Newsday: IT Preparedness, Data Breaches, and Apple’s Privacy Moves with David Ting

July 1, 2024: In a recent conversation, @David_Ting and @BillRussellHIT delved into critical issues plaguing various industries, particularly the alarming frequency with which behind-the-scenes companies experience data breaches that affect companies daily. They highlighted the expansive reach of current information gathering capabilities, emphasizing their potential as we continue to scale AI systems capable of processing vast amounts of data. The conversation also raised poignant questions about the readiness of healthcare professionals to operate effectively amidst system breaches, underscoring the importance of robust backup solutions and, most importantly, of preparing the clinician processes that hospital systems need to safeguard patient care and ensure data integrity. Additionally, they touched on Apple’s recent privacy moves, which are influencing broader discussions on privacy in the digital age.

Key Points:

  • Discussing a Recent Breach
  • Champion Challenger Model for IT Resilience
  • Challenges of Cloud and Business Continuity
  • Apple’s AI and Privacy Innovations
  • Privacy Concerns in the Modern World

 


Video Transcript:

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

This episode is brought to you by Tausight. Tausight uses patented AI and advanced machine learning technology to discover both structured and unstructured PHI. Going beyond DLP solutions to safeguard patient data from breaches, their experienced team is dedicated to mitigating the financial losses and reputational challenges healthcare organizations face, allowing providers to focus on delivering quality care.

Trust the experts, trust Tausight. Check them out at thisweekhealth.com slash Tausight.

Today on Newsday.

IT infrastructure is down, what do you do? What’s your backup strategy? And like they say, a plan on the shelf is only as good as whether you practice it or not, whether you rehearsed it, whether you know by muscle memory what to do.

My name is Bill Russell. I’m a former CIO for a 16 hospital system and creator of This Week Health, where we are dedicated to transforming healthcare, one connection at a time. Newsday discusses the breaking news in healthcare with industry experts.

Now, let’s jump right in.


Discussing a Recent Breach

All right. It is Newsday and today I’m joined by David Ting, CTO and Founder at Tausight. I love these conversations because every time we get together, I learned something new, and generally here’s what happens. We get on the call, we start talking and then all of a sudden we’re like 15 minutes into a conversation.

And I’m like, hey, we should hit record. So this time you started telling me about a breach that I wasn’t aware of. And I’m like, we’re not doing that this time. We’re just going to hit record. So by the time this gets out, people will have heard about this.

So recent breach, tell us about the recent breach.

It’s interesting. We always think because we’re in healthcare, that healthcare is the only sector that gets compromised, while CDK is the core cloud-hosted service that 15,000 car dealerships use, both in Canada and the U.S., for managing cars, scheduling, everything from scheduling inventory to processing deals.

And they got compromised by quote, an Eastern European company who’s demanding millions and millions of dollars. So nothing is happening. Everybody’s going back to paper. It happened last Wednesday. So they shut down everything.

Simply because there’s way too much stuff in there.

That’s amazing to me. I wonder how many of these systems there are out there. We had the pipeline last year where we were like, oh, wow, we didn’t recognize. But there are probably so many systems that have scaled to a significant amount that we don’t realize we come in contact with every day. It’s Change Healthcare. So Change Healthcare is now sending out the breach notifications.

And my only... finally. And by the way, I appreciate Change Healthcare should have to send out the breach notification. The only problem with getting it from Change Healthcare is nobody’s going to know who Change Healthcare is. My parents don’t know who Change Healthcare is. Most patients have no idea.

It’s such a behind-the-door kind of company, but that’s the world we live in today. There’s a whole bunch of behind-the-scenes kinds of companies. Do you think we’ve identified the other Change Healthcares that exist in healthcare that could shut us down?

Isn’t that the same as what happened with the car dealerships?

I’ve never heard of these folks. You go into a car dealership, something magically happens, they spit out an order, they... Yeah, you would think they’d have to hack Ford or Chrysler or somebody. Yeah, you’d think, but nobody’s processing anything. They’re doing it by pencil and paper. All the auctions, all the... post-Memorial Day, that’s the big sale time for cars.

That’s the hit them really where sales would potentially have been the highest. And so everything is slept. So you can see the huge financial impact this is going to have on everyone.

So this is likely not nation state. This is likely financially driven.

They’re asking for tens of millions of dollars.

Hey, if you can get 22 out of Change. This thing is potentially even larger financial impact.

Champion Challenger Model for IT Resilience

So one of the CIOs at a recent 229 project meeting, their strategy moving forward, and I’m not going to share who it is because I don’t want to identify them as a target, but there’s so much wisdom in it.

I wanted to run it by you. He said they’re moving forward with a champion challenger model, and essentially whoever wins the bake-off, they implement them, but they only implement them for 80 percent of the transactions. The challenger will win 20 percent of the transactions and they implement both.

Interesting. Backup. Backup. And then they write the contract in such a way that if one goes down, the other can ramp up to a hundred percent for the time being. And so he had identified at least four or five other systems that they’re doing Champion Challenger in and implementing both. And I’m like, how much more does that cost?

He goes, the Change Healthcare outage was so dramatic in terms of its impact. He goes that this is like peanuts compared to that.

I think it gets back to trying to figure out what your incident response plan is going to be in what systems are you truly dependent on that in case of any of them, first of all, identify who they are.

Somebody didn’t do a very good job. Risk assessment in the scenario where you’re tied to one service that runs your entire industry, just like Change is probably one of the major players in managing your finance, identifying who they are, figuring out what your alternative strategies are going to be, should something go south.

But that’s a whole totally new way of thinking. I think most of the time when I’m sure when you were the CIO, you basically go, gee, I have full control. Everything is pretty much in my server room, in my organization. Now with cloud hosted services, we count on a lot more transactions occurring outside of our grasp.

Challenges of Cloud and Business Continuity

I had a conversation with the CIO and I told him in 2012, we put together an architecture to move to the cloud and we were gonna have, obviously it was gonna be hybrid, we were gonna have some things in the cloud, some things local. And I said, the hardest thing we had to grapple with was business continuity.

We were in Southern California. The whole place is sitting on fault lines. So you have to really consider what an extended outage might look like. And my comment to him was, okay, so we move stuff to the cloud and we get cut off from the cloud. How are we going to operate? We don’t have that luxury of not having access to those systems.

And I told him how we created a reverse kind of model where essentially primary was in the cloud, secondary was local. And as we talked through that, you remember SunGard, the company? They used to do these contracts where they had these data centers that are ready to ramp up in case of an emergency.

And you could lease like a small amount and then ramp up in the case of an emergency very rapidly. And it was that kind of, it was that kind of model. We had excess capacity built into our data centers locally that we could ramp up, but we also had copies of data and those kinds of things.

It does require, as the architecture changes, it requires a different way of thinking about continuity and recovery.

I think it does. I think, remember the old, I remember when mainframes had to be replaced, IBM used to come in with the several trailers, one of which was to hook up your backup mainframe in case everything failed.

The other one was the one that would be the takeover, the responsibilities as a ripped out primary mainframe in your server room. Are we going to get to that point where a trailer will show up, be pulled into your parking lot and serve as your backup, generator, storage, compute?

Does it matter if you can’t get to the data?

Yeah, that’s the whole point. Now, if you can’t get to the data, you’re told,

Great. So I roll in an Epic truck and I hook it up to the health system and I can run Epic, even my instance of Epic, but it doesn’t have the data. The clinicians are looking historical data. Let me give you this other story.

Cyber attack led to harrowing lapses at Ascension Hospital, clinicians say. This is an NPR article where they said, let’s see, ransomware attack on Ascension, one of the largest health systems in the U.S., severely disrupted patient care by locking clinicians out of critical electronic health systems.

Nurses and doctors reported numerous lapses, including medication errors and delayed lab results due to an abrupt shift from electronic to manual systems. While the health systems claimed readiness for such disruptions, many staff members noted the lack of adequate training for extended downtime. I want to focus on that extended downtime thing now, because we used to plan for a couple-hour outage, then we planned for maybe a week outage.

But that’s not what we’re seeing. That’s not what we saw with Scripps. It’s not what we saw with CommonSpirit. It’s not what we’re seeing with Ascension. And now whatever this company is, CD, whatever that, that’ll be an extended period of time where these car dealerships are on paper. In the case of this hospital system, they’re saying, Hey, these people weren’t trained for manual systems.

I guess my question is, it’s one thing to look at IT and say, Hey, prepare for this, but we’re talking on the floor. We’re talking about, I don’t think that’s an IT job to prepare for how the floor operates when the technology goes away.

Absolutely it’s not. I think it’s across the board.

It goes back to every department. You have to do these readiness training to say in the event where the IT infrastructure is down, what do you do? What’s your backup strategy? And like they say, a plan on the shelf is only as good as whether you practice it or not, whether you rehearsed it, whether you know by muscle memory what to do.

The last thing you want to do is to say, oh, let’s go and open the book and see what we’re supposed to do across the entire hospital. I can’t imagine the chaos it must create. A lot of the newer physicians working in the hospital don’t know how to deal with paper.

I know. Don’t know how to deal with the fact that the decision support systems aren’t there. And they have to revert back to instincts. And you can see how widespread that impact could be.

Hi everyone, I’m Sarah Richardson, president of the 229 Executive Development Community at This Week Health. I’m thrilled to share some exciting news with you. I’m launching a new show on our conference channel called Flourish. In Flourish, we dive into captivating career origin stories, offering insights and inspiration to help you thrive in your own career journey.

Whether you’re a health system employee in IT or a partner looking to understand the healthcare landscape better, Flourish has something valuable for you. It’s all about gaining perspectives and finding motivation to flourish in your career.

You can tune in on ThisWeekHealth.com or wherever you listen to podcasts. Stay curious, stay inspired, and keep flourishing. I can’t wait for you to join us on this journey.

Your point is well taken. I was interviewing the CIO at Skylakes.

He said, we ran out of pens and paper. Like that was one of the first things, like we didn’t have nearly enough paper. He goes, but then we gave the paper and pens to the clinicians and they sort of looked at us like, what do you want us to write down? Like they had never functioned that they knew like some things to write down, but.

It wasn’t like a form that they filled out and like they’re used to in the EHR and, drug interactions and that kind of stuff. We rely really heavily on the technology. And so I think it does have to be on the floor. It does have to be muscle memory. This is leadership above the CIO.

This is CEO taking this stuff saying, all right, hey, if we go down, we’re going to be prepared for this.

have a major flood, that affects your hospital you can’t get power and you’re running on generators and your staff can’t come in. I think you’re better prepared for that than an IT outage, to be honest.

Apple’s AI and Privacy Innovations

Let me talk to you about the Apple announcement, ’cause we haven’t talked since then. And you and I have been talking about AI moving to the edge, and Apple seems to be the one who’s really going to make this common. Their new operating system, they’re essentially moving it to the phone.

It’s going to be embedded somehow in the phone so that it looks at all the stuff on your phone and says, Hey, David, here’s his calendar, here’s his email with those kinds of things. And you’re going to be able to interact with it, but it’s going to be, I don’t know if it’s a small language model, but it’s going to be small enough to fit on that phone and do things.

And then, when you make a request that’s outside of what’s on the phone, it will make a request to a protected system that’s still within Apple and still does the things that it does, because Apple is one of the few companies that has really communicated, we care about your privacy. We care about your data.

We’re not going to compromise that. So they go to that next tier of their large language model within their Apple data centers to try to solve that problem. But then if they can’t, they’ll go to OpenAI or anybody else who wants to hook in. They could go to Anthropic or others, but they will clearly state, next step in this is we are going to send your information to the bad outside world, and they’re going to see your data. Are you sure you want to do this? I think it’s an interesting model, because it talks to the edge architecture, it talks to the value of privacy as a competitive differentiator, and then, of course, making people aware of where their data is going in order to get that answer.

Privacy Concerns in the Modern World

I’m curious, did you have a chance to look at some of those announcements? Yes, I did.

So every time I book a flight or plan a trip, and I go look at all the services I use to figure out, where are you going, when are you going, what hotels are you staying at, how long are you going to be, all the ancillary services that you’re going to pull in.

Your privacy is totally out there the moment you type in your name and reserve that plane. And I go, okay, our entire trip end to end is out there now. Securing that privacy is going to be incredibly difficult. Data is going to be used to train the model at some point, because somebody’s going to have that information. This great world where we want to customize the experience and optimize it, both from a, how many dollars can I extract out of you as a customer, to how can I benefit you from an experience point of view, is going to drip out more and more about your privacy.

I was doing something on my phone the other day and I said, Hey, I want to connect to this service. It did the normal thing where it came back and it said, Hey, you’re going to be sharing this information.

And I looked at it and I’m like, They want access to my entire calendar. They don’t need access to my entire calendar. Like, why are they asking for that?

To give you a better experience. They’ll give me a better experience. I’m okay if they said, Hey, we want to write appointments to your calendar.

I’m like, yeah, I get that. I’m going to make an appointment. You’re going to write it. But even then, I don’t really need them to do that. And I think the other thing people don’t realize is how much information is in your calendar. It’s not just your information. It tells them where you’re at right now from, 11 to 12.

It tells them you’re on the phone with me. It tells them your email address. It tells them... It tells you the Zoom that I’m in, it tells you the physical location. I get these little notifications that, Hey, you’re supposed to be here. Or we know that, even things like OpenTable where I made reservations on our trip, all that data is being aggregated.

Do we just throw up our hands and say, Oh, this is fruitless? If you want to live in this modern world of convenience, you have to give up your privacy.

It’s a tough question. It’s a really tough question, especially when you’re driving in your car, location at any point.

I’m thinking of this as I’m driving through California vacation. I said, there’s no privacy. My location’s being broadcast. They know exactly where I am, what car I’m in, what stops I’m making next. What places, told, gee, don’t broadcast the fact that you’re going to be away because it ups your risk profile for your home.

That’s what thieves do. It used to be leaving newspapers on the driveway. Now it’s, then it became the, don’t broadcast it on Facebook, social media. Yeah.

Social media would then be the conduit. But we voluntarily give up all this information just as part of our normal course of living.

So the question then becomes, what can we secure? I think you have to have gradations of really important stuff, and then less important stuff. I care more about, um, activities that relate to obviously our healthcare records, our financial records, our personal any kind of other civil events, civil records that we keep.

And then the rest of it, is there really that important? But then you think, gee, maybe I don’t want people to know I’m visiting this location, and so there’s gradations of how that information can be misused. That worries me. And certainly as a privacy person, I always worry about, and my wife goes, Hey, isn’t that information already known?

The hotels already know where we are. They already know what hotels we’re staying.

I don’t want the hotels telling the retailers telling the, I don’t want this big network of things behind the scenes happening and, I do trust Apple more than I trust Google because Google’s business is information.

Apple’s business is devices, right? They sell lots of devices. They, and cloud services, they’re now a services company. But they have not tried to make millions on information. And so I gravitate to, when people tell me, should I buy a Google phone or should I buy an Apple phone? I’m like, there’s no question in my mind.

Even the data where people look at the packets that are sent back from the phones, they’re like, oh my gosh, that phone is broadcasting like a ton of information back.

I know. That’s where it really bothers me that all these modern conveniences, you know, my thermometers know what my daily routine looks like, which room of my house I’m using.

And you buy Nest because it’s, this is an independent company. And then all of a sudden Google buys them and then it’s like, okay.

Now they have my camera in my front door and my alarm system with the cameras inside. I’m going, where is this? Where’s this world going to? Yeah. And, you think, oh, I’m not paying for the camera.

Therefore the camera’s not being used. Oh no, the camera’s being used. It’s just not being used by you.

Yes.

The police department has access to it. Yeah. We are creating this surveillance. We are indirectly creating a surveillance state where it guarantees us, gee, you’re getting all these conveniences and you’re getting all this awareness and safety potentially, but we’re giving up all the surveillance.

Privacy. I did not mean to go down this route.

Oh man, what am I going to do? People now know.

Deepfake Technology and Future Implications

Of course, the other crazy thing is the deepfake stuff is crazy. And so we’re going to record this in a video. We’ll put it out on Google. And every time I look at how this is advancing, it’s advancing so rapidly.

My daughter takes my voice and she can now literally type words in it, it says whatever. And the videos are getting there too, where you essentially can take this video and when she’s done, she could do a video of you and I talking and she can make us talk about whatever she wants us to talk about.

It’s getting to that point where foundation has to be, okay, I know this about these two people. Is this conversation likely one that they had? You’re almost going to have to ask that question.

And as you get more and more videos yourself being broadcast, the likelihood of that information being scraped together to train a model that will start to become more and more like you it becomes more real.

Yeah.

Yeah. I remember one of the banks I used, they went to voice as the password mechanism. And I thought about that after a while. I’m like, that’s not good. I just have to record you. Yeah. You just have to get me to say my word. I’ve seen that on Mission Impossible. Man, we’re in so much trouble. Man, again, you don’t disappoint. This conversation has me rethinking my personal privacy. I think we need to have digital versions of ourselves that are aliases of our true identity that we can basically share it. This is the whole notion of your digital twin being your alias that you can, just like your credit card, it could be reverted.

Privacy is a very difficult thing to secure. And I think we, from our perspective, see it in a different way, simply because we do know what the extent of information gathering can be, already exists, and how it can be leveraged, especially as we build larger and larger AI systems that can ingest all those data.

Absolutely.

Conclusion and Closing Remarks

David, you don’t disappoint. Thank you again for coming on the show. Appreciate it. Look forward to the next conversation.

Same here. Great talking to you.

Thanks for listening to Newsday. There’s a lot happening in our industry and while Newsday covers interesting stuff, another way to stay informed is by subscribing to our daily insights email, which delivers expertly curated health IT news straight to your inbox. Sign up at thisweekhealth.com slash news.

Thanks for listening. That’s all for now.