- This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

UnHack (the News): Cybersecurity Leadership and Rural Hospitals Under Attack with George Pappas

GMT20241127-170018_Recording: [00:00:00] This episode is brought to you by Intraprise Health, a health catalyst company.

Make cybersecurity a priority, not a headache. Cyber attacks put patients at risk and cost healthcare organizations millions. But with convoluted software systems and risk and vulnerability data lost in silos, leaders know their organizations are vulnerable and they feel little control over the safety of their patients, resources, and healthcare.

Reputations are bottom line. Intraprise Health brings together cybersecurity experts with over 100 years of combined experience in healthcare to offer a comprehensive suite of innovative software and services. It helps leaders finally unlock a unified, human-centric cybersecurity approach. With Intraprise Health, you can improve your cybersecurity posture, protect your patients, and simplify your employees' lives.

Visit thisweekhealth.com slash Intraprise health to find out more.

Today on Unhack the News.

George Pappas: (Intro) the other thing that is so important is you've gotta be seen as a leader in making things better, not just keeping score of [00:01:00] how bad they are.

Drex DeFord: Hi, I'm Drex DeFord, a recovering healthcare CIO and long time cyber advisor and strategist for some of the world's most innovative cybersecurity companies. Now I'm president of this week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain English, mostly non technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News. (Main) Hey everyone, I'm Drex. This is UnHack the News. And, one of my favorite guests. I have a lot of favorite guests. This is definitely one of my favorite guests, though for UnHack the News.

It's George Pappas from Intraprise Health, a health catalyst company, the CEO. Good to have you on the show today.

George Pappas: Pleasure to be here, Drex. As always, I enjoy our conversations.

Drex DeFord: He chuckles as he says that because there are so many conversations that you, the listener, are not privy to, [00:02:00] that George and I have sometimes over a running text gun battle that is happening from time to time.

But anyway, it's always great to have George on the show. You sent some really good articles today. I'm kind of psyched to cycle our way through them. The first one is Jigar Shaw posted a LinkedIn article. He's formerly from Tenet. He was the cyber identity and apps leader there, right?

And he talks about CSOs who execute and make an impact and transform. And so tell me, what caught your eye in that article?

George Pappas: Yeah, and one of the things, I'll just say this, I enjoy so much about our conversations is that these articles point to the things, the root causes of stuff that we all live with.

And so for me that's why the UnHack the News part really is what this is. Yeah. Is taking the article and saying, what does it really, how did we get here? What does that mean? What is it about? Because these stories, there's so much [00:03:00] material. We could do a five hour session of this if we wanted to.

Drex DeFord: A lot of times we start with a story and it's almost like this, I can feel this coming on today. Where we like talk about the headline, but as we get into it, what we talk about has nothing to do with the actual story that was written, but it's a thread all another right.

George Pappas: Because it's deeper than that, and what I appreciated about this article very much was that, the author was really in a sense saying, you gotta get out there and execute. And, when I think about the clients that we've worked with and how they're organized. And how do you have a security relationship and a compliance relationship?

And a legal relationship, is a CISO reporting to the CIO or to a chief compliance officer or a CEO, and all these adjustments of structure and role we've now seen over the last few years point to this issue, and it's because I think in some ways the original job of security was much more [00:04:00] tactically focused because there was a lot that had to be done there.

But as this escalation of these attacks and the vulnerabilities and all that has grown, it's a much broader issue. Big, broad issue. And so different organization sizes are looking for different ways to organize that. But in the end, a CISO who's gonna have really good relationships with members of the leadership team has to be able to execute.

And has to be able to help prioritize and improve the resilience and the posture of the organization. And the other thing that really jumped out at me, because I'm in boardrooms discussing this all the time, is budget. If you took the top 10 vulnerabilities from a security assessment.

Yeah, I will bet you that remediating those would have at least 50% non-security benefit to the organization because it's eliminating technical debt, right? It's making identity management with less friction, more fluid. It's [00:05:00] making your virtual server performance higher, so you think about, so CISOs and

Drex DeFord: security

George Pappas: is not an isolated event.

Exactly. It's not a thing that

Drex DeFord: happens. Yeah. Yes.

George Pappas: We always say it's a team sport, but when you think about how am I counting what's in my security budget versus my IT technical debt infrastructure improvement budget, yes. Going to a new set of access points with Wi-Fi 7 are great, but that's also making things faster and more concurrent connections, and I don't think

the overall breadth of that statement is something that gets captured adequately. And so, when we talk to CFOs about the remediation we try and put in front of the team the business benefit, not just the security remediation benefit, because they are the same. I mean, not that they're complementary, and that gets overlooked a lot.

But you know, when I read the post that he wrote, the other thing that is so important is you've gotta be seen as a [00:06:00] leader in making things better, not just keeping score of how bad they are. There's a very important implicit leadership obligation for someone in that role, in my opinion.

We've talked about many people that we've met. You've met far more than I that have, you can see in how they execute their roles.

Drex DeFord: Yeah.

George Pappas: That they're doing that. But that's really

Drex DeFord: business leaders, their clinical leaders. Yeah. And that whole point of how do I make the business run more efficiently?

Correct. Security is a big part of that. Correct. Resilience makes sure that the business keeps running on an ongoing basis. And then I think a lot of the other stuff you talk about, like app rationalization is security infrastructure upgrades are security going to the cloud and running the cloud in a very thoughtful operational way is security.

George Pappas: And the other thing I wanted to point out, I think I put at the end of my, kind of as I was reading this [00:07:00] and sending you some of my thoughts, we deal with the clients all the time that have this issue is you have to get your leadership, and whether that's the audit committee of your board the functional leadership of the hospital system to understand how do you define resilience. How you define risk tolerance, that you're telling them, Hey, look, if you're saying you don't wanna go invest in X, Y, Z, so our risk tolerance is X, just so you'll understand what that means.

And oh, by the way, what does resilience really mean? Well, if something bad happens, you'll be resilient. Well, how do you define that? How fast you wanna be back up, you know? And all those other things that require more organizational effort and connectedness. Drilling for incident response, crisis communication, I think it was the last one of these we did was that hospital in Chicago that had that third party where they didn't like communicate about it for like months. Oh, I forget what the amount was. Yeah. So it took a long

Drex DeFord: time before they notified

George Pappas: the Right.

Drex DeFord: Yeah.

George Pappas: So that's where, you have to prepare in advance. You don't wanna be [00:08:00] doing that real time when something happens.

Drex DeFord: Yeah.

George Pappas: Well,

Speaker: That was a good article. Here's another one that you teed up for me. It's in Help Net Security, why rural hospitals are losing the cybersecurity battle.

Interesting article. Interesting take. What did you carry away from that article?

George Pappas: From dealing with clients of all sizes, and this is where kind of my central point to you was, if you're a very small ambulatory practice, your complexity factor is very low. In fact, think about the HICP 405(d), right, recommendations, which are the only ones I've seen outside of HITRUST that are scaled based on the size and complexity of the organization, right?

Yeah. I'm saying that because even if you're a 10 doc practice, yeah, you still have to do it and it's hard for them to do it. They don't understand it, but the number of things you have to protect. On a relative basis are very small.

You get above a certain size health system, you have more resources, but these rural hospitals are in a very challenging place.

In the middle, they've got [00:09:00] legacy EHR systems, they've got PAC systems, they've got email systems that you know are not secure. The whole collection of things requires a lot of work, but they don't have the economic capability or the operational capability to do it. So it's an inversion of the size of the need and the organization's ability to address it.

And it's challenging because we do assessments and remediation work for clients of this size, and it's a very tough sledding discussion because you know that they may not even have a full-time security person at all.

They, have outstanding remediations and things like.

Multifactor authentication, which many take for granted Or things like secure email, which the article talks about. And I had something in my notes to you where, Microsoft did an awful lot last year with their sort of free sort of-ish program

For small hospitals.

But when you looked into the details of that, [00:10:00] they didn't provide the more advanced office environment to these hospital systems that has more security protections. It's software guys. Come on.

Drex DeFord: the other part of that, I think with a lot of these things, when you look at small facilities, rural hospitals, inner city hospitals who don't have a lot of resources, have little, tiny margins, and like you said, this.

The chief information officer is also the chief security officer and may also be running supply chain and maybe and doing that with a team of three other people. It's not like they've got an army helping them. When companies give away free stuff like applications or software.

Sometimes the problem is they don't have the people to, I mean, even if I have the free software, how do I install it? How do I run it? How do I manage it and monitor it and do all of that? And so when we looked at that program kind of a few months into it, it was like, why isn't anybody taking advantage of this?

Well, ultimately, several [00:11:00] organizations did, but I would bet that if you dug into it and said. How useful was this really to them? How much did they get out of it? You would find a lot of folks who installed or installed partially and then just maybe never got it up and running, or certainly didn't use it to its capabilities, right?

This is the services part that winds up missing in the free stuff. That's what a lot of those smaller organizations need that kind of expertise and help.

George Pappas: I agree. And I do think though, if that was the issue, it's not rocket science to solve for it. I mean, people need a SOC. So have a collective SOC, a collective admin, the configuration settings for these things are not, again, you're not splitting the atom here.

I just feel like it was a missed opportunity. Again, I don't know all the details. I read some pretty thorough information on it within the last couple months, but it was an example of just this is [00:12:00] one thing we should be able to fix for every healthcare organization. Email that's truly secure.

The number one way people get in, right?

Besides third party breaches, right? So, yeah. At least do that because you also know. It's just a function of living in an environment like that. And I haven't lived it, but I've spent enough time in them that is the place where information is being shared. That is a place where inadvertently other information is being sent.

So it's still a centralized communication, nervous system for an organization

Speaker: and a repository

George Pappas: for a lot of those smaller places too. Yeah, exactly. So at least lock it down, do that. Come up with some multifactor authentication, has a lot of maturity now. They're maybe not the highest performing form, but a less expensive performing form of it, and start, go at it that way.

But that's, to me where, it's not that hard and I empathize with the cost issue and the resource issue. I really do. And that's why like last year when the Biden administration [00:13:00] had that billion and a half dollars they peeled off from the Medicare trust fund, I think it was 800 million to reserve just for small hospitals.

It made a lot of sense, right? Yeah. And even in this bill that was just passed, on the 4th of July, even though it was ostensibly to offset for the Medicaid reductions they see coming, I think they put aside, I think it was 50 billion in the end, because those are big kind of net patient revenue dollars that are being lost.

But there's gotta be a way to provide some additional support for these organizations 'cause. They have to be where they are 'cause they have to be close enough. People need serious help quickly. Yeah. And they're just not in an economic posture to be able to, overturn the technical debt. And the other aspect of this that I've seen in different states over the past few years play out is

one state's trigger for the percentage of the median, low income ban that, defines eligibility for Medicaid. That [00:14:00] can change a patient's census like that and change a revenue stream like that for the same number of people they're serving. Yeah, so they've got a lot on their plate.

And I, the article stated 60 million. I looked up that number a while ago, and it was consistent with that, how people getting that kind of healthcare and if these hospitals get nailed, how long are they down for a while?

Speaker: Yeah. So and again, sometimes that's the only hospital within a hundred miles.

Yeah. And so if you don't, yeah, you can't go to that hospital. You may not get to a hospital depending on Yeah kind of medical emergency you're having. Yeah.

George Pappas: Which could be serious. And it was interesting because as I was reading it too, I was thinking about the NPRM that was released back in December.

There was a 50 page executive summary that was actually pretty well done, that talked about, 'cause it was a massive percentage of HIPAA SRAs are self-assessment.

Speaker: Uhhuh.

George Pappas: I'm gonna grade myself. Oh, of course I'm doing well Uhhuh.

I don't have things I have to do. And you know that many of [00:15:00] these systems are front and center when it comes to that. That's why New York with its regulation, other states, I think Ohio just put out a new regulation. I haven't studied it yet. Are trying to close the gap here and New York to its credit provided grant money, resources to Right.

Get their, so have they been used? Have they been spent? I haven't followed up on that. I probably should, but that's where at least some of these states are really trying to address the problem instead of, cutting the staff at CISA and the things that we see going on. Yeah.

Drex DeFord: Yeah. I, speaking to that, I'm gonna bridge over to this cms.gov news release.

Okay, sure. I think we

Speaker 3: both.

Drex DeFord: I'm not sure how to describe it. I'll just let it speak for itself. White House tech leaders commit to create a patient-centric healthcare ecosystem, and that is the headline of the article and there's a lot inside of there. A lot of things that they say they want to do and , they have quickly by the way.

Exactly. Very quickly. Very [00:16:00] quickly. And I think it's just, I don't know. It's one of those things sometimes when I read something like this from the administration, I think to myself, like, believe what they do and not what they say. It's a good story. It's just, I

George Pappas: hope it's not just a story.

Yeah. With any administration you have to take that stance. I think, of course, in particular, I mean, just think about for a minute, the history of meaningful use in ONC, right? And I was at one of these meetings with CHIME, I don't know, three or four years ago, and it was actually very powerful because they were able to get together like all seven

ONC directors from the beginning when the law was passed to present the former, so different administrations, right? Democrat, Republican, but they all said the same thing. We did a lot of good, but we didn't do interoperability. Yeah. We did a lot of good, but we still had X, Y, and Z left over, and I think interoperability is such a challenging [00:17:00] question, and yet we had 21st Century Cures Act go into place.

I think it went into effect two Octobers ago now. I'm trying to remember the exact year, wasn't within the last two years, maybe three years, but what it took for that to get done, this notion of TEFCA.

Where

you have a trusted exchange framework, meaning you are trusting technologically with a protocol, you all agree to how you will exchange information that also had, by the way, a security posture around it.

HITRUST. Okay. Yeah. And then you have the CA, a common agreement. So I imagine it'd be something like maybe a BAA, right? If you're gonna touch this information, you're gonna comply with HIPAA, et cetera, et cetera, et cetera. And that has taken how many years to get off the ground. There's a lot of stored up demand for this kind of capability.

A lot of people going at it. And so when I read that press release, I thought, you know what? More pressure on doing that well is good. [00:18:00] However, I didn't see any mention of TEFCA. I didn't see any mention of how they're gonna truly measure what interoperability is going to look like. And then at the same time, further down in that release, I thought there were a lot of very useful things on the standalone government programs that they were updating.

'cause we all know that processes and organizations get bureaucratic. They're cleaning those up. I think that's fine but in the big picture. I hope something valuable comes of it, but it has to be secure. This is protected health information. There's a reason why we protect it. So the favorite target of hackers?

Speaker: Yeah.

George Pappas: There has to be a common exchange framework and all those companies in the release that we're saying, yes, we're gonna go do this. What's the other massive mega trend? We're living in the middle of AI now.

Drex DeFord: There's some resistance to it too. I mean, even though everybody says I'm totally on board, I absolutely wanna do it.

The data that is [00:19:00] held in your system, I think for a lot of companies is also, while it may not really be their data, they feel like. If I make it easy to exchange this data, it makes it really easy to replace me and my system. Even though it sounds good, it feels like there's always friction in the process too.

Do you see that same thing?

George Pappas: We're gonna go there, Drex. Okay. Yes. Let's be very clear. Okay. We call it a patient-centric system. Yeah. But in reality, look at the actual systems topologies and how they operate today. It's not patient-centric. It is provider-centric connected to several payers who are providing the reimbursement rates that keep that operation in business.

And it's, and they're run on very sophisticated, but very complex technology.

So that the technology provider also. They have an interest in keeping everything inside the beautiful walled garden with nice ferns and the babbling [00:20:00] brook and the little yoga mat. This is what good looks like.

That's right. But oh, you go outside, the translation of that field is not quite the same. Oh gee. You have to convert the units. Oh. And we don't really go that far back in the data. So, you can make a lot of mischief. Interface.

Drex DeFord: Yeah.

George Pappas: And provide enough to be technically compliant without really being useful.

And that's where for the patient, and there are a lot of people have taken shots at making this better. How do you make it really useful? And I hope that these companies that have large consumer businesses, massive amounts of consumer technology, can maybe apply some pressure, allow that to be more open and make it more useful, because I think it is better for patients.

I think that having all their information in one place versus logging into 15 portals,

Drex DeFord: I mean, I've always been a fan, it's just that the technology hasn't been there. The idea of a personal health record, right?

Yes. All of my data from all the places and all the things that I do and all the [00:21:00] stuff from my watch and all that right? Goes into my personal health record and I can make a decision about who and how I want to share with, including maybe even selling to research institutes. Who might pay me for my correct data instead of somehow it just gets given away today.

But then the health system, somebody else makes, gets paid for using your data. I know, but big companies like Microsoft and Google have gone down that road and failed. But I now, I mean, here we go, we're gonna talk about AI. I wonder now if in the age of AI, like maybe we're there, maybe found the doorstep, we need to take a

George Pappas: rerun at it because before we get to that, I wanna go back to one other thing though.

Okay? If you remember, it was in that press release and they talked about the National Provider Registry, they talked about lots of other things. Notice one thing that was not there. A patient registry, universal patient,

right?

This has been one of these causes for how long? A long time, right?

Yeah.

So what do [00:22:00] people do now? They take the MRN of one and another and they use a fuzzy logic and try, is that really you, and the five HIPAA indicator and all that? So, I think that is a problem AI can obviously solve, deals with fuzziness and hopefully a good match, right? But I think that also tells you.

We're still grappling as a country with this notion of privacy for sure. And patient centricity. Yeah. Which is why I believe the federal government has not found its way to actually have a patient registry.

Drex DeFord: A good example of that. Now I read this morning Change Healthcare has just updated the number of patients exposed in the breach last year.

Oh, really? Part of the reason that and they say. And we're pretty sure that the number's probably less than the new number that we're giving you. But because of the challenges that we're having with de-duplicating patients that we have in our [00:23:00] system, we are not completely sure. Whether or not it's that many patients or not. Straight to the heart of your point.

George Pappas: So I think that. Perhaps we can find a forcing function to do a practical thing there by having something that is unique, even if its privacy is maintained. There has to be a practical way to solve that problem, but now getting to your next big mega trend, right?

Yeah, I do believe that AI can be power, obviously. It's massively powerful. We're seeing it already now, this MCP interface issue, even in one of Bill's posts, 'cause he's been on this train now for a few weeks, yeah, I read that and I'm saying I get it conceptually, I get it. And will MCP be the new TEFCA or be a new operating model under TEFCA

possibly. But hold on a second. If you think about the words used, these: Model Context Protocol, middleware, cognitive middleware, there's all these different names. Can you [00:24:00] think about what it takes to build that? I mean, on top of, I mean, this is another one of those things sounds really good in

Drex DeFord: theory, but I think the devil's in the details.

As you start to use it, you'll find out where there are weak points and strong points. These systems

George Pappas: have finite states. They're sealed. And for the last 30 years, the vendors have for lots of legitimate reasons, but not just business reasons, have maintained very tight control over how they're accessed.

What you can put in versus read, et cetera, et cetera. 'cause

think about the commentator aspects of testing all this. Now AI can help with that. I hope they're doing it right. It can help with sample data, generational, if they're doing that too. But essentially I could foresee having been close to these systems, that writing the MCP layer could be as almost as big as writing a chunk of that EHR itself.

Because it has to orchestrate in a way that the system was never intended to orchestrate. And it has to, in a more flexible way, say, well, my AI question was X. [00:25:00] Have I met the goal yet? I'll keep looking. So all of a sudden you have a level of interaction by a programmatic entity that was never envisioned.

And so I think that we're certainly gonna do it. And by the way, let's take another current trend as of today, ChatGPT 5 was released today.

Yes.

MCP was open-sourced by Anthropic.

ChatGPT 5 is thought to be an Anthropic killer. I'll use the words I heard on the press last night, Uhhuh, because of its programmatic capability.

So if you're the biggest guy in the jungle, are you gonna use their protocol or they a better one? So we're still in this era. Era. There's got another

Drex DeFord: competitive problem here. Yeah.

George Pappas: Yeah. Now, I do think AI as a technology type is much better able to handle ambiguity in those things. So that should be okay as long as it's not totally.

Semantically different.

Drex DeFord: But

George Pappas: that's where, we have a long way to go there. And I hope there's enough pressure and enough quality that can be brought out that can [00:26:00] actually do it. Because, I mean, just think about care navigation today. I mean, I had a circumstance with one my relatives a few years ago, and she was in the hospital and I had to go sit there and I'm watching the nurse.

Using Epic typing in stuff, trying to coordinate the internist, the surgeon, and they're all talking on cell phones, like guys. We fixed these problems years ago. Can we just like actually make it patient-centric maybe.

Drex DeFord: Yeah.

George Pappas: So I think there's a real opportunity there, but we got some wood to chop, I think.

Yes. Before Q1 '26.

Drex DeFord: We do, we have a long way to go. And the other part of this is that we mostly think about healthcare as being the thing that happens inside the health system when in fact,

Speaker: right.

Drex DeFord: there's all the other things that happen in your life, EXPLO outside now, actually. All that stuff that affects, yeah, your actual health.

So,

George Pappas: yeah. I could also see, and I was thinking about the economics of this and patient spend, there are ways to handle that with, [00:27:00] value-based care allocations and a sophisticated ability. With more dynamic systems through AI to be intelligent in how they, kind of if you're providing this part of it, okay, there'll be some of that to you.

So I think there are ways to handle it. The question is how actionable will they be and how short a period of time and can we really get to an environment where the patient really has all that at their fingertips and they can orchestrate 'cause today. If they don't have a family member orchestrating or advocating, in a lot of cases they're in a pretty difficult spot.

Drex DeFord: Yeah.

George Pappas: And a

Drex DeFord: lot of this is really contingent upon us having the willpower to break the current system, and there's a lot of money pressure involved in that current system. As you said, there's a lot of 4 trillion a year, Drex. Yeah. 4 trillion a year. Yeah. Hey. Thanks for, it's always fun. It's always fun, George, when we're on.

Thanks for being on the show [00:28:00] today. My pleasure.

Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, ensuring you never miss a beat.

Sign up at thisweekhealth.com slash news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.