Securing Healthcare Systems

Dan Bowden is the CISO at Sentara Health, a 130-year-old healthcare provider with a team of 30,000 people delivering quality healthcare across 12 hospitals. Bowden’s focus has been on building secure digital environments for new mobile apps, telehealth platform implementations and the integration of Electronic Health Record (EHR) patient and member portals, as well as migrating Sentara systems to cloud infrastructure-as-a-service and platform-as-a-service environments and leveraging leading technologies to maximize efficiency and safety.

According to a recent report, 92 ransomware attacks occurred at healthcare organizations in the past year, a 470% increase from 2019. In responding to questions about improving the integrity of healthcare systems, Bowden explains why we’re lagging so far behind in healthcare security.

It’s because of how the data is managed: data standards, data integrity. And in healthcare, I learned early on that even in health systems that might use the same platforms for patient and health information, that did not mean there was any kind of uniformity or standards. … In healthcare, we’ve struggled with this because there’s a whole bunch of mini markets, statewide or regional.

In this episode of Cybersecurity Unplugged, Bowden discusses:

  • Blockchain solutions in healthcare;
  • The shift to telemedicine;
  • Real risks around medical device security.


This episode has been transcribed by AI; please excuse any typos or grammatical errors.

Steve King 00:13
Good day everyone, I’m Steve King, the managing director of CyberTheory. Today’s episode is going to focus on the adoption of blockchain technologies in medicine. Joining me today is Dan Bowden, the CISO at Sentara Health, a 130-year-old healthcare provider with a team of 30,000 people delivering quality healthcare across 12 hospitals. Dan’s focus has been on building secure digital environments for new mobile apps, telehealth platform implementations, and integrating EHR, Electronic Health Record, system patient and member portals, as well as migrating Sentara systems to cloud infrastructure-as-a-service and platform-as-a-service environments and leveraging leading technologies to maximize efficiency and safety. So welcome, Dan. I’m glad you could join me today.

Dan Bowden 01:18
Thanks, Steve. It’s great to be here, and I’m happy to have a chance to talk about this.

Steve King 01:23
Great. I know that you’ve been exploring and implementing blockchain solutions in healthcare for a while now. I think it was Estonia that moved all of its healthcare billing to blockchain; 95% of their health information is ledger-based, and I think almost all of their prescription information is digital. Why have the American hospital and medical systems lagged so far behind?

Dan Bowden 01:53
Wow, this is a great question, Steve. And I will preface this by saying that this is my own opinion. It’s tough. I’ve been in healthcare now since 2007, and I came from banking. And literally the first day, what I learned is that a lot of the reason banking works, and you can get to your money anywhere, you can use your Visa card or MasterCard anywhere in the world that accepts Visa and MasterCard, is because of how the data is managed: data standards, data integrity. And in healthcare, I learned early on that even in health systems that might use the same platforms for patient and health information, that did not mean there was any kind of uniformity or standards in how the data is maintained and managed. Further, there’s a lot of manual work, and people who have been involved in manual data collection know that if it goes on over time, it’s fraught with inconsistencies and errors. We’ve grown into this, I think, in the United States overall, whether it’s healthcare or just the way we do things; I think certain sectors have been able to sub-optimize how data is gathered, the standards, the formatting, the integrity, the accuracy. And in healthcare, we’ve struggled with it just because it’s a whole bunch of, I kind of refer to them as mini markets, statewide or regional. And probably anyone who has changed health providers, even if you just go across the street, knows that when you go across the street, the new provider is going to hand you that clipboard with three or four or five pieces of paper and ask you to check a bunch of boxes and circle a bunch of things and fill out a bunch of stuff you’ve already done before. Sometimes it happens again at your own provider. So it’s data; there is no uniformity. So unless these different provider organizations and payers go out of their way, which they don’t; there’s no money paid for going out of your way to reconcile and patient-match and plan-member-match data.
And so I think that’s been a big problem: just the incentive to do it. Whereas Estonia, it’s an interesting use case. I think you’ve got leaders in the country who, in a way, run the country like it’s a startup company. They’ve got a much smaller scope and a lot more control to enact those kinds of measures for uniformity, where in healthcare, that kind of decentralized market all over the country makes it very difficult. So I think that’s the big challenge: just the way data is managed. And I could go on and on; we have presentations on this. Along with manual work, we still rely on a lot of sending data over fax machines, and communication among different platforms is done with formats that are inconsistent and/or sometimes insecure. And there’s a lot of work. So I think that it’s a huge problem to solve. I’m blessed to be at one of the health organizations that is stepping up, and Sentara has made some notable investments. And I’ve been very fortunate to get to work outside my, I guess, outside my day-job domain of being the CISO. I get to work very closely with a lot of our business folks and business folks in some of the very large health insurance companies and technology companies in the country to try to work on this.

Steve King 06:12
Yeah, and I know blockchain has been a source of contention in terms of different views held by different folks in cybersecurity. Maybe you can give our listeners some background on blockchain, and why you’re bullish and why you think it’s ready for primetime.

Dan Bowden 06:32
Yeah. Well, you know, it’s important. People hear, oh, this is Dan, so he does this, oh, he’s talking about blockchain. I’m like, no, I’m a healthcare technology executive right now talking about blockchain. It’s a business enabler. And what we try to explain is that it is not a cybersecurity enabler. It’s not a cybersecurity tool or platform; I think in terms of it, it can enable privacy and privacy utility. But really, what it does, I think, if there was any kind of analogy, technology-wise, the analogy is at a very foundational level, in a way kind of what TCP/IP is to the internet. I think blockchain can be a similar enabler for business and how businesses work together. So I always tell people, you have those blockchain decision trees about “do I use blockchain, or should I just use a database?”, and it’s a great decision tree. And I would say, if you’re just doing something inside your own company, the utility of blockchain is pretty limited. However, if you want to change the game, or you have a lot of B2B and B2C use cases, business-to-business and business-to-consumer use cases where you’re trying to really enact integrity of data. So identities: we want to know this Steve King is the very specific Steve King in the midst of all the other Steve Kings in the United States. So when this Steve King walks into a new provider, and let’s say we’re in a wonderful world where he shows a QR code on a mobile app, and that provider scans it, and in real time it burps out a request onto this network enabled by blockchain, and the question is, is this Steve King covered under a health plan? And immediately there’s a reply that comes back from Aetna that says yes, that Steve King is covered under our health plans, and these are the specifics of his copay for seeing his primary care provider, or this is where he is currently on paying through his deductible.
And so we want to enable those kinds of things where those questions get answered right away. And then maybe in the future, Steve, that clipboard questionnaire with all those questions, you can just provide that one time and then update it when you want through that same mobile app. And you can decide who that is shared with, through a digital ledger that’s enabled by blockchain, and you can make decisions about updating your address and your phone number, your email address, who you choose to share health information with or what health information you share. And so it’s an enabler in that respect. So that’s why I tell people we’re not talking about cybersecurity; we’re talking about trying to change the game and the terms on which healthcare business is really transacted.

Steve King 09:50
Yeah, and so my question is, why can’t I do that now? Having spent the last couple of months in and around a healthcare system here, I’ve probably completed that clipboard questionnaire five different times, and yet it was the same provider. So my question is, why don’t we have that little QR code now?

Dan Bowden 10:14
You know what, we are working on it, and I don’t want to play a commercial, but you can do some homework on Sentara Healthcare. There are other very notable healthcare providers in the country; I can say their names. We’re working with other peers such as Cleveland Clinic, Aetna, Anthem, HCSC, PNC Bank, IBM and others to try to solve that, Steve. We want you to have that. And then we also want your providers to be able to update their information. Believe it or not, if you go out on your health plan website and you try to find an orthopedic provider, maybe you want to see a knee doctor, the best-in-class accuracy of those directories is probably 70%, believe it or not. So it’s the same challenge, where we don’t gather data well, we gather it manually, and we don’t validate it too well. And so that’s why, to go back to your point about the clipboard, we need to figure out how to put the data with good efficacy in the right system. And that’s the beauty of maybe something enabled by a digital ledger like blockchain. I’ve now been doing this long enough that I talk about ledgers rather than blockchain specifically, but the idea is that we give Steve access to that information, updated as Steve needs to. And then the same thing with the providers that you work with: if your provider leaves or changes or goes out of your network, you can learn that in a more automated fashion rather than by trying to have a visit or having a claim rejected that you thought would be covered. And so we’re working on it. On the why, there’s a whole bunch of work to be done. There’s a new company that we’ve helped; Sentara has invested significantly in terms of helping to enable it, called Avaneer Health.
And there are some competing consortiums that I am hoping are successful, because it’s a very challenging situation where the incentive model is that we kind of get paid for the overhead of dealing with all the inaccuracy. And we’re not proud of it; we want to get out of it. But it’s a problem where we need to build a new network, so to speak, and the network, I believe, is going to be based on blockchain. So the competing organizations to Avaneer Health, if you go look up the Coalesce Health Alliance, the Synaptic Health Alliance, all of these organizations have some of the top healthcare companies in the United States and the world working to solve these problems. And so that’s what we’re hoping, that they can build this ledger, because if you think about it, if we have really clean patient data, we can patient-match Steve King out of every other Steve King in the United States. If we get really clean provider data, providers can update their information, they can update the networks they’re in, they can be onboarded into new health systems and onto new health plans much faster than we do today. Then we can clean up other problems. Who hasn’t had a claim rejected that they thought would be approved? Who hasn’t had a knee surgery and thought, oh, it’ll just be one bill for the knee surgery, and then learned it was actually 10 different bills, and four or five got rejected, or one came back as what they call these surprise bills, where you didn’t realize that some out-of-network radiologist was pinch-hitting that day, and so you got hit with an out-of-network bill? These are all kinds of problems that we have with healthcare data management and the back-end business and payment processing. And we’re definitely not proud of these issues. We want to fix them. The good news is that there are a lot of organizations that are investing in this and some brilliant people involved.
I am humbled every time I get on a phone call with these folks at the caliber of business, innovation and technology people who are involved. And I think what they should do is what you’re doing, Steve: keep asking the questions about when it will be fixed. And yeah, I’m hoping we see some good progress. I’m hoping that you see some things really as early as the first quarter of next year, some good things happening.

Steve King 15:02
Well, it’s certainly a complex space. And it’s funny that financial services folks have been early adopters in blockchain. Wouldn’t it be ironic if medicine eclipses their adoption rate and we have a kind of holistic system in place here come next year? That would be amazing. If I shift for a second to the world of telemedicine, because I don’t think that this has been a temporary solution. I think temporary solutions might have the maturity for adoption here on a much wider basis as folks get more comfortable with doing many of these go-to-places things from home. What do you think the adoption rate for telemedicine is going to be? And what do you think that whole area is gonna look like in about five years?

Dan Bowden 15:58
I think it will be the preferred primary care encounter method. We’ve been working on telemedicine for a long, long time. I got to the University of Utah in 2007, and I remember 2007, ’08, ’09, 2010, those years, we had the Utah Telehealth Network, UTN. The challenge with adoption has always been a couple of things. One, just patients understanding what the capabilities are. And then two, back in the early days, 10 years ago, the providers; there just wasn’t an incentive model for the individual providers or the health systems. Whereas I think now we’ve got some generational turnover in the providers, where we have the Generation X group, that generation of people who saw the old manual things and the new automated things, and they like the latter. And so I think as the newer generations of providers come into the workforce, that’s one thing: you’ve got to have physicians who are willing to do telehealth engagement. And then I think the inflection point that the pandemic put on us for telehealth: now patients, and again, back to the Gen X and younger generations of patients, are going to prefer that in many ways. And it’s easier; nobody hands you a clipboard when you do telehealth. Yes, exactly. And so, but we’ve got to get better at gathering information. Because the beauty with telehealth today is the quick utility of the interaction and the encounter; the challenge is, we still do need to figure out how to do the data gathering and reconciliation. So for some of the health systems, what is tough is they don’t have the telehealth encounters completely integrated into their health record platform. And so that’s going to be the next big thing, to really start leveraging them as a business utility and not just the convenience. And I think that, in the pandemic, we needed that convenience.
And so the convenience factor was so needed and so high in 2020, and maybe not as much in ’21. But now, we’ve maybe not reduced focus; we all still offer telehealth. But we definitely need to go back and now get those telehealth encounters and all of the data that’s gathered integrated into the patient’s central record and the health record platform better than maybe we have in the past. Right.

Steve King 19:07
Switching back to security, if I could, for a minute, on the IoMT side, or however you want to refer to it, the OT device side of the house. You’ve been active for a long time, and a patient has every right to be concerned about a hacker messing with heart monitors. What’s the real risk around medical device security, and what have you guys done about it? I know I’ve been in hospitals visiting folks where I’ve walked down the aisle and had access to these portable computer stations where, yeah, there are open ports and I could insert a USB drive, no problem. So I’m curious about what you guys have done to protect and defend.

Dan Bowden 20:02
Yeah, it’s a great point. And really, what you have to do is pay for something basically like a red team engagement, where they size you up in that black-box mode on the internet: what can they learn about you and get in? But then also let them walk into your facilities and tell you how easy it was to get to a workstation or attach a device to your network. And we’ve done that; we did one this summer. And so we’re asking the questions: all right, what are new preventive things we can implement? And what are new detective and response things? Because hospitals are tough. They’re public access. And while there are obviously some controlled-entry areas, there are always situations where you’ve got to say, okay, what workstations are out in the open, and what can they get to? And let’s pretend a bad guy, let’s let a bad guy sit down at that workstation and tell us where they could get. And are we able to suppress that and keep it so that they can’t get anywhere with someone’s credentials if they’re not supposed to? And so that’s the challenge: role-based access. It’s fraught with a lot of challenges, but one is where the workstations should be. Let’s not have any out in public areas that are of any utility to getting to sensitive data. But two, if there are any that aren’t constantly being attended or worked on, how do we secure those, in terms of timeout and lockout? And then when someone is at the workstation, what can they see? What can they get to if they were a malicious actor? That’s one thing. The other is the big picture. All those medical devices: there’s always been the worry about individual systems being hacked and a bad actor affecting the integrity of readings or changing doses or treatment.
But I think the big picture we’re really worried about is, what if somebody just takes down all of our, what we call ADT, admission, discharge and transfer, all of the workstations that support ADT? What if they all go down at once? Now maybe we have to go on divert; maybe your health system can’t see patients, and maybe a five-minute ambulance ride just turned into a 25-minute ambulance ride for somebody. And so there’s that whole spectrum: internally, what happens at a workstation? And then the big picture, the individual devices and the larger service: how do we keep these things going so that our doors are open and we can get patients in and out as we need to? So there’s a lot of work, but we’ve made investments in platforms that specialize in medical device activity on our network. Medical devices don’t leave the same breadcrumbs as normal Windows devices. You have to find them; these data scientists went to work for these medical device security companies and learned to fingerprint NetFlow traffic, so that they can fingerprint an Alaris infusion pump on your network out of all of the other brands of infusion pumps and every other device, and then help you figure out what it can talk to and what vulnerabilities are on the attached workstation, if there is one. And so there’s so much to do, but the only way to know where you are and assess yourself is to bring in a team to assess you and look at it, and then work on the recommendations.

Steve King 24:00
Yeah, that’s great that you’re doing that. I’m also concerned, and this is my final question, and I’m conscious of the time here; I want to get out in 30 minutes. But I think that whole healthcare target market is interesting in that it’s a big one, right? I think the data tells us that there were like 100 US healthcare organizations impacted by ransomware since they started tracking that, and that’s, I don’t know, 12 million-plus patient records. And I think there were 92 or something ransomware attacks on healthcare organizations, which was like a 60% increase year over year. What are we doing beyond your own medical network to change the dynamics there? I know that it’s easy on the one hand to say, look, we can’t be bothered with this stuff, we’re saving lives. But something has to give, right?

Dan Bowden 25:01
That’s right. And I think in healthcare, we’ve worked really hard to get everyone to collaborate and work together. If you go back to when I started in healthcare in 2007, coming out of finance, what I observed was an ecosystem of sub-optimized technology stacks: cardiology, radiology, lab, etc. And then we had to make all these things talk together, and we didn’t have IT experts explaining how to do this well. And so there’s been this course, this path, this trajectory of learning. And I think we’ve got some health systems that have been able to advance their expertise and do it well, and there are still a lot who haven’t. And so we are definitely encouraging a lot more collaboration, a lot more working in these efforts. When President Obama signed the Cybersecurity Information Sharing Act in 2015, there was a specific section for healthcare, Section 405(d). And we’ve done a lot of very intentional work in healthcare, with some great leaders in that space across healthcare, to try to build a document standard that any health system can adopt, and to collaborate and teach them and help them do it. So that’s what we have to do. There’s no silver bullet. There’s no easy fix to this; it is a lot of ground-game work, and comparing notes, and figuring out what’s the plan and which technology solutions, if we do go to those, help a particular health system most. And so, like I said, there’s not a silver bullet. It’s just a lot of work. And so, if there are healthcare people listening and you want to talk about cybersecurity, look up Section 405(d) and healthcare security work, and look up some of the CISOs who’ve been working on this: myself, Erik Decker at Intermountain Healthcare.
He’s done an incredible amount of work, and has worked on public policy as well for this. But reach out to all of us and ask how you can get involved, how you can learn more and do more to help everybody pick up their capabilities.

Steve King 27:30
Yeah, that’s great to hear. And obviously you have a passion for this, and I’m glad you do. We need more folks like you, Dan, to lead the way here. This is one of the serious open wounds, if you will, that we have across the whole spectrum of cybersecurity, and the sooner we close it and protect it, the better off we are all going to be. And we’re out of time. That was great, though. I appreciate you taking the time out of your schedule to share some thoughts about blockchain and telemedicine and what’s going on in the healthcare world. I’m pretty sure this was an interesting exchange for our folks. So thank you again.

Dan Bowden 28:11
All right. Thank you. It’s nice to talk with you, Steve. Hope you have a great day.

Steve King 28:16
Great. Thanks, Dan, and thanks to our listeners for joining us in another one of CyberTheory’s Unplugged reviews of the complex and weird world of cybersecurity technology and our new digital realities. Until next time, I’m your host Steve King, signing out.

Category: Podcast