in the operation going, I can do this. And then we need to put structures around them, which is where I wanna go with the next. I don't have a story per se about this one.
I wanna talk about the perimeter. I wanna talk about security a little bit since we have Bill here. I think it's a great opportunity. When I was talking to these CTOs, they were talking about the attack surface. They were saying the attack surface continues to expand.
In some places it's called hospital at home and some places it's called observation at home, depending on what the laws are in the state. But at the end of the day we're putting all sorts of devices in all sorts of places.
We had CTOs talking about the number of iPhones they have deployed. We had people talking about the traditional, like, tap and go and all that other stuff. There's an awful lot that goes into defining the perimeter. It seems that whole idea has sort of changed since I was a CIO even eight years ago.
Of what it takes to secure that. I'm [00:13:00] curious. You know, from, I, I don't know, Drex, Bill I'll leave this for you guys to sort of kick us off. How is this evolving? How are we thinking about the perimeter? Some of these guys talked about edge computing. They're saying we're pushing more and more.
Of the actual processing to the edge so that we're not streaming this stuff back and forth to create some security and privacy controls. Even putting some of that processing in the cameras and devices themselves. This space seems to be fascinating and moving.
I'm curious whichever one of you wants to start.
Drex DeFord: I mean, I'll start. But I, it's almost like I wanna push some questions to Bill because it does get back to this whole, we think a lot about that edge often as the people and the people who are working out there in the nurses who are visiting, you know, patients who are at home.
And you know, that is how far out on the edge does that go? People working from home, all those kinds of things. But. It's not just that, it's also all of those [00:14:00] devices and all that software as a service and all those other things that used to be in our data center and under our control, the button aren't necessarily there anymore.
Those things also need care and feeding and coaching and boundaries and monitoring and all of that. So what do you see out there, Bill, when you're talking to folks about how they manage that stuff?
Bill Willis: What we advise and coach is that they, the very first thing we say is, there really is no perimeter anymore.
And if you have it, it's simply a legacy, right? As SaaS has taken off and you have all this computing available to you on your cell phone or whatever device you've got there, there is no program anymore. And so, a boundary becomes a business thing. It's like if you ha, if you take credit cards and you have to do PCI, that there is a financial boundary you have to create, but that is not a perimeter.
If you have US government contracts to do health and human services or [00:15:00] something at the DOD, you have to put a boundary around that because that's, you're doing FSMA type work and there's a set of controls that are around that, but a perimeter to say who has access to what has long been gone. Um, So the thinking that we try and have people align is a very simple but a powerful one.
We try and tell them to get rid of the password because the attack surface is still historically based on going in and phishing for passwords, whether you call the help desk or the service desk, or whatever you wanna call it, with that phishing exercise. So we coach and advise on basically three things.
Number one, who am I? Bill Willis authenticate that, don't need a password for that. Number two, authenticate the device. That I'm going to have a conversation with. And number three, bind those two things together. Then you use the web-based access control policies and say, can I actually perform the [00:16:00] service?
If you take those basic, simple, well understood tenets, that works across the board and eliminates the attack surface because a hacker does not have the relationship and the lock between the person and the device, never will get it. So now you've eliminated the phone call to the help desk. So that's actually real return on investment, total cost of ownership change.
You have a well protected conversation between the person and the computing. The hacker can bounce on my door all day long and it doesn't matter.
Bill Russell: I think it was last year we had MGM and I wanna say Caesar's got hacked.
Bill Willis: OK. The Okta attack at MGM, that's right.
Bill Russell: Understanding was both of them originated with, essentially, at the help desk.
Bill Willis: Like
Bill Russell: they
Bill Willis: were given that's right. Credential. And so you've got, so you, and here's the culture problem that we've always had, is that people that are set at a help desk, basic folks that will look at a script, but they're asked to be giving.
[00:17:00] Service. Right? They're positive thinkers. They're trying to solve a problem. They're not looking at, are you trying to break in? That's not their job, right? They read the script, one step, two step, three steps. You're in, right? You know, that's the attack surface. If you just eliminate the help desk and say, passwords are no mo, no bueno, no more, we're not doing it.
Not only do you save millions of dollars across our horizon every year because. Our industry shows every time you call the help desk, it's 25 bucks for a password reset. Our dollars. If you outsource it, if you do 20,000 a year, that's 500 grand, right? So there's real money to the C-suite thing and reclaim it.
They wanna get rid of the passwords anyway. You show them and coach them on what the perimeter has been retired long ago, and now you've saved money, you've made it easier. It's a frictionless experience, and you protected the attack surface. Who doesn't want to do those things?
Drex DeFord: Man, how do you get rid of the password?
Sarah Richardson: Yeah. And how long would it take an org to fully [00:18:00] implement that in a way that they feel secure?
Bill Willis: Yeah, so it's the union of giving somebody access and then presenting access. So if you look at products like Ping and Okta and Microsoft's Entra, they all support it today, right? Multifactor authentication.
Whether I do it with my face or whatever you want, but you don't have to do the password. In fact, NIST, the National Institute of Standards and Technology, has come out in their 2.0 version, said thou shall not change the password anymore.
And is this long? I caught a fish this big. What that means is that you can't hack it and you use the other form of Who am I? What am I, and how am I, right? The three things you got, you only need two of them, and now it's gone. All of the tech, it's not a technology problem anymore. It's a cultural problem.
The technology's been around for quite a long time.
Bill Russell: I wanna come back to something somebody said in one of the meetings about the proposed rule. I remember [00:19:00] it was floating around before the change of the administration and they said the proposed rule they came out with it.
I forget what conference I was at. It was a fall conference. I think it was a fall conference. Might have been a spring conference. No, it was HIMSS. Their proposed rule was gonna come out and people were like, in healthcare, were, their heads were exploding. It's not that it was the wrong things to do.
It was all the right things to do. It was just gonna cost a fortune and take forever it caused them to really rethink how they were doing things and I said. Well, you know, that thing has sort of been put on the back burner and a couple of the CTOs said, oh no. It's coming back.
Like it's working its way through and it's coming back again. Drex, I was kind of surprised to hear that this past weekend. I mean, I was, is this because I'm not watching the two minute drill?
Drex DeFord: I don't know. I wasn't, I don't think I was in that room when somebody said that. So Bill, I think Bill and Bill, I think what you're talking about is the NPRM, the [00:20:00] proposed rule for the HIPAA security rule updates that were sort of rolled out.
For public comment at the end of the Biden administration and then kind of disappeared in the, we're not doing any more regulation early on in the Trump administration. So I don't know where or how those may be coming back. That's an interesting comment. But, you know, you never know.
There's pieces and parts of these kinds of things that get written into law or get written into, I've, you know, new financial provisions. It can be sort of anything. This was specifically around the HIPAA security rule. But sometimes the behavior that was desired in that rule or proposed in that rule may get written into lots of other stuff.
I guess. Bill, have you heard something different? Bill Willis?
Bill Willis: Yeah, so I've seen some folks looking at HIPAA being able to flip it on its head and actually make it accretive to the business and actually start baking it in and [00:21:00] going forward. I know I've long been in the country of Australia helping with their national healthcare system.
I know for sure that they've been attacking that. In a very positive way. I think there is an appetite to do some of things, especially because at the beginning that when Bill brought the artificial intelligence to bear, this is ripe for that, right? Just think of all of the data that sits in healthcare that people want to not only take advantage of and monetize, but also people that want to get access to it.
I do believe that it's incumbent upon us to get those gates in place, and that's why the CTOC is coming back around because now they've got the tools with machine learning that they didn't have a few years ago to be able to actually take advantage of.
Bill Russell: It will be interesting to see if this makes its way.
Drex, I just remember the conversations, I remember going through it way back when and it wasn't, I mean.
Drex DeFord: Yeah,
Bill Russell: I remember reading it going, yeah, this is good. This is good. This is good. I mean, I, everything I read, there's nothing bad about it. I understand. But the requirements were significant [00:22:00] and it, a lot
Drex DeFord: of it was the timelines too.
This stuff has to be done in a very short amount of time, and I think that was a lot of the challenge was the, I don't know how. You know how rural hospitals are gonna pull this off, or even large health systems. I don't know how they pull it off in the amount of time that's being proposed. And that's what's good about a lot of the NPRM stuff when it comes out.
This is like a negotiation, right? I ask. For this, and then health systems come back and say more like that, and then somewhere in the middle is kind of where they went. So, so
Bill Russell: Drex, I mean, here, you know, remove the distinction between required and addressable. Require written documentation of all security rule policies, definitions, plans, analysis, update definitions, and revise implementation specifications.
Then it had things like required development and revision of technology, asset inventory and network map that illustrates the movement of EPHI throughout the regulated. Entities. Yeah, absolutely.
Drex DeFord: Should have that.
Bill Russell: I mean, establish written procedures to restore the loss of certain relevant electronic [00:23:00] information systems and data within 72 hours.
Drex DeFord: Totally. And everybody would love to have that. I mean, I think those are massively aspirational goals. The reality is like, you know, I don't remember what the NPRM had, but it was like they wanted you to be in that position where you knew where. Every piece of data was on your network that had anything to do with HIPAA and how it flowed across what parts of the network and in and out of what systems.
But they wanted it in a very short amount of time. And you and I both know, we've had a lot of conversations, a lot of CIOs,
Bill Russell: but think about third party risk and think about the breaches we've had in the last year require that business associates verify at least once every 12 months for covered entities and that business associate contractors verify at least once every 12 months for business associates that they have deployed technical safeguards required by the security rule to protect EPHI through a written analysis of the business associates', relevant [00:24:00] electronic information systems by a subject matter expert and a written certification that the analysis has been performed and is accurate, is not third party risk, like the thing we talk about at every CISO meeting.
Drex DeFord: It would be great if we had this kind of capability, but you know, you're talking about now an army of people who are an army of contractors that are gonna go out and get this information.
Bill Willis: We can make it really simple. It's like. If I have a third party contract, they don't have direct access to my stuff, they have to come through and have either two-factor or multi-factor authentication.
And if they don't use the access within, and again, this says 45 days for an aged account, they haven't used it in a month and a half, you take it away. Yeah, absolutely. For folks
Drex DeFord: who are coming into our systems, that's great. But how many of our applications now are SaaS where the data doesn't actually, those third parties or third parties will we file claims with them.
Bill Willis: This is where we take the approach that all access management has to be [00:25:00] federated and initiated on the other side. And so you don't let them log in to that SaaS. You federate from the hospital to the SaaS app, and that way you can then put the aging and say you don't have access to it anymore.
Bill Russell: Amen. We don't outsource security. You know, Sarah, I sat in the back of the room, which is really hard for me, but I sat in the back of the room in one of your 229 meetings and one of the CIOs was very bold and he essentially said, look, if they don't adhere to their business associate security things they're like. Don't even bother. And what he was saying is essentially he had support all the way up to the executive level and it's like, submit to this or we don't do business with you.
Sarah Richardson: Yeah. The other thing I found super interesting in recent conversations is there as the audit of all of the people inside your organization who only need internal.
Communication. They only need email for internal comms. And this additional layer of, Hey, if you failed a phishing attempt three [00:26:00] times, you don't even get email anymore. Oh yeah. There's like, there's these new parameters of like, who actually needs access externally That creates a bigger threat landscape.
And with the humans being your, your biggest area of vulnerability, sometimes you actually manage the humans differently or put them into different structures. And so that level of responsibility and awareness and really who gets that's with Licens, that's was saying
Bill Russell: earlier. He doesn't trust humans.
He wants a different system. Because
Sarah Richardson: humans give up their
Bill Russell: passwords all the time.
Bill Willis: They do. I mean, and that's the point, right, is that if we are to try and make the world a better and a safer place at the same time, then we need to think differently. This is not a technology or a tools problem.
These tools are available today and most of the hospital systems that I've been dealing with, like you have already have invested in Microsoft or another set of tools. They already have the tools. It is a cultural shift. On how people consume and [00:27:00] gain access and there are some that want to be assertive and say, thou shalt do it this way and take it there.
Others are more sensitive, like the social economic thing. It's like, I gotta be sensitive to some of this stuff. At the end of the day the faster that you accelerate the return on the investment the faster you'll protect the hospital system. And it is very linear that way.
If you do it, it'll happen. If you don't do it, you're gonna keep getting knocked on the
Bill Russell: Bill, I want to thank you for being here. And by the way, upping the cool factor the black background man, they just have a Steve Jobs look going there. It looks really good.
Bill Willis: You know, I had a black shirt on too. It was like, it just all like, I thought I wouldn't do that. Your
Sarah Richardson: head just flipped around the screen when you do that.
Bill Willis: Yeah, I'll send it to you. It's like, actually one of the other things I do national webcasts for, they're like. Black background, dark shirt. The whole thing.
So I mean, I'm more than happy to send too. So.
Bill Russell: Fantastic. Thank you everybody. Take care.
That's Newsday. Stay informed between episodes with our Daily Insights email. And remember, every healthcare leader needs a [00:28:00] community they can lean on and learn from. Subscribe at thisweekhealth.com/subscribe. Thanks for listening. That's all for now.