Today’s episode is paid content from our feature sponsor, who helps Inside Reproductive Health to deliver information for free, to you! Here, the Advertiser has editorial control. Feature sponsorship is not an endorsement, and does not necessarily reflect the views of Inside Reproductive Health.
Cyber threats in fertility aren’t abstract.
They're active, adaptive, and closer than most clinics think.
And with AI lowering the barrier, even inexperienced actors can cause serious damage.
In this episode of Inside Reproductive Health, One Stop IT experts Chris Diamond and Jordan Spriegel share what’s really happening and how fertility centers can respond.
• How cyber attackers infiltrate fertility and OBGYN systems
• Why these threats aren’t limited to large healthcare organizations
• What clinics should be doing now to protect their systems and patients
• The right and wrong way to approach EMR migration
• Where AI is already being used in fertility practices today
How prepared is your clinic for this level of threat?
What Would One Hour of Downtime Cost Your Clinic?
If your IT fails, your operations and patient trust go with it.
Most practices don’t have an IT problem… until they do. And by then, it’s already costing you time, revenue, and reputation.
With One Stop IT, you get:
• 24/7 monitoring that stops issues before they start
• HIPAA-ready cybersecurity that protects patient data
• Strategic IT planning aligned to your growth
• Secure cloud + backup systems that keep you running
• Fast, responsive support when it matters most
Peace of mind means protecting your clinic from every angle. Click the link below and make IT problems someone else’s problem.
E. Jordan Spriegel (00:00)
instead of needing to look up something on Google or finding a YouTube video, I mean, AI is starting to make this a lot easier and provide those answers for you. So while AI is also helping and making certain things stronger, like some of the endpoint detection responses we're seeing on the market, it's also making it easier for bad actors to get hands on the equipment needed to do harm.
Griffin Jones (00:29)
They weasel into fertility and OBGYN systems like a parasite. They use your staff, they learn your systems, then they exploit you and your patients for money. And cyber attackers aren't just state-sponsored actors gunning for large healthcare companies. AI has made it easier for teenagers, anybody, to do big business damage.
I looked for IT experts with fertility experience and I found Chris Diamond and Jordan Spriegel, partners at One Stop IT.
They're a full service IT firm that helps with cybersecurity, EMR integrations, AI automation. Their decades of fertility experience is actually why Inside Reproductive Health uses One Stop IT for our IT needs. Chris and Jordan share how fertility centers protect themselves from these kinds of risks, what the risks are, the right and wrong way to migrate EMRs, and what fertility centers are automating with AI right now.
If you need IT help, you might talk to these guys. I'd be happy to make an intro or share my experience with you, or find them at thinkonestop.com. Enjoy this conversation with your IT experts, Chris Diamond and Jordan Spriegel from One Stop IT.
Chris (02:35)
The biggest dangers are typically ransomware type of attacks where you're, you know, you just say hypothetically, you come in on a Monday morning, your staff get there, nothing's working, right? Computers are locked, your systems and data are all encrypted. You see a ransom note pop up on your screen. Essentially, you're locked out of your own world, right? And you cannot function. That's kind of like essentially worst case scenario, right? Where we've seen it in large companies and small. This is where we tried to prevent and avoid things like that and obviously prepare for them, right? Because sometimes it's inevitable. It will, it's not, you know, as they say, it's not a matter of if, it's a matter of when. So our job is covering all the bases to make sure it doesn't happen, but also be prepared to when it could happen, right? So essentially in a modernized form of insurance, I guess you could say.
Griffin Jones (03:23)
A matter of when, not of if? It's that common?
Chris (03:26)
I would say so.
Griffin Jones (03:27)
When I hear about ransomware attacks, I often hear about large health systems. Is it as frequent with smaller businesses, less frequent? Tell me about that.
Chris (03:38)
I would say less frequent for sure because there's less to gain, but it can happen at any degree. I mean, we've seen both, obviously you see the large ones in the news, smaller ones you may not hear about as much, which are typically our clients, right? Most of our clients don't have internal IT and if they do, they may have limited internal IT resources. So we supplement that.
But the majority of the, I mean, it happens, I guess to answer your question, it happens at all sizes, right? And what makes them a target? I mean, nobody really has a definitive answer to that, I don't think. But it's usually financially or some type of, you know, retribution sort of thing.
Griffin Jones (04:14)
So if you're smaller, you might have less to offer the potential attacker, but it's also likely that you have less defenses, right? Like it's like, who wants my toy? Who's going to steal my Toyota Camry? You know, when there's all these Benzes and BMWs out there, but the Mercedes and the BMWs might have better security systems or be behind a gated community and your Toyota Camry is sitting right there. Is it kind of like that with cybersecurity as well, where, yeah, the bigger ones might be targets because they've got deeper pockets, but you as a smaller entity might be an easier target?
Chris (04:52)
Yeah, I think you hit it right on the head there. Toyota Camry, yeah, not as glamorous, not as expensive, but probably maybe easier to steal, right? So if they can steal a dozen of those in a week versus one Mercedes may take them longer. So I think that's kind of similar, right? There's some attacks that might be easier to accomplish and check a box off for the bad guys, right? The bad actors. So they can say, "Hey, we hit X amount of clinics this month," and, you know, their ransom requests may be staggering, right? I mean, it could be just a small clinic that they may be requesting millions of dollars for, right, to recover the data. So the amount of damage is the same, right? It's really just like each company has its own tolerance level.
Griffin Jones (05:32)
Jordan, how are these attacks executed? Most of us don't know anything about cybersecurity or IT. So just talk to us about like how they're actually carried out.
E. Jordan Spriegel (05:43)
Yeah, so there's, there's a few different ways. I mean, like Chris touched on earlier, social engineering tends to be a really big one. That's why having a strong security awareness training and things in mind to constantly test and make sure that your employees. Social engineering would mean someone that's a bad actor essentially is calling up and trying to essentially get someone to.
Griffin Jones (05:56)
What does social engineering mean?
E. Jordan Spriegel (06:09)
do something that could be clicking on a link, it could be getting those spam emails where it looks like it's from your employer. There's a lot of these and this is becoming a lot more common within the whole cybersecurity sphere. But then to also look at the other side, I mean, with AI, I mean, hacking is getting a lot easier for, you know, those teenage kids that you hear hacking into NASA.
Through AI, it's becoming easy to now do open port scans. With port scans, you can kind of figure out where you can get some vulnerability and kind of where some access can get in. From there, you can do some fingerprinting. That will allow you to pick up what kind of operating systems and what are on these devices. From there, you can then go look at the National Institute of Security Standards and Technologies, and you can go look at the common vulnerability exchange and find specific flaws for that operating system. Hacking isn't always done by, you know, state-sponsored actors. Sometimes it's just a 13-year-old kid in the basement seeing what he can do.
Griffin Jones (07:12)
And seems like that's getting easier. Why? Because of AI? Like they're using Claude to do this? Or why is it getting easier?
E. Jordan Spriegel (07:20)
I mean, technology is getting easier to access. Instead of needing to look up something on Google or finding a YouTube video, I mean, AI is starting to make this a lot easier and provide those answers for you. So while AI is also helping and making certain things stronger, like some of the endpoint detection responses we're seeing on the market, it's also making it easier for bad actors to get hands on the equipment needed to do harm.
Griffin Jones (07:44)
Is social engineering the same as phishing?
E. Jordan Spriegel (07:47)
To an extent, yes. There's different kinds of phishing and some are just like terms like for example whaling would be a method of phishing where you're specifically going after larger or high value clients. So phishing is essentially a piece of social engineering.
Griffin Jones (08:07)
Before you pull one fish in hook line and sinker, instead you use it as bait to catch a bigger fish? Is that what whaling is or do I have that wrong?
E. Jordan Spriegel (08:15)
It's almost just more defined targeted phishing. For example, I mean, there's lots of tools like Apollo or ZoomInfo where you could pay or look up companies to get certain people's information. Now actors are using these tools to help target and do some of that social engineering to get information within a company that most people wouldn't know to look.
Griffin Jones (08:38)
Is phishing getting better with AI right now? Because I'm terrified that it's going to get so good in a couple years. Like right now, very often you can tell if you're using common sense, this is a phishing scam. I think in some years time that it will seem really authentic. Like if you have AI bots that can crawl social media and do other things, then it could send and do deep fakes and set, you know, could send a voice message from a spoof text message in Chris's voice saying, "Hey, Griff, back when we were at the MRSi conference, I left this thing in Nikki's office. Can you text me that?" Like it will have context for who we know, where we've been, what we've done? Are we are we there with phishing right now? Or how close are we to something like that?
Chris (09:31)
Yeah, I think it's very sophisticated to answer your question and it's only getting better as you've seen. I mean, there's, there's SMS components like you'll be surprised. And I think going back to the whaling comment, I want to say, I'm not the expert in that, but whaling, I think, typically is going after CFOs, CEOs, business owners like you, Griffin. Typically, you know, they get ahold of your, Jordan was mentioning ZoomInfo. It's a public thing you can sign up for and get everybody in every company. Right. So they target the whales of the company thinking, you know, they can get it. You've seen simple SMS to. I've seen CEOs of large companies get an SMS from somebody saying, hey, I need to wire me money or something. And it gets to the point where you think it's real and you get almost to the point. And sometimes it's actually executed and hopefully it gets caught beforehand. But you'd be surprised when people are very busy, they get taken advantage of a little bit easier, I think. That's kind of why these things happen, right? Where it's, you know, I was at a staffing company years ago and we did, I'm just giving an example. We did transactions via paper check with a large customer. They would pay those millions every month. And one of our employees got phished in an email and they not only get in there, but they monitor you and learn your behavior for about a month or two. She was being monitored. And finally they reached out on her behalf to the client and said, "Hey, effective next month, we're not doing paper checks. Wire the money to this account." Right. And it was of course an offshore account. And it took us about two months to realize it even happened because the customer and the money went missing and whatnot. So that... These things are calculated typically and targets are established and they do a lot of due diligence. It's not just like, we're just gonna throw a big net out there, right? And I think AI is making their lives easier to do this in a larger scale. So that's the scary part.
Griffin Jones (11:12)
And then what's an open port scan?
E. Jordan Spriegel (11:15)
That's kind of getting into nitty-gritty, but a port is essentially a piece within the network that a certain type of information will transfer through. So to look at it on a broad scale, HTTP for web browsing, that's often considered port 80. Well, port 80 doesn't encrypt traffic. So if you're only using HTTP, then if someone is technically in your network or monitoring it, then they can kind of see some of that traffic that's going through. That was replaced by HTTPS, which is now port 443. As there's more applications and more types of data to be transferred, there's more ports. So as an example, some of the traffic that flows through the application of Facebook, will have its own port number and the type of traffic can have certain types of vulnerabilities that people can exploit within a system.
Griffin Jones (12:09)
And then what's fingerprinting?
E. Jordan Spriegel (12:11)
Fingerprinting is essentially using tools to send signals to kind of be able to pull information on devices. If you're able to ping and do scans within a network, you can often decide and see what other devices are on it, what the operating system it's running. Through that, fingerprinting is essentially just gathering all of that information to be able to find other points of vectors you can attack on.
Griffin Jones (12:40)
The cybersecurity attack a couple years ago, Change Healthcare, what happened with that?
Chris (12:47)
Yeah, so that one was their large, obviously, claims provider. I was working at a DSO back then, Dental Service Organization. Essentially, we use them to process claims. So as secure as our posture was security-wise, I mean, that was a big disruption. That's a vendor, right? You're a close partnership. They do a lot of transactions for you. They keep the lights on, so to speak. So that was kind of an awakening moment for a lot of executives and companies to realize like, hey, you know, a single point of failure like that can stop revenue from coming into my front door for X amount of days or weeks, right? And that's exactly what happened. So you kind of start scrambling to see like, hey, you know, how can we process claims without these guys and what steps do we have to take? So really fast course correction, but also can be devastating, right, to a company.
Griffin Jones (13:36)
I know I'm asking you guys to Monday morning quarterback that situation. It's not like you were there and you know everything, but what do you think happened?
Chris (13:45)
It was a long road to recovery for them. And you know, I've, I've probably seen a couple of those per month when I was running that IT department there because there was just so much happening and all the vendors and partners, some of them onshore, some of them offshore. But essentially, you know, that's where the posture comes in, right? You have to have a game plan in place and that's where a lot of people fail, where it's like, "Hey, we just got a new firewall. We're good to go." It's not the case. There's so many moving parts. That's fertility specifically has a lot of moving parts. And the clinics hold a unique set of data that could be potentially devastating for the patients and the practice. So especially when you have all the laws around HIPAA and things like that, compliance stuff that has to be followed. So the risk there is pretty tremendous in the fertility realm.
Griffin Jones (14:35)
Is there a common denominator between those attacks that you saw that it's often one thing or one category of things that people either didn't have in place or had the wrong thing in place?
Chris (14:47)
Common denominator is not having a pulse on everything. That's the hardest thing to explain to executives where they're like, we spent millions on cyber software. We spend millions on consultants. We spend millions on this, that, the other. But you know what? You need to have a team or representatives having a pulse on everything. And I think that's where some people or a lot of people fail because you know, it's kind of like the Murphy's law, right? You've checked all these boxes that are like common threats and then, boom, you saw the recent one with Stryker, right? Stryker was a huge medical supplier. I mean, they used Microsoft, tens of thousands of employees. There's a product in Microsoft called Intune, which is meant to manage, make IT guys' lives easier. They manage all your endpoints, laptops, tablets, cell phones, you name it, right? Administrative credentials were gained somehow. I don't remember how, but somebody got a hold of that. Wake up the next morning, every computer was wiped, how the employees' computers were wiped. Nobody could work, right? So it's things like that where you're doing audits of your vendors, obviously you're following HIPAA as much as you can, but you need to keep a pulse on what everybody's doing that you're sharing information with.
Griffin Jones (15:56)
How do you possibly keep a pulse on all that? Like, I'm sure they thought they were keeping a pulse. Like, how do you possibly...
Chris (15:59)
It's... It's not easy, but it's conversation driven. That's where we, you know, you come in, you do an assessment. You're like, all right, let's again, check all the boxes off. You have old network technology. We update it. We get you, you know, endpoint management, endpoint detection response. We get everything up to snuff technically, but then we have to dig into policies, procedures, who are you sharing data with? There's integrations that, you know, especially nowadays with private equity is buying another practice, you're inheriting things that you don't even know about, right? There's databases, there's transactions happening behind the scenes, especially in that embryology lab, right? Which is like the heart of an IVF clinic. You have, it's probably the least IT governed section of a business, right? Because there's lab equipment vendors that control the software. There's barely any updates that happen. There's no network segmentation. So, you know, things get crossed in. A cyber attack hits that, it could turn off the lights for a lot of things, right? And that happens quite a bit in other verticals, but it's devastating to, it can be to fertility and healthcare, right? Especially if it's a hospital environment or that has critical systems at play.
Griffin Jones (17:10)
As more hardware comes into the picture, does that introduce more risk? Like I was reading about cyber attack in the Wall Street Journal was actually an RIT Rochester Institute of Technology student that cracked the case. And you guys will probably think that I'm butchering this because I am, but it was something like they were hacking into things like smart picture frames and using that to like hack into other devices or like launch attacks from other devices. I know I'm butchering it, but is that risk at play as well now we have like really smart ultrasound machines and we have 3D ultrasound probes and we have time lapse incubators, we have electronic witnessing, like as there's smarter technology in the labs and in the clinics, are those potential entry points for attacks?
Chris (18:02)
Yeah, I mean, I would say 1000 % yes, because they do look for the weakest vulnerable piece of hardware, software, and the organization, right? So oftentimes, like in a lab environment, in a manufacturing environment, you have logic, little logic boards on a machinery. But if they are tied to the network, I mean, yes, that's basically an origin, right? That's how they're going to get into your network. And then from that point on, it's almost too late, right? That anything's kind of open game for them to access.
That's why if you've heard of IoT, like in your home or business environment, they have IoT networks. So basically if you have like an Alexa device, which can be easily hacked, right? You want to keep that on a separate network where it can get to the internet, but it can't get to your server or your personal files or whatever. There's that segregation piece, which is important.
Griffin Jones (18:48)
You guys have some decent experience working with fertility centers and I should also share that you provide IT services for Inside Reproductive Health. And that's part of the reason why I'm interested in talking to you is because you've done a good job for us and taking care and showing us different blind spots and things that we were struggling with that we're not seeing any bit like we were because of you guys. So, you know, I'm biased towards you guys because you've helped us, but you've also had some experience with fertility centers. What's your kind of approach with them? Like when you're starting to work with a new fertility center, what's the first things that you do?
Chris (19:29)
Yeah, I mean, obviously we do an assessment of their tech stack is probably the easiest, right? That's the immediate thing. And from that point on, you kind of dig into it a little bit more with such as like doing a security risk analysis, looking at who they do business with, who's data shared with. Like I mentioned in the embryology lab, I mean, there's tons of equipment that shares data, sends patient results back to certain other companies and third party cloud systems and whatnot.
So all of that, I mean, you kind of just have to set the baseline and understand what's happening in the environment, right? And then you kind of start digging into it piece by piece and understanding. And I'm a big fan of least privilege. I mean, it's a common theme, right? In cyber where everybody says you get access to what you need. So a lot of companies just have, may have an on-premise EMR that has a database that, you know, a vendor has access to, but they may have way too many privileges, right? So you kind of evaluate all that and start locking it down as best you can.
And the most difficult part is doing this while the business is operational because you can't be too intrusive because if you start locking people out of their systems and clinicians can't do their job and then it kind of becomes messy, but so it has to be carefully approached, I guess.
Griffin Jones (20:37)
Tell me about that implementation of least privilege because there are things where we think we are following least privilege. And then it's like, who has access to that? And, and you all helped us see some of that to talk about that.
Chris (20:54)
Yeah, I mean, it's easily uncovered at the most, you know, outlying all the tech that's at play, right? All the software partners, all the vendors you're working with, everyone you're sharing data with and in a medical environment that's quite a few people, right? Because you're oftentimes outsourcing claims and you're sending all this patient data to a claims person that, you know, maybe overseas and whatnot. So really just understanding what's happening and documenting it and then, you know, spending the time and you can use AI tools for this as well, but you can get into each system there and just kind of run some basic reports and say, here's all the people that have full admin rights. Do they need these admin rights? And you start scaling them back slowly. And then here's all the data you're sending to this vendor. Does it need to go to that vendor? So you start scaling that back. And then you get to a point where it's like, we're sharing the data that needs to be shared and nothing beyond that. And then you're in a much better place. And then from that point on, it's really, as I mentioned, the if and when. I mean, when it happens, you want to be prepared. So we try to do multiple air gap backups.
Jordan can probably speak on this more, but our cyber insurance policies kind of demand that we do that for our customers for these reasons, right? So you want to have air gap backups because if it does happen, and again, it may not necessarily be something that we're in control of. It could be a vendor that has a direct connection to a patient, a clinic's network that ultimately gets breached and then we have to clean up the mess. So we want to be prepared and have the backups ready. Make sure we test the backups and here's how long it's gonna take to get back on your feet and then sit down and have these exercises and discussions with the leadership team. So.
Griffin Jones (22:23)
What are those air, did you say air gap? What are those Jordan, and what is the underlying problem that they solve?
Chris (22:27)
Yeah, Jordan can speak on that a little bit.
E. Jordan Spriegel (22:36)
An airgapped backup essentially just means a form of backup that is not able to be editable. So once that backup is in place, there are certain methods in place that will prevent it from being able to continuously copy more data backups. The reason for this is, if you were to get ransomware, and then you continue to back it up, well, now your backup is also gonna be triggered and is no good.
One of the most common misconceptions we see when dealing with backups is that people will often think just because it's in the cloud that they are safe. That is not the case. You still want your cloud backups to be irreputable and not editable. So you just really need to look at the big picture. Also, you got to make sure too that your cloud where your cloud storage is being backed up elsewhere. I mean, do you have to look at the disaster recovery piece? If there's a natural disaster that happens in Florida at a data center in Florida where all of your information's kept and a hurricane comes and that data center gets wiped out, well, if they don't have a disaster recovery place that's geologically separate, I mean, there's a chance that they could lose your information.
Griffin Jones (23:49)
We've been talking about EMRs a bit. When I think of EMRs, this might be my own ignorance, but I think of any sort of technical support coming from the EMR company. Why are people going to you for support with their EMR?
E. Jordan Spriegel (24:05)
this.
Chris (24:05)
Yeah, I mean, so they're highly specialized systems, right? I mean, we all know there's quite a few out there. In fertility especially, they're not general purpose. They're very specifically built for that practice. So typically when you stand up an EMR, I mean, beyond the training and getting people to using it is not the difficult part. It's really the integrations. So there's, in fertility, there's like a whole ecosystem, right? Where you have multiple data streams. Everything needs to talk to each other. Lab systems, billing, patient portals, pharmacy, genetic testing. I mean, there's tomorrow tanks right that are now in fertility. So there's all these different data things happening and some of these EMRs do a good job and some of them don't so it really, you know, need a representation at the clinic level because the EMR companies who do you think they're protecting, right? They're just protecting themselves and I mean they do best stuff for to protect the patient data and if it's in their cloud they're responsible for that piece of it. But you know, there's people in your clinic at your location, maybe staff even working remotely that are accessing this data. So it's moving around quite a bit. So you have to have eyes and controls in place at different levels.
Griffin Jones (25:10)
You guys want to burn any bridges here on Inside Reproductive Health and tell us which EMRs are good and which aren't?
E. Jordan Spriegel (25:14)
You
Chris (25:16)
I'm not sure we could do that. I don't know if I want targets on my back.
Griffin Jones (25:19)
Well, then tell us what specifically makes an EMR good in these regards and what the poor ones do.
Chris (25:27)
You know, my professional opinion since I've been doing this, I have 20 years experience in fertility. So just throwing it out there. That's the gray hair on my head. It's not so much the product, it's the people behind it because there's a lot of great products that are released and then companies will say, we just sold this beautiful EMR to a new company. That new company says, all right, we're just going to sell the crap out of it and just refine it minimally.
To me, what makes a good EMR is the people that are behind it where, and I've had a lot of good stories I can share with you, but people that are like, hey, we started out small, now we're growing like crazy, but we need all these features, we need these improvements, we need these security components, we need all these integrations. And then you work with that EMR vendor to accomplish what the business needs, what your IT guy, which would be us, needs to keep you safe and secure to make sure the operations are running. You know what I mean?
So it goes beyond the product. It's really more about the relationship to me, not just buying an off-the-shelf EMR and just be like, hey, plug it in and away you go.
Griffin Jones (26:27)
What are the issues that people are coming to you with regard to EMR migration?
Chris (26:32)
Well, I mean, the first, depending on the size of the practice, of course, there's always the build versus buy, right? That's all executives are looking at that. There's always each, it's case by case, right? Every clinic, there's some very large entities out there that are private equity held where they can afford to do more and better. And they want that brand recognition. They want their own EMR. They can go out and do it and spend a fortune. For the most, most of our customers are smaller. They're looking for, operationally, what's going to be the best, what's going to be easy to use, easy to manage, easy to secure, easy for us to support. So there's kind of a different field depending on who you speak to out there, I guess. Larger entities will have different requirements because they're looking to buy and acquire and merge. And so they want a product that may allow other EMRs to integrate into, so they could do migrations easier. Where other smaller standalone clinics may just be like, hey, we want the easiest product to use. We don't want to spend a fortune on it. We are not going to use all the bells and whistles of it. So depending on how busy and how large the laboratories are and all these moving factors.
Griffin Jones (27:35)
I the EMR companies will have points of view on migration. There's a couple of rising stars. I think Bluemick might be a rising star in the EMR space and we might want to do some coverage on their point of view on migration. But is there a right way and a wrong way to do it as far as you can tell?
Chris (27:54)
There's no right or wrong. It's really just planning and being able to be nimble in the execution of it. So there's always going to be things that you could plan for weeks and weeks and weeks, but something's going to throw you for a loop, right? And making sure you understand all the intricate parts of the clinic that may not be documented. That's the biggest thing we see is lack of documentation, where it's like the previous guy or the previous vendor just came in, set it up, and left. So nobody knows how it works or what, when it was set up or how it's secured or things like that. So you have to understand all that before you go out and rip something out and change it.
Griffin Jones (28:28)
You look like you have something to add to that Jordan when I asked if there was a right or wrong way you were kind of nodding your head. What were you thinking?
E. Jordan Spriegel (28:35)
Just thinking that there can definitely be wrong ways, but Chris hit the nail on the head. I mean, really planning is most important piece of it. I mean, you just got to make sure that you know kind of what's expected during the change.
Griffin Jones (28:47)
I was speaking with one fertility physician who is very tech savvy. And this individual was thinking that there can be, or maybe there will be in the near future, a way to migrate almost seamlessly. And the conversation started that it doesn't matter if the best EMR comes out tomorrow. Nobody's going to switch to it if they just switched EMRs.
Right? Like if you just switch EMRs, you're staying put for five, 10 years, maybe more. And it's just too painful of a process. And this individual's perspective was, well, you might be able to reverse engineer the API of each of the EMRs and just push a button and there's your migration. I'm very skeptical
that that's possible. I don't know anything about coding. How close to that is it reality or complete wishful thinking?
Chris (29:54)
So.
E. Jordan Spriegel (29:54)
The AI experts will tell you about two years for agentic AI, which is AI being able to automate specific tasks like that for migration like that. Essentially AI would be able to read what's within the pages and match field to field to then migrate data. 'Cause if you're ever looking at any migration, you're typically taking data sets with, with rows and identifiers and then importing it from one system to another.
Chris (30:23)
And I would.
Griffin Jones (30:24)
Do you think it's possible today though? Like could you do it with Claude and or maybe like a couple developers? Can you reverse engineer the API of two different EMRs and press a button and have almost instant migration?
E. Jordan Spriegel (30:38)
You could, I mean, with the right keys, could almost build out anything per se. You just need to make sure that you'd have the right access to all systems or at least know kind of how that data is stored and how it's formatted and essentially.
Chris (30:48)
Yeah.
I think the biggest hurdle is that is not technological, Griffin. It's, it's, it's the fact that, you know, the one EMR vendor doesn't want you to leave that easily, right? If it becomes that open source where you could hop around, it's probably not going to be good for anyone. Yeah, but I, I do agree AI is going to make it easier, but there are challenges. Like you said, if it's a cloud based system, you don't have the keys to that server, right? Whereas like some of the legacy, traditional EMRs are sitting on a SQL server in a closet or in a, in a company controlled data center,
where your IT guys can just go in there and grab the database and plug it into another one, it's definitely easier. So in discussions, it sounds easy, but it just, the execution of it is never simple.
Griffin Jones (31:33)
It's never as easy as it sounds. It's never as easy as you want it to be anyway. We've been talking a lot about IT from the business owner's perspective, but how can IT support make life easier for doctors, for managers, for other, for nurses, people that don't own the business but just work in it?
Chris (31:35)
Right.
Yeah, that's a good question. I mean, so, you know, before AI, we call it the digital transformation, right? And I think AI just put a new twist on it. But essentially, you know, there's still quite a few clinics out there that operate on some paper charts to some degree. So I think getting to that level and kind of, again, doing a baseline analysis of where that clinic's at, right? How tech savvy are they today? And there's a lot of moving parts in the clinic, right? From the front desk, checking in and
automating the whole patient experience from start to finish, I think is way beyond an EMR. I mean, a lot of EMRs will try to say, hey, we have all these modules incorporated, but in reality, what's happening in a 2000 square foot clinic, maybe a 20,000 square foot clinic may be way different, right? So you have to kind of understand the workflow and operationally, I think we work closely with operations leaders to understand that a little bit more.
And obviously one of my passions is working directly with the clinical and lab leadership and understanding the workflows in the clinic, in the lab. So you can not just throw a piece of technology at them and say, here, we think it's going to stick to the wall. Just go use it. But we have to be careful on that. And I've seen a lot of horror stories going back to the cyber thing where some startup clinics are using Slack, the free version of Slack, which is not HIPAA compliant, which they may not know or may not care.
Ultimately, when something goes wrong, you're going to be in trouble. So I don't think anybody wants that publicity or tarnish on their name, right? So we have to educate people as best we can from all levels. Doctors, front desk people, it doesn't matter. We treat them all the same.
Griffin Jones (33:37)
are people asking your help for with regard to AI?
E. Jordan Spriegel (33:41)
How can we utilize it? You know, everyone wants to know. AI is such a big buzzword right now. And I want to say confidently that not everyone even fully knows what the term AI means. Like, yes, it means artificial intelligence, but how does it actually play into a business and how is it actually beneficial? And the easiest way I would tell people a response to that would be think of a specific task, the more specific, the better. And then
Chris (33:41)
Jordan.
E. Jordan Spriegel (34:08)
think of how that can be automated. If you look at it piece by piece, then that typically will make it better. But AI is essentially how can I automate a piece of this, of my workflow.
Griffin Jones (34:19)
What are you seeing? What do you think can be automated that people are missing out on?
Chris (34:24)
It's going back like Jordan kind of touched on is you're trying to solve a problem. I guess, you know, when we, when we hear people, doctors, business owners say we want AI, it's like, all right, where do your biggest pain points? Like, what are we trying to do? So a lot of them, you know, there might, there's good phone systems out there now that have great capabilities that are the interface well with EMRs and other systems. So we could say, you know, our front desk girls are so busy. They don't answer all the calls. All right. Here's a cool AI platform
that's going to help you automate the reception as part of it. It's going to catch the patient's sentiment. If the patient's in the middle of a procedure and a bad mood, right? They don't want to be on hold for a while. So there's an AI phone platform that can capture that sentiment and say, all right, this person just moved up the food chain. They're extremely annoyed. They need to get through to a human right now, right? So those are simple things like we can layer into a business to help the business. And it's not super complicated, right? It's not just saying,
we're going to put AI into the back of your EMR. It's really just like phone system, checkbox, boom, you got AI capability. What else are we trying to solve? Like automate certain components of it. And then everybody gets a feel for AI because of the buzzword that's out there and they get the firsthand experience with it.
Griffin Jones (35:30)
What do you think fertility centers should do if they are realizing, okay, I'm probably a little bit more exposed than I'd like to be? What's the first step they should take?
Chris (35:43)
Yeah, the first thing to do is just have a conversation, kind of understand like what, you know, where do you feel you're at? And then do you have documentation? Like, is there any policies to, you know, there's so many moving parts and it just, that's the part that boggles us a little bit is the stuff I've seen where you have really smart security and IT guys go in there and like every, you know, we locked on the Microsoft environment and everything's HIPAA compliant. But then we've seen, I personally have seen nurses that are extremely busy in a, you know, 10, 12 hour workday.
They go to send an email to Mary Jo. Well, guess what? We saw 20 Mary Joes this month in the clinic. They send the wrong Mary Jo patient, you know, the results, right? Or whatever, some HIPAA breach happens just by the auto correct or the auto complete feature in Microsoft Outlook, right? So you're like, crap, now I got to shut that off and kind of educate people. Like, be extremely cautious when you're sending an email. Don't just type the first Mary Jo that pops up. All these little caveats that will improve your business and
educating your staff, I guess, is the most important thing, right? Where it's like, hey, keep an eye out for these little things that can catch you and bite you.
Griffin Jones (36:48)
How can people get a hold of you guys?
E. Jordan Spriegel (36:51)
They can contact us through the website, thinkonestop.com. They can just give us a call, 772-663-7867. They could send us a message on LinkedIn or Facebook, but the best ways would either be visit our website and contact us, email us at info at thinkonestop.com, or give us a call. We actually have a cool abbreviation. It's 772-OneStop.
Chris (36:51)
Jordan.
Griffin Jones (37:17)
And if people can't remember 772 One Stop, they can email me. I'll be happy to make the intro. And I look forward to having both of you back on as more cybersecurity issues come into the news, as more people start to tell me EMR things that I don't think can actually happen. I'll bring you all on. I appreciate you being our IT experts today.
E. Jordan Spriegel (37:41)
Yeah, thank you for having us.
Chris (37:41)
Yeah, thanks for having us. We appreciate
