Encrypted Ambition: Where Ambition Meets Encryption - Inside The Minds Of Disruptors.

From Ransomware to Recovery: How One Rural Hospital Transformed Its Cybersecurity

Craig Petronella


Nestled along the scenic Southern Oregon coast, Southern Coos Hospital faces a unique set of challenges that many healthcare organizations never encounter. With just 25 beds serving a rural population of about 15,000, this critical access hospital demonstrates remarkable innovation in stretching limited resources while maintaining robust cybersecurity practices.

Scott, the hospital's CIO who transitioned from fundraising and marketing into healthcare IT, shares the compelling story of how a ransomware attack just before COVID-19 transformed their approach to cybersecurity. This pivotal moment prompted Southern Coos to increase their cybersecurity budget from a mere 2% to over 12% of their IT spending - a decision that positioned them ahead of many similar-sized facilities in protecting patient data.

The conversation delves into practical strategies that resource-constrained healthcare organizations can implement immediately: outsourcing Security Operations Center functions to specialized vendors, prioritizing security awareness training for staff, and making strategic investments in asset management tools. Scott's candid assessment of HIPAA's limitations ("a nice entry point to compliance but in no way updated for the current threat environment") demonstrates the gap between regulatory requirements and actual security needs that healthcare organizations must bridge themselves.

Perhaps most transformative for this rural hospital was implementing Epic's electronic health record system, which revolutionized how they transfer patient records during emergencies. What once took 30+ minutes now happens "with the click of a button" - a game-c

This is Encrypted Ambition—a podcast about the builders rewriting the rules. Join Petronella Technology Group as we decode the ideas, challenges, and momentum behind tomorrow’s business, technology, and leadership breakthroughs. 

That’s a wrap on this episode of Encrypted Ambition. Subscribe wherever you listen, and if today’s guest inspired you—leave us a review or share the show with someone in your circle.

To learn more about how we support innovators with AI, cybersecurity, and compliance, head to PetronellaTech.com, YouTube and LinkedIn


NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.


Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Speaker 1:

One second. Welcome to another episode here of Cybersecurity with the Petronella Technology Group. I am, of course, Blake Ray here. I am actually sitting down with Scott. Scott works at a small regional hospital, the Southern Coos Hospital. An interesting conversation we are going to have here about AI being in a rural hospital setting, making use of the frugal budget that I'm assuming your hospital has, and how to stretch every dollar in healthcare. Welcome to the episode.

Speaker 2:

Well, thank you, Blake. I really appreciate the opportunity to speak with you today.

Speaker 1:

Yeah, tell us about Southern Coos, tell us how you got to where you are, and tell us a little bit about yourself as well.

Speaker 2:

Perfect. Well, I'll start with myself and then lead into some of the initiatives at Southern Coos. I have been in healthcare only for about the last 10 years of my career. I grew up in fundraising and marketing, actually, and then took a turn to the IT world somewhat by necessity. I was working at Southern Coos as the primary fundraiser and marketer and demonstrated some facility with project management, started helping out the IT department and the admin staff with some projects and then moved over to the chief information officer role about eight years ago, and I have loved every minute of it. There have been many challenges that I'm sure we'll get into, but it was a great move for me and for my career. But also just learning the ins and outs of healthcare IT and then healthcare in general has been really enlightening for me personally and professionally.

Speaker 2:

Southern Coos Hospital and Health Center is a small critical access hospital. We're down here on the southern Oregon coast, we are licensed for 25 beds and our census has been growing dramatically over the last few years. We recently went live with Epic Community Connect and that's hosted by Providence Health Systems. So Providence is our host for the Epic instance and we just went live with them on December 7th. So in a certain regard we are still in a post-live optimization environment. So a lot of work to do optimizing the workflows, particularly around the clinical workflows. We've got a lot of those locked in but a lot that needs to be remediated.

Speaker 2:

And let's see Southern Coos Hospital. We've got a full service ED, 24-7 ED. We've got primary care, which is growing, and just hired a couple of family nurse practitioners. We've got two MDs on staff. We just hired a gynecological surgeon and we're in talks with the dermatology group, also with a general surgeon.

Speaker 2:

So over the last year or so, we've really kind of hit our stride in growth, trying to serve a very rural population. And just to give you kind of a quick idea of what our population looks like, we are in the town of Bandon, Oregon, which is where Southern Coos Hospital is. We do have about 3,200 people in the town of Bandon. However, our catchment area is more along the lines of about 15,000 people up and down the Southern Oregon coast. We are lucky to have the Bandon Dunes Golf Resort right in our backyard. It's a world-class facility and in fact Southern Coos Hospital is providing medical services for the 125th USGA Amateur Tournament, which happens in August. So we are developing a lot of partnership opportunities with Bandon Dunes and other businesses around Bandon and the Southern Oregon coast.

Speaker 1:

Yeah, I was doing some research before. I mean, it's beautiful there.

Speaker 2:

Yeah, it really is, I mean just the.

Speaker 1:

It's so scenic, yes, and it's also particularly amazing because I mean you guys got the best of both worlds. I mean you've got the state parks, I mean you've got tons of recreational sites, all types of natural preserves. I mean the coastline of Oregon. I mean, need I say more? It's stunning.

Speaker 2:

I'm really glad you brought that up, Blake, because we get a lot of people here for natural resource tourism and recreational tourism. In addition to the things you mentioned, we've got a significant network of biking trails and hiking trails. A lot of people come out here to wind surf. People come out to fish. People, you know, will bring their motor homes in or, you know, bring their tents and kind of camp for, you know, a month or two during the summer. It's a great place for recreational tourism.

Speaker 1:

Yeah, you guys are about four hours away from Portland, is that right?

Speaker 2:

Yeah, about four, four and a half, depending on how fast you drive and what time of day it is, but yeah, it's about four and a half north south. So we're out here right on the edge of the continent, so to speak, and we're very geographically isolated, which brings a lot of challenges which I'm sure we'll get into. But yeah, we have a lot of our patients will go to other locations for specialty care and sometimes primary care, depending on you know when, when they can get a, get an appointment.

Speaker 1:

So what has been kind of like the strategy that Southern Coos has tried to deploy in terms of service offering? I mean, you know, patient care. Like I'm sure you guys have a unique strategy, considering you said you have 25 beds in a town of about 3,200. What have been some of the priorities that you guys have focused on?

Speaker 2:

Yeah, that's a great question. So what we've done is we've done several studies on what we believe our community will need from a healthcare perspective. So one of the reports that we do is mandated by federal law. It's the Community Health Needs Assessment. Now that's done about every three years as required, and so ours is a couple of years out of date, so we'll do another one next year. In the meantime, we feel like three years isn't quite enough to get a handle on kind of what our demographics are showing in terms of where they're seeking health care, what kinds of services they need. And then for us to make an analysis on what we can do in-house as a small hospital and then what we can do to strengthen the communication with what we call tertiary medical facilities, those facilities that are maybe in Roseburg, Oregon, or Eugene, Oregon, or even in Portland, Oregon, that we can strengthen the communication between Southern Coos Hospital and those other organizations to ease the transition, or believe that we can implement fairly quickly at a reasonable cost for us and also that will have the greatest impact on our patients.

Speaker 2:

So, for instance, I mentioned dermatology. You might not think that dermatology would be a big issue, but we have a very elderly population. We also have a population generally that doesn't use a lot of sunscreen, which is odd because the Southern Oregon coast is cloudy about nine months out of the year and so people don't think they need to, but they do, and so we get a lot of skin cancers and things like that. So dermatology is one specific service line that we're developing. General surgery is another. Again, we have a lot of folks who need biopsies and need colonoscopies and endoscopies and just as kind of maintenance and preventative care. We also are looking at an orthopedic surgeon because, again, our population trends out elderly. A lot of folks are, you know, in wanting to have a knee replacement or a hip replacement. We want to be able to provide those services here.

Speaker 1:

Yeah, so that's kind of cool. I mean, it seems like you guys are taking a community first approach to health care, just kind of like doing consensus, seeing what the needs are of the community and building your hospital system around it, which is kind of a cool approach.

Speaker 2:

That's absolutely right, and it's an approach that is really brokered by necessity.

Speaker 2:

We feel that we can't, as a small community and I should say that we are community owned, meaning that we are not owned by a larger system we are part of a health district and it's a taxable district, and so we feel beholden and responsible to our community, which really motivates us to get as much community input about our current and future direction as possible.

Speaker 1:

Yeah, I mean that's an amazing approach. I'm curious, and this is probably something that a lot of our questioners are asked. I mean I've worked and we've talked with a lot of the bigger health systems, upstate New York, I mean New York City, I mean Los Angeles County. I mean you can imagine the amount of funding that goes into those healthcare systems. Curious to get your take on how funds are appropriated to smaller healthcare systems and how they're prioritized and what type of challenges you guys have being a rural provider and how you're addressing them.

Speaker 2:

Yeah, that's a great question. So, not to get too much in the weeds, but we are a critical access hospital, and that's a federal designation. So as a critical access hospital, we are eligible for a different, higher level of reimbursement than perhaps other hospitals are, and so what that means is that a lot of our expenses are reimbursed at a little bit of a higher rate. The critical access designation was created in the 90s in order to preserve rural health care facilities. Between '85 and '96 or so, hundreds of hospitals were closing. So Congress acted to create this designation essentially to preserve the safety net, and so we, you know again, feel very responsible for the utilization of the funds and the revenue that we bring in. We also get tax income from our constituents. So between those, you know, actually three revenue streams: the reimbursement, and then our regular fee for service, and then also our tax income.

Speaker 2:

We are very careful about what we spend our money on, basically, and so we've always got to keep our eyes on, you know, the bottom line, you know, month on month, but then also year on year, and kind of trying to make those strategic decisions and strategic investments that will bear fruit for us. You know, one, two, five years down the road. So that has been a challenge for us to kind of shift our thinking, particularly from the governance level and from our board of directors. We have a great board of directors. They're publicly elected, which is wonderful. However, there's no mandate that they have health care experience. So, you know, anyone can and by design, anyone can apply as a candidate and then be elected, and that's great because we want a wide variety of experience. There is a higher educational curve for new incoming board members just to kind of wrap their minds around the complexity of health care generally but then also rural healthcare.

Speaker 2:

And so you know, when we propose even, you know, small multi-million dollar projects, that takes a lot, of, a lot of, I guess, presentation and evaluation, just understanding all the vendors that are involved. I mentioned earlier that we had just gone live with Epic in December. That was the culmination of about a two-year project where we spent about a year evaluating, going through all the vendors. We came up with a total cost ownership for the entire project and we had a lot of negotiation with our board. They wanted to be sure and they should be, they wanted to be absolutely positive that this was the right path for us to go in, because if we had failed that would have crippled our hospital. So you know, every other rural hospital in America is going through the same evaluation in various forms, and so that bears a lot of risk. So we have to be absolutely sure that we have the right resources in place to make these projects successful.

Speaker 1:

I'm assuming the age-old adage of carpentry, which is measure twice, cut once, and your case is truly that.

Speaker 2:

It's measure, like you know, 12 times. Yeah, and you know, and the thing is, Blake, is that as we go through these evaluations, certain external environmental factors change, right, while we're making those evaluation decisions, and we might make a decision at the beginning of the process that, six, eight months into the process, we have to reevaluate because of some sort of external environmental change that we didn't have anything to do with. What I'm thinking of specifically are labor costs, or material costs, those kinds of things.

Speaker 1:

Yeah, I mean, and obviously, since you guys are super rural, I mean, the mandates don't change.

Speaker 1:

Like, you still have patients, you still have patient data. I mean, you still have to protect their data. You know, HIPAA doesn't change depending on your size. Yeah, exactly, and so I'm curious about, you know, what are some of the compliance challenges that face rural hospitals similar to yours?

Speaker 2:

Well, you forecasted this really well, Blake, in terms of making sure the data is getting into the system with a certain amount of accuracy and then, on the other side, making sure that we have the ability to pull that data into a reporting form that we can then report out to our regulatory agencies. You know, really, ever since COVID the regulatory burden has become pretty intense and there are lots of regulatory mandates now that weren't in place before COVID, and we feel very strongly we need to be compliant, and every other hospital does too. We have a quality department that we've been building up. That's been a strategy internally for us.

Speaker 2:

We started off with a single quality director and now we have a team of four, and two of those are data analysts, and so we're doing the same thing in clinical informatics, where we started off with no clinical informatics department a few years ago and then, when I came in, I identified that as a need.

Speaker 2:

So we've been slowly building up that department and really shifting from a I guess I would call it a break-fix model, both in quality and IS in clinical informatics, to a more kind of proactive data analytics model where, you know we have the staff to reset passwords and to replace printers and things like that.

Speaker 2:

But the higher value job description, I guess, in a certain regard, is to really dig into the more active data mining, and so we're really doing that. We're creating kind of a cross-departmental team between all those folks I talked about, clinical informatics, IS and quality, to really kind of formalize our reporting to regulatory agencies. We also have internal reporting that we'd like to do, particularly around provider performance, wanting to make sure that our providers are providing the best quality service to our patients as possible. So it's been a real journey for us, as I know it has been for a lot. As those regulatory burdens increase, we have, luckily and with some strategy, made that decision to increase staff and competencies around data analytics.

Speaker 1:

I'm glad that you also kind of brought up COVID. You know, obviously COVID was a huge kind of test and benchmark measurement for most of the hospitals and healthcare service providers that we've talked to. How did that kind of affect your hospital network? And you know, I'm assuming, with 25 beds, it was probably a little bit more overwhelming than anything. And how have you kind of learned from that experience into now serving it and providing more overarching services and being able to take on a little bit more of some type of virus or illness?

Speaker 2:

Yeah, yeah, no, that's a really good question, Blake, and I'll approach it in a number of different ways. So the first is from the patient. So, from a patient perspective, what was actually really interesting is that we actually saw a decrease in our inpatient census and also our primary care visitation, and we think that the reason is that, because we're remote, because there are transportation challenges, a lot of our patients have transportation challenges. They either don't drive or they can't drive any longer. People just weren't able to get here. Also, there was a general sense here in our community, and I can't really speak for a lot of other communities, although I have heard and read other articles about how other communities have this phenomenon as well, you might pin this as a point of research, that a lot of people in rural communities felt like they just wanted to shelter in place and they put off a lot of their medical needs, and so that was very instructive for us, just in terms of, you know, kind of developing not only communication strategies to our patients but also, perhaps, preparing, I guess, a more robust transportation strategy in the case of a future pandemic. So we have been working with our local ambulance company and other medical transport companies to kind of, you know, develop a strategy, just in case. Right.

Speaker 2:

So then, from a networking point of view, as you mentioned, before COVID there was a real sense that we were kind of out here on our own and that we were siloed, geographically isolated.

Speaker 2:

We didn't really have a lot of connection with the state health authority or the hospital association, let alone with other critical access hospitals and rural facilities.

Speaker 2:

So during COVID, there were, as you probably remember, millions and millions of meetings happening, just by virtue of us all being isolated, but then also because everybody was trying to figure out what was going on, particularly early on, and so I can just remember being on meeting after meeting, basically daily or twice-daily meetings with the state, just trying to figure out, like, why is this money coming to our bank account, or where's the PPE? You know what PPE is. I don't need to explain that to you. But I mean, it was daily, and that has really continued after the pandemic. We have a much closer relationship, not only with our state health authority and the hospital association, but also with state government. We also have really brokered a deep relationship with our reps, our local representatives, and so that was really a takeaway for us to make sure that we had those connections.

Speaker 1:

Yeah, no, I mean I'm sure. Yeah, it's changed a lot of things in health care. Yeah, I'm serious. Let's spin it back a little and talk about maybe some of the cybersecurity threats that you feel like particularly affect a rural setting more, because obviously, you know, you guys don't have the same type of budget for cybersecurity and IT that some of the other people we've talked to have. What do you feel are particularly challenging threats to overcome for cybersecurity compliance, especially being in a rural setting?

Speaker 2:

Yeah, you hit the nail on the head. I mean, it's about budget and it's about making a conscious decision to invest in cybersecurity just like any other project. And that's what we've done, is try to spin it less as a nice-to-have. I think there's a kind of, you know, a lot of people have kind of an antiquated notion about cybersecurity as being sort of like a nice-to-have and not a must-have, and so we really have kind of pitched it as a must-have for the success and for the sustainability of the organization, and so we treat it as a project and we've increased our cyber spend from about 2% of our IS budget to just over 12% over the last four years. And the reason for that is that we were subject to a ransomware attack, and that was right before COVID hit. So we had this.

Speaker 2:

Interestingly enough, Southern Coos had this series of really unfortunate events in early 2020, which was our CEO was let go right before COVID. We had a major ransomware attack and then COVID. So it was a really hard first quarter of 2020 for us, not that it wasn't hard for everybody else either, but at any rate. So we were subject to a ransomware attack, which then really instigated the investment into cybersecurity. So, generally, I recommend a very formal and insistent approach to cybersecurity as a must-have.

Speaker 2:

And in terms of outside threats, I mean we are constantly on the lookout for intrusion. We really try to lock down our attack surface through various means. One of the key things we did, though, back to the budgetary constraints, is that we realized we didn't have the resources nor the ability to insource our SOC, and we really decided that for us as a small rural hospital it was best to subscribe to a broker and, essentially, an MDR vendor. So that has reduced the cost for us significantly. It's still not cheap, right, but at the same time, there really wasn't any way for us to build a SOC here on site, due to our resource constraints, certainly. Also, there is a certain skill gap in our workforce, and a lot of rural areas deal with this. There wasn't really anybody here, you know, in Bandon particularly, that was qualified to work in a SOC.

Speaker 1:

So for us it just really made a lot of sense to, you know, outsource that.

Speaker 1:

No, that makes a lot of sense. Yeah, I mean, costs are increasing, not only for IT, but it seems that the compliance mandates are always changing. Yep, yep. So, you know, I'm curious to punch in a little further, sure, on how you guys kind of handle the ever-evolving HIPAA policy updates. So, like, there's proposed updates for some time this year. They did some temporary changes in 2020. And then, you know, they had the phase two HIPAA audits in 2016. You know, obviously they're trying to modernize regulations, and so I'm curious if you could punch in a little further. Talk about how you guys address those regulation changes, how you stay on top of cybersecurity, and again, it seems like you're making every dollar effectively act like 20 or $30, which is crazy to consider. So, yeah, if you could touch on that.

Speaker 2:

Yeah, I'd be happy to. So, in terms of compliance, we're certainly compliant with HIPAA law. However, I think I'm not alone in this, and I think a lot of other CIOs and IT professionals are on board with the idea that HIPAA is a very nice entry point to compliance but in no way is updated for the current threat environment. I mean, it really is not. And so we do it because we're required to. We do find value in the HIPAA risk assessment. In terms of keeping up with, well, I should say before that, but in order to amend that, the HIPAA risk assessment, we also work with our MDR vendor to keep track of our threat surface, our attack surface.

Speaker 2:

We have regular meetings with them to, you know, kind of review our environment. We do penetration testing through them. We've also worked with Mimecast, our email protection vendor, to do a security awareness program. It's a really robust security awareness program focused on the end user, and one of the reasons we do that is because end users are often kind of the weakest link in the chain, and so we do a lot of education throughout the year, specifically focused on our end users, and we do things like social engineering tests, like sending an ad or something to someone saying, hey, if you click on this link, then Right the FN links. And so we do a lot of that, a lot more than is required.

Speaker 2:

So, again, we've really taken the tack that the current requirement for HIPAA is not sufficient for us any longer. We need to do more, and that will position us for immediate compliance with, hopefully, improved compliance laws. I can't really comment on the HIPAA proposal. I've read the proposed changes. I mean, the most general comment I will make is that it is in the right direction because, as I said, the HIPAA compliance laws are just not sufficient for the current threat environment.

Speaker 1:

Yeah, a lot of the new proposed stuff again is talking about kind of expanding patients' rights and how they can access their health data a little bit more efficiently, yep, tightening some of those timeframes that are required for record deliveries, and then just transparency around fees and copies of health records. And then, you know, talking about addressing some of the cybersecurity expectations around, like encryption or like MFAs or like utilization of cloud storage, which, you know, none of those things really existed in 1996, when this thing rolled out.

Speaker 1:

And so, yeah, and then now I mean, if you look at 2020, a lot of the telehealth or the conferencing platforms, Zoom, Teams, things like that, you know they weren't particularly compliant with HIPAA, and so you started to see a push in 2020 for that because telehealth was on the rise. Yes, so, again, yeah, I mean it's evolving and it's going in a good direction. And yeah, I mean, a lot of people that we've talked to, you know, when you said that you almost 10x'd your budget, I was like geez, you know, that's kind of crazy because, most of the time, people don't understand the importance of investing in cybersecurity until something happens, like in your case. It's always, oh cool, like it's never going to happen to us, until it does.

Speaker 1:

You know, a lot of people, and not only businesses but even hospital networks, take that same approach, which is scary, which is really scary.

Speaker 2:

Yeah, I'll just make a couple comments on that, Blake, because you bring up a couple good points. One is that what really drove us to, particularly, MFA, but also some of the other cybersecurity improvements, was our insurance, and, frankly, they started requiring MFA. I think maybe two or three years ago. Maybe it was optional three years ago, but two years ago they did start requiring it to get a lower rate. So we had already done that, we'd already implemented MFA. So we were there, but when it was not required, we took note of that, and then that really accelerated our adoption and deployment of the MFA program particularly. So there are multiple inputs here and multiple triggers. They're motivating organizations like ours to improve our defenses. So I just want to make note of that.

Speaker 1:

Yeah, no, I'm curious to talk a little bit too on how you've invested in technology, especially cybersecurity technology. I know you said that your security operations center is outsourced, which is, you know, a huge kind of fee. I mean, because the technology, just investing in hardware and then managing it and then making sure the drives are, I mean it's just all the fun stuff, right, that you would expect with managing on-prem hardware. But how has Southern Coos invested in, I mean, beyond the SOC? Like, how have you guys invested in security?

Speaker 2:

Yeah, we also invested in a zero trust vendor and cloud, and they've been a great partner for us. We have a number of remote workers, so that was something we really wanted to lock down. During COVID we actually had a different vendor and then we've recently switched to Cloudflare, which we think is a superior vendor and product. So that's a main one. Another investment has actually been in, and this is kind of peripheral, but investing in our help desk solution. We're just in the midst of transitioning from a kind of a free model that didn't have a lot of functionality to a paid model that gives us a lot more functionality so we can triage things very quickly and easily. And again, I guess I'll highlight again that security awareness training. I can't stress the importance of that enough.

Speaker 2:

It is very important for us, for the obvious reasons, but also because people forget, right. I mean, we're asking people to do their daily job, areas that they are experts in, and then we add on this thing that they feel, in a certain regard, is not really necessary, or they feel kind of burdened by it, and they are, but it is an essential burden, in my view, that they take part in the security awareness training.

Speaker 1:

Yeah no, I mean it's so important, I mean it's so, it's so affordable too.

Speaker 2:

Yeah, and one more thing is that we just recently revamped our asset management tool and our approach, where we are keeping much better track of every single piece of hardware that we have in our ecosystem. Again, driven largely because of remote workers, and then also, you know, we were doing it pretty well, but now we can really dive into every single piece.

Speaker 1:

I mean, asset management is so huge. Yeah, asset management, security awareness training, they definitely go a long way, yeah.

Speaker 2:

Sorry, go ahead.

Speaker 1:

No, I said yeah, yeah, I was agreeing with you. I'm curious too because, you know, being in a rural situation, you guys probably face, I mean, I'm sure you guys have obviously faced some crazy emergent situations, emergencies like patients that have come into the ER and you guys have had to, you know, work with other hospital networks. Like, explain how that particularly is handled from Southern Coos, you know, transferring data and information, patient records, to other network hospitals outside the network or other health systems.

Speaker 1:

But how? How have you guys managed to efficiently do some things like that?

Speaker 2:

Yeah, that's a great question. So I'll frame this from a functional standpoint. We are a critical access ED, and then we'll transfer to a higher level of care if needed, if warranted from a diagnostic standpoint. And in fact, being mindful of federal EMTALA law, we will often work with our first responders to divert patients to a higher level of care if needed. So, for example, if it's like an MVA and, you know, we just don't have the capacity nor the equipment to triage even a motor vehicle accident, they will often go to a higher level of care facility. So that is our model. For those patients that do come here, we treat, stabilize and then transfer.

Speaker 2:

From a medical record standpoint, converting to Epic has been a game changer for us. Epic has, you'll have to check this on me, but I believe that it's about a 75% market share in Oregon. It's very high, and on the West Coast, which is about two hours east, we often have air flights to Portland for neurological issues like stroke or aneurysms. The ability for us to immediately transfer records on that patient has been a game changer for us, now that we're on Epic.

Speaker 2:

A lot of those medical facilities are on Epic, so we can essentially transfer medical records with the click of a button, whereas with our former system, because it was not Epic, it would typically take 30 minutes, an hour, if not more, depending on the patient, the extent of their medical records. So from an interoperability standpoint, it has just increased our effectiveness, increased our speed, and also increased our patient and family satisfaction scores, because we are able to say yes to the family. Like, when they ask for medical records to be transferred, we can say yes, they are there, and get confirmation from the responding facility. So that, to us, has been the biggest change and has really increased, you know, kind of the trust in the system.

Speaker 1:

No, Epic has some great products. Actually, ironically, recently my doctors switched over to Epic, and just the power of, like, MyChart, having your records, literally... You know, you talked about having an older demographic there, but particularly I've noticed just how much data I have at my fingertips. I can monitor, literally, blood tests over blood tests and see the progression of how my health has changed. And booking at a fingertip, it's incredible.

Speaker 2:

It really is.

Speaker 1:

And I'm glad you guys have switched to that. It seems like it'll make things a lot easier, and it's a great product.

Speaker 2:

Yep, definitely.

Speaker 1:

You know, you talked a little bit about security awareness training, but I'm curious if you could lean in a little bit further on how you foster a cybersecurity-first mindset around, like, doctors and the administrative teams. How can you, besides the security awareness training, kind of foster that think first, click second approach?

Speaker 2:

Right, that's good. And so I think for us it's an ongoing project, I'll just say that. But our providers have adopted a lot of our cybersecurity projects, programs, our initiatives, and that has gotten easier over time. Again, when it affects us, it is more tangible; it's something that we can point to for our providers and say, look, this happened to us.

Speaker 2:

It's not just a myth that people are getting attacked all the time. We can show them data, which I've started showing: data for the general cyber attack frequency in healthcare, which is increasing year on year. It's increased exponentially, so I can show that data. Also, as we are hiring providers, they are tending younger, and often they have, first of all, experience with Epic, right? So they were often trained on Epic or Cerner, most often Epic, and they have used Epic. They understand the clinical workflows. But then also, from a cyber standpoint, they either have been subject to an identity attack or they know of a facility, maybe they worked at a facility, that had a cyber attack. It's so common now, it's actually really uncommon for people not to have personal experience with a cyber attack, that more and more of our providers are compliant, and eagerly compliant.

Speaker 1:

That makes sense. I'm super curious, too, from your role, your seat: how do you measure success with your IT and IT initiatives and compliance, and are there any particular metrics within your organization that you try to strive for?

Speaker 2:

Well, yeah, absolutely. It's a good question, because a lot of times we're kind of pounding the drum on cybersecurity and people are like, oh yeah, eye roll. But what we do is, so I mentioned the security awareness training: we have statistics by department on what percentage compliance. So we make that data transparent. We also, in terms of the penetration testing and social engineering tests that we do, have statistics about who clicked on what, and then we can go back and work with the user who clicked, for further education. So we have clear statistics around that. So from an education standpoint, those are my success metrics: the higher we get in terms of compliance and the lower we get in terms of clicking on phishing emails, the better.

Speaker 2:

I will give you a quick anecdote. The first time we did the penetration testing exercise, not penetration, I'm sorry, the phishing email exercise, I had a bet with our CEO. I said, oh, I'll bet that 50% of recipients will click on this link, and he said, no, I think it's going to be lower than that. I think he said he thought it would be around 15 to 20%. I was like, you're on. So I had a bet, and in fact it came in at 12%. So, you know, that is a clear indication that the education is working.

Speaker 1:

Yeah, totally.

Speaker 2:

One other success metric on the back end is our vulnerability scans. We patch everything, or nearly everything, and so the number of patches per month, that's a success metric for us. We don't leave anything outstanding, and then we make decisions about... I should say we don't leave any of the high criticality findings from the vulnerability scans. We don't leave those hanging; we patch those immediately. There are thousands and thousands of lower priority ones that we don't necessarily patch, but those high criticality vulnerabilities we do scan for and we do patch immediately.

Speaker 1:

I'm curious, looking forward into the future of, particularly, rural healthcare: are there any cybersecurity or IT innovations that you feel most excited about being implemented within your hospital network, or maybe things that you're excited for that you've learned about recently that you hope to kind of bring into the rural healthcare system?

Speaker 2:

Well, it's going to sound super dry, but anyway, the thing that I'm most excited about, I don't know if it's what I'm most excited about, but I'm really excited about right now, is automatic log review. We have a real problem: we just don't have capacity to review logs. There are several products on the market for this, but we have not invested in that yet. However, it's on our roadmap, and I think, even though we have a pretty good IS department for the size that we are, we can automate that log review quite easily, either by securing a third-party vendor or even building an AI agent internally.

Speaker 1:

So yeah, no, all great answers. And I know this is kind of like a wish list thing here, but you're particularly on the front lines in smaller communities, serving patients from a cybersecurity perspective. What would make your job easier from a federal perspective, from a compliance perspective? Like, are there things out there, I mean, obviously we all have challenges within our careers, but are there things that you feel are super inefficient?

Speaker 1:

And then, how are you kind of combating those, or are there things that maybe you wish for in the future that would be a little bit more streamlined in a rural environment?

Speaker 2:

Yeah, that's a really good question. Let's see. If we could have a single source of truth for all regulatory issues, including regulatory requirements, including HIPAA, including cybersecurity, including state regs, including CMS regulations, if there was a single source of truth and a clear roadmap to fulfilling those regulatory requirements, that would make our jobs easier. Every organization kind of has to piecemeal it together. There is state support. In Oregon, our Office of Rural Health is really active in kind of helping create that roadmap and that single source of truth, but even for them, it is very difficult to keep up.

Speaker 2:

So what I would suggest is that there would be a single set of guidelines that are clear, where each element is clear and distinct, without any overlap, because there's lots of overlap in the regulatory requirements, and I think that would really help us from an efficiency standpoint. I think also, and I'm kind of pivoting a little bit, I've suggested this at the state level, but it hasn't really gotten anywhere yet. I'm hoping that it might at some point in the future: some sort of statewide or multi-state collaboration around cybersecurity, kind of setting up, you know, a cybersecurity office from state to state. Kind of like CISA, but for health, right? Like CISA, except for health. And also, maybe that's state by state, maybe it is federal, right? Yeah, because CISA is...

Speaker 2:

And also I'm worried, right? Like, right now I think CISA is under fire a little bit. I think, if the states were able to kind of create something similar that had a clear line to federal requirements, right, that would be very helpful.

Speaker 1:

I'm curious, does something like that really exist?

Speaker 2:

You know, like, no, I just dropped that up one day.

Speaker 1:

Oh, I mean, it seems like it'd be efficient. Like, let's just say, for example, there was a hospital, a breach that happened in some part of Texas or something, right? And this is like: here's how it happened, here's what we noticed, and here's how we fixed it. You know, some type of kind of like whiteboard that other hospitals could read that says, like, oh cool, or not cool, but oh shit, you know, a hospital in Texas was hit.

Speaker 1:

You know, like, here's what we need to look out for, right? So kind of like a memo board for health cyber attacks, right? Yeah, it seems like something like that should exist, so that way these smaller hospitals can mitigate risk and be more efficient.

Speaker 2:

Yeah, that's an idea I've had in the back of my mind for a long time, because there are lots of, I guess, message boards or tools out there for other kinds of cybersecurity-related issues. I mean, there are a million hacking sites, right, and hacking message boards and things like that. Yeah, yeah. But I love that idea of just having kind of a centralized repository or communication platform in which people are sharing the unfortunate attacks, but then also sharing how they mitigated the impact, tools, tips, that kind of thing. So it needs to happen.

Speaker 1:

It needs to happen. Love it. We are at the top of our hour here, and I feel like we covered a lot. We did, thank you, appreciate it.

Speaker 1:

Yeah, your insight is amazing. Again, like I said, it is super unique to have a perspective like yours, together information and to approach things a little differently. And hopefully, I mean, our listeners, I'm sure they'll find a ton of value in seeing things the way that you see things, especially coming from your background, you know, having to make things work doubly, quadruply efficient and growing from there. So, is there anything you feel like we didn't talk about? Or maybe that you had sitting in your back pocket that you were waiting to pull out?

Speaker 2:

Well, just one, and I'm not sure we have the time, but I'll just talk about it at a very high level, which is AI and innovation.

Speaker 2:

And so I will just say that I have been part of an advisory council working with several folks to create a rural health community, the RHC, that's what we're calling it so far. We may rename it at some point in the future, but we're in the very early stages of developing this, and as part of that work, I have also been developing, essentially, an AI governance toolkit for rural health, and I'm hoping that will be done in about a month or so. And, you know, it's somewhat self-serving, because I need the AI governance here at Southern Coos, because we're deploying several AI tools and initiatives over the next year and a half or so. We also have some AI projects already in existence, so I needed the governance. But also because I believe in rural health, and again, a lot of people don't have the capacity to develop it on their own, and why should they, really? We're going to make that toolkit available to any rural hospital that wants to utilize it.

Speaker 1:

Yeah, I mean, we would love to share that information with our listeners. Is there any way that they could find, or maybe get involved or participate in, your new project?

Speaker 2:

Yes, I may need to get back with you on that, but it's our rural health community. I can get you the URL; it just recently changed. I think I'll need to get that URL to you. Yeah, no problem.

Speaker 1:

Thank you so much for spending, you know, an hour with us and sharing, and yeah, we'll definitely stay in touch. I look forward to getting those URLs and then not only that, but distributing those and helping kind of get the word out about, you know, not only Southern Coos but, you know, helping more people that are in the regulated health space understand a little bit more about cybersecurity, you know, how they should be effectively implementing strategies to secure their networks, you know, their patients. And yeah, I think a lot of people can learn a lot from what you're doing there.

Speaker 2:

Great. Well, I really appreciate the opportunity to talk with you and hope that your listeners get value out of this.

Speaker 1:

Oh, they totally will, totally will. Thank you so much for your time, Scott, as well.

Speaker 2:

Thank you, Blake. Talk to you soon. All right, yes sir, bye-bye. Bye-bye.
