A Conversation with Dean Smith: Why Medical Informatics Are Here to Stay
Government security industry veteran Dean Smith talks with Mike Murray about securing EHRs and the challenges of interoperability across health systems.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
Tune in to this episode of In Scope, where founder and CEO of Scope Security, Mike Murray, interviews Dean Smith regarding medical informatics. This is the healthcare security podcast, with the latest interviews, technical tips, and perspective on the ever-changing healthcare ecosystem. Mike opens the episode by briefly asking Dean how life is going, then quickly jumping into the conversation on medical informatics.
What is medical informatics? Learn about this advanced application of technology to medicine and medical care. Dean gets into the electronic health records, patient portals, telemedicine, and remote patient monitoring that merge the medical field with technology. While many assume it is “easy to secure paper records,” Mike asks Dean for his perspective from a security standpoint. What is the challenge with portable information? Should we go back to paper records? Don’t miss Dean’s crucial response regarding traceability and auditing capabilities with both systems.
The conversation continues as Mike and Dean discuss leveraging population health with electronically structured data and the issue of interoperability. Records look different across the various medical technologies and hospital systems, so how do we solve this problem to make the information useful to public health? Dean touches on interoperability with regard to both systems and security.
As the digital transformation has taken off, new devices have been leveraged and data is being gathered in unprecedented ways. Moving outside the hospital walls to remote spaces brings new network risks. Dean asserts that while access to data and information is key in the medical field, due to the life-threatening, urgent conditions being addressed, security should not be disregarded. He talks about the great advancements already made in security and how it is coming into play more and more as they work to secure medical data. Dean recalls a recent cyber attack at a hospital near him and the top “costs” that such events bring: financial cost, patient cost, and a loss of confidence and trust in the system.
This episode closes with a positive look to the future. Mike asks about the distribution of the security load and what the technological future of the medical field looks like. Quoting the adage “Let no crisis go wasted,” Dean sheds light on how COVID-19 has driven unprecedented advancements in moving care into individual environments, making virtual care more user-friendly for the patient and doctor. A host of advancements in general technology have been further catalyzed by COVID-19 to better the medical field we now know. Dean leaves the listeners to think about how these realities are opening the eyes of investors and leaders.
– Mike introduces guest Dean Smith.
– What is medical informatics?
– A security look at paper vs. digital records.
– Challenge of interoperability.
– The digital transformation and its risks.
– Recent cyber attack at a hospital.
– Positive aspects for the future.
– Opening the eyes of investors and leaders.
0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:17.9 Mike Murray: Hello and welcome to another episode of In Scope, The Healthcare Cybersecurity Podcast. As always, I’m Mike Murray, Founder and CEO of Scope Security. With me this week is Dean Smith, and I got introduced to Dean a few months ago by a close personal friend, and he’s just one of the most interesting people I’ve gotten to talk to in the healthcare ecosystem, in the last year. Dean spent much of the last 20 years at the US State Department, where he was doing all kinds of things around medical informatics, and is now, basically, a medical informatics consultant to the stars, for all intents and purposes. He’s the guy that understands that space and wherever I think about informatics and information flow and all of that stuff, security comes in, and we’ve had a couple of really great chats about security and information flow across the healthcare ecosystem. So I figured we’d have Dean on and we just shoot the breeze and see where we end up. But Dean, welcome. I hope my intro was a good one and let me know how you’re doing. How’s life?
0:01:23.5 Dean Smith: Oh, it’s good, Mike. Thank you for your very kind introduction. A little over the top. I’m not sure about [chuckle] informatics to the stars, but no, I’ve had a really wonderful career and very interesting experiences over the last… Certainly, the last few years, and it’s an interesting time for healthcare, in general, as we see it start to embrace technology and obviously a challenging time too, and how do you embrace these technologies in a safe manner. And again, you’ll speak to that here today, or this morning, I hope.
0:01:56.2 MM: Absolutely. So for the security people on the call, and I actually think I had to ask you this the first time we talked, what is informatics? Not everybody here is gonna know even what that field is.
0:02:07.1 DS: Sure. So informatics, medical informatics, is literally the application of technology to medicine, to medical care. And first right out of the gate, you think of electronic health records, and that, certainly, everybody, I think, is pretty conversant in that now. 90 plus percent of the United States healthcare providers use electronic health records. So our patients are using them now. They’re using patient portals, etcetera. So that’s informatics, but then there’s a lot… It segues into a lot of different fields, and we’re seeing it certainly with telemedicine now, or virtual medicine, remote patient monitoring. They’re just… Anywhere you see technology and healthcare combined, that’s informatics.
0:02:50.3 MM: That makes a lot of sense, and I think it’s really interesting that if you go back probably to when you started in your career in the ’90s and the 2000s, in the old days, when we had paper records, it was pretty easy to secure. It was hard… If you wanted to steal a million paper records, you needed a very large truck. You’ve presided over that transition. From a security perspective, I think it would be… I think there’s a lot of people who would be happy going back to paper, but what do you see as really the challenges as we’ve gone to this portable, easily, distributed way of getting that information? How do you think about the security challenge of that?
0:03:31.0 DS: Yeah, no, a great question, and I do date myself a little bit, because as you rightly point out, I did come up in healthcare with paper records and have been there during this transition, during this journey, to electronic records. Going back to paper themselves… ‘Cause we hear this argument a lot, “Paper is more secure and we should all go back to paper records,” and certainly, the EHR doom-sayers and naysayers out there, use that argument all the time. My first answer to that is, “Tell me who looked in your paper chart yesterday? Who had access to it? What did they do with that information?” There’s no traceability, there’s no accountability, there’s no auditing, real auditing, capability. So that then exposes a serious flaw, if you will, to paper records right out of the gate.
0:04:21.3 DS: And then of course, leveraging population health and metrics and all the things we can do, if we have electronic structured data just speaks to the power of EHRs, in general, and technology in medicine, and it’s here to stay. We’re not going back. That bell is not gonna get unrung, as they say. But my journey has been very interesting, again, coming up in the paper realm, and then seeing the transition, certainly in the 2000s, the aughts. As US healthcare system embraced technology, I had to do a little scrambling and actually ended up going back to school, if you will, and got a master’s in medical informatics, because it was a keen interest of mine, and as you pointed out, then I parlayed that education, that background, at the US State Department, where I was a medical officer in a leadership role and effectively became Chief Medical Information Officer at State for several years.
0:05:22.6 MM: One of the things that I think is really interesting, from an informatics perspective, is that consistency of data seems to be a real challenge. And from a security perspective, one of the things we’ve noticed is monitoring Epic, monitoring Cerner, monitoring MEDITECH, ostensibly, they’re all the same system or performs the same functions, but the data that comes out of them, the consistency on that, makes it a hard challenge, and I imagine across the medical informatics field, you see that data consistency challenge in spades, compared to what I’m looking at. Maybe talk about how do you solve that sort of problem around everything looking different and making it useful for the common audience. Like you were saying, like, population health across systems that have disparate data, that seems like a big challenge.
0:06:11.2 DS: Yeah, it’s huge, and what you’re speaking to is interoperability, which we don’t have, and there’s a lot of reasons that we haven’t really been able to achieve that to any real extent at least in the US marketplace. Obviously, our healthcare system doesn’t lend itself to that right out of the gate. There’s lots of competition, competitive, reasons why we don’t embrace interoperability. So we don’t embrace interoperability of information. So a lot of times, patients’ information doesn’t flow from system to system as they may move or change healthcare providers or systems. And similarly, there is lack of interoperability in terms of security and network security and we’re seeing this, right now, in the US, where we have some healthcare systems, literally, shut down in the last week or two because of security network flaws that they’ve experienced. So it’s a huge issue. HHS, our Department of Health and Human Services, has a whole division informatics specialists that are working on this. There’s certainly some legislative efforts being pushed, right now, to increase interoperability, and I think we’ll get there, but it’s a journey again. It’s not… And it’s certainly not one that’s completed as yet.
0:07:29.8 MM: And the thing that I think is interesting is, and you and I were talking about this a little bit before we started recording, but these are all challenges, so far, that you and I have talked about, that are within the four walls of the hospital. The new thing that we hear, that you hear all about, is patient control of their own data, data portability for the patients to be able to take it with them, moving medical care to the home and telemedicine. Like, 2020 has been… There was a healthcare CIO I was talking to a few months ago who said, “We just underwent three years of digital transformation in three weeks,” and I know you’re at the forefront of that, and you spend a lot of time thinking about those sorts of ideas, but maybe comment on that challenge. Like, as we move outside the four walls of the hospital, it starts to be even more difficult to keep interoperability and security around this data.
0:08:21.6 DS: Yeah, no, absolutely, and healthcare is again, slow to the dance, if you will, and it’s been slow to embrace technology in many ways, and we see that with the Internet of Things, if you wanna use that expression. Where, you go into any hospital, certainly any intensive care unit, emergency room, surgical suite, you see a ton of devices, monitors, and defibrillators, and pulmonary devices, etcetera, etcetera. Well, all of these are now being put on the network, being put online and being automated for good reason, and then you can then leverage that to move outside the walls of the hospital. And anything you can do to keep a patient out of the hospital, these days, certainly during COVID, is welcome news, but that does, then, expose new risks, exposes new network risks, new security risks, that really have to be taken into account. And taking a step back, healthcare, in general, has been very slow to embrace security. Healthcare specialists, your average doctor, nurse, clinician, is about taking care of the patient, immediately, and a lot of times the problems… Let’s face it, the problems are immediate. It’s life, death, whatever. So it’s about access, access to data, access to information and I gotta have it now. I can’t wait for a network patch to happen next week. That’s fine and good, but I need access.
0:09:50.5 DS: So if you look at the continuum of access of data and security of data, healthcare is way out here in access and security is down the totem pole, if you will. Now, that is changing and that balance is changing, and I’ve certainly seen that in working at the US State Department, which is obviously a very… I don’t wanna say a risk-averse, but is an entity, an organization, that is very much keen on securing information. And so, taking some of the lessons that I learned there, and I can now apply that as I advise clients and entities about encryption at rest and in motion, and why is that important, and what do you gain from that? We’re seeing these cyber attacks, right now, that have just really crippled, as I mentioned, crippled some healthcare systems, and there’s real costs there… There’s monetary costs, obviously, you lose productivity, you shut down your hospital, essentially, for a week or two, certainly for elective procedures, that’s a real hit to the bottom line. And I just read one of the hospital networks… One of the hospital systems near me, got, recently, had a cyber attack, they have to replace over 2000 computer systems, now, in their network that got infected, and that’s not gonna come at a small price tag. Right?
0:11:15.8 MM: Nope.
0:11:16.1 DS: And so you look at the cost. So there’s financial costs, obviously, a big hit, and we may wanna touch more on. There’s obviously a real patient cost. You’ve got morbidity and mortality. We saw the recent reported death in Germany as a result of a cybersecurity issue. People get hurt with this stuff and you can’t underestimate that or under-emphasize the importance of that, but I think a third cost that doesn’t get attention is a cost of loss of confidence, and it’s a loss of confidence in the system, and you see it on the practitioners, the clinicians, after they’ve had one of these ransomware or shut-down attacks, they don’t feel like they’re, “Do I wanna put data in that EHR anymore? I don’t know.” They may have to go in later and upload all kinds of data that got missed during the two weeks that they were shut down, but I think we’re also seeing a loss of confidence in our patients.
0:12:17.1 DS: They know, “Boy, is my data secure? Can I trust this?” And we’re having a hard enough time, right now, to embrace technology in healthcare, and so when you have a loss of confidence and trust in it, it really just makes that journey that much harder.
0:12:31.0 MM: Yeah, no doubt, and it’s interesting when you talk to CEOs of hospitals, and I’ve had a few of these conversations lately, and you talk to them about how much they’ve spent, especially community hospitals, to build up the brand of trust with their patients, with their community, with their clinicians, across the entire ecosystem. They’re spending millions, tens of millions, in big systems, hundreds of millions of dollars to build this brand of trust with all those people, and you nailed it. We very rarely talk about the lack of confidence that is instilled when one of these events happens and how much that could actually cost you, not just in terms of dollar values, but in terms of how much you wasted in the last five years, that you just… If I spent $10 million a year, for the last five years, I can wipe that all out with one big incident.
0:13:24.3 DS: Oh, absolutely, and I think the studies aren’t there yet, but we will see long-term studies that look at that cost, and if I’m a patient… And we’re gonna see this with COVID, too, in there, ’cause there’s similarities there, and we know that during COVID, hospitals had to shut down, in terms of elective procedures. So if you were a patient who needed routine screening for colon cancer, you might put off your colonoscopy, your colon cancer screening test, you might put off… If you’re a woman, you might put off your mammogram or some of these routine things, you wonder how many conversations are gonna be held, in the future, between a clinician and patient, where the clinician says, “Gosh. We missed… We didn’t get that colonoscopy done on you last year, and unfortunately, you got something bad now,” and that’s a cost, and the same thing applies, I think, in some of these cybersecurity events, where elective stuff gets turned off, loss of confidence, patients put off things and down the road, there’s gonna be a cost to be paid. We don’t know what that cost is yet, and again, I think studies in the coming years, will look at it and tell us what that true cost is, but I don’t think you have to think too far outside the box to realize that there is a significant pain ahead from this stuff.
0:14:45.9 MM: Absolutely. So with that, let’s not end on such a down note. You’re spending a lot of time thinking about Telehealth and that sort of future, and I think there’s a real positive to that future. If for no other reason than it does sort of distribute the security load, a little bit. When you can get the patients outside the four walls, that creates a new threat environment, but it also potentially gives some interoperability advantages. But maybe you just wanna talk about, what do you see as far as the future of the hospital and the technological future? Are we pushing medical devices into the home and the like?
0:15:20.8 DS: Yeah, we are. We’re certainly not there yet, and I think, check back in five, 10 years and we realize we’re in our infancy, now, but there’s that old adage, “Let no crisis go wasted,” and we’re seeing with COVID, again, what can we do to move care into a virtual environment to the extent that it can be done safely, with equal outcomes. So that’s happening, even as we speak. There’s a host of regulatory changes that are occurring to make virtual care, Telehealth care, much more user-friendly for the clinicians and the patients. So the regulations have been, I don’t wanna say relaxed, but certainly, I think aligned with what the reality is. We’re seeing pay parity where, historically, clinicians didn’t get paid for telemedicine or for virtual care, at least to any degree close to what they would do inside the brick and mortar space. So all of these forces are occurring to push care out, concurrent with the technology itself, which Moore’s law, everything is getting smaller and faster, etcetera, etcetera. And so, the devices can be taken home, can be used to monitor patients, and that data that can then be shared real time or asynchronously with nursing care, with specialists, even globally.
0:16:43.6 DS: So there’s a host of things that can be done. I’ve seen some work on virtual intensive care units. Again, planning for COVID, when an ICU in a region… When ICU network hits capacity, what do you do with those patients? It’s hard to move really critically ill patients three states away where they may have an open ICU bed. So how do you take care of some of these folks? So again, there’s a host of things primarily driven by COVID, but also tethering into just the advances in technology we’re seeing, and it’s exciting time. Again, not everything is doom and gloom, and there’s a lot that can be done to improve our security posture in healthcare. I think a lot of healthcare systems are finally waking up to that fact, all it takes is… Like, we were talking about, one of these ransomware or denial of service attacks or whatever, to open the eyes of administration and say, “Oh, my gosh, we got to invest in this. This is just as important as having surgical suites and all kinds of fancy toys.” So…
0:17:48.9 MM: Absolutely, and with that, that was fantastic, and thank you so much, and thank you for being here today. Tell the audience where they can find more of you in social media, things you’re doing, things you’re writing.
0:18:02.2 DS: Yeah, no, so I actually, since “Retiring” from State Department, I’m not fully retired. I set up a little consulting, LLC. It’s called Cascade Clinical Informatics, referencing the fact that I’m based out of Oregon, but I do a lot of consulting in the federal space, some international work, serve as a chief medical officer, consulting chief medical officer, for a couple of different organizations. So that’s keeping me plenty of busy. Been collaborating with a specialist at George Washington University to write a book on virtual healthcare in emergency medicine space, and that should be coming out soon, but really, LinkedIn, you can put it in, Dean Smith or Cascade Informatics, and it’ll pop-up and you can learn more about me there.
0:18:58.5 MM: Right on, and we’ll put that in show notes so people can find you. Dean, thanks again. This is fascinating, as always, and really enjoyed it and we’ll have you back on some time and we’ll talk about other things. I love it. Thanks so much.
0:19:12.1 DS: Hey, Mike, this has been great too, and I think all this stuff is moving so quickly, it’ll be interesting to see, next time we chat, where we’re at.
0:19:20.0 MM: Exactly. Thank you so much.
0:19:21.7 DS: Okay. Take care my friend.
0:19:23.8 MM: Thanks.
0:19:24.8 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up or you can listen on Apple podcasts, Spotify, or Stitcher, and if you have ideas for topics, guests, or technical tips, please contact us at [email protected]
ABOUT THE GUEST
Dr. Dean Smith has over two decades of clinical, health informatics, and operational leadership expertise from the U.S. Department of State’s Bureau of Medical Services, as well as recent experience as Chief Medical Officer (CMO) in the private sector.
Dr. Smith, a licensed, board-certified physician, entered the Foreign Service as Medical Officer in June 2000. During his State Department tenure, he served as Senior Advisor for Medical Informatics from 2008 to 2018, and led a team that implemented synchronous telemedicine at U.S. diplomatic missions worldwide. They also developed a Medical Capability Information database of global medical resources with algorithms for management of over 40 common diseases. He has experience with VistA (Veterans Affairs EHR) and AHLTA (Department of Defense EHR), as well as NextGen and Epic (commercial EHRs).