64: Dave Ledoux: “I’m ready to pivot at any time”
by Sara Nguyen
Episode 64 of HIPAA Critical features an interview with Dave Ledoux, CIO of Innovive Health.
Hannah Trum: I’m Hannah Trum, and this is the HIPAA Critical podcast from Paubox, where we discuss security, technology, and compliance news with healthcare industry leaders.
The need for the healthcare industry to leave antiquated technology and security practices behind is ever-present. But if our industry learned anything during the pandemic, it’s this: Healthcare has to be accessible and easy to consume. The days of a one-size-fits-most approach when giving patient care, especially mental health care, are coming to an end.
My guest today, Dave Ledoux, understands and welcomes this reality. Dave is the CIO of Innovive Health, and as he says, “Captain Cloud”. During his tenure, he’s pretty much done it all: updated their InfoSec stack, migrated from hard copies to the cloud, and reduced overall technology spend.
Now he’s working to support and advise a leap into a data-driven approach to patient care, a topic we cover today, along with selling cybersecurity to the C-suite, how AI will be helpful in healthcare, and the challenges of an organizational rebranding from a tech standpoint.
Dave, I am so glad to have you on HIPAA Critical today. You are one of my favorite people to talk to, especially about cybersecurity. So I’d like to go ahead and jump in.
Your company has recently done a name change and a mission change. So I’d like to talk about that a little bit. What kind of challenges does your team face on the technical side of the brand change from Nozomi to Innovive?
Dave Ledoux: I can tell you as an officer of the company, before I get to the technical part, I had no idea of the legal layers in changing your name. If I imagine stars in the past like Prince and Kanye currently, the legal battle is really, really challenging.
Like you can’t just lay a DBA in there and start sending out bills in healthcare, and then add in tax-paid health care. There are so many agencies which have to sign off on you proceeding.
I was partly participating in that, because a lot of those were tied to our tech systems, but I was very surprised. I don’t think we’ll do this again.
Hannah: Well, I would hope not.
Dave: Yeah, we’ll stick with Innovive.
On the technical side, it was far less challenging, to be honest. It was challenging in the sense that we had to line up 15+ moving parts to kind of happen in a very specific timeline. So we picked a Sunday, late at night, to match with the billing cycle and to match with a low spot in our user activity. So we do home care, and we do the same amount of visits every day of the year. So on a Tuesday, we do just as many visits as we do on Christmas Day. So there is no real weekend or vacation, so to speak.
The reality of the tech side really is that as an entirely cloud-based company, I had to cut over all of my tenant URLs in a very narrow timeline. And that starts with Microsoft and cascades to the other cloud platforms. Since they’re cloud-based, everything functions really on a URL. So if I’m opening a Word document, for instance, behind that is the box URL, which now has to point to a new tenant.
Some companies do much better, they have what’s called spoofing. And so it has to be approved by them. Spoofing, of course, is a word that Paubox uses quite a bit. It’s a bad thing, generally. But when you cut over and you legally own both names, you’re allowed to spoof your old name to your new name. The companies that do that, thank you. It is fantastic. The companies that don’t, please consider it.
Hannah: You mentioned the cloud, and I know that when you first joined your company, moving everything to the cloud was like your big first challenge. Why do you think transitioning data servers and assets to the cloud is so important, especially in healthcare?
Dave: The two biggest words are scale and cost. You’re absolutely correct. When I showed up here, we were entirely terrestrial other than having a Microsoft 365 hybrid tenant. So partly in the cloud, and the cost was huge. Tracking costs were extremely expensive. We happen to have, irrespective of cloud or terrestrial, we had all sorts of redundant systems layered over top of each other.
And so in the cleanup, I noticed that moving to subscription models allowed far better licensing control. You’re not buying a real block of licenses, you’re buying a virtual, as-you-need chunk of license so you can (have) an elastic platform. And the scale is the most important part.
If I have a server that sits in a closet, in a building, whether it’s a data center, or whether that’s one of my offices, then I have to buy more of those as I grow. If I have an allocation that sits in AWS or Azure, then I just step on the throttle and they give me more. As a company that has our eye on national growth actively in process, scale is very important.
Hannah: So the cloud helps you achieve that at a lower cost with higher performance.
Dave: It does. Yep. To put it very succinctly.
Hannah: I like to do that. So when I was doing some research on Innovive, I noticed that you have taken a big switch into providing telehealth all the time. Health care never stops, mental health never stops, so providing health care to patients at their homes via telehealth or other services can increase your attack surface. How is your department updating or changing its training with this new mission in mind?
Dave: So in our market space, your research is on point. Specific to Innovive Health, our patient base, which is nearly exclusively mental health…very, very small variances from that patient base.
Telehealth is a tough sell. Primarily because the interface really kind of creates a point of confusion. So for instance, when I first started here, I went on some visits with our clinicians to get an idea of what I’m dealing with. I’m going to tell them to carry device X and press these things in the field, like what does the field look like?
And the very first patient was a paranoid schizophrenic among comorbidities, she also had diabetes, etc, some other conditions as well. And it took us – and I’m not joking here, Hannah – took us over 40 minutes to get into the front door. Her paranoid schizophrenia had her convinced that someone was attacking her. And the door was barricaded. There were multiple chairs and all that stuff. And so imagining a device beeping and saying, “Take your pills now” could trigger such an event.
Hannah: Yes, definitely.
Dave: So the good news on the telehealth side is that the billing pathway has opened as a result of the pandemic. Prior, telehealth was kind of a fun thing for people to dabble in. And now you can actually get paid for it.
Specific to our space in mental health, we’re a bit far from having a device that is either sufficiently interactive for such a person, or having that connect directly to our in-person care with any real success.
Hannah: But it is something that y’all are working on trying…that’s kind of your mission going forward for maybe the next decade, at least?
Dave: Yeah, I would shorten that probably to five years. I would say real success, like “Everyone’s using it all the time. We love it. It’s the standard thing” in 10 years for sure. And so working on it falls into a couple of categories. Yes, I am actively testing devices, and helping shape where they go. And then on the payment side or the payer sources are actively working on how do we make this something that we embrace, rather than just kind of accept if you push for it?
Hannah: So from the tech side, how did you weigh the pros and cons of being data-driven with your patient care with the rest of the C-suite? You know, from a technical and security standpoint, that’s a lot of HIPAA violations that could happen. So how did you sell the need for the technology and the privacy to the rest of your team?
Dave: It is. It’s a smart piece of insight that…there are a lot of points of HIPAA violations. You’re right.
Hannah: That’s a lot of human endpoints.
Dave: Yeah. And something that gets charged per line. So I mean, one errant email and we’re in trouble. So since that cost is kind of easily grasped, especially with my CFO who I have a great relationship with. I’m a big cost center for him, so I get to know him very well.
Hannah: I work in marketing, so I’m always the cost center for the CFO.
Dave: “Yep, I’ve got another one for you.” “Okay, come on in, Dave.” So justifying it at the finance office is pretty straightforward. Because I can show I need to spend, let’s say 100 grand here, because that’s going to prevent, at any time, spending 5 million, the penalty.
But for a more specific perspective, getting into how we spend that money and where it gets spent, such as Paubox, such as having encrypted tenants for all of our cloud providers, a BAA in place everywhere, and the danger of having a non-encrypted provider that won’t sign a BAA.
And so it’s challenging because everyone wants a lower cost. And everyone wants quick and easy, they want to deploy by Monday, we’re talking about it on a Friday and having all those ducks in a row slows that down. You get better and better at these conversations, but I’ll say that they never become really easy.
Hannah: Yes, proving your ROI over something that’s not tangible. Like just trust me that you need this invisible cybersecurity help because it will be so costly if we don’t.
Dave: If you look forward, in this current world, the exposure is only greater. Like basically, there will never be less attack surface than there is now.
Hannah: There will never be less people on the Internet than there are today.
Dave: Bingo. Or nefarious players looking to take you down.
Hannah: Exactly. So are y’all expanding your cybersecurity stack to help mitigate this risk that’s caused by using more data for your patient care?
Dave: A little. We’re in pretty good shape. And I did a lot of that expansion in the last couple of years. And so I’ll say cautiously I like where I am now. But it is something that is kind of under constant review. It’s very different from “Do we go Microsoft, or G Suite?” Well, that’s kind of like, you settle. And you really kind of stay in that groove for a long time, generally.
Whereas cybersecurity is something like every week, you’re reading and testing, and you’re always demo-ing stuff like, “Do you have a better thing?” Or “Is it worth more money with a different direction?” So I’m not actively expanding currently, other than I keep my ear very close to the ground. I am ready to pivot anytime, for sure.
Hannah: How does this 24/7 approach to mental health affect that technology or InfoSec policies that you’ll have for your customers, for your consumers, or for anyone, basically, that’s working with y’all?
Dave: We have an interesting profile in the sense that the patients we treat I wouldn’t consider our customers because they don’t pay us. We have the practitioner, and then we have the payer source, and we are the provider. The patient receives the service, and the money comes from elsewhere. It’s interesting because we think about that as the customer, that’s a much larger entity than trying to make it. We are absolutely a B2B platform with kind of a C below it. We have to take care of the C, but the B is where the money comes from. And they are a large entity, generally a national player and all that stuff.
So that kind of drives our always-on nature. And that’s where our 24/7 comes from. Because the customer side is limited to a daytime visit. We do visit seven days a week, but they are restricted to a daytime visit. Whereas the payer source, the other B, they never really turn off.
If we go back to the start, it really drives a lot of my cloud platforms, because rather than having what I would consider original redundancy for terrestrial, where I’ve got maybe a second server to fail over to, I want to have true cloud where there’s just servers everywhere.
I need no less than 10 natural disasters to even put a dent in the performance of what I’ve got available. Because I do have people – my employees working quite often in the middle of the night. I’ve got visits starting as early as 7am, and so I’ve got employees preparing them before 7am. I’ve got visits occurring as late as 9pm, which might go to midnight. We really are – even though we’ve got kind of office hours of sorts – we really are 24/7 as a company, even though the visits don’t take place then.
My policies have to be for the most part autonomous. My platforms have to be able to function and self-heal a little bit because I don’t have a large team. I don’t have someone on my team who’s awake at 2am unless they have to be. We do that sometimes like when we’re cutting over to a new name, for instance.
I can’t really go with a small provider with a button-press kind of platform. I have to have something that really can learn three items in, and I have to have systems that can self-heal. And I also have to have teams ideally that are only on my timezone. It’s nice having the hour shifts either way. You don’t have to kind of keep me in this country, but having the West Coast involved is a very big hit.
Hannah: Yes, yes. And you also said self-healing, which is something a previous guest of mine, Su Bajaj has said about email AI. So can you explain how you think email AI and self-healing can really help cybersecurity – not just at your company, but at any company?
Dave: Sure. If we can have intelligent systems that can, for instance,…I want to be able to set policies for approving an outbound email by a DLP platform. I don’t want to have that be a manual human-being approval. So first of all, it would go into an approval tray based on terms that I set. But secondarily, I want AI to learn, based on past approvals by humans, what it can then autonomously approve going forward.
Right now I have less humans involved. Because generally, any smart platform can figure this out. There are going to be repetitive approvals in there that fit a pattern. Let’s have AI detect those patterns and move forward based on those.
Now there is a danger when you’re dealing with it, but this is different than approving a purchase for a widget. That has kind of a lower impact. Like maybe a $25 item gets out the door. It shouldn’t have – that’s okay. We can learn from that and not do that again. Sending the wrong medication to the wrong patient has a different impact.
AI can get there. But there’s gonna be a big huge magnifying lens. Like let’s have a whole sandbox with a whole patient load and let’s watch it work in there before we really start testing on humans and just apologize because there’s no room for that there.
Hannah: There is no room for error when you’re doing it with actual humans. So would you say that you think self-healing like an email AI perspective is really where healthcare needs to go in the future in the next 10 to 15 years?
Dave: I would say without question it needs to. We are talking about an industry that still uses paper faxes. I am extremely cautious after having spent a few years in the healthcare industry, as a provider, that we can get there. I’ll never stop trying, it doesn’t discourage me, but I am realistic.
Hannah: So how would you sell the importance of good InfoSec hygiene or email AI to the rest of your senior management? But for anyone that’s listening, if they’re trying to get their senior management on board with this, how would you sell it to them?
Dave: That’s the right question. I don’t think the answer is… there’s no elevator pitch for that. As far as I’m concerned – as much as I love people, I’m a person myself – I love reducing the amount of stuff that people have to do in a repetitive nature, I think that’s such a waste of our time.
This entire chat that we’re having is all original content. You can’t automate a podcast with different people. I would hate to have that task load for any person. So imagine what a machine does, and imagine a person feeding the machine, imagine that, and I want a cloud electronic platform…like that notion of that working perfectly with self-healing AI, very quickly, smart learning AI, I think it’s an easy sell.
The problem is since we’re not there it’s a little bit like selling better oxygen. It’s like the concept is fantastic. And the reality of it happening is probably 10 times as good as the concept. Having it not be there is I think the challenge in front of us.
Hannah: What kind of ransomware schemes or scares have you witnessed in this last year?
Dave: This may just get past the year line, but a significant partner of ours was taken down for weeks at a time. So they had someone who sat, unfortunately, at the core server and clicked the link, and all servers were encrypted and locked, and they were hard down for about six weeks.
Hannah: That’s awful.
Dave: We are a customer of theirs, and we had to revert in some areas to a paper process. A paper basement layer is built so you can go back there if you do. It was horrible. Internally, it was embarrassing. Externally, like we function as a business was fine. But it was just like how can this happen? How can everything pivot around that? For us, it happened to be our EMR. So you don’t really have a backup EMR. You can’t do that. And nor can you have a running copy of it. It just doesn’t work that way.
So that was critical. That was, for us, that was really, really, really super ultra bad.
Other stuff that I’ve come across. Luckily, we’ve had no impact. By the way, I can maybe pat myself a little bit on the back. I can compliment Paubox. I think the best defense is not letting someone see something. Because humans, me included, are gonna get caught. Like their stuff is too good. Everyone’s got a gift card number that they are interested in, right?
Hannah: I just recorded another episode with Aja Anderson, our Paubox Customer Success Manager. We were talking about how we both got text messages that said your Bank of America account is compromised, and she was like, “Oh, my God,” because she just made a purchase. But I was sitting on my couch, and I was like I don’t have Bank of America. I know this is fake, but I know that someone will fall for it because everyone has Bank of America, right? It only takes one time.
Dave: Sure. They work on percentages. So if you send out a message at whatever time or whatever day some percentage of people are going to be busy enough that they’re going to just click on it to make it go away. Percentage…Bank of America is certainly a percentage player in the market. So send out that and you’ve got enough people they’re gonna say, “Well, I don’t want my account locked. I will click on this.”
Send out an Apple notification. There’s enough Apple people in this country that they could just work down the list. The danger is real and if you get the right person sitting at the right device with the right amount of privileges, an entire company can get taken down. That’s what we experienced. It was just brutal. I had no idea that a company of our size could function mostly on paper on a billable side of the company.
Hannah: It makes you think about if the Internet died.
Dave: It does. And it’s funny because that brought up a lot of conversations in my office about every system. People kind of went into panic mode. Do we have a backup for… 30 things?
Let’s think about this. Some of them were kind of easier answers, but I can’t really have a whole secondary phone system. How would we tell everyone what the new number is? Some things don’t back up. That means I can’t have a whole second HIPAA-certified email system that is hot and ready to serve. By the time we cut over to these things everything will be fixed.
Hannah: Yes, yes. And then talk about a cost load. Like talk about selling cybersecurity to the C-suite: “Hey, we need this. But then we also need this maybe backup if the internet dies.” Do you have any last-minute tips or anything for any of our listeners today?
Dave: I would say a broad tip about anything cloud-related is keep an eye on your cost structure. Subscription-based services have a downside of sometimes surprising you. AWS can scale exponentially. Now if you’re not aware that you have a process that is scaling exponentially, then your cost will scale exponentially. And that next bill will be a surprise.
That’s where I see the most common mistakes. It’s easier to say I bought 10 licenses, and I own them. But to buy as many licenses as you need with automatic scaling autonomously, it can be dangerous. So you might not realize that you had something that was stuck and behind the scenes hired 10,000 people.
On a security side I would say it is far, far, far easier to do your homework ahead of time than it is to have a great recovery plan.
Hannah: For more information about the topics Dave and I covered in this episode, please head to paubox.com/blog or you can view the transcript for other helpful links. Every episode of HIPAA Critical is available on paubox.com or via Apple Podcasts, Spotify, iHeartRadio, Stitcher, Amazon Music or wherever you listen.
Thank you for tuning in to another episode of HIPAA Critical; I’m your host, Hannah Trum, signing off.