Dissecting Digital Health — with Trish Williams
Trish Williams’ name is synonymous with healthcare cybersecurity in Australia and across the globe. She’s convinced that security and health is super cool — uber cool in fact — and listening to her, you will believe it too.
This is the full transcript of the podcast Dissecting Digital Health with Dr Louise Schaper, interview with Trish Williams Professor of Digital Health Systems at Flinders University in South Australia.
Guest: Professor Trish Williams, Flinders University
Host: Dr Louise Schaper, HISA
Tweet Louise @louise_schaper Tweet Trish @TrishWilliamsAu
Production: This podcast is produced by Ivan Juric
Show Notes
[1:40] Opening Remarks by Dr Louise Schaper
[1:49] Today’s guest, Trish Williams discusses her position at Flinders University which allows her to combine her passions in health informatics, security, medical devices and standards. Trish shares how she has been interested in computing within a medical context since the mid 1980s.
[4:05] Trish reveals that all of her immediate family members are healthcare professionals, spurning her interest in healthcare computing. Trish shares what attracted her to computing, and her eventual move to Australia to work for Medrecord.
[7:04] Louise has Trish share her journey to becoming one of the world’s leading security experts in digital health. Trish shares that the issue of security in computing came about in the 90s due to the advent of the networks, the internet and sharing data.
[8:58] Louise discusses the rising concerns around cybersecurity in healthcare and asks what steps Trish believes Australia needs to take regarding these concerns. Trish compares and contrasts the security issues and measurements between Australia, the UK, and the US, taking important variants into consideration. She delves into the healthcare model differences which play a big role in the motivations behind the cybersecurity threats in Australia versus the US.
[16:05] Trish addresses Louise’s concerns about the rising cybersecurity issues in Australia and the lack of understanding around what security is. She goes on in depth to describe security’s invisible nature and explains the challenges that come with working against hackers
[20:31] Trish touches on the biggest issues in cybersecurity and Louise shares an anecdote of a kid who guessed a password to an iPad and download apps as an example of our apathy towards tighter security.
[24:15] Louise brings up a recent security issue in which Trish was involved, and asks Trish to share the story. Trish goes into her story leading to her brief media fame thanks to security issues regarding the popular mobile game, Pokemon Go.
[25:42] Louise begins bringing the conversation to a close by asking Trish to share any advice that she has for people wanting to start a career in digital health and health informatics. Trish gives her two cents on what she believes will lead to a fulfilling career in the field, particularly focusing on narrowing down on a specific area. Louise and Trish discuss the dialogue they have around explaining their work to others.
[28:33] Louise asks Trish to answer a final question, having her reflect on her professional life and share what contribution she’s made in healthcare informatics that has made her the happiest. Trish talks about the practical differences she’s contributed to, and Louise commends her on her efforts and passion.
Closing Remarks
Full Transcript
Opening Remarks by Dr Louise Schaper
[1:40] Louise: Welcome to Dissecting Digital Health with me, your host, Louise Schaper. Today, I have a very exciting guest. Guest, who are you?
Today’s guest, Trish Williams discusses her position at Flinders University which allows her to combine her passions in health informatics, security, medical devices and standards. Trish shares how she has been interested in computing within a medical context since the mid 1980s.
[1:49] Trish: I’m Trish Williams. I’m the CISCO Chair and Professor of Digital Health Systems at Flinders University. I’ve been there for nearly a month. Prior to that, I was the Associate Dean at Edith Cowan University Computing.
[2:02] Louise: Okay, and what bought on the move?
[2:05] Trish: Flinders offered me a position that puts together everything that I am so passionate about. So it’s health informatics, security, medical devices, international standards, and all of those things all mixed together in one and gives me the opportunity to be able to put those together as well as get other researchers together, and work as that collaborating point of contact for people and get them all to work together.
[2:35] Louise: Cool! That sounds alright. I’ve been thinking about this, as I’ve known you for a long time…. Now, you are a woman who’s in IT who specialises in cybersecurity. I imagine you are a rare beast, is that right?
[2:49] Trish: It is quite rare. It came about because I originally did mathematics and computing at university. The only option at that point was probably to go into mathematics teaching. I decided I didn’t want to do that and fell into some of the computing, not really by mistake, but we were still using punch cards. I hate to say that.
[3:14] Louise: Do you mind me asking what time frame we’re looking at?
[3:20] Trish: Considering I’m 28, that would make it in the early 80’s. In the early 80’s, computers had just come in and we didn’t have screens. We still had teletypes. To actually do the work on, you had to use PDP-11 and punch cards. It started from that, but I did the computing and really, really loved it. I’ve always done it from a medical perspective because I’m the only non-medical doctor in my family. I used to say I got shipped to Australia and my mother used to hate it.
I’ve always done health-based computing because I grew up around hospitals and the whole of medicine, so therefore my passion has always been to apply my computing related knowledge to everything in the health field.
Trish reveals that all of her immediate family members are healthcare professionals, spurning her interest in healthcare computing. Trish shares what attracted her to computing, and her eventual move to Australia to work for Medrecord.
[4:05] Louise: Interesting. I didn’t know that about you. So, Mum, Dad and siblings are all in healthcare, right?
[4:10] Trish: Yes, they are. They are all in healthcare.
[4:12] Louise: So what professions were your Mum and Dad?
[4:13] Trish: My mother was a pathologist; my father was a radiologist. I used to work in a pathlab in all my holidays. My sister-in-law’s a GP and my brother is a geriatrician. There’s a lot of varied experience amongst all that.
[4:31] Louise: When you started, saying, “Hey Mum, Dad I’m going to apply this computing stuff to healthcare”, what was their response? Were they thinking, “great career choice Trish, really proud of our daughter”, or what were they thinking?
[4:41] Trish: I think my father was. He was right into pulling everything apart and putting it back together again, so I learned how to service my car at about the age of 10 because
he was always pulling things apart and putting them together. It’s just what I knew. They did originally think I was gonna go into medicine but I think it was the only thing I thought I didn’t really want to do, but the moment that I was actually using something new, like computing, which was very new at that time, my father was really excited about it.
He absolutely loved it. He isn’t really of the era that had computers, particularly, personal computers, but he would’ve loved it.
[5:22] Louise: That’s fascinating! Surrounded by that, and obviously, you had an interest in medical stuff in life, you said you’ve been around it since you were young, what was it that attracted you to the computing side of things? I know you well, you’re such a people person, so I would’ve thought you’d make a great doctor as well. So what do you think was it that attracted you?
[5:43] Trish: I think it was the analytical side of it. I like solving problems and I think the mathematics side of it was much stronger then than it is now, particularly at university level. It’s pushed a lot more. I started with that and worked for a company called Update Software who did clinical systems in the UK, in Exeter. Then, I came to Australia and I was offered a job here to write the first clinical records package for Australia, so I came across in ’86 to do that.
[6:15] Louise: Is it that the first clinical records package for Australia?
[6:18] Trish: That Australia had. That was with a company called Medrecord. We did some work in conjunction with the college of general practitioners, and that was in ‘86.
[6:28] Louise: So, even your association with the College of GPs goes back a long way.
[6:33] Trish: Different people then, but yes. That’s how it all started in Australia. But that link to that clinical side of it has always been there so even from a security perspective, I’d done a lot of stuff in general practice and then in pharmacies and still did a lot of the technical side of it and some of the programming, but then when I went to the university, I was teaching in networking and security. Obviously, I have just done the security as far as health is concerned, which is, as you said, quite a unique thing.
Louise has Trish share her journey to becoming one of the world’s leading security experts in digital health. Trish shares that the issue of security in computing came about in the 90s due to the advent of the networks, the internet and sharing data.
[7:04] Louise: Okay. We fast forward a few years. You’re now one of the world’s leading security expert in digital health, cybersecurity and health. How did that come about? In those early days, because you did a computing degree when no one else except major geeks do computing degrees. Was it like programming, and then … how did the transition to security come about?
[7:33] Trish: The original degrees were very much programming-oriented. I learned about 5 languages within the first couple of years. We also went out to work in industry in England as well, which meant you had a lot of experience before you actually left the university, which is still something that people or companies in industry really value today, as they want someone to start and be able to hit the ground running. The security in computing wasn’t really an issue up until the ’90s because when things weren’t connected, the security side of it wasn’t an issue. It’s really only with the advent of major networking and the internet that security really reared its head.
We always had access and authentication in programs, but it wasn’t particularly good, but when you started having everything connected, then the security became more important.
It was about that time that I went to work at the university, at ECU. Then got interested in the security side of it and ended up doing my PhD in that because I’d done a lot of work on clinical decision making and how medical practice works. The security was a natural transition, really. That’s how I ended up getting into doing a lot of it from that perspective.
Louise discusses the rising concerns around cybersecurity in healthcare and asks what steps Trish believes Australia needs to take regarding these concerns. Trish compares and contrasts the security issues and measurements between Australia, the UK, and the US, taking important variants into consideration. She delves into the healthcare model differences which play a big role in the motivations behind the cybersecurity threats in Australia versus the US.
[8:58] Louise: On the security side of things, the feeds that I get everyday that land in my inbox and on Twitter. I get so much stuff around cybersecurity and healthcare. It mostly comes out of the US. I see recently, in the UK, just a few weeks ago, the Caldicott report came out and now they’ve walked away from Care.data. We’ve made cybersecurity a focus at this conference and having you and Theresa here is fantastic. But I’m surprised, given the recognition of how important cybersecurity in healthcare is that it doesn’t get more attention here. There are case examples internationally and the UK have just walked away from this massive program that they invested a lot of time and money into and we don’t want to be repeating the same mistakes in Australia. So, how do you? ….I guess I have a few questions. [Laughter] From the security perspective, what do you say that Australia needs to do? Also, we need people to do it. Where are we going to get these? How do we attract the future generations of cybersecurity professionals to healthcare? Do we need a CSI Health (tv show)?
[10:32] Trish: I think we do! We just need to convince people in health that security and health is super cool, uber cool. Really, the whole thing you’re talking about is the fact that in the US, there are lots of cases from all sorts of things.
Whether it is malware and CryptoLocker encrypting data that people can’t get into in hospitals or whether it’s just getting into networks, or in fact, even from the things that we’re talking about at the conference this week about medical devices and the security of medical devices as you integrate it, which includes things to do with e-safety and with standards.
The reason that the US get so much more publicity: one, is that they’re a lot bigger than we are, and two, they’re a lot further ahead than we are in Australia. The same thing in the UK, their systems have been very geared towards clinical practice always, whereas in Australia, the ecosystem is such that particularly for primary care, practices didn’t have electronic records, for instance, until quite late because it was all based on the actual running of the business and the accounting side of it, whereas in England, that doesn’t apply; the models are the other way around because their funding is different.
When you come to Australia, we haven’t had many issues that have been in the papers. There’s two reasons. One is that it’s not that we haven’t had as many issues, but we don’t recognise them. If you actually have a system that’s hacked into, let’s say your clinical record is changed, no one’s going to know about that until you went back to the GP. There’s no way that if information is changed that you look at it on a regular basis. Now, the difference between healthcare and the financial sector is the financial sector have always had to protect all that and people really value their money, they didn’t as much value their health information until now. Partly, it’s because you may not know that things have happened. Also, the whole thing around cybersecurity in health is no way near as advanced as it is in the financial sector and is certainly not as advanced as it is in the US. The US are doing things on a clinical basis to do with security and privacy and confidentiality which we don’t do over here. They have systems of doing things from integrating things like some of the HL7 work and ISO and different places to look at data security for privacy, where you attach what the consent is for patients to actual data. We don’t do that in Australia. We’re not that advanced or not as far forward as they are in other parts of the world in regards to that. Our issues haven’t come to the floor yet and haven’t been published. The other thing is that when you look at health information,
it’s quite easy to understand why people would want to get financial information because cybersecurity is all about protecting things from happening by mistake and making sure that things are obviously available when you need them, but also it’s about financial gain.
Most of the time, cybersecurity is trying to stop people from either making mistakes, or in fact from other people getting into the data and things that you don’t want them to get into. That’s mainly for some financial gain. There is some maliciousness, but that’s usually against individual companies or possibly individual people or high profile things, but in general, nearly all of that is related to money in some way. So whether it’s getting your identity for medical identity fraud, that’s the other thing in the US. The whole of their system is geared around funding from health insurance, whereas in Australia, we don’t have that model. We have a split model at the moment. If it goes towards more of the American model, then more that would be evident. Medical identity’s such a huge money thing and without it, you can’t have various types of care, whereas we don’t have that situation in Australia.
It’s not that health is more interesting, but it’s actually an easier target. If you try to get into a bank is much more difficult. Trying to get into a hospital system is relatively easy.
[15:10] Louise: A lot more people should be focusing on this stuff. It strikes me as really quite interesting that we’re not doing that. For example, I would think that health ministers would have good people advising them what to say to questions such as “If we put our health records online, that it’s going to cause problems because they can be hacked. What do you say about that?” The best answer and the worst answer I’ve ever seen was given by a minister a while ago, who answered that question in front of a bunch of television cameras saying, “well, actually, all the 20 somethings I know don’t really care about security so…”, and I was like “oh my god, no. You need a better answer.” I’m sure you would have a better answer Trish. What is yours?
Trish addresses Louise’s concerns about the rising cybersecurity issues in Australia and the lack of understanding around what security is. She goes on in depth to describe security’s invisible nature and explains the challenges that come with working against hackers
[16:05] Trish: I think we’re going to talk about at the conference. Part of this is we’re not scared enough about what happens to our clinical records. We understand everybody pays lip service to security, but partly, I think most people don’t really understand what it is. It’s something that you can’t see. It’s not something tangible that you can look at, like a bank account where you can see, “someone’s taken a thousand dollars out of my bank account.” It’s not a tangible thing that, as individuals, we care quite enough about. If you’re fearful of hackers, you will do things differently. You’ll behave differently in cyberspace than you would if you think everythings quite safe. In fact, it doesn’t really cross your mind. The comment about the 20-year-olds is because they also don’t see that their information has any value. I don’t know that we were any different when we were twenty, its just that the situation is different and a lot of information can go anywhere and people can see it. Whereas, when we were twenty, we didn’t have to think about things like that. If someone asked your name and address you just gave it to them.
It’s just that we’ve switched into an electronic environment and now more people want our information because it has some value, but we just give it away in the same way.
It’s not particular to the 20-year-olds.
[17:35] Louise: So what about people who use privacy and security as a reason for not doing e-health?
[17:41] Trish: Well, that’s quite short-sighted. The thing is, with security and with privacy, you’re never going to have 100% security. The moment you develop something and then usually you’ll want to secure it right way to go. But the moment that you’ve actually done that, there’s a whole group of very intelligent people around the world who we like to call hackers and think of them as bad people, but very intelligent groups of people who are trying to work out how to break that or get into it, and it’s not because they are looking at you as an individual. It’s an exercise. Some of these people are probably the most intelligent in the world because people who develop the security solutions, for instance, are usually at that level as well. It’s not just a game. It’s about using intellect to be able to work through what someone else has put in place. That’s always going to happen.
In fact, in any other situation, if we didn’t call it security, you’d call it innovation. [Laughter] It is. In any other circumstance, we would call creating something, and then changing and breaking it, as innovation. We don’t call it innovation. In security, we call it hacking.
[19:10] Louise: Excellent. I love that angle. I’m very much looking forward to hearing what you’ve got to say at the conference on Wednesday.
We need to re-position security as the enabler to healthcare
[19:18] Trish: I think the thing that goes with that (and I didn’t coin the phrase, Vince McCauley did) is to think of security as the enabler to healthcare. We always view security as trying to stop you doing something. It’s always in the way, or you have to do something, but actually, we should be looking at it and flipping it the other way around and saying “okay, how do we make security help us get information?” Not “how does it stop us?” Part of that is because
security is usually considered afterwards and therefore it’s something that we put onto people and inevitably, you have to change your processes or human procedures to cater for that.
[20:07] Louise: That’s one of the reasons we have a profession of health informatics because if you just put clinicians and IT people together, it’s just a disaster. Most IT people wouldn’t understand that you can’t just put rules in place that interrupt clinical workflow, and if you do, there are consequences to that, and with the consequences in what we do, people can die.
Trish touches on the biggest issues in cybersecurity and Louise shares an anecdote of a kid who guessed a password to an iPad and download apps as an example of our apathy towards tighter security.
[20:31] Trish: That’s been all the way through from beginning of computing and programming. We have given people programs that were not intuitive. When even Microsoft Word came out, it wasn’t very intuitive and we had to learn to work with it. Now, we’ve come into a situation where we say “enough is enough.” We actually want the computers to work the way that we work, not being told what to do. We’re still in that transition period which probably started 30 years ago, so it might take us 50 years to get to that. We’re doing this more with robotics and with voice recognition, but making them work for us, rather than us doing what someone has programmed and directed we need to do.
The problem with security is that one of our main ways of doing security is authentication passwords, and everything else which, as a human activity, people are rubbish at. Absolutely rubbish.
[21:34] Louise: Password 123 is not a good one?
[21:39] Trish: The most common password is “password” with a zero on it, 12345, and animals’ names. And “fluffy” is right up there.
[21:47] Louise: Oh, the animals’ names. So funny, it was a weekend last year. There were kids at the house who we didn’t know. We weren’t paying attention to what they were doing as we were having our own conversations. One of the kids who’s probably 8 came up to us and asked, “what’s the name of your dog?” we said, “Buddy.” Then after the kid left, we found he had downloaded all these games onto our iPad we had left lying around because the dog’s name was the password. So we ended up with a bill from someone’s child that we don’t know.
[22:32] Trish: I think, probably the people who work in security, because we understand more about what’s going on. It’s not that we’re more trustful, but we tend to, in certain situations, make decisions like that where it’s like someone says, “how do you have a different password for everything?” Get real. Nobody’s a superhuman. You can have a password manager, but in fact from a human perspective, that means every time you need to do something, you need to look it up. But that’s not very conducive to work flow either, so we have different methods of being able to do that. I use a 3-step method for where something is. If its something I completely don’t care about it, then I would tend to use a combination of 2 or 3 passwords. If I can’t remember which one of those three it is, then I’m in trouble.
The things that are medium security need to be different and the things that for banks and everything else, all entirely different. That leveling means that something in life can actually cope with, whereas of the maybe 350–400 different systems that I, one time, have to log into, put in a password manager.
You do tend to put things in your phone, but it’s still quite to difficult to manage. The problem is because passwords is still our primary form of identification and authentication onto a system that says who you are, which then says what are you allowed to do.
Louise brings up a recent security issue in which Trish was involved, and asks Trish to share the story. Trish goes into her story leading to her brief media fame thanks to security issues regarding the popular mobile game, Pokemon Go.
[24:15] Louise: We’ve had an interesting security issue come up recently and I believe that you’ve become a bit of a celebrity in Adelaide since moving there — you’ve made the news. Tell us about that. What happened? [Laughter]
[24:29] Trish: At my first week, we launched the Flinders Digital Health Research Centre which I’m co-director with Professor Anthony Maeder, which is very exciting and it’s multidisciplinary. So, the media people ring and say, “you’re a bit unique. You’re a woman in security and we need someone to talk about Pokemon Go.”
Having children, I promptly rang one of my sons up and said “do you know anything about Pokemon Go?” He just gave me all of these things so then that was my starting point to go and research what it was and I understood what the security issues were and that’s what the news were actually interested in. So my street cred had gone up immensely just because I’ve been on channel 7 and channel 10 news, not because I had anything to do with security. In fact, one of them was just about common sense — what should people do. There are people having Pokemon tools, what should parents watch out for with their children.
[25:30] Louise: Right. I’m sure that’s a good use of your PhD knowledge, how you turn all that knowledge into advice for parents.
[25:38] Trish: Pokemon is cute, I mean, Pikachus.
Louise begins bringing the conversation to a close by asking Trish to share any advice that she has for people wanting to start a career in digital health and health informatics. Trish gives her two cents on what she believes will lead to a fulfilling career in the field, particularly focusing on narrowing down on a specific area. Louise and Trish discuss the dialogue they have around explaining their work to others.
[25:42] Louise: Obviously, I’m gonna have to do a series of interviews with you Trish, otherwise we will be here for hours because there are so many things I want to talk to you about.
One of the reasons I started this podcast is that I love what we do and I know you do and there’s about a thousand people joining us tomorrow, who all are passionate, completely crazy people who love health informatics. I’m hoping that by joining this podcast that we can help inspire people to be attracted to this field and to learn a bit about it and its diversity. What I wanted to ask you is what advice you might have to people who want to start or advance their careers in this fascinating world of digital health and health informatics?
[26:39] Trish: My first piece of advice is absolutely over it [laughter]. The second thing is to try and work out what attracts you to it — what is it in particular that you think you’d like to get into, because health informatics, much like computing, much like security. It used to be this big and it’s now this big.
There are multiple areas you can work in, so you should probably go and think about what it is that’s attracting you to it and what sorts of things you might be interested in and then find someone to talk that over with. Actually, go and talk to as many people as you can to find out ‘what does this look like’. If you can, find a mentor because if you can then focus your goals a little more about what you’re interested in, then it’s about identifying what knowledge you have already and then identifying where to enhance that knowledge.
Whether it is through things like CHIA, or whether it’s university courses or training, and then seeing what experience you can bring to that, because one of the things that people in health often don’t realise is they have a lot of experience that is really valuable to health informatics. It’s actually about using that for a practical outcome, and actually working through it that way.
[27:59] Louise: A practical outcome is really important. I often change my ‘pitch’ of what I do, depending on who I’m speaking with and context. If you talk about a real definition, people fall asleep sometimes. Sometimes, I just say it’s about computers and health, even if it’s not about computers and health, but it often piques interest and then we can have more of a conversation.
[28:20] Trish: I have done that about three times this week. Just today, there’s someone asking what I did in life and they go, “sounds really interesting. I have no idea what it is.” Then I say, “well it’s actually a bit of mixture of computing and health.”
Louise asks Trish to answer a final question, having her reflect on her professional life and share what contribution she’s made in healthcare informatics that has made her the happiest. Trish talks about the practical differences she’s contributed to, and Louise commends her on her efforts and passion.
[28:33] Louise: That’s cool. Excellent. Alright, my last question for you today, thank you, is when, not that you’ll ever retire, but one of these days, you’ll look back on your professional life and when you do, what would’ve make you really happy to know what you have contributed to?
[28:47] Trish:
I think there are several things that make me happy — finding things that have made a practical difference. I’m very much into for security particularly, finding what actually works for people. Not just theoretically what people should do, but actually how can they do that at a practical level.
I think the other thing is that, from an educational point of view, impacting students. I love it when students come back to me and say things like, “thank you, I never realised at the time that you were teaching me to think, as well as imparting knowledge.” They come back and they say really nice things. They get it at some point afterwards, which I think is really important. I think the other thing I really like about health informatics are the people. One of the things, mostly, is all of people that you work with, and particularly things like this event, for instance. I like making people smile.
[29:56] Louise: You’re pretty good at it. [Laughter] You can take the breadth of knowledge that you have, that you’ve built up over the years and I think the point you are made about looking at practical outcomes is important. There’s not many people in health informatics who are actually interested in the use of computers in healthcare. It’s about what can we do with that information, what can we do to make life easier for clinicians. How can we improve things for consumers, for patients.
We’re not that interested in data for data’s sake. What we’re interested in is what can we use that data for, and how can that data be useful for people.
Closing Remarks
Trish, our time is out. Thank you so much for joining me today on Dissecting Digital Health and being my first experimental interviewee. Has it gone alright Val, production assistant? We’re getting a thumbs up. Alright, then cool. Well, thanks a lot. I look forward to round 2, we’ll get you on the show again.
[30:50] Trish: Thank you. I’ll come back again.
[30:51] Louise: Thanks! Bye!
You may wish to check out
UK’s Caldicott Review, July 2016
UK — Care.Data closes after Fiona Caldicott review calls for tougher measures to keep information confidential
HL7
International Standards Organisation (ISO)
Contact Us
Suggest a guest via dissectingdigitalhealth‘AT’gmail.com
Want to learn more about digital health and health informatics — join HISA: Australia’s Digital Health Community www.hisa.org.au
