
Microsoft launches a free, AI-powered claims denial navigator from its Rural Health AI Innovation Lab.

The VA updates its AI strategy, which includes deploying tools for scheduling, real-time transcription, claims processing, and administrative tasks.
HHS officials say that the administration opposes private-sector vetting of healthcare AI tools, warning that it could shut out startups.
Samsung will add a heart failure detection feature to its Galaxy watches using an algorithm for left ventricular systolic dysfunction, while also developing Korea-built Ear-EEG technology that uses ear-worn electrodes to detect drowsiness and analyze video preferences.

UnitedHealth Group hires Michael Pencina, PhD, Duke Health’s chief data scientist and co-founder of the Coalition for Health AI, as chief AI scientist.
Qualtrics CEO Zig Serafin says that the company’s $6.75 billion acquisition of Press Ganey was driven by AI, giving the customer experience and analytics vendor “the most complete, specialized AI platform” to speed adoption in healthcare.
A study finds that clinician burnout fell from 52% to 39% within 30 days of implementing an ambient AI scribe across six health systems, with additional gains in documentation efficiency, patient communication, scheduling flexibility, and after-hours workload.
Some parents are letting their children use generative AI toys and chatbots to spark their creativity, but experts warn that the tools can confuse kids about what is real, limit their originality, and mislead them. A parent turned his four-year-old son, who is a fan of “Thomas the Train Engine,” over to ChatGPT’s voice mode and found him still talking two hours and 10,000 words later. He laments, “My son thinks ChatGPT is the coolest train-loving person in the world. I am never going to be able to compete with that.”
Mr. H, Lorre, Jenn, Dr. Jayne.
Get HIStalk updates.
Send news or rumors.
Follow on X, Bluesky, and LinkedIn.
Sponsorship information.
Contact us.
9 Sites Going Live with New Electronic Health Record in 2026
The VA will add nine sites to its Oracle Health EHR rollout in 2026.
Attuned Intelligence Raises $13M to Transform Hospital Call Centers with Supervised AI
Health system call center technology vendor Attuned Intelligence raises $13 million in seed funding.
Savista Acquires ONCO Services, Expanding Cancer Registry Leadership and RCM Capabilities
Savista, which offers RCM outsourcing and technology, acquires the cancer registry business of Onco Services.
Healthcare IT consulting firm Healthlink Advisors joins Chartis
Healthcare advisory business Chartis acquires Healthlink Advisors.

The VA will add nine sites to its Oracle Health EHR rollout in 2026.
Four Michigan sites will also go live in 2026.
Survey: “What’s your take on the value of IT Managed Services?” Sponsor: CTG. Due to recent legislative changes, healthcare organizations are under growing pressure to balance cost, performance, and innovation. CTG wants to hear from leaders like you on how IT managed services can help — or hinder — those goals in this quick, 5-minute survey. Your insights will help inform industry understanding and provide a clear picture of how IT managed services is currently being used.
Contact Lorre to have your resource listed.

Australia-based healthcare AI company Heidi raises $65 million in Series B funding and names Simon Kos, MBBS, MBA (Lumyra.AI) as chief medical officer. Heidi works with Beth Israel Lahey Health (MA) and MaineGeneral in the US.

Qualtrics, which offers customer and employee experience software, will acquire healthcare market research company Press Ganey for $6.75 billion.
Image-guided surgery technology vendor MediView raises a $24 million Series A funding round.

Chartis acquires Healthlink Advisors.

ReferWell names Mark Bergen, MS (Gebbs Healthcare Solutions) SVP of sales.

Susan Reagan (RLDatix) joins AssureCare as VP of sales.

Datavant names Josh Builder (CVS Health) as CTO.

The Ohio State University Comprehensive Cancer Center – Arthur G. James Cancer Hospital moves from piloting to fully implementing Veris Health’s remote patient monitoring platform.
CommonSpirit Health implements Safety Net Connect’s advanced care planning software at its four hospitals in Los Angeles as part of a pilot program for improved recuperative care coordination.

A new report from Trilliant Health titled “2025 Trends Shaping the Health Economy” contains some interesting points:

Zus Health CEO and Athenahealth co-founder and CEO Jonathan Bush will reportedly announce this week that he is running as a Republican in Maine’s 2026 governor’s race.

Hipp Health Raises $6.2 Million in Seed Funding
Hipp Health, which offers AI software that automates clinical, administrative, and compliance workflows to behavioral healthcare practices, raises $6.2 million in seed funding.
Australia-based healthcare AI company Heidi announces $65 million in Series B funding and a valuation of $465 million.
Qualtrics to buy healthcare tech firm Press Ganey in $6.75 billion deal, FT reports
Talkspace Acquires Wisdo Health to Expand AI-Powered Social Health and Peer Support Solutions
Virtual mental healthcare provider Talkspace acquires Wisdo Health, which offers an AI-powered peer support and social health app.
Last week was a busy one. My already packed schedule was hit with meeting requests related to the US government shutdown.
There were discussions whether our organization should continue delivering telehealth services to Medicare beneficiaries. That led to talking about the pros and cons of telehealth in general.
Whether physicians like it or not, patients like it. I can’t imagine going back to a pre-2020 situation where all of our visits were conducted in person. Several of our practice locations added clinicians without adding exam rooms due to everyone having half days in which they deliver only virtual care, so that’s a win for lowering overhead.
Unfortunately, some juggling was needed to accommodate everyone’s clinic schedules, and not every clinician is thrilled. We will have to see how that shakes out over time.
I was also pulled in to deliver some unanticipated patient care after a colleague was injured and her backup was diagnosed with COVID. I did locum tenens coverage for this group and was still listed on their medical liability insurance policy, so I was happy to step in.
The practice is one of a growing number of Direct Primary Care sites, so they don’t have issues with credentialing or billing when they have to bring in outside coverage. It has been quite some time since I’ve used their EHR, but documentation was easy because I wasn’t worried about compliance with coding and billing metrics.
I was surprised by how many patients were more worried about their physicians than their own health issues. Most wanted me to pass along their wishes to get well soon. I’m used to having patients be irritated or annoyed when schedules are altered or delays come up, so it was a refreshing change.
The weekend brought some cooler temperatures in my world. It was time to catch up on yard work, then spend a couple of hours making sure that I can remain a practicing physician in 2026 and beyond. I had to do my state license renewal and my DEA number renewal. I decided to tackle the most recent bunch of “continuing knowledge assessment” questions that released on October 1 rather than waiting until the end of the quarter as I usually do.
I had a little fun with it. I fired up a couple of AI tools to see if one was better at answering board-style questions. I tried a couple of approaches, including taking the question and distilling it down into a concise prompt versus using the question nearly verbatim. Both approaches seemed to deliver the same accuracy in results and took about the same time to provide an answer.
It made me wonder whether physicians who cut-and-paste to get their answers learn as much as those who read the questions in detail and create a custom prompt. I haven’t seen studies that address that specific approach, but it would be interesting to see if retention differs.
I changed my tactic after a few questions, trying to figure out ways to use AI tools while still getting a good learning experience. I used traditional tools to look for the answer, then used AI tools to validate the choice that I thought was correct. This made the process faster even though it took a little longer to create the prompts.
This particular module is pass-fail, but many physicians have that competitive streak and want to have a perfect score. I liked the idea that I was validating my thought process rather than just searching for the answer.
I’m big into environmentalism and sustainability, so I think about the impact of AI tools. A friend recently mentioned data center projects in her state that are being blocked because of environmental impacts. This got me thinking about my own information-seeking behaviors and whether I should be more diligent about using traditional tools where possible rather than just jumping to AI tools because they are at my fingertips. I’m conscious of the environmental impact of products I choose in my daily life, everything from yogurt to sunscreen, so being more mindful about information resources isn’t a big leap for me.
I’m off to Anaheim for the American Academy of Family Physicians FMX conference, which was formerly known as Family Medicine Experience. Unlike healthcare IT conferences, the main stage lineup doesn’t feature celebrities or businesspeople, but actual physicians, including 19th and 21st Surgeon General of the United States Vivek Murthy, MD, MBA. I have to admit I’ve had a little crush on him since he appeared with Elmo teaching us not only how to cough into our elbows, but also about the importance of regular preventive visits and vaccines. You can bet I’ll be in fangirl mode.
Who would you like to see speaking on a conference main stage? What would you like to hear them cover? Leave a comment or email me.
Email Dr. Jayne.
Cancer AI Alliance unveils first collaborative AI platform for cancer research
The Cancer AI Alliance, a research collaboration of four major cancer centers, launches a platform that securely centralizes anonymized data from its members to train AI models.
Uniform virtual care platform vendor Collette Health acquires the Virtual Nursing Academy, which provides education for deploying virtual nursing in health systems.
Payments company Zelis Healthcare hires Goldman Sachs and JPMorgan for an early 2026 IPO
Healthcare payments company Zelis Healthcare prepares for an IPO that sources say could value the company at $17 billion.
Most poll respondents aren’t so loyal to their doctors that they will tolerate administrative frustration.
New poll to your right or here: What health tech term is most overused? That inspired me to check my HISsies awards from 10 years ago, where I was reminded that the most overused buzzword was “big data.”
I consummated my occasional urge this week to binge my favorite finance thriller movies: “Wall Street,” “The Big Short,” “Boiler Room,” and “Margin Call.” It was either impossible or expensive to do this before rollout of ad-supported streaming channels such as Pluto TV, Tubi, and The Roku Channel.
Former pharmacy chain giant Rite Aid closes its last drugstores, adding to the one-third of US pharmacies that shut down between 2010 and 2021.
TruBridge hires Michael Daughton, MBA (EnableComp) as chief business officer.
Lisa Dykstra, CHIME advisor and former Lurie Children’s Hospital SVP/CIO, died last week at 55.
England requires all GP practices to keep online consultation tools active 8 a.m. until 6:30 p.m. on weekdays, allowing patients to request appointments, ask questions, and describe symptoms without joining “the 8 a.m. scramble.” Some practices disable apps once slots fill, driving 6.6% of patients who can’t get through by phone to the ED. One practice cut appointment wait from 14 days to three, with 95% of patients seen within a week.
Akron’s Summa Health completes $515M sale to for-profit HATCo
General Catalyst’s HATCo closes its acquisition of Summa Health and will convert it to a for-profit and use it as a living laboratory for the technology products of GC’s portfolio companies.
Trump to the health and tech giants: AI is not your ‘cartel’
HHS officials say that the administration does not support private sector vetting of AI tools in healthcare.
Koda Health Oversubscribes $7M Series A to Scale Goal-Concordant Care Nationwide
Koda Health, which offers patient decision support and advance care planning software, raises $7 million in a Series A funding round.
Medicare’s telehealth flexibilities lapse due to the federal government’s shutdown, with these changes:
HIStalk sponsors who are participating in the HLTH conference October 19-22: tell me about your activities and I’ll include them in my conference guide.
Fortified Health Security acquires cybersecurity firm Latitude Information Security.
Veradigm’s special investor update call offered no details on its anticipated Nasdaq relisting. The company said that its financials remain sound, but it again withheld profit metrics, citing the unresolved revenue recognition discrepancies that led to its delisting. It continues to hope to become current on SEC filings and have shares relisted sometime in 2026.
Waystar closes its $1.25 billion acquisition of Iodine.
General Catalyst’s HATCo closes its $500 million acquisition of Akron-based Summa Health, two years after it was announced. The VC firm will convert Summa to a for-profit and use it as a living laboratory for the technology products of GC’s portfolio companies.
TigerConnect hires Peter Stetson, MD, MA (Memorial Sloan Kettering Cancer Center) as CMIO and Sheeza Hussain (Press Ganey) as chief growth officer.
NextGen Healthcare promotes Srinivas Velamoor, MBA to president and CEO. He replaces David Sides, who will remain an investor and board member.

The VA updates its AI strategy, which includes:
HHS officials say that the administration does not support private sector vetting of AI tools in healthcare. Deputy HHS Secretary Jim O’Neill, who is a technology investor, tells Politico that the Coalition for Health AI could become a “cartel” that allows big companies to squelch startups.
Meta will use conversations with its AI products for targeted advertising. Its upcoming privacy update also authorizes using data that is captured by its smart glasses and its AI image generator to target ads on Facebook and Instagram, with no opt-out option offered.
Medical school professor Robert Wachter, MD provides interesting analysis of the “AI knowledge war” among OpenEvidence, Wolters Kluwer’s UpToDate, and Epic. Notes:
Keep the pumpkin-everything products — my most-anticipated fall treat is Mr. Autumn Man.

Family members who I talk to about AI are usually surprised to learn that it’s being used in healthcare. They assume that regulations for its use must be in place. I explain the threshold for when software becomes a medical device that is regulated, but I’m not sure that resonates with the average patient.
The conversation frequently morphs into the fact that AI is everywhere, and has been to some degree for a long time, but people are mostly worried about generative AI solutions. Many other advanced technologies have been introduced in healthcare, such as brain-computer interfaces, but I’m not yet ready to bring those into the conversation with most of my relatives.
From Apple Fan Boi: “Re: Apple in hospitals. Did you see this article about hospitals finally ‘seeing the light’ with regard to Mac usage for clinicians? Now I just need to talk my CMIO into enabling me.” After spending the majority of my career on Windows-centric hospital platforms, I was surprised to learn that Emory Healthcare runs an all-Apple hospital. The 100-bed Emory Hillandale Hospital in Lithonia, GA is running the full spectrum of Apple devices everywhere, from the nursing station to the clinicians’ wrists. I would be interested in hearing from anyone who is directly involved in the project, whether behind the scenes or in an end-user capacity. As expected, the Apple article made it sound like the ultimate experience, but I’ve seen enough vendor-published pieces to know that reality is usually somewhat different from what that kind of article describes.
I spotted this article from last week that looked at the privacy concerns that are associated with brain-computer interfaces. They can be used to facilitate communication by patients who have difficulty speaking and writing, but require large volumes of neural data. The article summarizes ethical concerns with such data and whether patients understand the privacy elements that they give up when sharing this information with manufacturers and researchers.
Plenty of articles have described being able to infer the activities that couples might be participating in based on publicly shared biometric or wearable data. I hadn’t seen much written about brain data and its ability to predict certain diagnoses or the risk of declining function.
The article mentions that Chile became the first country to specifically protect neurodata and mental privacy, through an amendment to its constitution in 2021. The US has no federal laws around this, but legislators and the American Medical Association have expressed interest in developing a protection strategy.
It will be interesting to see how these privacy movements advance over the coming months and years and if consumers will be as willing to give up their mental privacy as they are in giving up data about their shopping, web surfing, and other habits through the countless apps and websites that people use almost continuously.
One of my former consulting colleagues reached out to ask for a curbside consultation on tick bites and the Powassan virus, which was recently found in a human in Illinois. The virus can cause brain swelling and there’s no specific treatment for it, so prevention is the best way to address the situation. My colleague was being asked to run some reports on his EHR database to find patients who might have had the condition without being diagnosed. His practice is big enough to support a “data guy,” but not big enough to have a CMIO or dedicated clinical informaticist, so I was happy to point him in the right direction.
Ticks spread plenty of other diseases, including Rocky Mountain Spotted Fever, ehrlichiosis, and Lyme Disease. If you’re going to be outside this fall, consider long sleeves and long pants as well as repellent sprays.
Removing a tick within 24 hours of attaching lowers risk. If you hesitate to visit a physician or urgent care for help with removal, many of us have seen tick bites on nearly every part of the body and we’re happy to take care of it for you rather than have you increase the risk by waiting. We’ll even tag and bag the tick so it can be identified and tested if needed.
We also have SpongeBob bandages in our cabinets this month. I wonder whether our usually beige-loving supply chain person was feeling whimsical or if the character version was just cheaper.
In my role, I don’t follow Medicare happenings as closely as I used to. Therefore, I wasn’t fully up to speed on the fact that the Medicare ACO REACH (Realizing Equity, Access, and Community Health) model will end on December 31, 2026. The program delivers value-based care to patients with traditional Medicare and encourages physicians and healthcare delivery networks to better coordinate care delivery, improve outcomes, and manage costs. The 160,000 providers in the nation’s 103 programs will need to decide whether their ACO will transition to a different ACO model or wind down.
ACO REACH is notable for its focus on health equity and a track for medically complex patients. Other elements made it more attractive to smaller provider groups compared to the larger CMS Medicare Shared Savings Program ACOs. If you work for an impacted organization, we’d love to hear your thoughts.
I’m behind on some continuing education requirements, so I’ll need to buckle down this week and get them completed. When I was thinking about obtaining my second board certification, I was more worried about learning the material and preparing to pass the exam than I was about what Maintenance of Certification would look like over the next couple of decades. It feels like I’m in an endless cycle of quarterly questions that are coming from multiple directions, and unfortunately, 80% of the material that I am quizzed on isn’t relevant to my scope of practice or work.
I understand that we are being held responsible for being well-rounded subspecialists, but I’d rather be spending my scarce free time reading material that would help me do my actual job better rather than frantically searching for answers to clinical scenarios I haven’t encountered in 20 years and will never encounter again.
How do you like to demonstrate lifelong learning? Do you prefer self-directed study or third-party accountability? Leave a comment or email me.
Email Dr. Jayne.
Federal Government Shuts Down as Telehealth Flexibilities Lapse
The federal government fails to extend funding for Medicare telehealth flexibilities before it shuts down, forcing providers to limit or cease some virtual care services.
VA AI strategy says early use cases will inform adoption in new EHR
The VA emphasizes in its latest AI strategy update that early use cases of AI will help to inform eventual integration of those capabilities with its EHR and other technologies.
Fortified Health Security Acquires Latitude, Expands Cybersecurity Advisory Capabilities
Fortified Health Security acquires Latitude Information Security and names Latitude CEO Mark Ferrari VP of its new risk and governance services unit.
The White House issues an executive order, “Unlocking Cures for Pediatric Cancer with Artificial Intelligence,” that doubles HHS funding for the National Cancer Institute’s AI-driven childhood cancer data initiative.
The FDA issues a Request for Public Comment on how to measure and evaluate real-world performance of AI-enabled medical devices.

Amazon announces a new generation of Echo devices that support its Alexa+ ambient AI assistant. The company says that Early Access users of Alexa+ are engaging the device in deeper conversations and using it to complete tasks related to smart home devices, booking reservations, and managing the family calendar. The Echo Show 8 costs $180, while the no-display Echo Dot Max runs $100. All models feature enhanced audio capabilities and the ability to be paired for richer sound.

AI-powered revenue management vendor SmarterDx acquires Pieces Technologies and launches SmarterNotes, which retrieves EHR data to create patient notes and flag missed revenue.
Business Insider reports that ambient scribe vendor Abridge, once closely partnered with and partly owned by Epic, now competes with the EHR giant as Epic develops its own AI tools. Abridge has raised $700 million at a $5 billion valuation.

Cardiac data management vendor RhythmScience licenses a heart failure algorithm from Cedars-Sinai, whose venture arm also led its Series A round.
Ambience Healthcare launches the first ambient AI inpatient CDI assistant, built on OpenAI, to capture compliant diagnoses at the point of care with explainable audit trails and EHR integration.

A 20-year-old biomedical engineering student creates ShotCaller, a mapping tool that helps Children’s Hospital Los Angeles oncologists target radiation for treatment-resistant tumors. Clinicians say their use of the tool has reduced the time required to create a radiation hotspot map from two hours to eight minutes.

Not healthcare related, but don’t forget to check your ChatGPT setup. A Reddit user whose wife uses their shared ChatGPT account to obtain marriage advice adds custom instructions.
Switchboard Health Acquires Conduce Health, Expanding AI-Enabled Specialty Care Capabilities
Specialty care coordination company Switchboard Health acquires Conduce Health, which offers AI-powered referral management and analytics software for specialty care.
HHS Doubles AI-Backed Childhood Cancer Research Funding
HHS announces additional funding for the National Cancer Institute’s Childhood Cancer Data Initiative, which will incorporate AI into its efforts to use EHR and claims data for research and clinical trial development.
Clearwater Receives Strategic Growth Investment from Sunstone Partners
Sunstone Partners acquires a majority stake in healthcare cybersecurity and compliance company Clearwater.
Confido Health raises $10 million in a Series A round to expand its AI voice agent platform for appointment scheduling and patient access.
Healthcare automation and insights company Smarter Technologies acquires care delivery automation vendor Pieces Technologies.

Specialty care coordination company Switchboard Health acquires Conduce Health, which offers AI-powered referral management and analytics software for specialty care.
I interviewed Conduce Health CEO Najib Jai, MD, MBA earlier this year.

CareCloud will acquire the Healthcare Financial Management Association’s MAP App, a revenue cycle performance benchmarking tool used by providers.
Assort Health raises $76 million in a Series B round, bringing total funding to $102 million since launching in 2023. It offers specialty-specific AI voice agents for inbound patient phone calls.


Investors file a class action lawsuit against online weight loss clinic operator LifeMD, claiming that executives touted strong Q1 results and raised guidance without disclosing high acquisition costs and refunds. The company then missed Q2 targets, cut guidance, and saw shares fall 44% in one day. LFMD shares are down 80% from their all-time high in early 2021, valuing the company at $322 million.

Huntzinger Management Group renames itself to Avarion.

Elsevier promotes Brent Gordon to president of its Health Education business unit.

Clearwater promotes Baxter Lee to president. He takes over from Steve Cagle, who becomes a board advisor.

ChristianaCare names Petrena Saunders, DNP, RN (Vizzia Technologies) CNIO.

David Bartley, MBA (MedeAnalytics) joins Iris Telehealth as chief solutions officer.

Beebe Healthcare (DE) will go live on Epic next month.
RevSpring announces GA of its new referral management software.

Queen Victoria Hospital NHS Foundation Trust in England will roll out Altera Digital Health’s Sunrise EHR in November.
Innovaccer develops a Social and Community Health Information Exchange for public sector agencies.

Trilliant releases SimilarityIndex Hospitals, a free tool that allows hospitals to compare their key operating metrics with those of the 50 most similar US hospitals.
Ambience Healthcare launches an inpatient ICD-10 CDI assistant that helps hospitalists capture precise, compliant diagnoses during the encounter.
UK Prime Minister Keir Starmer announces NHS Online, a virtual service launching in 2027 that will let GP-referred patients speak to specialists by phone or video. The model draws on projects such as University Hospital Southampton’s, where irritable bowel disease patients could request help as needed, cutting in-person visits by 73% and wait times by 58%.
Golisano Children’s Hospital’s NICU increases the survival rates for babies born at 22 to 24 weeks from 14.3% to 70% after creating a collaborative initiative that includes adding protocols to its EHR.

Steve Cagle, MBA was CEO of Clearwater at the time of this interview. He transitioned to board advisor on September 30.

Tell me about yourself and the company.
Clearwater is a healthcare-focused solutions firm that provides cybersecurity compliance and managed security services to hospitals, health systems, physician practice management groups, digital health, and health IT companies. Really all types of organizations in the healthcare ecosystem. We help those organizations to be more secure, be more compliant, and be more resilient so that they can achieve their missions.
I’ve been CEO of Clearwater since May 2018. My background is in healthcare. I started my career in a software company that provided quality management software to help pharmaceutical companies comply with FDA regulations, such as good manufacturing practices. I then spent some time in the pharma industry in consumer healthcare products, running a business before returning back to technology and compliance here at Clearwater.
How do health systems decide how much effort and money to invest in cybersecurity?
Unfortunately in healthcare, most organizations have been historically underinvested in cybersecurity. However, we have seen over the last five years or so an increased focus, especially following the pandemic, when we saw a wave of ransomware attacks on healthcare organizations. Then we had the Change Healthcare incident a year and a half ago, which affected about 70% of the providers and caused very extensive damage.
As healthcare organizations have continued to adopt new technology, technology has become critical to operating their businesses or providing care to patients. They have realized that cybersecurity is mission critical and requires them to have the appropriate protections in place to reduce risks.
That’s really the key word. It’s about understanding your organization’s risks beyond the high level. A lot of organizations have done high-level risk assessments. They may be helpful as a starting point. But we need to go much deeper in today’s environment, where attack techniques have evolved to become difficult to defend and protect against.
Organizations have had significant impacts from ransomware attacks and breaches. That’s why the Office for Civil Rights of HHS, which enforces HIPAA regulations, has been focused on risk analysis and their risk analysis initiative. Risk analysis in healthcare requires that organizations understand where they have electronic protected health information, where they have those critical systems that support their operations or are connected to those systems with EPHI, and that they evaluate the vulnerabilities and threats, assess the controls that are in place, and determine the level of risk that exists with each system.
By doing that, organizations will be better informed as to where those high risks are. Based on their risk threshold, they can then identify those risks that fall above that threshold and put specific risk remediation or risk management plans in place to address those risks.
That’s a business-focused way of approaching cybersecurity. It’s not checking boxes. It’s not trying to have the best security program in the world. It’s really understanding your risk at a level that is appropriate. Then, taking actions to bring those risks to an acceptable level.
What were the most important lessons learned from the Change Healthcare incident?
Risk analysis. Clearly there’s been a lot of uptick in organizations really understanding, “I need to get to that next level. I’ve been doing the same type of assessment for many years. I’m going to invest more money into doing that risk analysis so that I can have better information about my security program.”
We’re seeing a lot of attention on cybersecurity and risk from the board of directors and the executive teams. From a cultural perspective, there has been a change in healthcare where this has become a priority that organizations need to focus on.
We’ve seen big changes in resiliency, where organizations have plans in place to not only respond to a security incident, but also to contain it to operate under duress through a business continuity plan. Having updated disaster recovery plans and testing those to make sure that they are effective.
As we look at all the solutions out there that are based on artificial intelligence, we have new concerns. There was a big rush to implement a lot of these new technologies that are based on AI. Unfortunately, many organizations did not take the time to establish policies and procedures about how they will use them and to assess the risks around these technologies.
It is still risk analysis, but it’s a different set of risks and different set of controls. We are seeing a lot of interest from our clients in helping them to establish governance around artificial intelligence, cybersecurity, and privacy, or to assess their risks of those programs and to help make sure that they are implementing these technologies in a responsible way.
The mainstream press loves headlines about the devastating impact to patients of a local provider that has gone down from a cyberattack. How much do we not hear about providers who are successful in preventing that kind of attack?
That’s a very important point that you’re making. We hear about the bad news, but we don’t hear about the good things that are happening.
We’ve done over 650 NIST Cybersecurity Framework assessments for our clients over the last 10 years. We track and trend maturity levels over time. We see that the industry is becoming more mature. We track over time the organizations that adopt the NIST Cybersecurity Framework, which is a commonly accepted and used framework in healthcare, and we see that they are improving above the bar of the rest of the industry. There’s really good data that we can point to that demonstrates that we are making progress.
The challenge is that the bar keeps getting higher. You have more vulnerabilities, more threat actors. Threat actors have been very successful in obtaining ransomware payments from healthcare. They pay more often than any other industry. When it’s easier to attack a certain sector that is more willing to pay and pay more, that’s going to attract more threat actors.
You don’t hear about organizations that are being responsible. They are assessing risks, maturing their security programs, and not having those attacks. Or if they do have a security incident, they are able to address it quickly and with minimal impact. They have network segmentation and other types of controls in place that make it difficult for threat actors to exfiltrate the data or to do damage.
We will continue to see that maturity improve over time. But we have to realize that unless we stop developing and implementing new technologies and increasing the attack surface, it’s not going to stand still. The bar is always going to become higher.
How often do providers pay a ransom, and if they do, what is a typical outcome?
Fewer providers are paying than in the past. A few years ago, it was 67% of the time, and that number has gone down probably closer to 50%.
You really can’t trust criminals. A lot of them will try to uphold their end of the bargain because they want people to continue paying, but that’s not always the case.
There’s also double extortion. You get the encryption keys to unlock your systems. Maybe some of these organizations have good backups in place and are willing to take the downtime that it takes to restore those systems, which could take days or weeks, or longer. In some cases, those encryption keys do not work. They’ve done so much damage that it doesn’t really help them.
Then the second extortion is to get the data back. Often the data will end up somewhere else in the future. Paying the ransom doesn’t give you any guarantees. You’re really taking your chances. That’s why you are seeing fewer organizations making that payment.
How do organizations allocate their spending across prevention, detection, and rapid recovery?
We always recommend starting with a baseline set of controls and adopting industry standard best practices. We can point to the NIST Cybersecurity Framework. We can also point to the 405(d) health industry cybersecurity practices. Those are both recognized security practices in healthcare based on an amendment to the HITECH Act in January 2021.
The 405(d) HICP is a great place to start because it is provided in different volumes for small, medium, and large organizations. It was developed through collaboration with over 600 firms in healthcare — providers, vendors, and the government. It’s a practical way of setting up those baseline controls.
Once you’ve picked a framework and standard, you go back to how much more you need beyond that. That comes down to the other requirements that you have. Do you have compliance requirements that you need to meet? Maybe even ones outside of HIPAA. Do you have clients, partners, or payers that require you to meet certain security standards, maybe a SOC 2 audit or HITRUST certification? What’s your risk profile? What kind of risk as an organization are you willing to accept?
Then you do that risk analysis to see where you have gaps between your current level of risk and what’s acceptable. Using all that information, we create a target profile. It’s a long-term roadmap of where we want to focus. That will help determine where to make those additional investments. We know the minimum requirements for standards and practices, but going beyond that, what is the organization’s specific situation?
What is the value of health systems communicating regularly with their boards about cybersecurity, and what metrics are most useful for board members to understand the situation?
We speak to a lot more boards now than we did maybe five years ago. It’s pretty frequent. One of the key functions of a board is risk management. If the board is being informed of the other types of risks across the organization, cybersecurity has become an important area of risk, and one that they need to be informed about.
Typical things that we will talk to boards about are trends, particularly across the sector, and the higher-level concerns or risks that they need to think about.
The board should be putting the governance in place. What higher-level policies do we want to have as an organization? What is the level of risk we are willing to accept?
Sometimes, but not as much any more, we see risk tolerance levels being set more at the operating level, the IT department. The IT department is not the risk owner. If a security incident renders a hospital in a position where it can’t see patients, that’s a board level issue. That’s all the way up to the board. So the board needs to decide how much risk we are willing to take. How many resources are we willing to apply? And then put the management team to work with the mandate and the support to implement a program that will ensure that the organization is in line with those policies and is on a path to meet that risk threshold.
We have to keep in mind that risk changes over time. Just because we are below our risk threshold today doesn’t mean that tomorrow we’re not. We do M&A, acquire a new part of the business, partner with somebody else that includes new third-party risk, changing the threat landscape. It’s constantly changing, so the board needs to make sure that that risk management program is prioritized and resourced. Then getting information to know that it’s actually being executed appropriately.
What changes do you expect to see in HHS OCR’s enforcement of HIPAA and security?
The Office for Civil Rights has been focused a lot this year on its risk analysis initiative, where it’s making sure that organizations are prioritizing that risk analysis that I spoke about earlier. The notice of proposed rulemaking was released at the beginning of the year. Part of that rule contains updates to the risk analysis requirement that reflect its current enforcement actions and guidance.
A lot of other requirements are more specific and are required under the rule. I don’t think that rule in its current form will necessarily be the one that is eventually published. I do think, however, there will be an update to the rule or at least some additional standards that organizations will need to meet. The HIPAA security rule was last updated in 2013. The world has changed a lot since that time.
Most of the industry is looking for something specific we can point to, not overwhelming, but addressable. Ideally with some support and help from the government, especially for those smaller organizations or rural health organizations that don’t have the resources or the money to improve the programs the way that they would like.
What does the company’s strategy look like over the next 3-4 years?
Our strategy is to be a market leader in healthcare cybersecurity and compliance. To do that, we need to have a full set of capabilities that are relevant to healthcare organizations. Not just today, but over the next several years. Our strategy is to continue to ensure that we can provide those services to our clients in a way that helps them reduce costs, become more efficient, and focus more on their mission, whether it’s treating patients or driving their business. Being a partner and extension of the organization to help them address cybersecurity compliance.
We are excited about our growth at Clearwater. We are grateful to have dedicated professionals in the organization, as well as a growing list of clients that we collaborate closely with. We are dedicated to this industry and looking forward to continuing to serve this industry and help make a difference in healthcare.
We are thrilled to announce a growth investment from Sunstone Partners, which is a private equity firm that focuses on tech-enabled services with a particular focus in cybersecurity and healthcare. That makes them a great partner for Clearwater going forward. We are excited to have a great partner that can help us better serve our clients. We will be investing in more technology, as well as continuing to scale the organization.