Advancing Health Podcast

00;00;00;19 - 00;00;42;23
Tom Haederle
John Bluford's distinguished career in hospital and health system administration has spanned more than four decades. He's been recognized as one of the most influential people in health care, and served as chair of the American Hospital Association in 2011. He's also the founder of the Bluford Health Care Leadership Institute, a professional development program that introduces talented minority undergraduate scholars to health care administration with the expectation that this pipeline of talent will ultimately help to eliminate health disparities among populations dealing with sustained hardship.

00;00;42;25 - 00;01;08;05
Tom Haederle
Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA communications. In this podcast, hosted by Joy A. Lewis, senior vice president of Health Equity Strategies with the AHA, Bluford describes how his institute trains promising young talent to assume leadership roles... the impact they've made...and how to deal with pushback in some quarters against DEI efforts in general.

00;01;08;07 - 00;01;14;25
Tom Haederle
This podcast was recorded at the American Hospital Association's Annual Membership Meeting in Washington, DC.

00;01;14;27 - 00;01;19;20
Joy A. Lewis
Good morning John. Thank you so much for joining me today. Is it fine to call you John?

00;01;19;20 - 00;01;21;02
John W. Bluford, MBA
Please do. Good morning to you.

00;01;21;02 - 00;01;46;10
Joy A. Lewis
Because I am sitting with the John Bluford. And this came together rather quickly, so I guess my timing was right. Thank you for carving time out of your busy schedule to join me in conversation today. Today's conversation is a really important one. We want to focus on how might we think about ways to create a diverse talent pool of health care leaders?

00;01;46;12 - 00;02;11;24
Joy A. Lewis
We know how important it is to have a diversity of thought, different perspectives weighing in, making decisions that then lead to better health outcomes for the patients and families and communities that we serve. So currently, you are the president, but also the founder of the Bluford Health Care Leadership Institute, which was established over a decade ago in 2013.

00;02;11;27 - 00;02;33;03
Joy A. Lewis
And your program trains and mentors and prepares early careerists to occupy, to advance through into leadership roles in health care settings. And I guess in addition to how you're spending your time today, we should talk about your tenure. Your career portfolio, which includes...

00;02;33;03 - 00;02;33;12
John W. Bluford, MBA
It's been a long one.

00;02;33;12 - 00;02;36;09
Joy A. Lewis
I know! Spans over 50 years.

00;02;36;12 - 00;02;40;03
John W. Bluford, MBA
Oh, just about...not quite over 50, but we're getting there.

00;02;40;04 - 00;03;15;15
Joy A. Lewis
Okay. I want to be like you when I grow up. So, former president and CEO, president emeritus of Truman Medical Centers in Kansas City, Missouri. Prior to that, CEO of Hennepin County Medical Center in Minneapolis, Minnesota. So let's start there. Can you walk our listeners through your journey and I guess leading into this question around what were some of the conditions that you observed, you witnessed inside hospitals and health systems that you led?

00;03;15;21 - 00;03;24;25
Joy A. Lewis
And also, as a former chair of the AHA's Board of Trustees, that led you to create the Bluford Health Care Leadership Institute.

00;03;24;27 - 00;03;56;02
John W. Bluford, MBA
Thank you very much, Joy. It's a great lead in. And I would start by saying that these 45 plus years in the business have always been in urban settings. Large tertiary teaching hospitals that dealt with underserved patient populations. So that has been my story from day one. As an epidemiologist for the Center for Disease Control and the areas of Saint Louis, Missouri.

00;03;56;04 - 00;04;30;17
John W. Bluford, MBA
Pruitt-Igoe housing project, which is the first federally funded housing project in the country. And that is kind of where my orientation comes from. More recently as a CEO -and I've been retired for ten years -but I'll say recently as a CEO of two major academe training centers, I discovered that there was not a pipeline of diverse talent coming through graduate school programs for hospital administration.

00;04;30;19 - 00;05;13;20
John W. Bluford, MBA
How do I know that? Because I was a preceptor for several programs across the country between the late 80s and 90s, and I consistently got very talented scholars to come to my institution to fulfill their requirements for graduate school. But none of them were diverse candidates because they weren't in the pipeline. And the genesis of the program that's in place right now is a request that I made to the Hennepin County Board of Commissioners to give me some funding to go to Morehouse College and recruit an undergraduate student to come to Minneapolis and work with me for the summer.

00;05;13;25 - 00;05;14;20
Joy A. Lewis
Just one.

00;05;14;22 - 00;05;16;28
John W. Bluford, MBA
Just one. You got to start somewhere.

00;05;16;29 - 00;05;17;11
Joy A. Lewis
Yeah.

00;05;17;14 - 00;06;01;01
John W. Bluford, MBA
Right. And that one student stayed with me for two years while I was at Hennepin, followed me to Kansas City, Missouri, and ended up working for me for 17 years. So that project was very successful in one respect, but not a lot of players. Secondarily, because of the success of that one student and my love for doing that kind of work and mentoring, I did the same thing when I got to Kansas City, Missouri, and that has led me to go to primarily HBCUs, Fisk University, Spelman College, Morehouse, Florida A&M University, North Carolina, and A&T and Hampton University,

00;06;01;01 - 00;06;01;27
John W. Bluford, MBA
more recently.

00;06;01;28 - 00;06;03;20
Joy A. Lewis
Not Howard, my alma mater.

00;06;03;22 - 00;06;05;10
John W. Bluford, MBA
But it will be there next year.

00;06;05;11 - 00;06;06;11
Joy A. Lewis
Okay.

00;06;06;13 - 00;06;35;01
John W. Bluford, MBA
And solicit and recruit some very, very, very talented and smart scholars and convince them that health care is a good career path for them and go for it. That's one reason for the BHLI,  and the other is a wonderful experience that I had in the early 80s as a participant in Harvard University's mid-career programs. I was 31 years old at the time.

00;06;35;04 - 00;06;51;22
John W. Bluford, MBA
And that experience just exposed me to how the sausage is really made in health care. And I wanted to expose these young people to that type of experience. I could go on and on, but that gives you a little bit of the seeding of the Bluford Health Care Leadership Institute.

00;06;51;24 - 00;07;25;26
Joy A. Lewis
And again, the early beginnings, rooted in looking at expanding and providing exposure to those from historically underserved, marginalized communities and giving them an opportunity to even consider health care. Absolutely right. So if anyone visits your website for BHLI, they will see the Institute is described as an intense professional development program. Can you share a little bit more? What does that mean?

00;07;25;26 - 00;07;29;00
Joy A. Lewis
What does intense mean in this example?

00;07;29;02 - 00;07;52;21
John W. Bluford, MBA
Intense. It's a two-eek program, seven days a week. Each day, our scholars are picked up by an executive van or bus at seven in the morning, and their day ends 12 hours later, as the last couple of hours of the day, they're working on a case study that they will present to a community audience at the end of the program.

00;07;52;23 - 00;08;17;06
John W. Bluford, MBA
So intense, in my view, means first and foremost, looking for very serious scholars that want to be successful and hopefully in the health care field. The idea is that we are preparing them not for the next level, but the level beyond that. We want leaders, not mid-careerists.

00;08;17;08 - 00;08;27;29
Joy A. Lewis
And we know that there's typically this plateauing that occurs when you get to the midpoint. How do you then move into the more executive senior leadership roles?

00;08;28;02 - 00;08;58;17
John W. Bluford, MBA
So we have a very strong didactic experiential curriculum with leaders from the industry all over the country coming in and sharing their stories, their personal stories. People like Mr. Rick Pollack, for example, or Mr. Wright Lassiter, for example. I think we've had four past chairman of the boards from the AHA. Mindy Estes comes to mind. Kevin Lofton has been a couple of times.

00;08;58;24 - 00;09;34;14
John W. Bluford, MBA
Jeanne Wood has been. So they're get experience and wisdom from the top of the industry. That's number one. Number two, not only didactic and experiential learning, but we really focus on executive presence and what people call soft skills. I don't agree with that terminology. I think they are essential skills. And by that I mean presentation skills, language skills, appearance skills, self-awareness skills.

00;09;34;16 - 00;09;59;26
John W. Bluford, MBA
How to network skills. We drill that into each and every one of these scholars every day and all day. Even though we do have some social activities, but it's not a frat party. You're still on stage. So we have golfing outings, and we've done bowling before, and we go to the performing arts. And we tour a couple of museums in Kansas City, high end.

00;09;59;29 - 00;10;09;06
John W. Bluford, MBA
But we're constantly looking at our scholars and observing our scholars and how they interact with each other and others.

00;10;09;06 - 00;10;09;17
Joy A. Lewis
How they show up.

00;10;09;17 - 00;10;19;24
John W. Bluford, MBA
How they show up. Good point. And we don't grade on the curve. If we catch something that's out of order, we pull them aside and said, you might want to reconsider how you're doing that.

00;10;19;27 - 00;10;21;11
Joy A. Lewis
No partial credit, huh?

00;10;21;11 - 00;10;25;09
John W. Bluford, MBA
No partial credit. And I think that's very enlightening for these students.

00;10;25;11 - 00;10;33;08
Joy A. Lewis
That's helpful. To your point, there's the didactic component, the experiential component. But then there's the: how do you read a room?

00;10;33;11 - 00;10;55;16
John W. Bluford, MBA
Exactly. There are two things that I could have mentioned too: etiquette training, because part of the interview process is often how you perform at dinner or lunch. So we do that and we have speech coaches come in and really help on the presentation skills. So the underlying theme of that, sometimes it's not how much you know, but how well you can communicate what you know.

00;10;55;20 - 00;11;02;22
Joy A. Lewis
That's right. Very comprehensive. I don't know what you do with folks like me who are not morning persons. At seven a.m.?

00;11;02;22 - 00;11;06;09
John W. Bluford, MBA
They get on board real soon or they're left behind.

00;11;06;09 - 00;11;28;03
Joy A. Lewis
They don't have a choice, right? That's right. So a little bit more about, I get the goal here. To your point, it's not mid-career. It's preparing folks for those senior leadership roles. What's been the impact when you look back over the past decade since the inception of this program? Where have your scholars landed? What have they gone on to do?

00;11;28;06 - 00;12;00;08
John W. Bluford, MBA
I'm glad you asked that question. And that's the best question of the interview, because we can talk a lot about what is and what is and what we want to be, but what's the impact is the punch line. And we have been quite successful in our goal. Now remember, the goal is to train culturally sensitive, talented individuals to ultimately impact health care disparities among minority and vulnerable patient populations over the next two generations.

00;12;00;14 - 00;12;01;21
Joy A. Lewis
That's tall order.

00;12;01;23 - 00;12;34;23
John W. Bluford, MBA
That's a tall order. We've got time, and it's going to take time to get it done. And in that regard, in round figures, we've had 150 participants come through the program over the past 11 years, 11 or 12 years. We've had 120 internships that have resulted from those students coming through our program. Now, internships are fully paid summer internships after their two-week didactic experience in Kansas City.

00;12;34;26 - 00;12;51;27
John W. Bluford, MBA
And those internships have been in 50 sites across the country. And the punch line is this: out of 121 students who've actually graduated from undergraduate school, because I interview them as freshmen and sophomores. So they're very young.

00;12;52;00 - 00;12;52;29
Joy A. Lewis
And you're doing the interviews.

00;12;52;29 - 00;13;22;08
John W. Bluford, MBA
And I do the interviews personally. Out of the 121 that have graduated, 100 of them are in health care space today, 83%. And the others are lawyers, and on Wall Street, they're doing well for their own personal careers. But 100 of them are in health care. So just give you an example, and this is a one hour interview in itself where some of these students are and more importantly, what they're doing.

00;13;22;11 - 00;13;49;24
John W. Bluford, MBA
And you can project what they're going to be doing in years to come. But we've got one of our scholars who was in our program in 2014. He is now the surgical specialty clinic director at Henry Ford Hospital. We've got another young lady. She's the pharmacy infusion manager at Emory Hospital's Winship Cancer Center, and she took me through a tour of this new facility.

00;13;50;02 - 00;13;52;29
John W. Bluford, MBA
It is really awesome. And she's in charge. 
00;13;52;29 - 00;13;53;12
Joy A. Lewis
And she's in charge. She's at the helm.

John W. Bluford, MBA
She's at the helm. And we've got another young lady, and I think you're going to meet her at your program in Kansas City later this summer. She's a deputy director for policy and human services for the governor of Kansas, and she's working on access to mental health and Medicaid expansion, which, as you know, is a big issue.

00;14;16;09 - 00;14;30;03
John W. Bluford, MBA
So we've got young people five, six, seven years in their career with no ceiling, doing meaningful and important work with good compensation.

00;14;30;06 - 00;14;35;22
Joy A. Lewis
That's critical. And, well, you started out with them getting paid internships. I noted that.

00;14;35;22 - 00;14;57;16
John W. Bluford, MBA
Absolutley. And they get paid for their two-week tenure in Kansas City as well. It's a $2,000 stipend because we realize while they're there they could have been working their summer jobs. So we want to be competitive to get the best students. And the best students are being paid for their time right now. Let me tell you a little bit about these sites.

00;14;57;18 - 00;15;30;17
John W. Bluford, MBA
I mentioned 120 internships, 50 different sites. The American Hospital Association membership and its leadership has been very valuable connectivity for us because we're placing our students in their institutions. So we've had students at Duke University, Johns Hopkins, Atlantic Health in Morristown, New Jersey, Advocate Atrium have taken a lot of our students. Truman Medical Center's my old stomping ground.

00;15;30;18 - 00;16;03;23
John W. Bluford, MBA
Obviously, it's taking a lot of students University Health and Cleveland, several Blue Cross Blue Shield programs across the country. Saint Luke's Hospital, Dr. Estes' old place, has taken several of our students. Aeon on a long term consultancy..so it just goes to show that networking and the loyalty and concern among my colleagues in the field are paying dividends as well and helping us do this.

00;16;03;23 - 00;16;35;20
Joy A. Lewis
Amazing, amazing impact. So when you started this Leadership Institute again in 2013, the environment was quite different, the external environment. And so what we're looking at right now are some serious - as my CEO Rick Pollack likes to call them - motivated adversaries with deep pockets who are waging a war against anything that smells or looks like diversity, equity, inclusion.

00;16;35;22 - 00;16;55;08
Joy A. Lewis
So again, we're in a very different place today. How are you thinking about the existing world that you're training these young folks to show up in? How are you preparing them to be successful with all the headwinds in the midst of these anti-DEI efforts?

00;16;55;13 - 00;17;47;15
John W. Bluford, MBA
That's a great question, and perhaps one difficult to answer, but it's easy for me. One, we started before these anti-DEI and affirmative action related mentality surfaced and as such very narrowly focused on teaching, mentoring, coaching, and perhaps more importantly, sponsoring the scholars in our program. And that sponsorship, that coaching, that teaching was very specifically directed toward dealing with health care disparities in America, specifically among minorities and underserved patient populations. Rural America, the different pockets that need the support.

00;17;47;17 - 00;18;21;12
John W. Bluford, MBA
And we wanted to make sure they were culturally sensitive to the issues of socioeconomic determinants, etc., which I now favor the public policy determinants of health, and be laser focused on that and eliminating the disparities. So we don't talk a lot about DEI or anything. We talk about disparities, socioeconomic determinants, and how you can position yourself to get in a decision making role to make a difference.

00;18;21;14 - 00;18;33;15
Joy A. Lewis
And the disparities have been there. They have a long tail, to your point, well-documented. So keeping a focus on the elimination, not the reduction, the elimination of those disparities.

00;18;33;15 - 00;18;34;07
John W. Bluford, MBA
Zero.

00;18;34;20 - 00;18;47;29
John W. Bluford, MBA
And we hope that we've given them enough time frame over the next two generations to make a difference. I certainly don't want my grandson's children to experience some of the same disparities.

00;18;48;00 - 00;19;02;05
Joy A. Lewis
Correct, correct. And I like the break down. You've done a really good job of distinguishing between mentoring and sponsorship, for example. Those two tend to get conflated and we know they're very different.

00;19;02;07 - 00;19;27;27
John W. Bluford, MBA
I think many of us who've had the pleasure of serving in this industry were helped quite a bit by someone that was in those positions that we wanted to get to. And it's not unusual for me to pick up the phone and call a colleague of mine and say, you know, Joy Lewis has been in your operation now for four years, and I understand she's doing well.

00;19;27;27 - 00;19;29;24
John W. Bluford, MBA
We want to see some growth in her career.

00;19;29;27 - 00;19;30;11
Joy A. Lewis
Right.

00;19;30;13 - 00;19;31;17
John W. Bluford, MBA
Yes.

00;19;31;19 - 00;19;51;13
Joy A. Lewis
Makes sense. Appreciate that. So we're coming up on time here. But I want to ask. It would be foolish to have someone of your stature sitting here and not solicit some piece of advice from you to these young scholars. What is it that you wish someone had told you?

00;19;51;15 - 00;20;23;20
John W. Bluford, MBA
You know, I've had such a positive journey, and I wish someone would have told me about what an opportunity and blessing it's gonna be to help and serve the community in which I work. It's hard work, but the work is twice rewarding when you see the results. That's a very powerful statement. And I tell everyone, at least in my case: never had a job.

00;20;23;23 - 00;20;42;08
John W. Bluford, MBA
It's always been a mission, not a job. And that's how I've gone about my work. Compensation and those kinds of things have always been secondary. And I tell people all the time, if you're going in it for the money, then do something differently. But if you go in it and do well, get your money.

00;20;42;10 - 00;21;13;09
Joy A. Lewis
That's powerful, John, and very compelling. This notion of you're in it because it's your cause to make lives better at the end of the day. So I can't thank you enough for your continued leadership. You lay the mantle down in terms of CEO-ship roles a decade or so ago, but you continue to add to that almost 50 year legacy that we referenced earlier, really impressive and impactful career that you've had and continue to have for many of us who are in the trenches here.

00;21;13;09 - 00;21;20;00
Joy A. Lewis
So it's great to be in community with you and to have this conversation. And thank you for your time.

00;21;20;05 - 00;21;22;03
John W. Bluford, MBA
Thank you for inviting me.

00;21;22;05 - 00;21;23;20
Joy A. Lewis
Absolutely.

00;21;23;23 - 00;21;32;03
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and write us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.

00:00:00:13 - 00:00:24:07
Tom Haederle
Changing demographics and financial pressures pose challenges for hospitals, especially those in rural communities, to maintain obstetric services. In the last five years, more than 300 birthing units across the country have shut down.

00:00:24:09 - 00:01:06:18
Tom Haederle
Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA communications. Despite today's many challenges, some hospitals are implementing creative strategies to maintain necessary obstetric services for their communities. San Luis Valley Hospital in rural central Colorado is cross-training its clinical staff and partnering with community stakeholders to keep serving their community. Julia Resnick, AHA's director of Strategic Initiatives, recently spoke with Monica Hinds, an RN and director of Emergency Services and Obstetrics and Stephanie Posorske, a certified nurse midwife, about their approach to maternal care for the San Luis Valley community.

00:01:06:20 - 00:01:15:02
Julia Resnick
So, Monica, Stephanie, thank you both so much for joining me. Let's start with some background about each of you and San Luis Valley Health. Monica, I'll start with you.

00:01:15:04 - 00:01:40:14
Monica Hinds, R.N.
I am new to nursing. I've been a nurse for about ten years. This is my second career. and I attribute my nursing drive to OB, actually. When I had my kids, the OB nurses here at San Luis Valley Health were awesome, and I felt like that's what I wanted to give back to the community. So that was a little bit about myself.

00:01:40:16 - 00:01:58:11
Monica Hinds, R.N.
I have been overseeing the OB department for the last 4 to 5 years, I think is when I took over. I was, originally, an emergency room nurse. Became director of the emergency department, and then just sort of, fell into the OB leadership position as well.

00:01:58:14 - 00:02:03:02
Julia Resnick
So can you tell me a just a little bit about the community that is in the Valley?

00:02:03:04 - 00:02:22:28
Monica Hinds, R.N.
Alamosa is the central hub of the Valley. We do service several communities throughout the area, the San Luis Valley. And we are the only location that does labor and delivery. And so everyone does come to us, or they go outside of the valley for their OB needs.

00:02:23:05 - 00:02:26:21
Julia Resnick
Got it. And what kind of pregnancy care does your hospital provide?

00:02:26:23 - 00:02:44:24
Monica Hinds, R.N.
We pretty much do everything. Because even if we cannot manage the patients here, we make sure that we get them to that higher level of care. So we do have the C-sections, we do induce, we do have a local midwife that does deliver outside that we do support as well for her needs.

00:02:44:27 - 00:02:52:06
Julia Resnick
And tell me a little bit about the community stakeholders and partners that you work with, both for prenatal care and postpartum care.

00:02:52:08 - 00:03:11:07
Monica Hinds, R.N.
So we do have valley wide. They are also part of our labor and delivery department. They do manage their own patients. Do their own deliveries, do their postpartum care as well. And then we do have our ObGyn clinic here that, manages our patients for our hospital.

00:03:11:10 - 00:03:24:28
Julia Resnick
So turning to you, Stephanie. I know that there are a lot of challenges faced by rural communities, especially in terms of maternal care. So can you talk about some of the challenges, that expectant and postpartum moms are facing in your community?

00:03:25:00 - 00:03:49:18
Stephanie Posorske
So, interestingly enough, I think that social media has changed this significantly in the last ten years in the sense that everybody knows what's out there, and then what's that availability here? So they're, you know, they want to know, like, can I have an epidural? And yes, they totally can. And being able to meet those needs.

00:03:49:18 - 00:04:19:25
Stephanie Posorske
I think that we do a really good job of finding the niches that are really important. For example, women really worry about being able to have a lactation consultation. And while we don't have a specific lactation counselor, that that's just what they do. I'm our hospital's lactation counselor, on top of being a certified nurse midwife, so that we can still meet those needs without, you know, having to expend our resources.

00:04:19:27 - 00:04:41:08
Julia Resnick
Got it. And, you know, every day we're hearing about more OB units closing down unlimited access in rural communities. But you all are some of the rare ones who are managing to keep yours up and running and serving your community. So can you tell me about what strategies you're implementing that's able to keep your maternity unit open and thriving?

00:04:41:11 - 00:05:05:18
Monica Hinds, R.N.
We are seeing a decrease in, deliveries per year as well. And to be able to make our department managable as far as financial, we've really had to think outside of the box on what we're going to put on that unit. So we have expanded our unit to that surge overflow unit. We have implemented pediatric patients on part of our unit.

00:05:05:21 - 00:05:26:00
Monica Hinds, R.N.
We do some post-surgicals that are not Ob-Gyn related on our unit. So we really have grown our OB nurses into well-rounded nurses that do everything. And so we give them a lot of credit for the knowledge that they've had to obtain over these last few years just to be able to care for our patients in our community.

00:05:26:03 - 00:05:29:02
Julia Resnick
That's really wonderful. Stephanie, anything else you want to add?

00:05:29:04 - 00:05:57:03
Stephanie Posorske
Yeah, I think that there has come a lot of flexibility and changing our expectations of what works for people, and that that's what like all these units that have been able to stay open have had to do...is that we've had to become more flexible as an employee, but also the employer has had to become more flexible on what meeting the needs of everybody's situation so that we can keep this resource available.

00:05:57:05 - 00:06:17:14
Julia Resnick
That's great and wonderful that you're all willing to be so adaptable as you're trying to make your way through this. So besides clinical services, we know that a lot of rural women are also experiencing challenges around behavioral health, such as substance use, and other issues related to social determinants of health. So how are you addressing those issues in your community

00:06:17:16 - 00:06:20:29
Julia Resnick
especially for pregnant and postpartum women?

00:06:21:01 - 00:06:44:19
Stephanie Posorske
I think I can answer that. So I prescribe Suboxone, which is for people that use opiates. And on top of that, like being a great resource for people that use opiates so that they can hopefully get off opiates, it also opens the door for all avenues of people knowing that we're open to doing that and what we can do to help.

00:06:44:21 - 00:07:08:00
Stephanie Posorske
I think we really want to get out there this idea of like, we want you to come in, we want you to get care. Despite all of these challenges, whether it's for behavioral health or because you use some substance, we want to be the doors are open because this is an opportunity for us to capture people that are using

00:07:08:03 - 00:07:20:18
Stephanie Posorske
and it's when they're going to be most motivated to make a change in their lives. And so keeping that door wide open is the best way to do that and hopefully is working.

00:07:20:21 - 00:07:22:17
Julia Resnick
Monica, anything you want to add?

00:07:22:19 - 00:07:48:27
Monica Hinds, R.N.
So I would really like to add we do depression screening on all of our patients - no matter if they're observation patients or inpatients, postpartum in the middle of their pregnancy - just so we can try to catch these patients early enough to be able to give them the resources that they need. We have also really focused on our social determinants and making sure that we're asking those hard questions of patients, you know, do they need some help with housing?

00:07:48:27 - 00:08:06:16
Monica Hinds, R.N.
Do they need transportation? Is food a difficulty for them at this point in time? And we have great care coordination that actually will follow up on all of those patients prior to them being discharged to make sure that they're providing them the resources in the community that they need.

00:08:06:18 - 00:08:29:09
Julia Resnick
And yeah, I think you're both really getting at this idea that, like, these are sensitive questions and sensitive topics for people and keeping that door open so that they feel comfortable coming to you and asking for the support they need is just so crucial. So we always love stories that can really bring this to life. Do you have any stories from your hospital or patient stories, that can help bring to life the work you're doing?

00:08:29:12 - 00:09:02:03
Stephanie Posorske
I have a patient. She's had a baby already. Her and her partner have had times where they've used either fentanyl or opiates. And that door has stayed open to them, despite their not always being as compliant as we would like them to be. But they continue to come see us. Another provider in my clinic sees her husband so that we are both taking care of both of them and their substance use.

00:09:02:05 - 00:09:25:18
Stephanie Posorske
It's just lovely for them, like to have their baby, and for us to be continuing to work on this medical problem that they have. And it's not black and white and it's not it's not super easy. But every time they bring that little baby in and that they're still together and that they're still coming is exactly why that that door has to stay open.

00:09:25:21 - 00:09:34:08
Julia Resnick
Absolutely. And clearly the motivation is there. Yeah. And it's wonderful that you embrace them. Monica, any stories from your world?

00:09:34:10 - 00:09:58:00
Monica Hinds, R.N.
I don't have any specific patients. I mean, we do see when those those patients come in that have that substance use and and we're able to, you know, get them the resources that they need and be able to get them reunited with their baby, even if they aren't able to leave with them at discharge. But to be able to help them get that custody back.

00:09:58:02 - 00:10:06:07
Monica Hinds, R.N.
We see it, you know, not daily, but we see it a lot. It warms our heart that we can help those patients get back with their babies.

00:10:06:09 - 00:10:17:15
Julia Resnick
That is wonderful. So for other rural hospitals that are considering different creative avenues for providing maternal care, what advice do you have for them? What have you learned along the way?

00:10:17:17 - 00:10:56:10
Monica Hinds, R.N.
I'm going to say that you have to listen to your staff. It's been very difficult making that transition from just being a labor and delivery nurse and moving into other fields. It's definitely a lot easier with the newer nurses that are coming out, because that has expectations set forth on employment. But for those those experienced labor and delivery nurses, taking that time to listen to them, about their concerns and what kind of education that they need to make sure that they feel comfortable in providing the care to patients that they haven't cared for, you know, since nursing school, probably.

00:10:56:12 - 00:11:05:03
Monica Hinds, R.N.
So just stopping and listening to concerns is something that I feel that we can really learn throughout this transition.

00:11:05:05 - 00:11:05:27
Julia Resnick
Stephanie?

00:11:06:00 - 00:11:25:09
Stephanie Posorske
I mean I think that's really important. And like listening to your staff is how we will make changes together and not be like get all that pushback. And just like the adaptability like we talked about, we have to all be adaptable. We had to be adaptable in the sense that we brought these patients to our unit,

00:11:25:12 - 00:11:46:09
Stephanie Posorske
that we sometimes have some med surge patients on our unit. But depending on what's going on on labor and delivery, we have to be able to change that. And I think all of our expectations have changed, and we've all learned to evolve with the situation. And that's the true heart of nursing and medicine is that we have to be able to evolve and change based on the patient.

00:11:46:09 - 00:11:54:15
Stephanie Posorske
But big picture: How we evolve and have adapted and changed for our unit as a whole has been really how this has worked.

00:11:54:18 - 00:12:09:22
Julia Resnick
That is an incredibly powerful message that I think we all need to to take in to the work that we do, that, you know, the world changes and we need to change along with it to make things work. So to wrap up, what's next for you all? And SLVH's is work in maternal health?

00:12:09:25 - 00:12:12:06
Monica Hinds, R.N.
I'll let you go first, Stephanie.

00:12:12:09 - 00:12:35:18
Stephanie Posorske
Well, you know, I mean, Monica knows that I always have all kinds of ideas and some of them work and some of them don't. But we, you know, we all move forward and with our ideas and, you know, like, I'd like it if we had nitrous is an option for our patients. And I think we're totally on the brink of getting that. We want to meet to the need of everybody

00:12:35:21 - 00:12:53:28
Stephanie Posorske
which is a wide variety of people really here. And so finding ways that keep us safe and financially feasible, but also our meetings and needs and make us also feel like maybe we aren't as Podunk as sometimes we think, even.

00:12:54:00 - 00:13:10:08
Monica Hinds, R.N.
Yeah. And I would definitely agree with what Stephanie is saying. We we do try to stay up with the times, but making sure that we are providing that safe environment for our patients and for our staff as well, and giving them those opportunities to continue to learn and grow in the field.

00:13:10:10 - 00:13:27:00
Julia Resnick
Well, it's clear how dedicated you all are to your patients and your community and really making sure that door stays open to them. So I just want to thank you for the great work that you're doing to to support moms in your community and really appreciate your taking the time to talk with us today about your work.

00:13:27:01 - 00:13:28:15
Julia Resnick
Thank you so much.

00:13:28:17 - 00:13:29:24
Stephanie Posorske
Thank you for having us.

00:13:29:26 - 00:13:31:28
Monica Hinds, R.N.
Yeah, thank you for sure.

00:13:32:01 - 00:13:40:12
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and write us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.

00:00:00:25 - 00:00:33:19
Tom Haederle
Being a new parent is challenging in the best of circumstances, but it's even harder for expecting and new moms struggling with social and behavioral health needs. And living in a rural community means that the resources available to support new parents may be limited. The first 1,000 days from pregnancy to age two offers a crucial window of opportunity to create brighter, healthier futures.

00:00:33:21 - 00:01:17:00
Tom Haederle
Welcome to Rural, a yearlong series devoted to rural hospitals and health systems in America. I'm Tom Haederle with AHA Communications. St. James Health Care in Butte, Montana, now part of Intermountain Health, is designing care around new moms who need the extra support not just during pregnancy, but during the first two years of the baby's life. At this year's AHA Rural Health Care Leadership Conference, Julia Resnick, director of strategic initiatives at the AHA, spoke with April Ennis Keippel, community health director, Montana/Wyoming Market at Intermountain Health, and Joslin Hubbard, social worker at Intermountain Health at St.James Hospital, about how their first 1,000 Days program provides wraparound services for at risk new moms.

00:01:17:03 - 00:01:25:18
Tom Haederle
They were joined by Lacey Starcevich, a former program participant who shares her powerful journey to build a healthy life for herself and her family.

00:01:25:21 - 00:01:42:25
Julia Resnick
April and Joslin and Lacey, thank you so much for recording this podcast with us. We're here at the AHA Rural Health Care Leadership Conference. I'm really pleased to have all of you. So to kick things off, let's get a little background on your health care system. So can you tell us about Intermountain Health, St.James Hospital, and the community that you serve?

00:01:43:02 - 00:01:44:27
Julia Resnick
April, do you want to kick things off?

00:01:45:00 - 00:02:12:19
April Ennis Keippel
Sure. So we are a part of a large system, Intermountain Health, that includes hospitals in Montana, Colorado, Utah, clinics in Nevada as well. And St. James is located in southwest Montana. It's a community of about 35,000 residents, is a level three emergency department and really provides services for all the surrounding counties, which are primarily rural counties.

00:02:12:21 - 00:02:15:12
Julia Resnick
Anything else you both want to add about the hospital and your community?

00:02:15:12 - 00:02:30:04
Joslin Hubbard
Butte is a really proud community. It has a long history of mining and people are proud to be from Butte. They help each other out. They come together to support one another. And it's just a beautiful place to live.

00:02:30:07 - 00:02:44:00
April Ennis Keippel
And Butte was known as the richest hill on earth at one point and at one time was the largest city between Chicago and San Francisco in its heyday. So rich history in the community.

00:02:44:00 - 00:02:58:01
Julia Resnick
That is quite a history. And I love that piece about community because I think that's really what we're here to talk about. And our focus today is really on maternal health. So, Jocelyn, can you talk at all about the maternal population that you're serving and where your patients come from?

00:02:58:07 - 00:03:23:00
Joslin Hubbard
Yeah. So most of our patients live in Butte or Silver Bow County. We do serve the women from the surrounding counties as well. Our payor mix at our hospital is, you know, around 85% Medicare and Medicaid. And we have women primarily of Caucasian descent. And we serve ages, you know, teen age to later maternal - advanced maternal age, they call it.

00:03:23:01 - 00:03:26:06
Joslin Hubbard
So but just a really great mix of.

00:03:26:09 - 00:03:33:27
Julia Resnick
And even though most of your patient population does identify as white, are there any disparities that you've identified between like different subsections?

00:03:33:29 - 00:03:53:15
April Ennis Keippel
So a lot of the disparities we see in our community health needs assessment are actually related to socioeconomic status. Individuals living in poverty across all health outcomes have poorer outcomes. So anyone 200% or less of the federal poverty level just scores worse on a number of health outcomes.

00:03:53:18 - 00:03:58:29
Joslin Hubbard
April, Do you know what population of our patients fall within that 200% below poverty level?

00:03:59:04 - 00:04:05:24
April Ennis Keippel
The residents, I would say about 20% of overall residents. So one in five are below the poverty level.

00:04:05:27 - 00:04:19:22
Julia Resnick
Got it. And when you're thinking about these new parents in your community, are there any particular challenges that you've been seeing them experience? I know you touched on their socioeconomic status of needs, but in terms of behavioral health and how those challenges are impacting them.

00:04:19:24 - 00:04:46:18
Joslin Hubbard
So we have limited resources for our behavioral health and substance use. So those definitely impact our patients' access to care. When we're talking our socioeconomic struggles, it's even transportation to those appointments. It's housing, working with women and families. It's hard to talk about getting to appointments when they're not sure where they're going to live, you know, or stay that night or how they're going to get to that appointment.

00:04:46:21 - 00:04:53:07
Joslin Hubbard
You know, we have to take in all of that into consideration when we're dealing with people with substance and mental health needs.

00:04:53:10 - 00:05:01:00
Julia Resnick
Absolutely. So we're really here to talk about the Meadowlark Initiative. So can you talk to our listeners about what that is?

00:05:01:03 - 00:05:28:08
April Ennis Keippel
I can maybe start and then you can fill in as needed. So the Meadowlark Initiative is funded through the Montana Health Care Foundation. And it's really focused on providing intensive case management to the most at-risk patients prenatal and then following through til the second year of life. So, really helping to guide and support both prenatally and then also postnatal.

00:05:28:10 - 00:05:30:07
April Ennis Keippel
What else would you add, Jocelyn?

00:05:30:09 - 00:06:05:15
Joslin Hubbard
Yeah, so the initiative initially was funded by the Montana Health Care Foundation, but St.James has continued that, recognizing the need and the importance of this work. And so our program was the first 1,000 Days, which is from conception to age two, recognizing that it is the most critical and crucial time in human development. And when the brain develops, you know, it's just really using that care coordination piece to kind of bridge the gaps between those services, whether it's housing, food issues, transportation, mental health, substance use and the clinic or the hospital and how to connect patients when they come in for prenatal care with those outside resources, and then to continue to be

00:06:05:15 - 00:06:12:02
Joslin Hubbard
a resource and a support for them as they not only through their pregnancy, but as they embark on parenthood.

00:06:12:04 - 00:06:22:08
Julia Resnick
That's amazing that you have such a long perspective on it and not just, you know, a specific part of pregnancy or postpartum. So who are you partnering with or coordinating with to bring this all to life.

00:06:22:14 - 00:06:46:16
Joslin Hubbard
In terms of community resources? Yeah, Perfect. Yeah. So we have lots of you know, we partner with all of our resources in the community, whether that's private therapists. We partner with our Southwest Montana Community Health Center to provide mental health services as well as primary care following delivery. You know, our mental health centers and parenting agencies in the community as well.

00:06:46:18 - 00:06:53:24
Julia Resnick
So talk me through it...like someone finds out they're pregnant: how do they get enrolled in the program? Like, what happens next? What does that look like?

00:06:53:26 - 00:07:15:00
Joslin Hubbard
The hope is that they would seek prenatal care and come to an appointment. And at that appointment they would be screened for social determinants of health. So we would be screening for transportation issues, food insecurities, housing, as well as mental health and substance use. We would also be screening the partner or whoever is supportive of that woman in pregnancy.

00:07:15:02 - 00:07:28:25
Joslin Hubbard
So that we can really help the whole unit. And then they would meet with a care coordinator. And that care coordinator then would connect with resources and help identify needs, provide education, and then support throughout the pregnancy.

00:07:28:27 - 00:07:32:27
Julia Resnick
It's wonderful. And are there any stories you can share that can really bring this to life?

00:07:33:04 - 00:07:43:25
Joslin Hubbard
Well, I'm fortunate to have Lacey here today. Lacey was one of our moms in our program, and I think that she can speak to her story better than I could ever.

00:07:43:27 - 00:07:46:05
Julia Resnick
Great. Lacey, over to you.

00:07:46:07 - 00:08:11:12
Lacey St.arcevich
I'm Lacey. I just, on the 22nd of February, recently celebrate five years clean. I originally attended my first prenatal appointment actively using drugs. I was screened and obviously made the requirements for the program. At the time, I was homeless and still using. I left that first prenatal appointment not sure if I was going to get clean or not.

00:08:11:17 - 00:08:26:09
Lacey St.arcevich
Not even sure if I wanted to keep Bradon. That's my son's name. He'll be five in August, actually. So with the help of Jocelyn and the Meadowlark Initiative, I was able to connect with these resources and get help. And today I'm present for my children.

00:08:26:12 - 00:08:32:02
Julia Resnick
That's amazing. I'm just so glad you're here to share your story and that you've been involved in the program since, is that?.. Yes.

00:08:32:03 - 00:08:41:09
Lacey St.arcevich
Yeah. So anything I can do to help? There are just so many mothers out there who are in the same position I am. And it's an unfortunate situation. But with things like this, we can try to lower that number.

00:08:41:12 - 00:08:46:06
Julia Resnick
And I'm sure having contact with you helps them feel less alone and that, you know, there is a light at the end of the tunnel.

00:08:46:12 - 00:08:50:19
Lacey St.arcevich
You know, there's nothing more therapeutic than another addict helping another addict.

00:08:50:21 - 00:09:03:09
Julia Resnick
Wonderful. And I know that, you know, we have a great personal story of the impact of this work, but have you been measuring what the impact is on the women that are in the program? Yes. Yes, we have. Is there anything you can share?

00:09:03:11 - 00:09:06:28
April Ennis Keippel
If I look at my notes...I don't know off the top of my head.

00:09:07:00 - 00:09:31:28
Joslin Hubbard
We have found that women who participate in this program are more likely to have consistent prenatal care. They're more likely to take their child home at delivery. And that means from a lower involvement of the Child Protective Services Removals, women have better health outcomes to higher birth weights, lower complications, less hospital stays that are involved in the care as well.

00:09:32:01 - 00:09:44:24
Joslin Hubbard
And a lot of that's probably attributed to the more consistent prenatal care, as well as changing a lot of their lifestyle and ensuring that they have the food and resources that they need,  as well as you know, hopefully not using substances.

00:09:44:26 - 00:10:01:19
Julia Resnick
So to wrap us up, I love your words of advice for other rural hospitals that are really thinking about what they can do to improve their maternal and child health outcomes. What have you learned along the way that you can share with them? And Lacey, you'll have a slightly different version of that question.

00:10:01:22 - 00:10:30:04
Joslin Hubbard
You know, when we're dealing with rural, it's hard to find people to fill spots, right? And I think the most important thing is that we realize that this is just has to be someone who cares and who understands the community and the resources out there and who can show understanding and love and kindness to patients. There's not a magic wand. This is hard work, but it's, you know, it's done in partnerships and relationships that are built not only with the patient but with the community.

00:10:30:07 - 00:10:40:10
Joslin Hubbard
And, you know, just really taking time, stepping back, understanding what the needs of your community are and, you know, just addressing it one day at a time.

00:10:40:13 - 00:10:41:21
April Ennis Keippel
Well said.

00:10:41:23 - 00:10:43:26
Julia Resnick
Very well said, April.

00:10:43:28 - 00:11:10:09
April Ennis Keippel
I don't know if I could really add anything more to that. I think it just in looking at having a connector and a go-to person, I think is probably the most important thing so that there's a single point of contact that can help move forward any of the needs and make connections. And I'm not sure that that always would need to be a particular type of training to do that work.

00:11:10:10 - 00:11:22:25
April Ennis Keippel
So I think in a rural community you could customize it to really fit what you have available. But the key piece would be just to have that single person who can really help be the connector.

00:11:22:27 - 00:11:41:11
Julia Resnick
That human connection piece really just came out strongly in both of your answers. And Lacey, from being on the participant side of this and, you know, having been one of the moms in the program, what do you wish that hospitals knew about working with new moms who might need additional social or emotional support?

00:11:41:13 - 00:11:59:16
Lacey St.arcevich
We just need, you know, a setting that's not judgmental. We do not have a village. And programs like this help us create that village, and that sets us up for success. They help me create my family. They help not only me get clean and deliver a healthy baby, but my husband followed ensued because they provided us the resource to be able to do that.

00:11:59:19 - 00:12:00:22
Julia Resnick
It's wonderful.

00:12:00:25 - 00:12:16:03
Joslin Hubbard
I just wanted to call out Lacey. You know, not only does she have Bradon, but she now has a two year-old, Parker. She's married, has bought her own home, and is a role model for other women in our community and just so proud of where she is.

00:12:16:06 - 00:12:20:06
Julia Resnick
I'm so glad we can lift up your story and share it with the world.

00:12:20:09 - 00:12:21:03
Lacey St.arcevich
Thank you.

00:12:21:05 - 00:12:30:07
Julia Resnick
So, Lacey, Joslyn, April, thank you so much for joining this podcast. I look forward to seeing your presentation later today. And just congratulations on the fantastic work you're doing.

00:12:30:09 - 00:12:30:22
Joslin Hubbard
Thank you.

00:12:30:28 - 00:12:31:27
Lacey St.arcevich
Thank you.

00:12:32:00 - 00:12:40:12
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and read us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.

00:00:00:18 - 00:00:29:28
Tom Haederle
Ransomware and other cyber attacks directed against hospital and health system information networks have not slacked off in 2024. As you might imagine, cyber security experts are in great demand in the health care field these days, and their consensus opinion is that third party risk is a huge reason hospitals continue to be hit.

00:00:30:00 - 00:00:54:03
Tom Haederle
Welcome to Advancing Health, the podcast from the American Hospital Association. I'm Tom Haederle with AHA Communications. Hospitals and health systems work very hard and have invested a lot of time and effort into protecting their systems and data. But hackers continue to squirrel their way in. Third party technology and solution providers are often both at the point of the attack and the source of technical vulnerabilities.

00:00:54:06 - 00:01:09:01
Tom Haederle
In this podcast, part two in the series hosted by John Riggi, the AHA's National Advisor for Cybersecurity and Risk, we hear more from two cybersecurity experts from Providence about what their organization is doing to protect itself.

00:01:09:03 - 00:01:28:27
John Riggi
We have Adam Zoller, the chief information security officer from Providence, and we also have Katie Adams, the cybersecurity director for clinical technology services at Providence. Katie, turning to medical devices. Why is it so difficult to keep medical devices current from a cyber perspective?

00:01:29:00 - 00:02:00:06
Katie Adams
It's a great question, John, and I think there are several reasons. It's a really complex question with probably a complex answer. But, you know, when you think about a medical device, most of this equipment is actually touching a patient and can be directly in use 24 hours a day, seven days a week. So from a traditional cybersecurity lens, when we think about things like patching or operating system upgrades, becomes difficult to find a time when that device is actually available to make some of the cybersecurity upgrades that are required to keep that device current.

00:02:00:09 - 00:02:28:27
Katie Adams
From a financial standpoint, this medical equipment is extremely expensive. You know, we have medical devices in our environment that can be upwards of two and three million dollars. And even just the cost to upgrade that equipment can be as high as $200 - $250,000 just to lift the operating system of the device itself. And for a nonprofit organization like Providence that runs on extremely thin margins, the financial challenge of keeping this equipment current throughout its life becomes very complicated.

00:02:29:00 - 00:02:52:18
Katie Adams
You know, when you think about these devices, they're in our environment much longer than traditional IT equipment. We have medical devices that, you know, like an MRI or an X-ray or some of this other fixed equipment that may be in our environment for ten or 15 years. And throughout that time, from a software standpoint, you know, Microsoft is rolling out updates that are happening much, much more quickly than that.

00:02:52:21 - 00:03:14:20
Katie Adams
And so it becomes challenging to keep the device current from a cybersecurity perspective for as long as it's current from a clinical perspective. I think in addition, the fact that this is all regulated equipment, you know, that's managed by the FDA means that our vendors have to go through pretty significant rigor when they're updating or upgrading the operating systems associated with these devices.

00:03:14:20 - 00:03:28:27
Katie Adams
And so that process also just really slows down the time to market for when we can get the latest and greatest version of these devices. So there are a number of challenges that make it really difficult to keep medical devices current from a cyber perspective.

00:03:29:00 - 00:03:53:10
John Riggi
Thank you, Katie. Even though your answer was fairly concise for a very, very complex issue, you really touched on a couple of key areas. So on the one hand, we have this paradox. The devices themselves are built pretty good. They're built to last 15, 20 years, except the software subsequently becomes outdated. And we have this issue of legacy technology where the devices work as designed.

00:03:53:13 - 00:04:15:26
John Riggi
They take images, but it's the software package because at the time they were designed, these principles of secure by design were not in place. And often the manufacturers will..of course...their response may be, well, it's time to buy a new device, even though this one's working fine. The other issue you touched on about the patching, you know, I just want to expand on that a little bit.

00:04:15:27 - 00:04:41:13
John Riggi
Often the hospitals are criticized for not patching in a timely manner. And I hear this from government after attacks. You know, my response is, just as you said, Katie, I said we can't just roll out a patch from across the enterprise that touches medical devices. They have to be tested. We have to make sure that when the patch is deployed, it does not cause a malfunction in the device that affects patient safety.

00:04:41:13 - 00:05:09:00
John Riggi
We have to find a time to take these devices offline. So thank you for summarizing a very complex issue and giving some context for the difficulties and challenges. Adam, back over to you. From from a regulatory standpoint, what changes would you like to see to address this issue nationwide? In terms of third party risk, the challenges we face in having third parties often comply with what we're asking

00:05:09:00 - 00:05:16:09
John Riggi
on the cybersecurity front. HIPPA says we're responsible, but how do we make the third parties responsible as well?

00:05:16:12 - 00:05:42:21
Adam Zoller
Yeah, I think and that's a great question. And I can I want to piggyback my answers to that question. Because there's several pieces to that that need to be unpacked. I want to piggyback that on what you and also what Katie said previously. So I'd say, you know, overall, if we're looking at the regulatory landscape and you compare regulations like PCI to HIPPA, I think there's a fundamental misalignment in our priorities.

00:05:42:23 - 00:06:10:26
Adam Zoller
When you look at the regulations of, again, HIPPA compared to PCI and PCI is regulations for payment card industry protection of credit card details are more stringent than HIPPA IT controls. And, you know, I'm never one to really advocate for more regulation, but I do think there needs to be some higher level of accountability in the health care sector at large for adhering to industry best practice as itertains to cybersecurity controls.

00:06:10:28 - 00:06:37:27
Adam Zoller
So I guess to sum it up, it's hold us accountable, but make sure that as you hold us accountable, hold our third parties and suppliers accountable to the same regulations, because I find myself oftentimes at odds with the third parties that we do business with, having conversations with them about why their products or their services, their processes don't adhere to cybersecurity best practice, and how it introduces unnecessary cybersecurity risk to us in our patient care journey.

00:06:38:00 - 00:07:04:08
Adam Zoller
I shouldn't have to have those conversations with third parties. They should just be held accountable to regulations that hold them accountable from their regulators to adhere to those. I would also say regulations can't be at odds with modern IT practices. What I mean by that is oftentimes third parties push back on my conversations with them - and Katie's as well - to say, you know, we we are demanding that they adhere to modern IT security practices.

00:07:04:08 - 00:07:22:16
Adam Zoller
But then the third parties will oftentimes point back at the FDA certification and say, we can't do this because the FDA certified this device. And if we make this change that you're requesting, it's going to break that certification. The regulations can't be at odds with modern IT security practices. I'd also say that the accountability models are out of alignment.

00:07:22:18 - 00:07:55:10
Adam Zoller
Many third parties are publicly tradable companies. We're a not for profit company. Any time a company is beholden to shareholders and makes a choice to cut costs or to manage costs to hit their quarterly numbers at the expense of security best practice - and again, I'm not going to point the finger at any particular company - but I would say, you know, if there are publicly traded companies that are looking at cutting costs and hitting quarterly numbers versus, you know, investing in security best practice, that's going to lend itself to some additional regulatory scrutiny against those companies.

00:07:55:13 - 00:08:34:23
Adam Zoller
And I would also say something that I think we've hinted at through this conversation. Third parties have made a conscious choice to develop on commercial operating systems and commercial software. This commercial software and these commercial operating systems have lifespans that are far shorter than the devices that those pieces of software and those operating systems reside on. So, if it is true that these third parties are going to sell us and they will continue selling us these devices, running third party commercial software, then the device itself should either have a life span that matches the software that runs on that device or the vendor should be held accountable through regulation, keeping the software on that

00:08:34:23 - 00:08:59:24
Adam Zoller
device up to date through the entire acceptable lifecycle of that device. So if, for example, Windows software runs for seven years on a seven year lifecycle, and that device is designed to be in my ecosystem for 20 years, then I want to see a plan from that vendor that will upgrade that device at no cost to me to keep that software that the vendor chose to develop on secure and up to date through the entire lifecycle of that device.

00:08:59:27 - 00:09:18:20
Adam Zoller
And I think there should be regulation mandating that vendors can't sell devices that have either end of life or out of date software to customers. We've had issues in the last two or three years at Providence where major vendors have tried to sell us medical devices running end of life software, end of life operating systems.

00:09:18:20 - 00:09:21:17
Adam Zoller
And to me, that's just flat out unacceptable.

00:09:21:19 - 00:09:48:29
John Riggi
I appreciate that, Adam. You know, again, couple of comments on your wide ranging commentary, which I absolutely agree with. So, you know, and there's this misperception when vendors will say, no, we need FDA approval to upgrade here for security and so on. It's not accurate. The FDA website has a specific page devoted to explaining what security patches would need updates and which don't.

00:09:48:29 - 00:10:13:25
John Riggi
If it does not affect the function, the security patch does not affect the function of the device, you do not need FDA approval to implement that patch. And the FDA's made that very clear. Law passed last year, called the Patch Act provides that for all new technology where applications for new medical devices submitted after October 1, must include a lot of what you said, Adam, secure by design.

00:10:14:02 - 00:10:42:17
John Riggi
What is the plan to disclose vulnerabilities? What is the plan to update the systems and provide some type of support for the device over the lifetime of that device when comes to security? But that's only for new technology, for new applications submitted October 1. We have a massive legacy technology cybersecurity issue. Katie, since we're talking about your area, let's go over to you and give you a chance to also discuss with us.

00:10:42:19 - 00:11:05:03
Katie Adams
I would just add on to what Adam said. I mean, I think first and foremost, what we're asking for from our vendor partners is to really take cybersecurity seriously. This can't be an afterthought in the development of medical devices where they're so focused on the clinical aspect that they forget to include cybersecurity as part of the design of this equipment. That needs to be upfront as part of the initial innovation and design of the device.

00:11:05:03 - 00:11:10:04
Katie Adams
And so we need them to really work with us to help protect our patients and keep them safe.

00:11:10:06 - 00:11:46:06
John Riggi
Yeah. Thank you, Katie. And Adam, you did allude to their profit orientation on a lot of these companies, which we support, right? That's what makes this country great, capitalism, but not at the expense of security and patient safety. And ultimately, we as end consumers, as organizational and individual consumers have a choice. And I think we need to exercise that choice to impose market pressure on those third parties that do not have sufficient security to to let them know we can make a choice.

00:11:46:06 - 00:12:11:17
John Riggi
If we have that choice, we have public voices. We have regulatory voices that to help drive market forces where security becomes not an expense but a revenue driver for them. It becomes the selling differentiator perhaps, for some of these cybersecurity firms. Adam, over to you here for our last thought here. If you could make an ask of third party vendors around this issue, what would it be?

00:12:11:21 - 00:12:14:14
Adam Zoller
I don't have just one ask.

00:12:14:16 - 00:12:17:22
John Riggi
Given the fact we have limited time. Let's go ahead.

00:12:17:24 - 00:12:41:12
Adam Zoller
Yeah, a few things. I think. Number one, what Katie said: build security into your devices and software from the ground up. Know I shouldn't have to come to you as a third party and say, hey, institute this modern security practice in your device or software. Number two, if you're using commercial software operating systems, let us manage them like we do all other commercially developed operating systems, devices, etc. on our network.

00:12:41:12 - 00:13:08:15
Adam Zoller
And that includes things like scanning them for vulnerabilities, installing modern endpoint detection and response technology on the devices. Modern asset inventory mechanisms. Let us manage these devices as we do every other Windows or Linux device on our network. Hire, train and retain a security team. I can't tell you how many incidents that we've had over the last two three years where a third party gets hit by a ransomware attack and they don't have a full time security person at all.

00:13:08:17 - 00:13:36:21
Adam Zoller
Next, I'd say align your business practices with security best practices. For example, we had an incident, an issue a couple of years ago where a third party we were working with, a major third party was storing remote log on credentials in their instance of Salesforce. And obviously doesn't align to best practice. And then lastly, I would say don't show up to meetings with me or with Katie and refuse to cooperate on security best practice or don't show up to the meetings and play ignorant to security practices.

00:13:36:23 - 00:13:42:25
Adam Zoller
For me, patient health and safety is my number one priority and it should be your number one priority too, as a vendor.

00:13:42:27 - 00:13:47:06
John Riggi
Thank you for that, Adam. Katie, we'll give you the last word here.

00:13:47:08 - 00:14:03:20
Katie Adams
Man, it's hard to add on to that. I think Adam covered it pretty thoroughly. I would probably just go back to the partnership, right? We're in this together, and to deliver safe care to our patients requires not only Providence and our our health care partners and health care system, but the help of our vendors as well.

00:14:03:20 - 00:14:14:26
Katie Adams
And so rather than looking at medical device cybersecurity like a revenue stream, I would ask that they partner with us to really deliver the best possible care, safe care to our patients.

00:14:14:29 - 00:14:43:01
John Riggi
Thank you, Katie. And as I close out here, perhaps a word to our third party vendors. Please understand we have a choice in cybersecurity cells. This is a very, very serious responsibility for all of us here to protect patient safety and their data. But again, protecting patient safety is our number one concern. Pending cyber regulations, cybersecurity performance goals, specifically targeting hospitals

00:14:43:04 - 00:15:08:22
John Riggi
the AHA has a loud voice. We are also recommending any regulation that applies to us, especially around third party risk management to hospitals, must apply to the third parties as well. So Katie and Adam, thank you again for joining me today. Thank you for what you do every day as network defenders to care for our patients, serve our patients, defend them from all these varied cyber threats.

00:15:08:24 - 00:15:21:09
John Riggi
And thank you to all our frontline health care heroes for everything you do every day to care for our patients and serve our communities. This has been John Riggi, your National Advisor for Cybersecurity and Risk. Stay safe everyone.

00:15:21:11 - 00:15:29:22
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify or wherever you get your podcasts.

00:00:00:18 - 00:00:25:06
Tom Haederle
More than one in every three Americans had their health care records stolen or compromised last year, making 2023 the worst year on record for cyber attacks against the health care field. So far, that is, if anyone thought 2024 would turn out better, February's cyberattack against Change Health Care - still causing widespread problems throughout the health care system - does not seem like a promising start for improvement.

00:00:25:08 - 00:00:43:09
Tom Haederle
When such cybercrimes occur, however, it's easy to lose sight of the fact that hospitals are not the primary source of data theft attacks.

00:00:43:12 - 00:01:19:10
Tom Haederle
Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA communications. For the bad guys, the backdoor into the protected systems of hospitals and health systems often comes via a third party. That could be a business associate, solution provider or some other entity. In this podcast, hosted by John Riggi, the AHA’s National Advisor for Cybersecurity and Risk, we learn more about the risks posed by third parties from two cybersecurity experts with Providence, a large not for profit health care system operating multiple hospitals and medical clinics across seven states.

00:01:19:13 - 00:01:53:00
John Riggi
Thanks, Tom. Thanks for everybody joining again today for hopefully another very interesting podcast. And we have some very special guests here with us today. We have Adam Zoller, the chief information security officer from Providence. And we also have Katie Adams, the cybersecurity director for clinical technology services at Providence. Adam, great to have you here with us. Well-known, well-respected within the entire cybersecurity community, long history in technology, including with the U.S. Army, as I recall.

00:01:53:03 - 00:01:56:01
John Riggi
Adam, could you tell us a little bit about your background?

00:01:56:03 - 00:02:19:17
Adam Zoller
Thanks, John. Really happy to be here and thank you for the kind words. Adam Zoller, like you said, I'm the CSO at Providence and I've been with Providence for about four and a half years. And prior to that, I was in the U.S. federal government space, both on the government employee side of the house and in the consulting side of the house, doing cybersecurity for the federal government, what's now the CISA organization, and then pivoted over into the commercial sector.

00:02:19:17 - 00:02:28:04
Adam Zoller
I served several years at General Electric in various roles in various companies under GE, and like I said, now at Providence. Happy to be here.

00:02:28:06 - 00:02:42:01
John Riggi
Great. Thanks. Great to have you here, Adam. And Katie, great to have you here as well. I know you've got a tremendously difficult job, as all of us do, but especially you in the medical device space. Could you tell us a little bit about your background?

00:02:42:03 - 00:03:04:09
Katie Adams
Absolutely, John. Thanks so much for the opportunity. So my name is Katie Adams and I am the director of cybersecurity for Clinical Technology Services here at Providence. And I'm actually relatively new to the cybersecurity world. So I've worked at Providence in project management and health care operations for a little over 12 years now and just stepped into this role in the last year and a half or so.

00:03:04:11 - 00:03:13:27
Katie Adams
In my role, I really work to bridge the gap between technology and patient care to promote cybersecurity throughout the organization. So looking forward to the conversation.

00:03:14:00 - 00:03:45:28
John Riggi
Thank you, Katie. Again, great to have you here. And this is a very, very timely conversation that we're about to have. Fortunately and unfortunately, as I said, your expertise is in high demand right now. And this is a very significant area of interest, specially when it comes to third party risk, which we'll be talking about today. And let me back up a little bit and talk about 2023 in the types of attacks we've seen in the volume and sophistication of these attacks and the attack vectors.

00:03:46:00 - 00:04:30:09
John Riggi
So 2023, unfortunately, is the worst year on record for cyber attacks targeting health care in hospitals, specifically. Largest number of protected health information data breaches ever. 126 million Americans had their health care records stolen or compromised last year. Ransomware attacks up 300%. Ransomware attacks accompanied by data theft as well, and of course, data extortion attacks. The ransomware attacks are the type of cyberattacks we're most concerned about because they result in, as we've seen over and over again, significant disruption and delay to health care delivery, risking patient safety.

00:04:30:11 - 00:05:06:07
John Riggi
But, you know, when I look at the numbers, Adam, Katie, there's a lot of stories behind the numbers. You dig deeper, you realize one: hospitals are not the primary source of data theft attacks. It's actually business associates, third parties and other types of health care providers. And you dig a little further and you see that not only is it the business associates that are being targeted quite heavily, it's third party technology and solution providers that are often the attack vector and the source of technical vulnerabilities which lead to other types of attacks.

00:05:06:09 - 00:05:27:00
John Riggi
And unfortunately, 2024 is not shaping up to be any better than 2023. Lots of reasons for that. Let's take a deeper dive on third party risk management and especially in organization, your side. Adam, if I could start with you. How does third party risk manifest itself in a hospital system the size of Providence?

00:05:27:02 - 00:05:51:25
Adam Zoller
Yeah, that's a great question. You know, as you mentioned, you know, hospital systems, health care providers were incredibly reliant on third parties to deliver critical services to our patients. Especially in Providence's case, the communities that we serve within and the poor and the vulnerable. And this results in these attacks against third parties and the risk results in lost productivity, both on the clinical side but also on the IT and security team side.

00:05:51:27 - 00:06:29:02
Adam Zoller
I spend a tremendous amount of my time and my team spends a tremendous amount of their time both assessing and addressing third party security risk before third parties are onboarded. And then after the third parties are onboarded, we spend a tremendous amount of time managing risk. As you mentioned, a lot of these attacks are coming in through the third party angle, whether it's reportable events like data theft events impacting business associates, or the regulatory risks that third parties introduce in our ecosystem or managing reputational impact, the third parties that introduce risk in our organization or get compromised managing that reputational impact, the results of that.

00:06:29:04 - 00:06:51:03
Adam Zoller
And then of course, the direct incident side of the house. From a third party perspective, we deal with a number of third party incidents. Like you said, 2023 was kind of a standout year when it comes to incident volume. In 2024, we're seeing, if not the same incident volume, but in the first couple of months and, you know, an increase in the first couple of months as far as incident volume is concerned.

00:06:51:06 - 00:07:14:15
Adam Zoller
And we're seeing incidents occur that span the entire gamut of types of incidents. You can imagine things like data theft, data loss that require us to report to regulators or impactful incidents like ransomware events that impact third parties. And these ransomware events can result in anywhere between, you know, a week of downtime for that particular third party, to upward of a month of downtime for that third party.

00:07:14:15 - 00:07:21:17
Adam Zoller
And when you're talking critical services that clinicians rely upon to deliver care, that can be very impactful.

00:07:21:19 - 00:07:41:17
John Riggi
Yeah, thank you for that, Adam. Absolutely right. And again, we've seen the impacts that ransomware attacks have on third parties. As you said, if they are mission critical or as I say, life critical in some instances, the bad guys have figured out, again, we're talking bad guys that are primarily based in Russia when it comes to ransomware groups.

00:07:41:24 - 00:08:07:03
John Riggi
They understand if they attack a key third party strategic node, let's say like an oncology software provider or a timekeeping service or many other or a quote-unquote "secure file transfer system," they know that gives them access to many organizations and the disruption is magnified, thereby forcing that third party in a very difficult position, perhaps to pay the ransom.

00:08:07:06 - 00:08:18:18
John Riggi
So we talked about clinical impact, Katie, that's your life and your world. Talk to us about how third party risk manifests itself on the clinical side of Providence.

00:08:18:20 - 00:08:39:02
Katie Adams
Yeah, absolutely, John. I think just to add on to what Adam was saying, you know, it really takes a village to deliver quality health care to our patients and our communities. And when third party systems go down, whether that's inside of Providence or whether it's vendors that are delivering critical care and critical services to our patients and our caregivers, it has a big impact on the organization.

00:08:39:02 - 00:08:55:29
Katie Adams
You know, we're looking at rescheduling patients for critical appointments. You know, you mentioned oncology patients. In the cancer space those treatments are really time sensitive. And so if we need to end up delaying their care as the result of a cybersecurity incident, it's a significant impact on our patients and our organization.

00:08:56:02 - 00:09:20:21
John Riggi
Yeah, thanks Katie again for pointing that out. It is the delay disruption to health care delivery by these cyberattacks which creates the risk to patient safety. I say this all the time to anybody who listen, including my current and former colleagues at the FBI and across across all government agencies. A ransomware attack on a hospital or one of our mission critical third party providers is not a data theft crime.

00:09:20:21 - 00:09:44:25
John Riggi
It is not a white collar crime. It is a threat to life crime. We understand the impacts. We see them constantly. Adam, going to get back to you for a minute. So Providence, massive system, multibillion dollar multi-state system. And I would assume that you all should not have any issues dealing with third parties at all, that you have it all under control, you have everything you need.

00:09:44:28 - 00:09:57:13
John Riggi
And those third parties simply adhere to any request you make. I don't think that's the case. But, so given your size, let's talk about how do you manage third party supplier risk at scale?

00:09:57:16 - 00:10:16:05
Adam Zoller
Yeah, you know, Providence, like other hospital systems, deals with a lot of the same sort of issues and incidents I would imagine that we're seeing sector-wide. So when we talk about managing third party supplier risk at scale, I think it's, you know, there's aspects of the people side of the house which I won't really touch on, but process certainly.

00:10:16:07 - 00:10:46:08
Adam Zoller
And then on the technical front, managing technical risks that third parties introduce also comes into play. So I think where I would start is, number one, just generally speaking, kind of on the people and process side: consolidation of roles and responsibilities when it comes to how you manage third party risk in a health care system. We've consolidated at Providence all the roles and responsibilities for clinical engineering under one accountable leader in that accountable leader roles up to the same accountable leader as cybersecurity at Providence.

00:10:46:08 - 00:11:16:27
Adam Zoller
So my boss, BJ Moore, the CIO, a huge proponent of cybersecurity and of managing clinical risk, is now accountable for both the clinical aspects of device management and engineering, but then also the cybersecurity aspects of the clinical device space and the third party applications space. And by having that consolidated level of roles and responsibilities up to one accountable leader, then you don't run into the same prioritization issues that I think a lot of my brethren in the space are are dealing with.

00:11:17:00 - 00:11:38:14
Adam Zoller
I would say also a security culture. A lot of security organizations kind of operate in the shadows and don't like to share their priorities or don't like to share the compensating controls that they have in place for cybersecurity or don't like to, frankly, share that we're having cybersecurity incidents very openly that are targeting either clinical devices or third party applications or third party services.

00:11:38:16 - 00:12:04:01
Adam Zoller
And we've taken a bit of a different approach at Providence. And that's an approach of not necessarily oversharing because there is risk to oversharing, but sharing with the appropriate level of individuals in our organization that we are facing cyber events and what we're doing specifically about the cyber events and what we're doing specifically to manage the risks. And I would also just generally say it's easier to catch issues on the way in than manage issues that are already in your environment.

00:12:04:01 - 00:12:29:11
Adam Zoller
And what I mean by that is having strong controls for vendor onboarding and third party risk assessments and architecture assessments upfront so that you're managing the risks that you accept when the vendors get onboarded into your ecosystem versus having to go play catch up and clean up after the fact makes it much, much easier. To that end, centralizing purchasing power in your organization is going to be a strong lever that you can pull to manage the risk that you're bringing into your environment.

00:12:29:11 - 00:12:48:12
Adam Zoller
Because if somebody in your in the field can't go out and buy whatever they want without going through the security process, that's going to prevent a lot of security risk from being inherited to your system. And then also, I would say just lastly, proactively address vendor security challenges and challenge the vendors when they come to you with proposed solutions that are insecure.

00:12:48:15 - 00:13:18:02
John Riggi
Thanks, Adam, for that. Couple of key points you mentioned. I think they're worth repeating. One, the consolidation of clinical engineering and cybersecurity under the same accountable leader, the chief information officer. We have seen a lot of institutions moving to that model to eliminate the gap. Quite frankly, we have seen in the other all the other alternate structure where clinical engineering biomed are totally separate, not managed by a chief information officer.

00:13:18:04 - 00:13:38:12
John Riggi
There is a gap in communication and visibility to the vulnerabilities even in inventory networks and so forth that the bad guys exploit. They have exploited very frequently. Katie, what are your thoughts on all of that Adam, you know, gave us a great overview picture. How does that impact you directly?

00:13:38:14 - 00:14:03:16
Katie Adams
Yeah, absolutely. John Well, I actually wanted to go back to, I think part of your original question that's really important to call out is how do we manage risk at scale? You know, Providence is a really large nonprofit health care organization with over 52 hospitals and and over a thousand clinics spread across seven different states. And especially because we are a health system that has combined several different smaller systems over time to become the organization we are today,

00:14:03:18 - 00:14:32:25
Katie Adams
we have a wide range of vendors, specifically in the medical device space. Different makes, different models. And so as we think about third party risk, really trying to manage and oversee all of those different permutations becomes quite complex quite quickly. And I think an additional layer that Adam was speaking to earlier is really a lot of these medical devices are so specialized from a clinical standpoint that there may often be only one or two vendors in the market that are even making this type of machine to deliver the clinical care that we need.

00:14:32:28 - 00:14:45:03
Katie Adams
And so in that case, it's really imperative that that vendor take cybersecurity quite seriously because there aren't a lot of other alternatives for us to look toward to be able to still deliver that same care to our patients.

00:14:45:06 - 00:15:14:15
John Riggi
Right. And again, I think you have some unique challenges as large as you are. There's often that misperception out there that, you know, they're large. They, again, have all the resources. They don't have the same challenges as other systems. But you have different challenges. As you said, you were formed by the acquisition of many other systems that did not have the same controls, perhaps in place, and the policies and in the wide array of vendors that you have to now deal with.

00:15:14:18 - 00:15:23:03
John Riggi
Adam, back to you. What types of incidents or events have you faced over the past several years and especially those that relate to third parties?

00:15:23:05 - 00:15:42:01
Adam Zoller
Yeah, I think if you can imagine it, we've probably faced that. And you know, Katie's also on the front line of this and and helping us remediate once we do get hit by these is attacks. But as you mentioned, John, earlier, I mean, we're seeing an unprecedented level of attacks across the health care industry and we're on the receiving end of a lot of those attacks at Providence.

00:15:42:01 - 00:16:06:23
Adam Zoller
So, you know, external attackers trying to commit payer provider fraud, you know, on the less impactful, I guess, the business operations side of the house. But, you know, just as impactful when you look at financial implications of being able to steal money that's due to a hospital systems from our payers. So we've seen a lot of fraud attempts, a lot of social engineering enabled fraud attempts, targeting our hospital system and the payers that we work with.

00:16:06:26 - 00:16:34:01
Adam Zoller
We've also seen attempted ransomware attacks. You know, knock on wood, we've been able to stay ahead of these ransomware attackers through, you know, really doubling down on doing the basics well at Providence and being very proactive in the way that we deal with managing security risk. We've also seen external attackers targeting our data for data theft purposes, you know, sometimes in conjunction with or I suspect, to be in conjunction with ransomware attacks.

00:16:34:04 - 00:16:55:09
Adam Zoller
We've also seen denial of service attacks. Those still exist and they're still being perpetrated by activist groups worldwide. We've had vendors on the third party side of the house bringing in infected laptops into our environment to perform maintenance on clinical devices and then introducing malware into our environment as a result of that infected laptop being plugged into a system.

00:16:55:12 - 00:17:17:10
Adam Zoller
We've also had third parties being hit by just about everything that I've talked about thus far, but I'll kind of zone in on number one: third parties being hit by ransomware. We've had some third parties that we rely on for clinical services that have been hit by ransomware attacks in the last several years. And as I mentioned before, those ransomware attacks have knocked these third parties offline for in some cases over a month.

00:17:17:16 - 00:17:38:24
Adam Zoller
And you can imagine that can be very, very impactful for a hospital system that's reliant on, for example, a third party to do lab work that gets hit by ransomware. And then we have to figure out where are we going to get that lab work done and then go forward. How do we work with that third party going forward to make sure that we're not accepting an inordinate amount of cyber risk by continuing to do business with that third party?

00:17:38:26 - 00:18:04:15
Adam Zoller
And then lastly, we've had third parties hit with data theft and use third parties as business associate are oftentimes then collaborating with us where we're both kind of on the hook to regulators to report these incidents and make sure that the victims of these incidents, the patients that that we care for, get notified that they were victim of a data theft event and then provide them with potentially credit monitoring or identity identity theft monitoring.

00:18:04:17 - 00:18:15:23
John Riggi
Yeah. Thank you, Adam. Clearly, the risk from your business associates transfers to you. But it's not just the technical risk. Legal and regulatory risk. All of that.

00:18:15:26 - 00:18:24:08
Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify or wherever you get your podcasts.