Newsday: The Future of Tech – Third-party Risks, AI, and Cybersecurity with David Ting

Sept. 25, 2023: David Ting, CTO and Founder of Tausight, joins Bill for the news. They explore topics ranging from third-party healthcare risks, the complexities of cybersecurity, to the potential impacts of Artificial Intelligence (AI). Does our reliance on third-party systems expose us to risk, and how does this molecular spread of patient data affect us all? Can AI negate the need for intricate, hand-written code and how close are we to AI-powered robotic surgery becoming the norm? These thought-provoking yet grounded discussions not only propel us into pondering the future trajectory of the tech industry but also expound on its influence and potential in our everyday lives.

Key Points:

  • Third-party Healthcare Risks
  • Data Dispersal Complications
  • AI in Cybersecurity
  • Coding Automation
  • Generative AI Potential
  • Robotics in Healthcare


Video Transcript:

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Today on This Week Health.

My line to people, to the CISOs and the IT teams will be, Do you know where your PHI is as well as your attackers do? Because they’re after your crown jewels and you don’t even know where it is.

Welcome to Newsday, a This Week Health Newsroom show. My name is Bill Russell. I’m a former CIO for a 16 hospital system and creator of This Week Health, a set of channels dedicated to keeping health IT staff current and engaged. For five years we’ve been making podcasts that amplify great thinking to propel healthcare forward.

Special thanks to our Newsday show partners and we have a lot of ’em this year, which I am really excited about. Cedars-Sinai Accelerator, Clearsense, CrowdStrike, Digital Scientists, Optimum Healthcare IT, Pure Storage, SureTest, Tausight, Lumeon and VMware. We appreciate them investing in our mission to develop the next generation of health leaders.

Now onto the show.

All right, it’s Newsday, and today I’m joined by one of my favorite guests. Oh, don’t tell anyone I said that, David. David Ting with Tausight. David, I’m looking forward… We have a great list of things to talk about today. Welcome back to the show, by the way.

Thank you, Bill, and always a pleasure to be on your show.

Well, I am looking forward to the conversation, but I want to start not where you expect us to start. I want to start with, I just had a Chief Information Security Officer Roundtable in Charlotte, one of our 229 roundtables, last week. And I got to listen to a bunch of healthcare CISOs talk about the challenges they’re facing and those kinds of things.

I thought it was interesting, the amount of time we spent talking about third party risk. Oh, geez. Yes. So that’s not surprising to you at all?

Not surprising at all. We have gone into the world where patient records, our information, is pushed out into this distributed ether, where the third party systems provide critical services, and we’re all interlocked together.

And it’s all around financial patient care tracking. All the information is now finely dispersed. I call that the molecular level of patient data.

Well, it’s a really gnarly problem because, one of the things we do at the table is we have people present the challenge, and then we all sort of lean in.

It’s like, what are the solutions? And some of these things… I mean, it’s just vigilance. It’s vigilance. And it’s really, and some of it’s contractual and some of it’s controls and some of it’s, but it’s a really gnarly, difficult challenge.

It really is, and we always tell people, you’ve got to know where your data is going, you’ve got to know who all your partners are, you almost want to impose a requirement that your third party vendors assess themselves and give you a report.

I mean, trust but verify mentality. And I don’t think we do enough of that. We have in healthcare, as we did in early days of computer science, we trust everybody that had a connection to a computer. You must be on, at the same level I am because you have access to a computer, right? Now we don’t trust anybody with a computer connection.

Same mentality. I mean, I’ll tell you stories about computer science centers, where you have a fellow researcher who just comes in and accesses your data, and you go, well, there are no firewalls because I trust that he is a trustworthy individual. It’s no longer the case anymore. The last thing I want to do is to have a computer connecting to my system.

Yeah, and not only that, we have to protect against infiltration from within. Like, people within our environment who are actually taking the information for whatever reason. There’s been history over the years that just the history of nurses being paid by outside sources to exfiltrate data and that kind of stuff.

If you think, somebody’s trying to send their kid to college and somebody approaches them and says, Hey. These records and that kind of, so as security professionals, we have to think through these things. But the one thing I do want to talk to you about is that we had an interesting conversation about the single pane of glass, like who is the single pane of glass?

And there was a company similar to yours was in the room and they said, we don’t care anymore. We will send our data and we will send our analytics to whatever pane of glass you choose. Because at the end of the day, we know we’re not going to be the single pane of glass, but we can feed that.

Is that the same approach you guys are taking? It is the same. So we started out by saying there’s the magic bullet of having a single pane. I think there are a lot of vendors that will provide that pane of glass. And what they really are looking for in this data rich world is, where do I get more data, where do I get more information, so I can aggregate them and apply them better using my set of tools.

We talked to a lot of CIOs who said, instead of giving me one more new tool, can you just help me make my other tools work better? Can you help my ServiceNow or CrowdStrike or my Splunk? Can you feed your data into those systems to give me better awareness at whatever granularity you can? And so I think that’s a shift in our mindset as well, whereas in the earlier days, we say, Hey, here’s another dashboard.

Nobody wants to see yet another UI because a new set of tool mandates that you have a new set of trained engineers that can deal with it. And so they’d rather see it in some other, ported into some other data visualizer or analytics platform.

All right. So let me ask you this. I go around the room.

At different points, I’m actually facilitating. And the last two events, I looked at them and I said, all right, on a scale of 1 to 10, 10 being the world’s going to change, 1 being, I don’t even know why we’re talking about this, generative AI is going to change healthcare at what degree. And invariably, it ends up being about a 9 or, high 8, 9 for the group because there’s a whole bunch of people that say 10.

Immediately, it’s going to be a 10. And then there’s at least one person in the room, if not two, who will say, Eh, it’s a three. And maybe that’s because they’ve been burned over the years, but the general consensus is 10, 10, 10. This is going to change the world. And that’s the, the theme of our first article from the Wall Street Journal.

Five Things CFOs Should Know About Generative AI. The first one is very 10 ish. It’s adapt or die. What are your thoughts?

So I have to clarify that I’ve been working in the pattern recognition, machine learning space since graduate school. And that was a long time ago when we didn’t have any of the computing powers that we do today, and I’ve been waiting and watching to say, when will we hit that nexus, where we have sufficient access to digital data, sufficient computing power, all the resources that we need, and the technology behind machine learning, deep learning, neural nets, when can they converge at a point where we can really now analyze data at large scales. That article in Wall Street Journal struck me as now is the time, adapt or die, because it is going to change the world.

It is changing already. I have more people than you know tell me, gee, this article I wrote, I really didn’t write it. I just threw in a bunch of stuff, and ChatGPT came out with it, and I did some more editing, and here it is. That, at a simplistic level, is only the first layer of automation, AI automation, helping you bring together concepts and certainly manipulating words.

But when you start looking at what NVIDIA and Intel are doing at the high level with their high performance computing hardware, where it’s going to change every industry out there that’s data driven. We’ve digitized our world. We’ve managed to improve the efficiency over paper.

Now we’re really starting to analyze the data and predictively figure out, what are the things we didn’t see? What are the things that we can use insight from multiple sources, not just internal data, but knowledge in general. I was reading an article on AI applied in robotics and how they can take images of things, how they can take real time sensor data together with verbal descriptions and written descriptions and merge them together using GPT technology to come back with words.

Things that you couldn’t have thought of. It embeds all this new knowledge that we can’t have. So, I think every organization that says, Gee, this is just another fad. I think we’re past that.

Yeah, I have this from, I went to Epic’s UGM conference, and they handed this out. Uses for generative AI.

They have clinical efficiency. It’s really good at summarizing things. Or creating narrative from discrete data elements and that kind of stuff. So there’s a whole list and clinical efficiency around that. Revenue cycle, same kind of thing. Explaining the bill. We always get those bills that are so complex.

Right. But you can actually feed that through a transformer or a GPT type model and it can come out the other side and say, hey, here’s what you’re being charged for, you can expect another bill because we can train it and then there’s some operational stuff. One of the things I do want to talk to you about is in the article it talks about, by the way, they have five things, adapt or die, do AI right, build guardrails to avoid financial risks.

Absolutely. Good workplace buy in. Yep. You’d have to bring your organization along. You can’t just throw it out there and then assess ROI. But I want to talk about this, do AI right? We’re starting to hear this concept of multimodal models, right? So essentially you have, it’s like one brain to rule them all.

You could have all these generative AI models and all these AI models scattered around your health system. One could be looking at imaging. One could be looking at operations. One could be looking at all that stuff. But the multimodal concept is essentially you talk to one brain that goes out there and queries all these other little parts of your brain and comes back with an answer.

Is that what we’re going to see sort of transpire here?

It’s that hierarchical model. So your brain works the same way. It’s hierarchical. It takes levels of intelligence gathered from lower level, specialized processors, and it aggregates them along the way.

So do we not have to worry about creating dead ends?

Like, we could just implement as much different AI models as we want, and they’re all going to work together?

I think the data from, if you have that uber brain, that cortex, that can take information from all these models, or intelligence from multiple sources, it will discriminate. The ones that don’t play with the others, the ones that are outliers, will get discriminated, will be weighted less.

That’s what these neural nets are able to do with their supervised slash semi supervised learning. This is where the technology is going. And so as we, even as we build out our AI, we have been working on language models for recognizing PHI. And we have done a lot of work building our own healthcare language model.

It’s specifically to say, how do I recognize in unstructured content, whether the thing has PHI, PII, and is it going to be considered sensitive material that you need to protect. We have a hierarchical structure for taking different pieces of data and grouping it together, and some of the data will eventually trim out and not be relevant.

Same thing’s gonna happen as we take these, what you call ’em, multimodal, I call ’em hierarchical. Yep. Hierarchical is what biological systems do. If you look at things like the eye, the ear, they all have multiple levels of specialty, specialization. But at the end of the day, when you hear something, it’s the result of multiple layers of these processing.

They have distilled and condensed that information. Often these AI models are very specialized. And so that’s what we’ll end up being. And the ones that don’t become relevant will, it will get weighted out.

Yeah, deprecated.

We’ll get back to our show in just a minute. Our monthly Leader Series webinars have been a huge success. We had close to 300 people sign up for our September webinar, and we are at it again in October. We are going to talk about interoperability from a possibility standpoint. We talk a lot about what you need to do and that kind of stuff.

This time we’re going to talk about, hey, what’s the future look like in a world where… interoperability, where data, where information flows freely. And we’re going to do that on October 5th at 1 o’clock Eastern Time, 10 o’clock Pacific Time. We’re going to talk about solutions, we’re going to share experiences, we’re going to talk about patient centric care.

And see what we can find out. We have three great leaders on this webinar. Micky Tripathi with the ONC. Mariann Yeager, Sequoia Project. And Aneesh Chopra, who I’m just going to call an interoperability evangelist, which is what he has been to me ever since I met him about 10 years ago. Don’t miss this one.

Register today at ThisWeekHealth.com. Now back to our show.

So Mass General Brigham put ChatGPT through its paces. You read this on Healthcare IT News.

ChatGPT scores 72% in clinical decision accuracy. So they gave it a bunch of vignettes, 36 published clinical vignettes. And it went through here in 71%. We already talked about that. The thing it did really well, it proved best in making a final diagnosis where the AI had 77 percent accuracy in the study funded in part by the National Institute of General Medicine and Science is lowest performing in making differential diagnosis.

Where it was only 60 percent accurate and in clinical management decisions underperforming at 68%. And these are just really essentially, differential diagnosis are really complex kind of things. So, but, you can almost tell if somebody is an optimist on this technology or a pessimist. I look at it and go, 72%?

ChatGPT isn’t a healthcare specific, medical specific, trained model.

I was going to say, yes, that’s exactly the scary part. If you owned it, if you trained it. So all these AI models, language models, if you give it enough information, it will learn over time. Just like you do, a med student goes through years of training to get to that level.

Thank you. Over time, it will improve. I mean, the, I think I was reading ChatGPT just what, multiple billions of parameters that are attunable as it goes through its learning phases, that’s an incredible amount of information. If you look at it in entropy and bits, that’s pretty impressive.

Yeah. By the way, they give this a, essentially it scored as well as a recent graduate from medical school would have, would score.

And I think…

Well, it’s almost the same thing, right? A recent graduate, it’s going to get smarter as they practice with more experience and whatnot. And I think we’re going to see the same thing as we talked about with these hierarchical models or multimodal models.

You’re going to see information pass through these different filters. And then it’s going to get very accurate. It’s, I have to confess when I asked that question at a round table and somebody says, it’s a three, it’s a fad, it’s going somewhere. I’m like, I don’t know where they’re coming from.

Like, I really try to hide my, like, I have it now on my phone. I use ChatGPT about, on my phone, just asking it questions. I don’t know, about five to 10 times a day. Wow.

I think the thing that really struck out for me was as being an engineer and having looked at tons of code for IBM to basically have done their large language model for COBOL.

And programming languages is ability to go through legacy code and basically unravel it, that’s where the world’s going to move to. I mean, so do I say, geez, it’s not relevant and we’re going to have teams and teams of hand coded, crafted by artisan model, or are we going to get to the point where AI is going to be able to do a lot of the work, provided we can give it the right input?

It’s all going to be around, gee, did you ask the right question? And can it generate the code that will have the intelligence of teams of programmers? Can I obviate the need for all these lines of individually coded lines of code that has to be compiled, tested, et cetera, when a machine can help me take a specification and translate it into running code.

So you and I always end up here, by the way, and it’s this whole coding concept. And if people want to see this story, CIO Dive, IBM trains its LLM to read, rewrite COBOL apps. And it’s an interesting application of it. I remember seeing the… NVIDIA CEO gave a talk and I was in the room and he was talking about the fact that at the time, and this was gosh, it had to be at least four years ago, maybe three or four years ago, that he was talking about the fact that they had code that was writing code.

Yes. And he said, essentially we said, write a word processor. And we gave it examples and that kind of stuff, and it started writing, and he said, the first one was crap. Yeah, I mean, it was, nobody would want to use it. It had Shift F7 to print. I know, if you imagine, anyway, that was WordPerfect 5.0, Shift F7 is how you print it. But regardless it, he said, and it got better, and it got better, and it got better. He said that the thing is… the iterations are in microseconds, whereas the iterations for a programming team are over months and, and years even. And he goes, so it’s not going to be long before you go to this model and say, write me a word processor and something back out.

That’s just. It’s high quality, is that gonna change? Like are we gonna start thinking about build versus buy a little differently when we can go to a tool and say, oh, that’s a fascinating question.

I think when that world becomes, when that reality is there and we can rationalize that the code that was written can be tested, that build-buy decision gets much harder because then everything can be bespoke.

If I give it a, the proper specification and I give it the testing parameters. So the question then becomes, will there be a whole new paradigm for how we build software? Especially for complex systems that today we use off the shelf and then tailor everything because we have, quote, the platform underneath.

Do I really care when computing costs and memory costs and networking and storage costs have become so marginal in the overall scheme of things? Most of the complexity now is in the software layers. And if I can use an engine to write code, the whole notion of COTS becomes…

That’s a very interesting model.

I’m going to give you seven years before we see that model become more and more practical.

Okay. I’ll take the, I’ll take the under on that over under, by the way, things are progressing a lot faster than I have ever seen in this industry. Let’s close with robotics. There’s a thing on NVIDIA and whatnot, and you actually chose this. I’d love to hear your thoughts on, the combination of robotics and these AI models and coming together. What does this mean? What does it look like?

So the thing that out for me when I looked at the NVIDIA pages is the number of industries they’re working in. And on the robotics side, the ability to take multi types of data, sensor data, image data designs, verbal descriptions of things to do, and just watching what it can be used to condense it down.

Again, just like the programming model, how can I automate a workflow with a robotics arm that is fairly complex to manage in the first place. But it’s now taking tons of real time telemetry data, tons of video data, tons of descriptions of what you want it to do. And it’s coming back and saying, yeah, I figured it out for you.

I’ve plotted the path that my robotic arm needs to do. What that means is, we can start to use that real time model. And so, and the thing that’s, that really impressed me was, can I do this almost in real time and analyze all this data and have an inference model that can move things in real time for a complex workflow?

That’s going to change so much stuff. Think cyber security, think…

That’s where we… In cyber security, that’s where we live. It’s, I mean…

It’s instantaneous. Why can’t I apply this vision to all the sensory telemetry that I’m generating today that I have analytics platforms to do this today?

Feed it into a large scale model that understands cyber security, go, hey, that’s an anomalous behavior. Here’s what we should be doing to interact with it, as opposed to the, again, handcrafted, customized models that we have today. It should be able to distill that level of data down. And, I’ve worked with the NVIDIA processors for a long time.

The thousands of GPUs you can get for next to nothing today. It’s totally impressive. I mean, we wouldn’t have the 3D rendering, the graphics, the physics models that we have today, the weather models. They’re all based on the ability to break down tasks into little compute jobs that the GPUs that NVIDIA builds enable, and to now have them focus on, where’s that next challenge?

It’s automated driving of cars. The ability to take the same kind of design and apply it to other fields, where… real time telemetry, real time imaging data, real time sensor data, real time design compliance requirements can all get fed into a language model to come back with predictive things that you can do to improve the workflow.

My first thought was, in surgery, could we have computer vision in there, seeing things, providing real time alerts to the surgeon, which immediately goes to the, why do we even have a surgeon?

That’s exactly it.

But you know, I mean, how long before, Charles Boise and I talk about this all the time, a self driving car can get in zero accidents that lead to a fatality before it’s major news, whereas there’s going to be a lot of fatalities today on the road caused by humans and that we’ve just grown accustomed to that. And same thing in surgery, there will be people who die on the surgery table today. But it would be big news if there was not a surgeon who was actually there and it was actually a robot.

But I think culturally that’ll change though, I think. I think it will. I think there will be a tolerance for a certain amount of errors. As you would from a surgeon, but it will be more quantified, I’m sure.

But let me ask you this, because this, let’s stay in your current field, which is you talked about all this access to these GPUs, NVIDIA, and all this other stuff.

Don’t the bad actors also have access to those same things? And what does that mean that they have access to those same things?

They do the same things, figure out how to counter the… it’s the adversarial model for AI, right? You do something here. It’s game theory.

At large scale, you are building your defenses. It will advance the defenses. It will advance its mechanisms to attack you better, but it’ll play out a lot more combinations that you used to be able to do just by figuring out, gee, the social engineering model that you talked about, the approach of trying to hack through a firewall or getting access.

It’ll just be more sophisticated.

Yeah, well, let me, actually we should close now. It’s a 20 minute mark. If people will give me a little bit more time, I want to ask you about MGM. So that’s interesting. By the way, MGM probably spends more money than any health care system in the country around security. I think that’s easily fair to say, they have more money and they’re protecting a lot more stuff.

Okay, so this is my understanding. If I read this article correctly, this is my understanding of how they got in. They essentially called the help desk, convinced the person on the other side, that they had misplaced their password or whatever. It’s multi factor, so not only did they convince them that they misplaced their password and stuff, reset it, they also convinced them to reset the multi factor endpoint, target.

So essentially, they set the end. Exactly, they essentially said, hey, can you open the door and let us get in? So, they opened the door, they let them get in, and then, I mean, once they’re in, they’re very good at, adept at moving around. Although in an environment that spends that much money, I’m surprised they were able to move as far and wide as it appears that they have. Now, we don’t know.

Once you’re inside, it’s all a matter of how long you can loiter and recon the environment. If you’re in, you can install all kinds of tools. I mean, the, yes, it’s important to keep people out. It’s also important to segment and firewall off people so that you can’t laterally move.

It’s like the old firewalls in the buildings that one section caught fire, you want the firewall doors to close to avoid spreading. And somebody’s going to have to basically re examine how did they move laterally so easily. But getting through the front door with a social engineering approach or an insider that you planted that had access.

Well, and not to close this on a commercial, but it does change how you view what’s going on in your network. And for Tausight, you guys identify the PHI and PII just around the entire network and you tell people, Hey, here’s where it’s at. That’s important because if they’re in there loitering, that’s what they’re looking for.

Well, I always joke that, hey, your typical ransomware attacker, today, the latest generation, they come in, they establish a foothold, they spend four days loitering, looking for the content that they want to steal. So my, my line to people, to the CISOs and the IT teams will be, Do you know where your PHI is as well as your attackers do?

Because they’re after your crown jewels and you don’t even know where it is. There still is this concept of, if I don’t know, I’m not going to be responsible. But does that still wash? I don’t think that washes, does it? No, that’s like saying, I took my driving lessons and I passed.

And so therefore I have a license to drive. And if I run into an accident, hey, I, I got my driver’s license, right? It’s not good enough. You got to be so defensive in how you drive. I mean, that’s, that was how I was taught, avoid hitting pedestrians, avoid all the things that you need to predictively think and anticipate as to bad things that can happen on the road.

That’s how you need to drive. This is how you need to operate your IT operation. A very good friend of mine told me cyber security and patient security, patient safety go hand in hand. Because at the end of the day, you’re protecting the patient. And the record that goes with the patient is just as important.

And everybody forgets. And it really is, I often look at these breaches and I go, why is this still happening? Don’t they, if that were my bank record, I would be pulling my money out of that place as fast as I could, but…

It’s, I hear that too. But you’re also protecting your staff and whatnot because a lot of them are patients.

That’s number one, and number two, I’ll tell you what, the ERP data is just as valuable. I mean, getting into all the employee records and all that other stuff, then you get bank account numbers, you get routing numbers, you get Social Security numbers. You ruined your patient, basically. You ruined the patient’s life.

If that much data got disclosed. I’d be worried endlessly about… who’s got my data? What harm are they going to unleash on me in any number of different ways?

Well, hopefully we balance the conversation well so that people realize we’re optimists. I mean, there is, there’s a lot of great tools out there.

There’s a lot of advancements happening and we’re using AI as a tool to protect. But there’s also a is AI bad? I saw Oppenheimer. Did you see Oppenheimer? Yes. It’s interesting because people are like, oh, why would he invent, why would he, whatever, it’s like, he didn’t invent anything.

I mean, it existed. And he’s a scientist, he just discovered and the reality is in the right hands, nuclear is good. You have nuclear medicine, you have nuclear energy, in the wrong hands it’s bad and that’s the same of any new discovery.

Any technology, the spear that you use the caveman used to hunt is the same one that’s going to kill him in a confrontation.

So we’ve, I think we historically have always had to live on that yin and yang side of technology that can create major changes. And AI is, adapt or die.

Bringing it full circle. David, it is it is always great to catch up with you. Thanks for your time. Thank you.

And that is the news. If I were a CIO today, I think what I would do is I’d have every team member listening to a show just like this one, and trying to have conversations with them after the show about what they’ve learned and what we can apply to our health system. If you wanna support This Week Health, one of the ways you can do that is you can recommend our channels to a peer or to one of your staff members. We have two channels, This Week Health Newsroom and This Week Health Conference. You can check them out anywhere you listen to podcasts, which is a lot of places: Apple, Google, Overcast, Spotify, you name it, you could find it there. You could also find us on. And of course you could go to our website, thisweekhealth.com, and we want to thank our Newsday partners again, a lot of ’em, and we appreciate their participation in this show.

Cedars-Sinai Accelerator, Clearsense, CrowdStrike, Digital Scientists, Optimum, Pure Storage, SureTest, Tausight, Lumeon, and VMware, who have invested in our mission to develop the next generation of health leaders. Thanks for listening. That’s all for now.