Transcript
save grandma's life or will this help that particular child? Putting the patient at the top of the list is going to be the most critical. Any of those services that can support patient care, making sure you have a hot list, a prioritized patient care list, so that there's going to be particular surgical cases that still need to happen, life-saving type cases. And I would assume that those would be priority number one.

Welcome to Building Cyber Resilience in Healthcare. The attackers are learning from each other and we should be too before everything's on the line. Here, healthcare leaders share the stories, insights, and lessons that get hospitals operational again faster and patient care restored. I'm Josh, your host, and with that, let's get started.

Hey, thank you so much for joining us. I'm really excited today to talk with Dr. Sam Bhatia. He's a medical director and industry advisor at Microsoft's Healthcare and Life Sciences practice. Dr. Bhatia, thank you so much for joining us. I have tons of questions for you, but I think the first one I would ask, just to help our listeners get to know you better, is: you are both a medical doctor and you've worked at kind of a who's who list of technology organizations. How did that come to be?

Yeah, thanks for having me. I would say it's what our leadership calls a two-sport athlete, you know, a clinician and a healthcare tech industry advisor. So you have to be able to speak both languages. And today, more importantly than ever, we have, you know, AI in healthcare, where AI can make the biggest impact. So how did it lead to this point? It all started in the realm of meaningful use, when the EHRs were being mandated by CMS to be deployed at any health system, hospital or clinic. And that's when I became interested in becoming a clinical informaticist. And I spent almost a decade at Cerner doing so, working with CMIOs, physicians, and really had a keen sweet spot for pathology and, you know, all of the workflows that go on in the lab. They say that 70% of all clinical decisions are made from lab data or pathology data. So I really honed in on that space and saw the power of how, you know, that data could really help save lives and help people. So that's number one. Number two is being able to, in a lifetime as a practicing physician, I'd probably be able to help maybe 10,000 people. Going into technology and where I am today, I'm able to help millions of people. If you think about it, there's a Microsoft computer in every hospital in the world. I am in a position where I can leverage this platform to really help humanity.

Yeah, and I think that was something that drew me to you when you and I were talking about other things we're working on: this desire to not just sell something, but to, I don't know, have our lives represent something better than ourselves, bigger than ourselves. So one of the reasons I was so excited to talk to you is because you've got that rare skill set. And we talk to a lot of organizations about this idea of, you know, when the worst happens, when a cyber attack happens, there is this loss of trust. That's the real issue. It's not your ability to restore data or not. It's this, you know, I can't trust anything. So now I have to restore data into this whole new environment, an isolated recovery environment. And we've learned from a number of organizations that there's this need to have a tightly constrained, really laser-focused list of core capabilities and the applications that support those, that we term the minimum viable hospital. Not that the applications that aren't on the list aren't important, but more, you know, if we have a tightly constrained list that's prioritized within the list, we know we're always working on the most important thing to get that organization back online. Then once, you know, dial tone is restored, we've stopped the bleeding, to use that analogy, then we can start working on the nice-to-haves, right? I always pick on finance for no apparent reason, but like the data warehouse for finance or, you know, some HR systems to do with recruiting or whatever, you know, annual appraisals, we might be able to survive for a month or two without those and nobody's going to die, right? So I was talking with Heather Costa in a previous episode and she used the analogy, does it save grandma? And so maybe you could talk to us a little bit about, like, with your experience as a clinician, what sort of systems do you think of, or how would you go about defining what's in that minimum viable hospital? What's good enough?

Yeah. First of all, I love the, you know, the phrase minimal viable hospital. Did you or Rubrik create that?

So we started working on something we called the minimum viable business, which is just, we saw this pattern of everything's offline. You can't recover back to production. You're going to have to prioritize. So, like, get really consistent and clear on these are the priorities, know them, be able to recover them somewhere else. And so, you know, the necessity for an isolated recovery environment, the necessity of the recovery process, kind of forces this: I have to make hard decisions about prioritization. So coming out of that work stream, the minimum viable hospital, we think it was original with us. It's not super important, but we've tried to put some thought and effort into this area of knowledge.

Yeah. Yeah. So as a clinician, and then, you know, as a healthcare IT tech person, I think that's such a great term, MVH, because it reminds me of minimal viable product. When we're talking about, you know, creating software product solutions, what it really, you know, means is, you know, the smallest set of applications and services that are required to deliver a safe, you know, patient care environment during an extended cyber attack or outage, that are deemed necessary. I think in healthcare, we know that it's not about if an organization will have some sort of incident, but when, and so MVH should be top of mind to everyone. And I think also, secondly, that the list of these minimal viable applications should be around three to five. And so what, you know, what does that look like? You mentioned coding and billing. That's a great one because of the need to stay in business and be viable, with the margins these days in healthcare being so low. I think communication and collaboration is another one. It's going to be hypercritical for all departments and all staff to be on the same page. So some sort of mechanism for that. I know the go-to is EHR. So that definitely has to be on the list. That's a source of truth for many. But then also identity and network infrastructure. I think that plays a big role in all of this as well. Customizing that list per health system is critical for an MVH.

I know, as somebody who used to administer Active Directory, like, it just works. And then you think about that being offline and having to, like, roll it back two weeks and recover it to new hardware and that sort of thing. Like, we've been in meetings where people say, like, I tried that once in a lab and three weeks later I was still getting errors. You know, like, it's brain surgery, because that is so critical to everything else. You know, where do you think there's a tendency to have this, like, all-or-nothing attitude of there is no substitute for quality care? Like, how do we help these teams who have to go out and deal with, you know, doctors and kind of come to terms with this is a nice-to-have versus a must-have? We know, for instance, in the national health system in the UK, they've now had some documented deaths that pointed back to inability to get lab results in a timely manner. So, like, how, where do you draw that line and say, this is important, but maybe we could live without it for a while?

Yeah, I think it goes back to if this can help or solve the patient problems first. So to your point earlier, will this save grandma's life or will this help, you know, that particular child? Putting the patient at the top of the list is going to be the most critical. So any of those services that can support patient care, making sure you have a list, you know, a hot list, a prioritized patient care list. So that, you know, there's going to be particular surgical cases that still need to happen, life-saving type cases. And I would assume that those would be priority number one. And then everything else falls after that. Again, remember, we've been doing this many years before these electronic systems were in place. So just making sure that everyone is highly familiar with downtime procedures. And I know downtime procedure sounds so manual, and which surgeries and which clinics on a spreadsheet and manual documentation and double checks for meds and, you know, alternative communication, you know, modalities, as well as staff surging. But in today's age, I think with AI there's the ability to create these hybrid downtime models that need to be explored with health systems as a whole. Almost like some sort of standardization of a downtime procedure, of a hybrid downtime procedure model.

Yeah. I was talking with a nurse recently and, you know, she had a 50-year career. An EMR was a relatively recent thing in her career. She's been a charge nurse. She's taught, you know, other nurses. And she mentioned, she said, I actually haven't seen the manual, or the reference manual, that we had at every nurse's station that you would use to calculate dosages. She's like, I haven't seen that in a number of years. And we actually together, we Googled it until she was like, there, that's the one. It used to be out there. And it was interesting to think about: there were all of these manual processes that used to exist. But I will bet at some point somebody went like, nobody's using those. There's a cost-saving measure here. We could stop, you know, having those at every nurse's workstation, and then realizing, like, we've made a thousand decisions along the way. How we design the facilities, you know, even the vacuum tube systems. Now I've been in some hospitals where on the end of that vacuum tube system is now a robot that moves the things. And so if that goes offline, you know, can you safely put a person there? It's just interesting to think about how much has changed. I think everybody always goes back to this, well, it's these young doctors and nurses who've never used paper, but realizing, like, the complexity of care has changed. The number of therapies, you know, the use of IV pumps, like, all of the things that are not the same as they were 20 years ago.

Yeah, and so when we talk about security with each one of these processes, I still don't think disaster recovery and IRE are at the top of mind for clinicians, for nurses, for researchers. And now more than ever, to your point, you know, we've automated some, let's say, you know, we've automated over 50% of our workflows in the hospital. So, you know, why aren't we thinking that security is part of that narrative or top of mind? And why aren't we able to pivot now back to those old manual processes in the time of emergency, you know, when life or death really counts? So just, you know, I think that's what you're talking about. I still feel like that's the holy grail for, you know, for security. If we could get the clinicians to all collectively keep security at the top of mind, I think it would help a lot of the organizations, not only in the U.S., but around the world, from a security standpoint.

I have a dumb idea that I want to throw out, and you're the first person I'm pitching this to, but...

There are dumb ideas, right?

You have a great title at a legendary leading organization. So I've heard this from a couple places now that at the end of these cyber attacks, there's often this need for what they're calling attestation. So one of the insights that we have to share with people is, you know, you can have something move to a SaaS vendor, but then have that SaaS vendor cut you off, not because the service is unavailable, but because, out of an abundance of caution, they may not want what's happening in your organization to spill over to theirs. So we've heard this now from a number of CIOs and CISOs that they got cut off from key SaaS services during an attack. And to restore those, they wanted a letter of attestation saying the incident had been handled and there was no longer a risk. And so what we end up with is a hot potato situation between the incident response vendors' lawyers, the health providers' lawyers, and the SaaS vendors' lawyers all deciding what is an acceptable level of due diligence and risk. So I have a dumb idea that maybe, between the resources you have at Microsoft and the people we know in parallel, could we bring in, like, some folks from some of the EMRs and some of the incident response vendors and, like, you have a general counsel, we have one, could we start to define together this framework of this is what a reasonable level of due diligence looks like, that then gives everybody something to aim for, right? The incident response vendors know they need to complete this list of tasks. Other lawyers could look at it and say, well, that's what they thought was reasonable. So, like, maybe we could adopt this here. And in doing so, could we speed up the resolution of these incidents? What do you think?

Absolutely. I don't think it's a dumb idea at all. I think we could start with a think tank and then we could standardize on this, to your point. I think the market needs that, healthcare needs that especially. And instead of having these one-offs or delays in patient care because of lack of standardization in agreement of what good looks like, I think it's actually a brilliant idea. Let's do it.

All right. Well, I will be in touch and we'll pull some people together. So what I'm taking away from this today is that you think the minimum viable hospital is a decent idea. Knowing what are those critical applications and having clinicians involved in that process of, like, how do we preserve care? What's the right list of applications? Recognizing that DR probably won't save you. You're going to need to go to an IRE.

A hundred percent. Yeah, I'm grateful for having this conversation. I think right now, with the AI revolution going on, this is more important than ever. And we need to have more conversations like this.

All right. Thank you so much for joining me.

I'm really grateful to Dr. Bhatia for being willing to join us and also being willing to join my little pet project. So I have a challenge for all of you. If you know somebody who's a general counsel of a health system or an organization that provides IT services to healthcare, or maybe at one of the major EMR vendors, who'd be willing to join our little project around how do we help solve this attestation issue and create a framework so that we can speed up these recoveries, I'd be really grateful if you'd send them my way. If you know anyone else who can add to the body of knowledge and help us learn how to recover healthcare more effectively and quickly, with less impact to patients and less financial strain on the systems, please join. We'd love it if you'd send those folks our way and we'll add them to the growing body of knowledge on this topic. Thank you so much. We also want to hear from you. If you know somebody with insights and lessons learned who'd be willing to share, reach out to me on LinkedIn and we'll get them on the show.