In this episode, Dr. Peter Tippett, one of the first people to develop commercial antivirus software, discusses how careMESH is providing easy and secure communication and collaboration between clinicians locally to share digital patient records. Peter also discusses the issues related to information security in healthcare.
Healthcare, like other industries, requires digital communication in everything, be it care coordination, patient safety, reducing readmissions, unnecessary ER visits, or analytics. To address this marketplace requirement, careMESH makes a set of national secure services that help health systems easily communicate about patients and share patient records from their own EHR with any outside physicians/clinicians, reducing the time consumed by traditional ways of communicating within health systems.
According to Peter, health systems have started investing in and adopting digital transformation to provide ‘virtual health’ through their own EHRs, EMRs to provide care coordination, social determinants, and enabling home health workers for patients. These health systems are the powerhouse, incubating the innovative startups and providing them the focus they require to make the change happen in healthcare.
Welcome to The Big Unlock podcast where we discuss data analytics and emerging technologies in healthcare. Hear some of the most innovative thinkers in healthcare information technology talk about the digital transformation of healthcare and how they are driving change in their organizations.
Paddy Padmanabhan: Hello again everyone. Welcome back to my podcast. This is Paddy and it is my great privilege and honor to introduce my special guest today, Dr. Peter Tippett, Founder and CEO of careMESH. Peter, thank you for joining us and welcome to the show.
Peter Tippett: Thank you so much. It’s a great privilege.
Paddy Padmanabhan: Thank you. So, Peter, you have a very interesting background. And among other things, you are also the first person to have developed a commercial antivirus software. So, tell us how all that came about.
Peter Tippett: Well, I was one of those tech engineering nuts even when I was a teenager. I was a ham radio operator and a commercial radio engineer and a pilot. I was one of those couple of kids that were allowed in high school to touch the 55-board teletype locked in the closet. And in college, I stumbled into more things. I used a very similar computer in a lab doing really early cholesterol and Hyperlipidemia work. And I used it to automate their analysis and results. And then for my college seasons, I wound up as an apprentice and an assistant for two different Nobel Prize winners. The first guy sequenced the first protein and the second guy, Bruce Merrifield, synthesized the first protein. And I was there, you know, and used computers in his lab to automate that whole process. And along the way was the first guy to synthesize an active immunoglobulin. And of course, all of that got me a scholarship for an M.D. Phd at Case Western Reserve. And then when I was at Case, I was President of the Cleveland Computer Club. I started a software company in my attic trying to do other sorts of things. And when the virus problem came along, I created the first commercial antivirus. It was called Vaccine, but eventually changed its name. We wound up in a booth a few booths down from Steve Jobs at the West Coast Computer Fair. We grew that company, which was called Certus, for a couple of years before McAfee and the other guys came along and we sold it to Symantec and renamed it Norton Antivirus and then grew it in two more years past 300 million bucks. It was the big heydays that everybody likes to hear about.
Paddy Padmanabhan: Yeah. Well, Norton Antivirus. Now, that’s a household name almost.
Peter Tippett: Well, that’s a lot to do with those guys now of course.
Paddy Padmanabhan: Well fascinating story. I do want to spend a few minutes, given your background with software security and antivirus software and so on. I do want to spend a few minutes on this podcast talking about the current state of cybersecurity. You know, healthcare has been the target of cybercriminals for several years now. And my understanding is that it is the favorite industry for cyber-attacks. I read somewhere that the annual cost of healthcare data breaches in the region of four billion dollars and there’s no sign that is abating anytime soon. And four out of five data breaches are attributed to healthcare data breaches, and providers, in particular, are being singled out for these attacks. So, can you kind of break it down for us and tell us what the big issues are today as it relates to information security in healthcare?
Peter Tippett: Yeah, absolutely. Obviously, security is a huge subject. Maybe I can talk you into doing a whole podcast on it down the line. But, you know, security is hard, but it’s really not as hard as we all give it credit for. I’m kind of a scientist in this world and I spent a lot of energy over the last 20-30 years trying to get a sense of how the risk economics really work. And my biggest take home over the years is that we’ve really typically get talked into putting what my mom says is putting the emphasis on the wrong syllable. We have spent a huge amount of money and user equity on things that have very low marginal value and we ignore and allow the simple, inexpensive things that are relatively easy. For example, you mentioned ransomware. The basic solution to that is backup. Nothing fancy. Right. And oddly, using some of these newer information sharing services like my company’s new careMESH offering that gets some of your data accessible in other ways, all by itself is a mitigation for things like ransomware. If you look at the breach science and look at how that works out in risk dollars, there’s really just two things that reduce the overall costs and risk and likelihood of a breach by vast of the majority than all other things combined. The first one is a strong identity, despite what everybody says, making passwords stronger or more complex doesn’t do a squat. But adding a second factor like the code that comes to your phone or a token or whatever, that reduces risk by many, many orders of magnitude. So, turn those things on. That’s really simple. And it is really, hugely strong. The other thing is around network management. Running your own data server and data centers and firewalls and all that stuff is hard and expensive and we’re all error prone. But any one of the cloud providers has a hundredfold more security and ops people than any IT health organizations does. And you know, they have the experience, use the cloud and embrace it. 
Those are the key issues.
Paddy Padmanabhan: Yes. You know, just coincidentally this morning, I was on a Twitter chat with a group of cybersecurity professionals and a couple of things came out of that discussion. And these are very commonsensical type of things. The two big issues that the participants in the chat pointed out were, one, it’s a cultural issue, less of a technology issue, more of a culture issue. And really educating everyone in the organization at every level to be watchful of phishing attacks or to your point, turn on two-factor authentication. It’s a cultural thing. And so, you’ve got to have the right kind of culture to protect yourself against cyber-attacks. The second thing they talked about was in the context of healthcare the business associates are a big point of vulnerability. So, care to comment on those two observations?
Peter Tippett: Yeah. I mean, you know, the power is clearly in the hands of the attacker if you’ve got a million people and you can succeed at one percent opening a phishing email. That one percent is in trouble. So, a big attack surface is how we talk about that. But two-factor authentication works even against phishing attacks. The bad guy gets your password. So, what? Still doesn’t work. So really, really, you have to do both. Don’t spend all your energy worrying about one thing. You need seatbelts and airbags and then speed signs and all the others, and they all work together to really reduce things.
Paddy Padmanabhan: Yeah, OK. I kind of agree with you. We should do a separate podcast down the road just talking about cybersecurity issues. But for today, let’s switch gears here and talk about your company. Tell us about careMESH briefly, the company and the solution you’ve developed and what does a marketplace need you’re trying to address?
Peter Tippett: Yeah. Thanks so much. I’m a doctor. I spent most of my time doing emergency medicine and paying for all these startups by working at night in the ER, but I’ve long been frustrated that doctors can’t simply send a patient record to some other doctor or to some other clinic. It’s like we’re in the years before the internet ever came along. A huge hospital system client of ours reinforced that for me again lately. They worked at this giant referral academic center. They take care of 20-30 percent of their patients come from more than 25 miles away. You know, when they send those patients back home, half of those doctors get a two-page fax. And the other half get two pages sent to them in the US mail. I’m not kidding. The likelihood of getting a digital record outside of that 25 or 30-mile range is nearly zero. And this is not right. This isn’t how the world should work. It drives the doctors nuts on both ends. It drives the patients crazy. Even the average hospital is not at that pinnacle of referrals to the world where two-thirds of their community doctors are using a different EHR than the hospital. Less than 20 percent of those outside doctors routinely get digital-only useful patient data. And almost none of them can communicate back and forth with a big hospital or the doctors or whatever. So careMESH came along to change all of that. We decided to make a set of global national, you know, secure services that don’t require complex IT infrastructure. So, hospitals can easily discharge patients or send referrals right from their own EHR to any physician or practice in the country and not make that other end, have to do anything or buy anything or even know who the heck careMESH is. Like when you send a FedEx, they came along with the idea, which was, give it to us and we’ll get it wherever it needs to go, even if it’s on some weird island somewhere that’s our problem.
So, hospitals should be able to simply look up a patient in their own EHR enhanced by our national careMESH provider directory and push the send button or the complete button. So, hospitals can also automate the setting of detailed admission and discharge summaries, not just ADTs and PIDs without requiring the recipient to submit patient panels or log into portals or pull lists of patients or other things like that. So, careMESH is a solution like none other available in the healthcare industry, giving hospitals the ability to quickly and securely send patient records to any outside clinician. Of course, we want to completely embrace the new cloud, compute models and strong identity and modern high-end security and privacy and all that and make those problems go away as well as further participating hospitals. And any big platform can do a lot more than just sending records from hospitals or getting two-way communication going or keeping things digital. Because hospitals need to be able to efficiently share data outside their walls. Care coordination, patient safety, reducing readmissions, unnecessary ER visits, analytics, you know almost everything requires digital communication. So, we want to be complementary to the stuff that already works like HIEs and EMRs. But they just don’t work well enough.
Paddy Padmanabhan: So, it seems like there’s two aspects to what you’re trying to do. One is having a robust provider data management system, process platform where you can go to it as a single source of truth. And it really is the truth as it relates to providing data and then using the same platform or related functionality as a draw on the platform, you’re using it for care coordination, doctor-patient communication and so on and so forth. Am I right? Are these two broad components of your platform?
Peter Tippett: Yeah. We think of it as finding the doctor in the first place or the clinic. I want to send a message to Dr. Smith in Salt Lake City; the patient just knows Dr. Smith right. And figuring out which Dr. Smith and making that part easy from within your own EHR for whoever the clerical or clinical person is. That’s the directory problem. And then once you find the person making it so that just doing whatever you normally do. You know, a doctor’s order to discharge and a clerical person following up with the pieces need to happen to get the record out there or the doctor going into the messenger or the basket or whatever it is in their EHR and finding somebody that’s outside their building and saying, you know, asking them a quick question or something. That’s the directory problem. Then once you find the person, you want all the natural things to happen so that when you hit the complete button or the send button, they actually receive the message and it works. And it’s digital and it helps them at the other end as well. So that’s the delivery problem. Of course, it’s not as easy as all that you’ve got to HIPAA get going and compliance and interoperability and make it easy on the other end and make the reimbursements all happen. Big compliance and incentive payments from PI and all that stuff work. But yeah those are the main two components.
Paddy Padmanabhan: Yeah. Let’s talk about the competitive landscape that you operate in. Provider data management has long been an issue in healthcare. If I recall it right, it’s like a three billion-dollar problem or something like that. There are lots of companies trying to address it and using different technology. You know, there’s one aligned group of companies using blockchain, for instance, to create a single version of truth among other things. And everyone every doctor that I’ve talked to would love to have this single source of truth where they don’t have to keep on credentialing them again and again. They go to this one place where, you know, everybody has it all in one place, and it’s all a single source of truth. But it is a competitive landscape and lots of people are trying to solve this problem as well. At the same time, it comes to the other aspects of your platform, the care coordination, the messaging for the EHR vendors, Epic, Cerner, big tech firms. How do you see yourselves in this competitive landscape and what do you think makes you a little bit different?
Peter Tippett: Yeah. The technology like blockchain versus not seems to me to be pretty relevant. The most important thing is, as you said, figuring out how to solve, I call this “the surround problems.” I wrote one of the chapters in Ed Marx’s book on innovation – ‘Voices of innovation.’ And I know you’re working a little bit with him. What a great project you guys are working on. And it seems to me that things that actually get the job done when there’s a huge legacy installed base of things is not trying to fight the installed base, but trying to complement it to work within the system that’s already there and figure out how to extend it relatively easily. The trend of making programs to decide you’re going to blow up whatever is there and start over again is kind of crazy. So, if you can make a directory, you know, ours is FHIR enabled and it’ll work through a browser or a phone or any of that. But that doesn’t help the hospital. You need to make it so that it just becomes the natural directory that’s used by all the services that already use the directory in the hospital like your Epic in basket or the discharge floors or whatever. It doesn’t make that disappear so that no workflow changes happen. And then you’ve got the other issue. But when you get to the competitive things, I think of this as healthcare is wildly local and always has been. And the technology that follows it has been local as well. So, it’s been really easy to hire a big contractor and spend a million bucks hooking your hospital at the other hospital. After you spend a year planning and you’re doing in a year fixing, it works. But now you’ve got two points connected. Well, you know, if you do the math, there’s five thousand plus hospitals and two or three hundred thousand clinics. That would be two hundred three hundred thousand factorial connections and BAAs and all that. That’s by the way, more than our grains of sand on earth. So, this is stupid. 
This isn’t something that could possibly scale. So, what we need is analogous to what we got when we built the internet. We need a way that everybody can use the same network for all of the basics to not to find the other guy, but also to get something to them without file size limits or anything like that. We need something that works with the EMR vendors and the HIEs and extends their functionality naturally. And we need something that enables all the care coordination platform. I don’t want to build a care coordination platform. I just want to make the ones that are out there actually work for somebody who isn’t involved or some other end that didn’t buy the other end. Making everybody buy both ends of a fax machine or a telephone is nuts. That’s not how those industries evolved and ours can’t get there either.
Paddy Padmanabhan: So how do you build a business case? I understood what you said that you’re working with the existing technology stack solutions that are out there and making them better. So how do you actually build a business case? What do people look for when trying to justify investment in your platform?
Peter Tippett: Yeah. I was on the PITAC, the President’s Information Technology Advisory Committee. I know it’s going on 20 years ago with Baylor and that whole gang. And we said if health, you know, this is a triple aim, in my words, slightly. If health care could only use information technology in rough parity with, the banking or other industries would get three things right. We’d get wildly healthier people and better long lives and all that. We’d get wildly lower costs to our study in the PITAC showed about 70 or 80 billion dollars a year. But the Institute of Medicine came along and did the big study and came to 700 billion dollars a year of savings for the country. And we get an entirely new kind of science. But other than that, it’s, you know, it’s probably not worth doing. So, we’re all married to this, right. And we now have computers everywhere. But there is pain. Everybody hates them. That’s largely because we haven’t had this sharing in the internet part that makes that work. So meaningful use came along we checked our 25, 15 or 20 or 10 or 16 boxes and got our checks. And now it’s switched to PI, promoting interoperability. And the PI penalties are real. Two of the six criteria are called referral loops or HIE measures or, you know, getting your care coordination going. They explicitly require getting of facts for a large proportion of referrals and discharge and transitions of care out of your own organization, 40 of the 50 points you need for PI and that’s 2 percent or 3 percent of your hospital payments from Medicare. So that, you know, for a medium or a bigger hospital, that’s 5, 10, 15 million bucks a penalty. So, there’s real meat now behind some of those and those the screws are tightening a little bit on that arena. And so, there’s some value there. We see the biggest value for getting this working, you know, the two thirds or three quarters or whatever it is of doctors and clinics that don’t work for you in a hospital. 
We really need to coordinate with these guys. In the past, we’ve ignored the people on the other side. But now that we’ve fixed the inside and it’s possible to do all the basics in the hospital, now it’s time to sort of extend. I hear this all the time from the CIOs. We’ve spent the last five years making this work at all. Now if we can only get the outside provider’s data and get them engaged and make it so that their job is easier and maybe make it so that they get some PI benefit or efficiency benefit, we’re still spending a huge amount of our time on the telephone and waiting around for the other doctor to talk to the other doctor or hiring a massive care coordinators to call and to show up at eight o’clock every morning and dial for dollars. And this is all nuts. This is 20 years ago. The internet fixed that for other industries. And it’s easy enough to find the efficiency value of tightening up your referral network and getting above 50, 60 percent referral leakage. And, you know 2, 3, 5 percent improvements in referral leakage add up to many millions of dollars of new revenues for a hospital.
Paddy Padmanabhan: Yeah, it’s very interesting. You mentioned banking and you mentioned how other industries are much further ahead. And John Glaser, who is the former CIO of Partners Healthcare, who is on my board of advisors, he wrote an article about this in the Harvard Business Review, where he pointed to this exact same contrast between banking and healthcare. And he makes the argument that you don’t have to do the whole hog, do everything the banking has done. But even if you do it selectively and move the needle, there are significant gains to be had. And one of my other guests on the podcast, Daniel Barchi, who is the CIO of NewYork-Presbyterian, he made a very telling comment, he said we have really low thresholds today for digital engagement in healthcare. If somebody uses an online platform just to schedule an appointment that counts as digital engagement and that counts towards digital-enablement patients, and it can qualify you PO points for all kinds of incentives or conversely, penalties as the case may be. Healthcare I think is very unique in that regard because it is a system of incentives and penalties that are driving in many ways digital adoption. Is that a fair statement?
Peter Tippett: Yeah, I think so. You know, I think that the regulators have the right end game in mind. And I think that the knobs are roughly aligned and reasonably aligned. But nobody no business aligns themselves around regulatory incentives unless it’s also valuable to the business. I’ve had I can’t tell you how many CIO discussions I’ve had where they said, why aren’t you worried about this three-million-dollar penalty? And the answer is, if I spend so much of my energy worrying about that I wouldn’t do my business. We have to solve our real problems inside the business. And if we can make it align with getting two or three or million dollars or 10 or whatever it is, the feds fine, right? But it can’t be the principal driver. And so, the argument in banking is they’ve got a simpler data set than we do in healthcare, and that’s true. But tearing things down to the simple issue, you know, meds, problems, allergies, and demographics get that actually working, make it actually digital and get it sharing in both directions and make it work easily, whether at the other end is using a browser or there’s hundreds of EMR as it might be when your brother in law invented and there are twelve other users in the country that you still have to make it work with whatever the other guy is using and getting down to the basics and making the communication work at a really basic level is the key. And you know, once the basics are working, it’s easy enough to extend those a little bit.
Paddy Padmanabhan: Yeah. So, we are at the close here Peter. I would just love to hear your thoughts on what you’re seeing, your customers and health systems, in general, investing in as it relates to digital transformation. What are the top two or three things that you think that you see them focused on?
Peter Tippett: Yeah, I think that as a community, the health systems and IT activities in hospitals and bigger health systems has gotten the inside job pretty well under control. They are feeling like they’ve got, you know, actual functional EMRs, EHRs that actually do the basics and people are being productive with them on the inside. And so, I think there is a view towards the outside. We call it different names of call care coordination, we call social determinants, we call it enabling, you know, the home health workers, all those. We get lots of different names for all this stuff. In the end, it’s very virtual health. It’s getting, you know, getting the communication working. In the case of B2B, getting it working among providers means that you don’t have to force the patient to carry the record or come get it or be the middleman. And everybody wants the patient to have the data and be able to deal with it. But none of us make it. It doesn’t make a lot of sense to force the patient to be the connectivity link. So, I think that we’re getting towards this place in our world where we are enabling the communications. These platforms like Carequality and the national sharing platform they’re getting some traction. The vendor platforms by Epic and others, they’re getting good traction. They enable good pieces of what needs to happen. But they don’t enable two-way communication. They don’t enable messaging. They don’t often enable giant things like x rays, sharing or other pieces. They often don’t enable a little guy very well on the oddball platform. And so, you know, providing the glue that sort of fills in the gaps between the stuff that does work seems to me to be the place to be. And I think the venture community and the venture incubators and hospitals and health systems and those kinds of groups, they’re really a powerhouse. They’re the ones that can get the little startup guys and the new innovation guys. They can keep them on track.
They can give them the focus they need because all kinds of people have good ideas. But all of us inside, you know, we largely are scientists in this world and businesspeople and the venture world in an incubator, they’re supposed to be experienced. And the good ones do help focus on actually making the change happen.
Paddy Padmanabhan: That’s said. In fact, in my recent podcast, I had a couple of senior executives from Epic and kind pretty much said the same thing that you just said, at least in terms of their product, focus on their platform, focus in terms of facilitating the seamless exchange of information, if you will. Well, Peter it has been such a pleasure speaking. There’s a lot that we can talk about and hope to carry on with the conversation and have you back on our podcast sometime soon. In the meantime, I wish your company, careMESH, and your team all the very best and look forward to staying in touch.
Peter Tippett: Great. Thanks so much.
About our guest
Dr. Peter Tippett is Founder and CEO of careMESH, former Chief Medical Officer of Verizon, and a leader in Health IT transformation, information security and regulatory compliance. Among other start-ups, Tippett created the first commercial anti-virus product, which became Norton, and founded TruSecure and CyberTrust. He was a member of the President’s Information Technology Advisory Committee (PITAC) under G.W. Bush and served with both the Clinton Health Matters and NIH Precision Medicine initiatives.
Tippett is a physician, board-certified in internal medicine, and was Research Assistant to R.B. Merrifield (Nobel Prize, 1984) and Stanford Moore (Nobel Prize, 1972) at Rockefeller University. He received a PhD in Biochemistry and an M.D. from Case Western Reserve University, and a B.S. in Biology from Kalamazoo College.
Throughout his career, Tippett has received numerous awards and recognitions, including E&Y Entrepreneur of the Year and the U.S. Chamber of Commerce “Leadership in Health Care Award,” and was named one of the 25 most influential CTOs by InfoWorld.
About the host
Paddy is the co-author of Healthcare Digital Transformation – How Consumerism, Technology and Pandemic are Accelerating the Future (Taylor & Francis, Aug 2020), along with Edward W. Marx. Paddy is also the author of the best-selling book The Big Unlock – Harnessing Data and Growing Digital Health Businesses in a Value-based Care Era (Archway Publishing, 2017). He is the host of the highly subscribed The Big Unlock podcast on digital transformation in healthcare featuring C-level executives from the healthcare and technology sectors. He is widely published and has a by-lined column in CIO Magazine and other respected industry publications.