Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:03):
One second. Welcome to
another episode here of
Cybersecurity with the Petronella Technology Group.
I am, of course, Blake Ray here.
I am actually sitting down with Scott.
Scott works at a small regional hospital, the Southern Coos
(00:23):
Hospital.
An interesting conversation we are going to have here about AI
being in a rural hospital setting, making use of the
frugal budget that I'm assuming your hospital has, and how to
stretch every dollar in healthcare.
Welcome to the episode.
Speaker 2 (00:44):
Well, thank you,
Blake.
I really appreciate the opportunity to speak with you
today.
Speaker 1 (00:47):
Yeah, tell us about
Southern Coos, tell us how you
got to where you are, and tell us a little bit about yourself
as well.
Speaker 2 (00:55):
Perfect.
Well, I'll start with myself and then lead into some of the
initiatives at Southern Coos.
I have been in healthcare only for about the last 10 years of
my career.
I grew up in fundraising and marketing, actually, and then
took a turn to the IT world somewhat by necessity.
(01:19):
I was working at Southern Coos as the primary fundraiser and
marketer and demonstrated some facility with project management,
started helping out the IT department and the admin staff
with some projects and then moved over to the chief
information officer role about eight years ago and so I have
(01:46):
loved it every minute.
There have been many challenges that I'm sure we'll get into,
but it was a great move for me and for my career.
But also just learning the ins and outs of healthcare IT and
then healthcare in general has been just really enlightening
for me personally and professionally.
Southern Coos Hospital and Health Center is a small
(02:07):
critical access hospital.
We're down here on the southern Oregon coast, we are licensed
for 25 beds and our census has been growing dramatically over
the last few years.
We recently went live with Epic Community Connect and that's
hosted by Providence Health Systems.
(02:27):
So Providence is our host for the Epic instance and we just
went live with them on December 7th.
So in a certain regard we are still in a post-live
optimization environment.
So a lot of work to do optimizing the workflows,
particularly around the clinical workflows.
We've got a lot of those locked in but a lot that needs to be
(02:50):
remediated.
And let's see, Southern Coos Hospital.
We've got a full service ED, 24-7 ED.
We've got primary care, which is growing, and just hired a
couple of family nurse practitioners.
We've got two MDs on staff.
We just hired a gynecological surgeon and we're in talks with
(03:16):
the dermatology group, also with a general surgeon.
So over the last again over the last about year, we've really
kind of hit our stride in growth, trying to serve a very rural
population.
And just to give you kind of a quick idea of what our
population looks like, we are the town of Bandon.
(03:37):
Oregon is where Southern Coos Hospital is.
We do have about 3,200 people in the town of Bandon.
However, our catchment area is more along the lines of about
15,000 people up and down the Southern Oregon coast.
We are lucky to have the Bandon Dunes Golf Resort right in our
backyard.
It's a world-class facility and in fact Southern Coos Hospital
(03:59):
is providing medical services for the 125th USGA Amateur
Tournament which happens in August.
So are developing a lot of uh, a lot of partnership
opportunities with Bandon Dunes and other businesses
around the around Bandon in the Southern coast.
Speaker 1 (04:19):
Yeah, I was doing
some research before.
I mean, it's beautiful there.
Speaker 2 (04:23):
Yeah, it really is, I
mean I mean just the.
Speaker 1 (04:26):
It's so scenic, yes,
and it's also particularly
amazing because I mean you guys got the best of both worlds.
I mean you've got the state parks, I mean you've got tons of
recreational sites.
I mean type of natural, uh preserves yep uh, I mean the
coastline of Oregon.
I mean, need I say more?
It's stunning.
Speaker 2 (04:48):
I'm really glad you
brought that up, Blake, because
we get a lot of people here for natural resource tourism and
recreational tourism.
In addition to the things you mentioned, we've got a
significant network of biking trails and hiking trails.
A lot of people come out here to wind surf, uh.
(05:10):
People come out to fish uh, people, you know we'll bring
their motor homes in or their uh,
uh, you know, bring their
tents and kind of camp for, you know, a month or two during the
summer.
Uh, it's, uh it's.
It's a great place for great place for recreational tourism.
Speaker 1 (05:26):
Yeah, you guys are
about four hours away from
Portland, is that right?
Speaker 2 (05:30):
Yeah, about four,
four and a half, depending on
how fast you drive and what time of day it is, but yeah, it's
about four and a half north south.
So we're out here right on the edge of the continent, so to
speak, and we're very geographically isolated, which
brings a lot of challenges which I'm sure we'll get into.
(05:52):
But yeah, we have a lot of our patients will go to other
locations for specialty care and sometimes primary care,
depending on you know when, when they can get a, get an
appointment.
Speaker 1 (06:09):
So what has been um
kind of like the uh strategy
that uh Southern Coos has tried to deploy in terms of
service, service offering.
I mean, you know, patient care, like I'm sure you guys have a
unique strategy, considering you said you have 25 beds in a town
(06:30):
of about 3,200.
What has been some of the priorities that you guys have
focused on?
Speaker 2 (06:36):
Yeah, that's a great
question.
So what we've done like is we've done several studies on
what we believe our community will need from a healthcare
perspective.
So one of the reports that we do is mandated by federal law.
It's the Community Health Needs Assessment.
Now that's done about every three years as required, and so
(07:00):
ours is a couple of years out of date, so we'll do another one
next year.
In the meantime, we feel like three years isn't quite enough
to get a handle on kind of what our demographics are showing in
terms of where they're seeking health care, what they are, what
you know what kinds of services they need.
And then for us to make an analysis on what we can do
(07:24):
in-house as a small hospital and then what we can do to
strengthen the communication with what we call tertiary
medical facilities those facilities that are maybe in a
Roseburg Oregon or a Eugene Oregon or even in Portland
Oregon that we can strengthen the communication between
(07:44):
Southern Coos Hospital and those other organizations to ease the
transition or believe that we can implement fairly quickly at
a reasonable cost for us and also that will have the greatest
(08:13):
impact on our patients.
So, for instance, I mentioned dermatology.
You might not think that dermatology would be a big issue,
but we have a very elderly population.
We also have a population generally that doesn't use a lot
of sunscreen, which is odd because the Southern Oregon
(08:34):
coast is cloudy about nine months out of the year and so
people don't think they need to, but they do, and so we get a
lot of skin cancers and things like that.
So dermatology is one specific service line that we're
developing.
General surgery is another.
Again, we have a lot of folks who need biopsies and need
colonoscopies and endoscopies and just as kind of maintenance
(08:58):
and preventative care.
We also are looking at an orthopedic surgeon because,
again, our population trends out elderly.
A lot of folks are, you know, in wanting to have a knee
replacement or a hip replacement.
We want to be able to provide those services here.
Speaker 1 (09:17):
Yeah, so that's kind
of cool.
I mean, it seems like you guys are taking a community first
approach to health care, just kind of like doing consensus,
seeing what the needs are of the community and building your
hospital system around it, which is kind of a cool approach,
that's absolutely right, and it's an approach that is really
brokered by necessity.
Speaker 2 (09:38):
We feel that we can't,
as a small community and I
should say that we are community owned, meaning that we are not
owned by a larger system we are part of a health district and
it's a taxable district, and so we feel beholden and responsible
to our community, which really motivates us to get as much
(09:59):
community input about our current and future direction as
possible.
Speaker 1 (10:04):
Yeah, I mean that's
an amazing approach.
I'm curious, and this is probably something that a lot of
our questioners are asked.
I mean I've worked and we've talked with a lot of the bigger
health systems upstate New York, I mean New York City, I mean
Los Angeles County.
I mean you can imagine the amount of funding that goes into
those healthcare systems.
(10:25):
Curious to get Um, curious to get sorry, curious to get your
take on um how funds are appropriated, uh to smaller
healthcare systems and how, how they're prioritized and what
type of challenges you guys have, uh being a rural provider and
how you're addressing them.
Speaker 2 (10:42):
Yeah, that's a great
question.
So so, not to get too much in the weeds, but we are, as a
critical access hospital, that's a federal designation.
So as a critical access hospital, we are eligible for a
different, higher level of reimbursement than perhaps other
hospitals are, and so what that means is that a lot of our
(11:04):
expenses are reimbursed at a little bit of a higher rate.
The critical access designation was created in the 90s in order
to preserve rural health care facilities.
Between 85 and 96 or so, hundreds of hospitals were
closing.
So Congress acted to create this designation as essentially
(11:28):
to preserve the safety net, and so we, you know again, feel very
responsible for the utilization of the funds and the revenue
that we bring in.
We also get taxable income or tax income from our constituents.
So between those two, you know between actually three revenue
(11:50):
streams the reimbursement, and then you know our regular, you
know fee for service and then also our tax income.
We are very careful about what we spend our money on, basically,
and so we've always got to keep our eyes on, you know, the
bottom line, you know, month on month, but then also year on
year, and kind of trying to make those strategic decisions and
(12:12):
strategic investments that will bear fruit for us.
You know, one, two, five years down the road.
So that has been a challenge for us to kind of shift our
thinking, particularly from the governance level and from our
board of directors.
We have a great board of directors.
They're publicly elected, which is wonderful.
(12:32):
However, there's no mandate that they have health care
experience.
So, you know, anyone can and by design, anyone can apply as a
candidate and then be elected, and that's great because we want
a wide variety of experience.
There is a higher educational curve for new incoming board
(12:57):
members just to kind of wrap their minds around the
complexity of health care generally but then also rural
healthcare.
And so you know, when we propose even, you know, small
multi-million dollar projects, that takes a lot, of, a lot of,
(13:19):
I guess, presentation and evaluation, just understanding
all the vendors that are involved.
I mentioned earlier that we had just gone live with Epic in
December.
That was the culmination of about a two-year project where
we spent about a year evaluating, going through all the vendors.
We came up with a total cost ownership for the entire project
(13:42):
and we had a lot of negotiation with our board.
They wanted to be sure and they should be, they wanted to be
absolutely positive that this was the right path for us to go
in, because if we had failed that would have crippled our
hospital.
So you know, every other rural hospital in America is going
(14:03):
through the same evaluation in various forms, and so that bears
a lot of risk.
So we have to be absolutely sure that we have the right
resources in place to make these projects successful.
Speaker 1 (14:18):
I'm assuming the
age-old adage of carpentry,
which is measure twice, cut once, and your case is truly that.
Speaker 2 (14:28):
It's measure, like
you know, 12 times.
Yeah, and you know, and the thing is, Blake, is that you
know, as we go through these evaluations, you know certain
external environmental factors change, right, while we're
making those evaluation decisions, and we might make a
decision at the beginning of the process that you know, six,
(14:51):
eight months into the process we have to reevaluate because of
some sort of external environmental change that we
didn't have anything to do with.
I'm what I'm thinking of specifically are labor costs
right, or, um, or material costs, those kinds of things yeah, I
mean, and obviously, since you guys are super rural, I mean, um,
(15:14):
the the mandates don't change.
Speaker 1 (15:16):
Like you're, you
still have patients, you still
have patient data.
Um, I mean, you still have to to to protect their data.
You know, HIPAA doesn't change depending on your size.
Yeah, exactly, and so I'm curious about you know what are
some of the compliance challenges that face rural
(15:37):
hospitals similar to yours?
Speaker 2 (15:50):
Well, you forecasted
this really well, Blake, in
terms of making sure the data is getting into the system with a
certain amount of accuracy and then, on the other side, making
sure that we have the ability to pull that data into a reporting
form that we can then report out to our regulatory agencies.
You know, really, ever since COVID the regulatory burden has
(16:16):
become pretty intense and there are lots of regulatory mandates
now that weren't in place before COVID, and you know we are.
We feel very strongly we need to be compliant, and every other
hospital does too.
We have a quality department that we've been building up.
That's been a strategy internally for us.
We started off with a single quality director and now we have
(16:38):
a team of four, and two of those are data analysts, and so
we're doing the same thing in clinical informatics, where we
started off with no clinical informatics department a few
years ago and then, when I came in, I identified that as a need.
So we've been slowly building up that department and really
(17:00):
shifting from a I guess I would call it a break-fix model, both
in quality and IS in clinical informatics, to a more kind of
proactive data analytics model where, you know we have the
staff to reset passwords and to replace printers and things like
(17:21):
that.
You replace printers and things like that, but the higher value
I guess, in a certain regard, a higher value job description, I
guess is to really dig into the more active data mining, and so
we're really doing that.
We're creating a kind of cross-departmental team between
(17:44):
all those folks I talked about clinical informatics, IS and
quality to really kind of formalize our reporting to
regulatory agencies.
We also have internal reporting that we'd like to do,
particularly around provider performance, provider
(18:08):
performance, wanting to make sure that our providers are
providing the best quality service to our patients as
possible.
So it's been a real journey for us, as I know it has been for a
lot.
As those regulatory burdens increase, we have, luckily and
with some strategy, made that decision to increase staff and
competencies around data analytics.
Speaker 1 (18:32):
I'm glad that you
also kind of brought up, brought
up COVID.
You know, obviously COVID was a huge kind of test and benchmark
measurement for most of the hospitals that we've.
We've talked to and and and healthcare service providers.
Um, how did that kind of affect your, your network, your
hospital network?
(18:53):
Um, and you know, I'm assuming you know, with 25 beds I mean,
it was probably a little bit more overwhelming than anything.
And how have you kind of learned from that experience
into now serving it and providing more overarching
services and being able to take on a little bit more of some
(19:16):
type of virus or illness?
Speaker 2 (19:19):
Yeah, yeah, no,
that's a really good question,
Blake, and I'll approach it in a number of different ways.
So the first is from the patient.
So, from a patient perspective, what was actually really
interesting is that we actually saw a decrease in our inpatient
census and also our primary care visitation, and we think that
(19:41):
the reason is that, because we're remote, because there are
transportation, a lot of our patients have transportation
challenges.
They either don't drive or they can't drive any longer.
People just weren't able to get here.
Also, there was a general sense here in our community and I
(20:02):
can't really speak for a lot of other communities, although I've
heard, you might, you know, I have heard and read other
articles about how other communities have this phenomenon
as well.
You might pin this as a point of research is that a lot of
people in rural communities felt like they just wanted to shelter
in place and they put off a lot of their medical needs, and so
(20:26):
that was very instructive for us, just in terms of, you know,
kind of developing not only communication strategies to our
patients but also, perhaps, you know, preparing, you know, I
guess, a more robust transportation strategy in the
case of a future pandemic.
So we have been working with our local ambulance company and
(20:47):
other medical transport companies to kind of, you know,
develop a, develop a strategy, just in case Right.
So then, from a you mentioned a networking point of view point
of view, before COVID there was a real sense that we were kind
(21:10):
of out here on our own and that we were siloed, geographically
isolated.
We didn't really have a lot of connection with the state health
authority or the hospital association, let alone with
other critical access hospitals and rural facilities.
So during COVID, there were, you know, as you probably remember,
(21:31):
there were, like you know, millions and millions of
meetings happening, you know, just by virtue of us all being
isolated, but then also because everybody was trying to figure
out what was going on, particularly early on, and so I
can just remember, you know, being on meetings and meeting
after meeting, basically daily or by daily meetings where, um,
(21:52):
you know, with the state just trying to figure out like, why
is this money coming to our bank account, or where's the PPE?
Or you know the, you know, you know what PPE is.
I don't need to explain that to you, but I mean it's.
You know it was, it was daily, and that has really continued
after the pandemic we have a much closer relationship, not
(22:14):
only with our state health authority and the hospital
association, but also with state government.
We also have a really brokered, a deep relationship with our
reps, our local representatives, and so that was really a
(22:34):
takeaway for us to make sure that we had those connections.
Speaker 1 (22:39):
Yeah, no, I mean I'm
sure.
Yeah, it's changed a lot of things in health care.
Yeah, I'm serious.
Let's spin it back a little and talk about maybe some of the
cybersecurity threats that you feel like are particularly
affected more in a rural setting, did more in a rural setting,
(23:05):
Because obviously, like you know, you guys don't have the same
type of budget for cybersecurity and IT that some of the other
people we've talked to.
What do you feel are particularly challenging threats
to overcome for cybersecurity compliance, especially being in
a rural setting?
Speaker 2 (23:21):
Yeah, you hit the
nail on the head.
I mean, it's about budget and it's about making a conscious
decision to invest in cybersecurity just like any
other project.
And that's what we've done is try to spin it less as a, less
as a.
I think there's a kind of a.
You know, a lot of people have kind of an antiquated notion
(23:41):
about cybersecurity as being sort of like a nice-to-have and
not a must-have, and so, you know, we really have, you know,
kind of pitched it as a must-have for the success and
for the sustainability of the organization, and so we treat it
(24:04):
as a project and we've increased our cyber spend from
about 2% of our IS budget to just over 12% over the last well,
over the last four years.
And the reason for that is that we were subject to a ransomware
attack, and that was right before COVID hit.
So we had this.
(24:24):
Interestingly enough, Southern Coos had this series of really
unfortunate events in early 2020, which was our CEO was let go
right before COVID.
We had a major ransomware attack and then COVID.
So there was like it was a really hard first quarter of
(24:45):
2020 for us Not that it wasn't hard for everybody else either,
but at any rate.
So we were subject to a ransomware attack, which then
really instigated the investment into cybersecurity.
So, generally, I recommend a very formal and insistent
(25:06):
approach to cybersecurity as a must-have.
And in terms of outside threats I mean we are constantly on the
lookout for intrusion we really try to lock down our attack surface
through various means.
One of the key things we did, though back to the budgetary
(25:28):
constraints, is that we realized we didn't have the resources
nor the ability to insource our SOC center, and we really
decided that for us us as a small rural hospital it was best
to subscribe to a broker and, essentially, an MDR vendor.
(25:52):
So that has reduced the cost for us significantly.
It's still not cheap, right, but at the same time, there
really wasn't any way for us to build a SOC here on site, due to
our resource constraints, certainly.
Also, there is a certain a lot of rural areas deal with this
(26:18):
there is a certain skill gap in our workforce, certain skill gap
in our workforce.
We just there wasn't really anybody here, you know, in
Bandon particularly that you know was qualified to work in a
SOC.
Speaker 1 (26:30):
So so for us it just
really made a lot of sense to
you know, outsource that?
No, that makes a lot of sense.
Yeah, I mean, costs are increasing, not only for IT, but
it seems that the compliance mandates are always changing,
yep, yep.
So, you know, I'm curious to punch in a little further, sure,
(26:55):
on how you guys kind of handle the ever-evolving, like HIPAA
policy updates, so like there's proposed updates for some time
this year.
They did some temporary changes in 2020.
And then you know, they had the phase two HIPAA audits in 2016.
(27:15):
You know, obviously they're trying to modernize, you know,
regulations and uh, and so I'm curious if you could punch in a
little further.
Um, talk about how you guys uh address those uh regulation
changes, how you stay on top of cyber security, um, and and
(27:37):
again, it seems like you're making every dollar effectively
act like 20 or $30, which is is crazy um to consider.
So, so, yeah, if you could touch on that.
Speaker 2 (27:51):
Yeah, I'd be happy to.
So, in terms of compliance, uh, we uh, we're certainly
compliant with HIPAA law.
Uh, however, we uh and I don't I think I don't I'm not alone in
this, and I think a lot of other CIOs and IT professionals
are on board with the idea that HIPAA it's a very nice entry
(28:13):
point to compliance but in no way is updated for the current
threat environment.
I mean, it really is not.
And so we do it because we're required to.
We do find value in the HIPAA risk assessment In terms of
(28:36):
keeping up with well, I should say before that, but in order to
amend that, the HIPAA risk assessment, we also, you know,
we work with our MDR vendor to, you know, keep track of our
threat surface, our attack surface.
(28:58):
We have regular meetings with them, to you know, kind to
review our environment.
We do penetration testing through them.
We've also worked with Mindcast, our email protection vendor,
to do security awareness program.
(29:19):
It's a really robust security awareness program focused on the
end user, and one of the reasons we do that is because
end users are often the kind of the weakest link in the chain,
and so we do a lot of education throughout the year, you know,
specifically focused on our end users and we do things like we
(29:43):
do social engineering tests, like sending an ad or something
to someone saying, hey, if you click on this link, then Right
the FN links.
And so we do a lot of that, a lot more than is required.
So, again, we've really taken the tact that the current
(30:05):
requirement for HIPAA is not sufficient for us any longer.
We need to do more, and that will position us for immediate
compliance, hopefully improved compliance laws.
I can't really comment on the HIPAA proposal.
(30:29):
I've read the proposed changes.
I think that they're.
I mean, the most general comment I will make is that it
is in the right direction. Because, as I said, you know,
the HIPAA compliance laws are just not sufficient for the
current threat environment.
Speaker 1 (30:48):
Yeah, a lot of the
new proposed stuff again is
talking about kind of expanding patients' rights and how they
can access their health data a little bit more efficiently, yep,
tightening some of those timeframes that are required for
record deliveries, and then just transparency around fees
(31:09):
and copies of health records.
And then, you know, talking about addressing some of the
cybersecurity expectations around, like encryption or like
MFAs or like utilization of cloud storage, which, you know,
none of those things really existed in 1996, when this thing
rolled out.
(31:29):
And so, yeah, and then now I mean, if you look at 2020, how
you know a lot of the telehealth or the conferencing platform,
Zoom, Teams, things like that you know they weren't particularly
compliant with HIPAA and then so you started to see a push in
2020 for that because telehealth was on the rise, yes, so, so
(31:51):
again, yeah, I mean it's, it's evolving and it's going in a
good direction.
And yeah, I mean a lot of people that we've talked to you
know, when you said that your budget, you know, like you like
almost like 10x your budget, I was like geez, you know, that's
kind of crazy because you know, most of the time, people don't
understand the importance of investing in cybersecurity until
(32:13):
you know something happens, like in your case, it's always
oh cool, like it's never going to happen to us until it does?
You know a lot, a lot of people and a lot of uh, not only
businesses, but you know even uh um, like hospital networks.
Take that same approach, you know which is which is scary,
which is really scary?
Speaker 2 (32:34):
Yeah, I'll just make
a couple comments on that, Blake,
because you bring up a couple good points.
One is that, um, what really, what really drove us to
particularly MFA, but also some of the other cybersecurity
improvements, was our insurance and, frankly, they started
(32:56):
requiring MFA.
I think maybe two or three years ago.
Maybe it was optional three years ago, but two years ago
they did start requiring it to get a lower rate.
So we had already done that, we'd already implemented MFA.
So we were there, but when it was not required, we took note
of that and then that really accelerated our adoption and
(33:20):
deployment of the MFA program particularly.
So there are multiple inputs here and multiple triggers.
They're motivating organizations like ours to
improve our defenses.
So I just want to make note of that.
Speaker 1 (33:35):
Yeah, no, I'm curious
to talk a little bit too on how
you've invested in technology, especially cybersecurity
technology.
I know you said that your, your security operations center is
outsourced, which is, you know, a huge kind of uh like fee.
That I mean because the technology just investing in
hardware and then managing it and then making sure the drives
(33:58):
are, I mean it's just all the fun stuff, right, that you would
expect with managing on-prem hardware, um, but how how has
Southern Coos uh invested in, I mean beyond uh, the SOC?
Like how have you guys invested in in security?
Speaker 2 (34:17):
Yeah, we also
invested in a zero trust uh
vendor um and uh cloud and they've been a great partner for
us.
We have a number of remote workers, so that was something
we really wanted to lock down.
During COVID we actually had a different vendor and then we've
recently switched to Cloudflare, which we think is a superior
(34:39):
vendor and product.
So that's a main one.
Another investment has actually been in and this is kind of
peripheral but investing in our help desk solution.
We're just in the midst of transitioning from a kind of a
free model that didn't have a lot of functionality to a paid
(35:02):
model that gives us a lot more functionality so we can triage
things very quickly and easily.
And again, I guess I'll highlight again that security
awareness training.
I can't stress the importance of that.
It is very important for us, for the obvious reasons, but also
(35:25):
because people forget, right.
I mean, we have, we're asking people to do their daily job,
areas that they are experts in, and then we add on this thing
that they, you know, that they feel, you know, in certain
regard they feel like it's you know, kind of a you know it's
not really necessary, and or they feel like it's like, oh,
(35:47):
you know, they feel kind of burdened by it and they are, but
it is an essential burden, in my view, that they, that they
take part in the security awareness training.
Speaker 1 (35:56):
Yeah no, I mean it's
so important, I mean it's so,
it's so affordable too.
Speaker 2 (36:02):
Yeah, and one more
thing is that we just recently
revamped our asset management tool and our approach.
Where we are, you know, keeping much better track of every
single piece of hardware that we have in our ecosystem.
You know again, driven, you know, driven largely because of
(36:23):
because remote workers, and then also, you know just, you know
we were doing it, you know pretty well, but, but now we can
really really dive into every single piece.
Speaker 1 (36:35):
I mean, asset
management is so huge.
Yeah, asset management, security awareness training yeah,
definitely go a long way yeah.
Speaker 2 (36:47):
Sorry, go ahead.
Speaker 1 (36:48):
No, I said yeah, yeah,
I was agreeing with you I'm
curious too because, um, you know, being in a rural situation
and you guys probably face I mean, I'm sure you guys have
obviously faced some some crazy emergent situations, emergency
like patients that have come into the ER and you guys have
(37:09):
had to, you know, work with other hospital networks, like
explain how that particularly is handled from Southern Coos you
know transferring, you know data and information, patient
records to uh other uh network hospitals with outside the
network or other health systems.
(37:30):
Um but but how, how?
How have you guys managed to to uh, to efficiently do some
things like that?
Speaker 2 (37:39):
Yeah, that's a great
question.
So I'll frame this from a functional standpoint and we as
a critical access ED and then we'll transfer to a higher level
of care if needed, if warranted from a diagnostic standpoint.
(38:09):
So and in fact we often have we often will instruct our, you
know, being mindful of federal EMTALA law.
We will often work with our first responders to divert
patients to a higher level of care if needed.
So, for example, if it's like an MVA and you know there's just
(38:33):
we just don't have the capacity nor the you know, the equipment
to triage even a motor vehicle accident, they will often go to
a higher level of care facility.
So that is our model For those patients that do come here and
we treat, stabilize and then transfer.
(38:56):
From a medical record standpoint, converting to Epic has been a
game changer for us.
Epic has a you'll have to check this on me, but I believe that
it's about a 75% market share in Oregon.
It's very high and on the West Coast, which is about two hours
east, we often have air flights to Portland for neurological
(39:32):
issues like stroke or aneurysms.
The ability for us to immediately transfer records on
that patient has been a game changer for us.
Now that we're on Epic.
A lot of those medical facilities are on Epic so we can
(39:56):
essentially transfer medicalrecords with the click of a
button, whereas, you know, withour former system, because it
was not Epic, it would typicallytake, you know, 30 minutes an
hour, if not more, depending onyou know, depending depending on
on you know, the patient, youknow their, the extent to their
medical records.
So we, it's it's just been froman interoperability standpoint,
(40:18):
it has just increased oureffectiveness, increased our
speed and also increased ourpatient and family satisfaction
scores because we are able tosay yes to the family, like when
they ask for medical records tobe transferred, we can say yes,
they are there, you know, andget confirmation from the uh,
(40:41):
from the responding facility.
So that that, to us, has beenthe biggest change and has uh
really really increased our uh,our you know, kind of the trust
in the system.
Speaker 1 (40:54):
No, Epic has some
great products.
Um, actually, ironically, recently my, um, my, my doctors
switched over to Epic and just the the power of like MyChart,
like having having your records, like literally.
You know you talked about having an older demographic
(41:15):
there, but you know, particularly I've noticed just
how how much data I have in my fingertips.
You know, and I can monitor, like literally blood tests over
blood tests, and see the progression of of how like my
health has has changed, and I mean booking at a fingertip is
is it's incredible.
Speaker 2 (41:35):
It really is.
Speaker 1 (41:37):
And I'm I'm glad you
guys have have switched into
that.
It seems like it'll it'll make things a lot easier and it's a
great product.
Speaker 2 (41:42):
Yep definitely.
Speaker 1 (41:45):
You know you talked a
little bit about security
awareness training, but I'm curious if you could lean into a
little bit further how you foster a cybersecurity first
mindset around like doctors and the administrative teams, you
know.
How can you, you know, pass besides cybersecurity, you know,
(42:07):
the security awareness training?
How can you kind of foster and to have that think first click,
second approach?
Speaker 2 (42:15):
Right, that's good
and so I think for us it's an
ongoing project.
I'll just say that.
But our providers have adopted a lot of our cybersecurity
(42:38):
projects, programs, our initiatives, and that has gotten
easier over time.
Again, when it affects us, it is more tangible, it's something
that we can point to for our providers and say, look, this
happened to us.
It's not just a myth that people are getting attacked all the
(42:59):
time.
We can show them data, which I've started showing.
Data for the sort of general cyber attack frequency and
healthcare is increasing year on year.
It's increased exponentially, so I can show that data.
(43:22):
Also, as we are hiring providers, they are tending
younger and often they have.
First of all, they have experience with Epic right.
So they were often trained on Epic or Cerner, most often Epic,
and they have used Epic.
(43:44):
They understand the clinical workflows.
But then also from a cyber standpoint, they either have
been subject to an identity attack or they know of a
facility. Maybe they worked at a facility that had a cyber attack.
It's so common now it's actually really uncommon for
(44:05):
people not to have personal experience with a cyber attack
that more and more people are, more and more of our providers
are compliant and eagerly compliant.
Speaker 1 (44:15):
That makes sense.
I'm super curious to, from your role, your seat, how do you
measure success with your IT and IT initiatives and compliance,
and is there any particular metrics that you feel within
your organization that you tryto strive for?
Speaker 2 (44:38):
Well, yeah,
absolutely.
It's a good question because a lot of times we say we're kind
of pounding the drum in cybersecurity and people are
like, oh yeah, eye roll.
But I mean I think that so what we do is.
So I mentioned the security awareness we have statistics
about by department, what percentage compliance.
(44:59):
So we make that transparent.
We make that data transparent.
We also, in terms of the penetration testing and social
engineering tests that we do, we have statistics about who
clicked on what and then we can go back and you know kind of
(45:19):
work with the user who clicked to, you know, to further
education.
So we have clear statistics around that.
So that's, you know, from an education standpoint, those are
my success metrics.
Is that the higher we get in terms of compliance and the
lower we get in terms of, you know, clicking on phishing
(45:41):
emails, the better.
I will give you a quick anecdote.
The first time we did the penetration testing exercise not
penetration, I'm sorry the phishing email exercise I had a
bet with our CEO.
I said, oh, I'll bet that 50% of recipients will click on this
link and he said, no, I think it's going to be lower than that,
(46:02):
he said.
I think he said he thought it would be around 20, like 15 to
20%.
I was like you're on, so I had a bet and in fact it came in at
12%.
So you know all the education is.
You know that is a clear indication that education is
working.
Speaker 1 (46:20):
Yeah, totally.
Speaker 2 (46:23):
One other, one other
success metric on the kind of
the backend is the, our vulnerability scans and we are
we patch everything, or nearly nearly everything, and so the
you know the number of patches per month that you month.
That's a success metric for us.
We don't leave anything outstanding and then we make
(46:53):
decisions about.
I should say we don't leave any of the high criticality
vulnerability scans.
We don't leave those hanging, we patch those immediately.
There's thousands and thousands of lower priority that we don't
necessarily patch, but those high criticality vulnerabilities
we do scan and we do patch immediately.
Speaker 1 (47:17):
I'm curious, looking
forward into the future of
particularly rural healthcare is there any cybersecurity or IT
innovations that you feel are most exciting about being
implemented within your hospital network, or maybe things that
you're excited for that you've learned about recently that you
(47:38):
hope to uh kind of bring into the rural healthcare system?
Speaker 2 (47:42):
Well, it's going to
sound super dry, but anyway, um,
the uh, the thing that I'm most excited about excited about, I
think um, I don't know if it's what I'm most excited about I'm
really excited about right now, which is, uh, automatic log
review, and we have a real problem.
We just don't have capacity to review logs, and so there are
(48:06):
several products on the market for this, but we have not
invested in that yet.
However, it's on our roadmap and I think, even though we have
a pretty pretty good IS department for the size that we
are, I think that we can automate.
You know, we can automate that log review quite quite easily,
(48:30):
either by securing a third party vendor or even building an AI
agent internally.
Speaker 1 (48:35):
So yeah, no, I mean
all great answers and I know
this is kind of like a wish list thing here, but you're
particularly on the front lines and smaller communities and
serving patients from a cybersecurity perspective.
Um, what would make your job easier from a federal
(49:01):
perspective, you know, from a compliance perspective?
Like, is there is there things out there that I mean, obviously
we all have challenges within our careers, um, but is there is
there things that you feel like are super inefficient?
Um and then you know, how are you kind of uh combating those
or things that maybe you wish for in the future?
(49:21):
That would be a little bit more streamlined in a rural
environment.
Speaker 2 (49:26):
Yeah, that's a really
good question.
Let's see issues.
If we could have a single source of truth for all
regulatory issues including regulatory requirements,
(49:47):
including HIPAA, including cybersecurity, including state
regs, including CMS regulations if there was a single source of
truth and a clear roadmap to fulfilling those regulatory
requirements, that would make our jobs easier.
(50:08):
Every organization kind of has to piecemeal it together.
There is state support. In Oregon we have our office at
Rural Health is really active in kind of helping create that
roadmap and that single source of truth, but even they are, it
(50:28):
is very difficult to keep up.
So, if you know, what I would suggest is that there would be a
single set of guidelines that are clear, that each element is
clear and distinct, without any overlap, because there's lots of
overlap in the regulatory requirements and I think that
(50:50):
that would help us.
That would really help us from an efficiency standpoint.
I think also, I'm kind of pivoting a little bit, I think,
and I've suggested this at the state level, but it hasn't
really gotten anywhere yet.
I'm hoping that it might at some point in the future but
(51:11):
some sort of you know statewide or multi-state collaboration
around cyber security kind of setting, you know like
cybersecurity office from you know state to state. Kind of like
CISA, but for health right. Like CISA, except for health, and
(51:32):
also, you know, maybe that's state by state, maybe it is
federal right yeah, because CISA is.
And also I'm worried, right. Like right now I think CISA is under
fire a little bit.
I think you know, if, if the states were able to, you know,
kind of create something similar that had a, had a clear line to
federal requirements, right,that would be very helpful.
Speaker 1 (51:56):
I'm curious something
like that really exists?
Speaker 2 (51:59):
you know, like um no,
I just dropped that up one day.
Speaker 1 (52:03):
Oh, I mean, it seems
like it'd be efficient, like,
let's just say, for example, there was a hospital, a breach
that happened in, uh, in some part of Texas or something. Right,
and this is like here's, here's how it happened here.
Here was what we noticed, um, and here's how we fixed it.
You know some type of kind of like whiteboard that other
(52:24):
hospitals could read that says like oh cool, like or not cool,
but oh shit, you know a hospital in Texas was hit.
You know, like here's how, uh, here's what we need to look out
for, right, so kind of like a like a memo board for for health,
cyber attacks, right, yeah, it seems like something like that
(52:45):
should exist.
So that way, you know these, these smaller hospitals can can
mitigate risk and be more efficient.
Speaker 2 (52:52):
Yeah, that's, that's
that's I've had the idea of in
my mind, in the back of my mind for a long time,
because there are lots of, I guess,
message boards or tools out there for other kinds of
cybersecurity-related issues.
I mean, there are a million hacking sites, right, and
(53:15):
hacking message boards and things like that.
Yeah, yeah.
But I love that idea of just having kind of a centralized you
know a centralized repository or you know communication
platform in which people are, you know, sharing you know the
unfortunate attacks but then also sharing how they mitigated
the impact, you know tool, tips, that kind of thing.
(53:37):
So it needs to happen.
Speaker 1 (53:39):
It needs to happen.
Love it.
Um, we are at the top of our hour here and I feel like we
covered a lot we did, thank you appreciate it.
Yeah, your, your insight is amazing.
Um, again, like I said, it is super unique to have a
perspective like yours.
Um, together, information and and to, uh, to approach things a
(53:59):
little differently.
Um, and, and hopefully I mean our listeners I'm sure they'll
find a ton of value.
And seeing things the way that you see things, um, especially
coming from your background, you know having to make things work
uh, doubly, quadruply.
You know efficient and uh, and and growing from there.
So, um, is there anything you feel like we didn't talk about?
(54:22):
Or maybe that you had sitting in your back pocket, that you
were waiting to pull out?
Speaker 2 (54:27):
Well, just one, and
I'm not sure we have the time,
but I'll just talk about a very high level, which is AI and
innovation.
And so I will just say that I have been part of an advisory
council working with several folks to create a rural health
community the RHC that's what we're calling it so far.
(54:50):
We may rename it at some point in the future, but it's a very
we're in our in the very early stages of developing this, and
as part of work, I have also been developing, essentially, an
AI governance toolkit for rural health, and so I'm hoping that
that will be done in about a month or so.
(55:11):
And then what you know, it's somewhat self-serving because I
need the AI governance here at Southern Coos, because we're
deploying several AI tools and initiatives over the next year
and a half or so.
We also have some AI projects already in existence, so I
(55:32):
needed the governance.
But also because I believe in rural health and, again, a lot
of people don't have the capacity to develop it on their
own, and why should they really?
We're going to make that toolkit available to, you know,
any rural hospital that wants to utilize it.
Speaker 1 (55:49):
Is yeah, I mean, we
would love to share that
information with our listeners.
Is there any way that they could find or maybe get involved
or participate in your new project?
Speaker 2 (56:03):
Yes, uh, I may need to get back with you on that, but it's our
rural health community.
I can get you the URL just recently changed.
Um, I think I'll need to get that to you, that URL to you
yeah, no problem.
Speaker 1 (56:15):
thank you so much for
spending, you know, an hour
with us and sharing and yeah, we'll definitely stay in touch.
I look forward to getting those URLs and then not only that but
distributing those and helping kind of get the word out about,
you know, not only Southern Coos but, you know, helping you
(56:36):
know more people that are in the regulated health space
understand a little bit more about cybersecurity.
You know how they should be effectively implementing
strategies to secure their networks.
You know their patients and, yeah, you know I think a lot of
people can learn a lot from what you're doing there.
Speaker 2 (56:57):
Great.
Well, I really appreciate the opportunity to talk with you and
hope that your listeners get value out of this.
Speaker 1 (57:05):
Oh, they, totally
will, totally will.
Thank you so much for your time, Scott as well.
Speaker 2 (57:09):
Thank you, Blake.
Talk to you soon, all right, yes, sir, bye-bye, bye-bye.