Monday, May 27, 2024

Your Water, or Your Life

Matthew Holt, publisher of The Health Care Blog, thinks I worry too much about too many things. He’s probably right. But here’s one worry I’d be remiss in not alerting people to: your water supply is not as safe – not nearly as safe – as you probably assume it is.


I’m not talking about the danger of lead pipes. I’m not even talking about the danger of microplastics in your water. I’ve warned about both of those before (and I’m still worried about them). No, I’m worried we’re not taking the danger of cyberattacks against our water systems seriously enough.

A week ago the EPA issued an enforcement alert about cybersecurity vulnerabilities and threats to community drinking water systems. This was a day after EPA head Michael Regan and National Security Advisor Jake Sullivan sent a letter to all U.S. governors warning them of “disabling cyberattacks” on water and wastewater systems, and urging them to cooperate in safeguarding those infrastructures.

“Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices,” the letter warned. It specifically cited known state-sponsored attacks from Iran and China.

The enforcement alert elaborated:

Cyberattacks against CWSs are increasing in frequency and severity across the country. Based on actual incidents we know that a cyberattack on a vulnerable water system may allow an adversary to manipulate operational technology, which could cause significant adverse consequences for both the utility and drinking water consumers. Possible impacts include disrupting the treatment, distribution, and storage of water for the community, damaging pumps and valves, and altering the levels of chemicals to hazardous amounts.

NextGov/FCW paints a grim picture of how vulnerable our water systems are:

Multiple nation-state adversaries have been able to breach water infrastructure around the country. China has been deploying its extensive and pervasive Volt Typhoon hacking collective, burrowing into vast critical infrastructure segments and positioning along compromised internet routing equipment to stage further attacks, national security officials have previously said.

In November, IRGC-backed cyber operatives broke into industrial water treatment controls and targeted programmable logic controllers made by Israeli firm Unitronics. Most recently, Russia-linked hackers were confirmed to have breached a slew of rural U.S. water systems, at times posing physical safety threats.

Aftermath of a cyberattack on The Municipal Water Authority of Aliquippa. Credit: MWAA

We shouldn’t be surprised by these attacks. We’ve come to learn that China, Iran, North Korea, and Russia have highly sophisticated cyber teams, but, when it comes to water systems, it turns out the attacks don’t have to be all that sophisticated. The EPA noted that over 70% of water systems it inspected did not fully comply with security standards, including basic protections such as not allowing default passwords.

NextGov/FCW pointed out that last October the EPA was forced to rescind requirements that water agencies at least evaluate their cyber defenses, due to legal challenges from several (red) states and the American Water Works Association. Take that in. I’ll bet China, Iran, and others are evaluating them.

“In an ideal world ... we would like everybody to have a baseline level of cybersecurity and be able to confirm that they have that,” Alan Roberson, executive director of the Association of State Drinking Water Administrators, told AP. “But that’s a long ways away.”

Tom Kellermann, SVP of Cyber Strategy at Contrast Security, told Security Magazine: “The safety of the U.S. water supply is in jeopardy. Rogue nation states are frequently targeting these critical infrastructures, and soon we will experience a life-threatening event.” That doesn’t sound like a long ways away.

Similarly, Professor Blair Feltmate, an expert in water systems at the University of Waterloo in Canada, told Newsweek: “The U.S. Southwest is on the edge of being out of water, due to a combination of climate-change driven extreme heat, growing drought and excess demand. Nonetheless, survival in the Southwest depends on this increasingly precarious water supply—as such, cyber bad guys will likely target this region using a 'kick 'em while they are down' logic.”

On the other hand, David Reckhow, Emeritus professor at UMass Amherst, also told Newsweek: “All community water systems are somewhat vulnerable to intentional contamination, but it's unlikely that cyberattack would result in a serious compromise in water quality or public health. On the other hand, a cyberattack could result in financial difficulties.”

In the interim, the EPA plans to increase the number of planned inspections, but EPA spokesperson Jeffrey Landis admitted to CNN the agency is “not receiving additional resources to support this effort.” It has 88 credentialled inspectors; there are something like 50,000 community water systems. Those are not encouraging ratios. I’ll bet Iran’s IRGC and China’s Volt Typhoon have more than 88 hackers…each.

Part of the problem is that many water systems just haven’t seen cybersecurity as key to what they do. Amy Hardberger, a water expert at Texas Tech University, told CBS News: “Certainly, cybersecurity is part of that, but that's never been their primary expertise. So, now you're asking a water utility to develop this whole new sort of department.”

Yes, we are.

I hope a lot of water systems take this. Credit: EPA

Frank Ury, president of the board of the Santa Margarita Water District in southern California, told The Wall Street Journal that he’s worried hackers might have penetrated systems and are lying dormant until a coordinated attack. Jake Margolis, Chief Information Security Officer of The Metropolitan Water District of Southern California, agrees, and warns: “Even if you’re doing everything right, it’s still not enough.” And we’re not even doing everything right.

It’s not as though water systems are all that robust generally. Drinking water infrastructure got a C- in the last ASCE Infrastructure Report Card, with the acknowledgement: “Unfortunately, the system is aging and underfunded.” It could have added: “and woefully unprepared for cyberattacks.”

So, we could have our water shut off, or made undrinkable through changes to how the water is processed. We’ve seen how corporations respond to ransom demands when, say, data is held hostage; what would we agree to in order to get safe water back? We worry about missiles carrying bombs or chemical weapons, so why aren’t we more worried about attacks on the safety of our water?

And, in case you were wondering, water infrastructure is not the only infrastructure vulnerable to cyberattacks; the electric grid and even dams have been targeted. But safe water is about as basic a need as there is.

Safe water was one of the greatest public health triumphs of the 20th century. Let’s hope we can keep it safe in the 21st century.  

Monday, May 20, 2024

Getting the Future of Healthcare Wrong

Sure, there’s lots of A.I. hype to talk about (e.g., the AI regulation proposed by Chuck Schumer, or the latest updates from Microsoft, Google, and OpenAI) but a recent column by Wall Street Journal tech writer Christopher Mims – What I Got Wrong in a Decade of Predicting the Future of Tech – reminded me how easily we get overexcited by such things.

The future? Maybe. Credit: Gerd Altmann from Pixabay

I did my own mea culpa about my predictions for healthcare a couple of years ago, but since Mr. Mims is both smarter and a better writer than I am, I’ll use his structure and some of his words to try to apply them to healthcare.

Mr. Mims offers five key learnings:

  1. Disruption is overrated
  2. Human factors are everything
  3. We’re all susceptible to this one kind of tech B.S.
  4. Tech bubbles are useful even when they’re wasteful
  5. We’ve got more power than we think

Let’s take each of these in turn and see how they relate not just to tech but also to healthcare.

Disruption is overrated

“It’s not that disruption never happens,” Mr. Mims clarifies. “It just doesn’t happen nearly as often as we’ve been led to believe.” Well, no kidding. I’ve been in healthcare for longer than I care to admit, and I’ve lost count of all the “disruptions” we were promised.

The fact of the matter is that healthcare is a huge part of the economy. Trillions of dollars are at stake, not to mention millions of jobs and hundreds of billions of profits. Healthcare is too big to fail, and possibly too big to disrupt in any meaningful way.

If some super genius came along and offered us a simple solution that would radically improve our health but slash more than half of that spending and most of those jobs, I honestly am not sure we’d take the offer. Healthcare likes its disruption in manageable gulps, and disruptors often have their eye more on their share of those trillions than on reducing them.

For better or worse, change in healthcare usually comes in small increments.

Yeah, most disruption is just talk. Credit: Eden Costantino on Unsplash

Human factors are everything

“But what’s most often holding back mass adoption of a technology is our humanity,” Mr. Mims points out. “The challenge of getting people to change their ways is the reason that adoption of new tech is always much slower than it would be if we were all coldly rational utilitarians bent solely on maximizing our productivity or pleasure.” 

Boy, this hits the healthcare head on the nail. If we all simply ate better, exercised more, slept better, and spent less time on our screens, our health and our healthcare system would be very different. It’s not rocket science, but it is proven science.

But we don’t. We like our short-cuts, we don’t like personal inconvenience, and why skip the Krispy Kreme when we can just take Wegovy? Figure out how to motivate people to take more charge of their health: that’d be disruption.

We’re all susceptible to this one kind of tech B.S.

Mr. Mims believes: “Tech is, to put it bluntly, full of people lying to themselves,” although he is careful to add: “It’s usually not malicious.” That’s true in healthcare as well. I’ve known many healthcare innovators, and almost without exception they are true believers in what they are proposing. The good ones get others to buy into their vision. The great ones actually make some changes, albeit rarely quite as profoundly as hoped.

But just because someone believes something strongly and articulates it very well doesn’t mean it’s true. I’d like to see significant changes as much as anyone, and more than most, and I know I’m too often guilty of looking for what Mr. Mims calls “the winning lottery ticket” when it comes to healthcare innovation, even though I know the lottery is a sucker’s bet.

To paraphrase Ronald Reagan (!), hope but verify.

Tech bubbles are useful even when they’re wasteful

Healthcare has its bubbles as well, many but not all of them tech related. How many health start-ups over the last twenty years can you name that did not survive, much less make a mark on the healthcare system? How many billions of investments do they represent?

But, as Mr. Mims recounts Bill Gates once saying, “most startups were ‘silly’ and would go bankrupt, but that the handful of ideas—he specifically said ideas, and not companies—that persist would later prove to be ‘really important.’”

The trick, in healthcare as in tech, is separating the proverbial wheat from the chaff, both in terms of what ideas deserve to persist and in which people/organizations can actually make them work. There are good new ideas out there, some of which could be really important.

Finding the right idea matters. Credit: Bing Image Creator

We’ve got more power than we think

Many of us feel helpless when encountering the healthcare system. It’s too big, too complicated, too impersonal, and too full of specialized knowledge for us to have the kind of agency we might like.

Mr. Mims’ advice, when it comes to tech, is: “Collectively, we have agency over how new tech is developed, released, and used, and we’d be foolish not to use it.” The same is true with healthcare. We can be the patient patients our healthcare system has come to expect, or we can be the assertive ones that it will have to deal with.

I think about people like Dave deBronkart or the late Casey Quinlan when it comes to demanding our own data. I think about Andrea Downing and The Light Collective when it comes to privacy rights. I think about all the biohackers who are not waiting for the healthcare system to catch up on how to apply the latest tech to their health. And I think about all those patient advocates – too numerous to name – who are insisting on respect from the healthcare system and a meaningful role in managing their health.

Yes, we’ve got way more power than we think. Use it.

------------

Mr. Mims is humble in admitting that he fell for some people, ideas, gadgets, and services that perhaps he shouldn’t. The key thing he does, though, to use his words, is “paying attention to what’s just over the horizon.” We should all be trying to do that, and doing our best to prepare for it.

My horizon is what a 22nd century healthcare system could, will and should look like. I’m not willing to settle for what our early 21st century one does. I expect I’ll continue to get a lot wrong but I’m still going to try.

 

Monday, May 13, 2024

It's the Administrators, Stupid

Universities are having a hard time lately. They’re beset with protests the like of which we’ve not seen since the Vietnam War days, with animated crowds, sit-ins, violent clashes with police or counter protesters, even storming of administration buildings. Classes and commencements have been cancelled. Presidents of some leading universities seemed unable to clearly denounce antisemitism or calls for genocide when asked to do so in Congressional hearings. Protesters walked out on Jerry Seinfeld’s commencement speech; for heaven’s sake – who walks out on Jerry Seinfeld?

Administrators in Meeting World. Credit: Bing Image Creator

Derek Thompson wrote a great piece for The Atlantic that tries to pinpoint the source problem: No One Knows What Universities Are For. The sub-title sums up his thesis: “Bureaucratic bloat has siphoned power away from instructors and researchers.” As I was nodding along with most of his points, I found myself also thinking: he might as well be talking about healthcare.

Mr. Thompson starts by citing a satirical piece in The Washington Post, in which Gary Smith, an economics professor at Pomona College, argues that, based on historical trends in the growth of administration staff, the college would be best served by gradually eliminating faculty and even students. The college’s endowment could then be used just to pay the administrators.

“And just like that,” Professor Smith says, “the college would be rid of two nuisances at once. Administrators could do what administrators do — hold meetings, codify rules, debate policy, give and attend workshops, and organize social events — without having to deal with whiny students and grumpy professors.”

It’s humorous, and yet it’s not.

The growth in universities’ administrative staff is widespread. Mr. Thompson acknowledges: “As the modern college has become more complex and multifarious, there are simply more jobs to do.” But that’s not always helping universities’ missions. Political scientist Benjamin Ginsberg, who published The Fall of the Faculty: The Rise of the All-Administrative University and Why It Matters in 2014, told Mr. Thompson: “I often ask myself, What do these people actually do? I think they spend much of their day living in an alternate universe called Meeting World.”


Similarly, Professor Smith told Mr. Thompson it’s all about empire building; as Mr. Thompson describes it: “Administrators are emotionally and financially rewarded if they can hire more people beneath them, and those administrators, in time, will want to increase their own status by hiring more people underneath them. Before long, a human pyramid of bureaucrats has formed to take on jobs of dubious utility.”

All of these administrators add to the well-known problem of runaway college tuition inflation, but a more pernicious problem Mr. Thompson points to is that “it siphons power away from instructors and researchers at institutions that are—theoretically—dedicated to instruction and research.”

The result, Mr. Thompson concludes, is “goal ambiguity.” Gabriel Rossman, a sociologist at UCLA, told him: “The modern university now has so many different jobs to do that it can be hard to tell what its priorities are.” Mr. Thompson worries: “Any institution that finds itself promoting a thousand priorities at once may find it difficult to promote any one of them effectively. In a crisis, goal ambiguity may look like fecklessness or hypocrisy.”

So it is with healthcare.

Anyone who follows healthcare has seen some version of the chart that shows the growth in the number of administrators versus the number of physicians over the last 50 years; the former has skyrocketed, the latter has plodded along. One can – and I have in other forums – quibble over who is being counted as “administrators” in these charts, but the undeniable fact is that there are a huge number of people working in healthcare whose job isn’t, you know, to help patients.

It’s well documented that the U.S. healthcare system is by far the world’s most expensive healthcare system, and that we have, again by far, the highest percent spent on administrative expenses. Just as all the college administrators help keep driving up college tuition, so do all those healthcare administrators keep healthcare spending high.

But, as Mr. Thompson worries about with universities, the bigger problem in healthcare is goal ambiguity. All those people are doing something that someone finds useful, but not necessarily doing things that directly relate to what we tend to think is supposed to be healthcare’s mission, i.e., helping people with their health.

Think about the hospitals suing patients. Think about health insurers denying claims or making doctors/patients jump through predetermination hoops. Think about the “non-profits” who not only have high margins but also get far greater tax breaks than they spend on charity care. Think about healthcare “junk fees” (e.g., facility fees). Think about all the people in healthcare making over a million dollars annually. Think about pharmaceutical companies who keep U.S. drug prices artificially high, just because they can.

As TV’s Don Ohlmeyer once said in a different context: “The answer to all of your questions is: Money.”

Healthcare is full of lofty mission statements and inspiring visions, but it is also too full of people whose jobs don’t directly connect to those and, in fact, may conflict with them. That leads to goal ambiguity.

Mr. Thompson concluded his article:

Complex organizations need to do a lot of different jobs to appease their various stakeholders, and they need to hire people to do those jobs. But there is a value to institutional focus…The ultimate problem isn’t just that too many administrators can make college expensive. It’s that too many administrative functions can make college institutionally incoherent.

Accordingly, I’d argue that the problem in healthcare isn’t that it has too many administrators per se, but that the cumulative total of all those administrators has resulted in healthcare becoming institutionally incoherent.

Famed Chicago columnist Mike Royko once offered a solution to Chicago’s budget problems. “It’s simple,” he said. “You ask city employees what they do. If they say something like ‘I catch criminals’ or ‘I fight fires,’ them you keep. If they say something like ‘I coordinate…’ or ‘I’m the liaison…’, them you fire.”

Healthcare should have that kind of institutional focus, and that focus should be around patients and their health, not around money.

Twenty years ago Gerry Anderson, Uwe Reinhardt, and colleagues posited “It’s the Prices, Stupid” when it came to what distinguished the U.S. healthcare system, but now I’m thinking perhaps it’s the administrators.

Monday, May 6, 2024

You Bet Your Life

America is crazy about gambling. Once you had to gamble illegally with a bookie, or go to Atlantic City or Las Vegas; now 45 states – plus the District of Columbia, Puerto Rico, and the U.S. Virgin Islands – have state lotteries. Since the Supreme Court struck down PASPA, the federal ban on sports betting, 38 states – plus D.C. and Puerto Rico – offer legal sports betting. I didn’t think we could get any crazier, until I saw last week that arcade chain Dave & Buster’s was going to allow betting on some of its games.

Honestly, healthcare may be the only industry upon which you can’t bet, and I’m beginning to think that’s too bad.

It may come to this. Credit: Bing Image Creator

Dave & Buster’s is working with Lucra Sports, a “white-label gamification” technology company. “We’re thrilled to work with Lucra to bring this exciting new gaming platform to our customers,” said Simon Murray, SVP of Entertainment and Attractions at Dave & Buster’s. “This new partnership gives our loyalty members real-time, unrivaled gaming experiences, and reinforces our commitment to continuing to elevate our customer experience through innovative, cutting-edge technology.”

“Friendly competition really is a big fuel for our economy, whether you’re playing golf on Sunday with your buddies, or you’re going to play pickleball or video games or even cornhole at a tailgate. There’s so many ways that you can compete with friends and family, and I think gamifying that and digitizing all this offline stuff that’s happening is a massive opportunity,” Lucra CEO Dylan Robbins told CNN.

Credit: Brodie Brazil

The companies are careful not to describe what they’re doing as gambling; they avoid terms like “bet” or “wager.” Michael Madding, Lucra’s chief operating officer, told The New York Times that the focus was on “skills-based” games, such as Skee-Ball or shooting baskets: i.e., “recreational activities for which the outcome is largely or entirely dependent on the knowledge, ability, strength, speed, endurance, intelligence of the participants and is subject to the control of those participants.”

This falls into a category I had never heard of: “social betting.” With social betting, there is no third party setting the odds, and more head-to-head competition with people you know. You’re not betting against the house; you’re challenging your friends. It is estimated by gaming research firm Eilers & Krejcik to be a $6b market, and its proponents argue that it is not subject to the licenses and regulations that other gambling is.

Not everyone agrees. Marc Edelman, a law professor and the director of sports ethics at Baruch College in New York, told NYT:

If two people are competing against one another in Skee-Ball, presuming that there is nothing unusual done in the Skee-Ball game and physical skill is actually going to determine the winner, there is no problem. If I am taking a bet on whether someone else will win a Skee-Ball game, or whether someone else will achieve a particular score in Skee-Ball, if I myself am not engaged in a physical competition, that very likely would be seen as gambling.

Brett Abarbanel, executive director of the University of Nevada, Las Vegas, International Gaming Institute, went further, telling CNBC: “regardless of the legal classification of the activity as ‘not gambling’ vs. ‘gambling,’ this is an activity in which participants are risking something of value on an outcome that is uncertain. Therefore, there should be consumer protection measures in place for players, particularly when the target audience is skewed toward younger participants.”

Both Illinois and Ohio gambling authorities have already expressed concerns; Illinois State Rep. Daniel Didech, chairman of the Illinois House Gaming Committee, told CNBC: “It is inappropriate for family-friendly arcades to facilitate unregulated gambling on their premises. These businesses simply do not have the ability to oversee gambling activity in a safe and responsible manner.”

There are also numerous “social sportsbooks,” including Flitt, PrizePicks, and Underdog Fantasy, that are blurring the line between online sports gambling and social betting, between fantasy leagues and plain old gambling. And they do it with users as young as 13 and with little or no state oversight. Keith Whyte, executive director of the National Council on Problem Gambling, told The Washington Post: “What a lot of these social gaming — social casinos, social sportsbooks — have found is that the regulators ... either don’t feel like they have the jurisdiction or the time or energy to go after every single app that springs up.” 

Whether we like it or not, people are going to bet. “People will place a bet on ‘Will we have rainfall?’, or ‘How much snow will a certain place get?’, or ‘What will be the first day of snowfall?’” sports policy expert John Holden, JD/PhD, associate professor at Oklahoma State University, told Fox 5 NY last year.

So why shouldn’t they bet on health care?

Let’s face it: we all already bet on health care. We bet that the doctor we pick is well trained, competent, and of the highest ethical standards. We bet that the hospital we go to won’t kill us or make us worse. We bet that the prescriptions we take do far more good for us than they harm us. We bet on all these things, spending trillions of dollars, even though we know the odds are against us: in aggregate, Americans are getting sicker and dying younger.  That’s those other people, we tell ourselves; my doctor/hospital is the “best.”

What makes healthcare different from other areas that one might bet on is the paucity of data. I always remember what a colleague told me years ago: “I can know more about the performance of every MLB player than I can about any physician.” And that was before legal sports betting.

If we were to bet on health care – either our own (social betting) or others’ (online gambling) – there’d be more data. We’d insist on it. We’d analyze it. We’d use it. It’d get better and more detailed over time. And, I daresay, healthcare would become better for it.

Personally, I don’t like to gamble. I don’t buy lottery tickets. I don’t go to casinos. I don’t even bet on the Super Bowl or March Madness. So I’m tired of gambling so much on healthcare without knowing more about the risks/rewards, without the data I need and should have. If betting is the only way to ensure the data, then I say: let's roll the dice.

Maybe Lucra could develop a gamification platform for us to bet with our doctors and hospitals.